
Leaving Spellcheck Enabled Is a Privacy Risk (2016) - behnamoh
https://github.com/signalapp/Signal-Desktop/issues/824
======
MereInterest
The conspiracy theorist in me thinks that Google deliberately makes Chrome's
offline spell check be as poor as possible, to give people incentive to give
all text to them under the guise of spellchecking. It seems like every day or
so, there will be some common word that is marked as misspelled, usually a
plural or possessive form of a word that is in their spellcheck dictionary.

The developer in me thinks that this is because nobody at Google cares about
the experience if the user chooses incrementally slightly more privacy, and so
it simply gets no attention.

------
joecool1029
Title of submission should be: 'Leaving spellcheck Enabled On Chrome Is a
Privacy Risk'.

In the spirit of trying to do constructive discussion, the original post
references the long dead Signal Chrome app. The new desktop garbage they push
is a Node.js app called Signal Desktop. They use native spellchecking provided
by Node and Hunspell (even on Windows, which could use native windows API
available for 8 and newer and which probably is privacy violating)

To the best of my knowledge, Hunspell is privacy conscious software.

EDIT: Additional context, [https://github.com/electron-userland/electron-
spellchecker](https://github.com/electron-userland/electron-spellchecker) also
confirms it only uses Hunspell on windows.

~~~
lihaciudaniel
Thank you this will help anyone with paranoia of being watched.

------
SteveNuts
What about things like spotlight? If I work in healthcare and I search for
"Jane Doe medical records.txt" does part or all of that search end up hitting
a webservice somewhere?

~~~
palijer
You can use an SSL proxy/snooper to find out. I use Charles to see what is
actually happening at that level, you would be surprised (or not) at how much
stuff is sent to third parties.

[https://www.charlesproxy.com/](https://www.charlesproxy.com/)

~~~
scalableUnicon
That used to be straight forward, but now most of the apps come with
certificate pinning and for seeing through network request, toying with tools
Frida are now needed.

~~~
matheusmoreira
Can certificate pinning be defeated?

~~~
tedivm
It's not something I'd expect your average user to be able to do, but it is
possible and is regularly done for various reverse engineering purposes. The
approach I've seen involve changing what certificate is pinned to one that is
locally controlled.

That being said I don't think it's nearly as common for certificate pinning to
be present as people think- in fact it was deprecated in 2017 because it
caused so many problems. Instead things like HSTS and transparency logs are
used to prevent damage from malicious issuance of certificates, and
organizations can typically override things with their own CA.

If your software is pinned to a specific certificate (even if that certificate
is a root CA) your software won't work in many corporate environments. One of
the exact reasons mentioned- medical data- is a big driver in this. My company
has APIs used by medical companies, and they have to whitelist our service in
their firewalls because many of them MITM all traffic to ensure that PHI isn't
sent out over an unapproved service by mistake.

~~~
jtl999
> in fact it was deprecated in 2017 because it caused so many problems.
> Instead things like HSTS and transparency logs are used to prevent damage
> from malicious issuance of certificates, and organizations can typically
> override things with their own CA.

Still kinda salty that pinning was deprecated from HTTPS. It wasn't perfect
(accidental/malicious pinning was far too easy seeing how it was merely
controlled by an HTTP header), but the current alternatives (Certificate
Transparency, CAA DNS records) aren't an adequate replacement. Sure
Certificate Transparency helps to detect a misused certificate, but it doesn't
actively prevent it from being used, and CAA requires that the CA isn't
"lying" about the header through a "bug" or otherwise.

------
lynndotpy
I don't believe Signal Desktop runs as a Chrome app anymore, can anyone
confirm?

~~~
sneak
That’s correct.

~~~
Zhenya
Just an FYI, you can run it in Linux on Chromebook:

[https://support.google.com/chrome/a/answer/9025903?hl=en](https://support.google.com/chrome/a/answer/9025903?hl=en)

------
mirimir
The title ought to include "in Signal", or more generally, "in apps that use
online dictionaries". I always disable that. And it's easy to check; just test
with no uplink.

Also, misspelling is a profiling risk.

------
qwerty456127
AFAIK leaving the text translation feature enabled (even if you disable for a
particular language) is even more of a risk.

~~~
londons_explore
Text translation in Chrome doesn't send anything to Google servers unless you
actually translate a page.

It detects what language the page is written in with an entirely client side
model (which is why it's accuracy is poor).

------
gentleman11
Is this a chrome/electron only issue, or is it OS level as well? What about
Firefox?

~~~
livre
Chrome issue, you can disable it in the settings page.

------
detaro
(2016)

~~~
code_duck
Have any of the relevant issues changed since 2016?

~~~
detaro
For one, Chrome Apps for non-ChromeOS aren't a thing anymore.

Also, it's customary to add that notice on HN regardless of how timeless the
content is.

~~~
code_duck
Yes, of course the year is always there if it's not this year.

What I mean is to that this same insecurity principle could apply to other
situations.

