Privacy policy for Tux Paint; ideas?

Bill Kendrick nbs at sonic.net
Tue Dec 15 06:52:43 UTC 2020


On Mon, Dec 14, 2020 at 07:08:27PM -0200, Jesusalva TMW wrote:
>    Hello Bill,
>    The only "glaringly wrong" thing I've noticed on the policy, would be the
>    gallery page – You might want to detail a bit on gallery entries, e.g. Can
>    the drawings be anonymous? Do you store something else besides name and
>    drawing? Etc.

Thanks very much for pointing this out.  That _was_ glaring!


>    You also forgot to mention Facebook (widget at left, on the navigation
>    bar). It seems to store cookies and trackers as well.

My feelings toward Facebook have taken a dive lately; I've gone ahead
and just removed that JavaScript-based widget. :-P


>    You should also inform the country where data is processed, iirc? I
>    remember a lot of problems involving Google and Facebook in that regard.
>    I'm not so up to date as I should be, I guess.

I'll see what I can sort out regarding this.
I'm currently basically _the_ sole person behind
the social media and website maintenance, but one day
I hope to get some help (so if I ever get hit by a bus,
it doesn't just fall apart :) )

That said, I laugh at the term "data processing" here,
considering what little is done on the site.  That said,
I recall that it's a _very_ broadly-defined term. :)


>    Other than that, I advise giving a quick look at gdpr.eu/checklist , it
>    was very helpful for me, and might be helpful for you as well.

Thanks, I'll take a look.


>    Unrelated: You might want to consider using Let's Encrypt to add HTTPS
>    support to the website as well.

I started looking into that, but had difficulty, and never
looked back into it / searched for help.

The main concerns _I_ have about it being HTTP is any
MitM attacks that some hackers might bother trying for
whatever reason, or ISPs snooping around or injecting junk in
the site.  The very basics, in other words.  Again, since there's
no concept of 'accounts' on the site, there's nothing to protect,
in that sense.


>    Failing that, Cloudflare can also cover
>    the requests if you add a self signed certificate to your Apache
>    installation. Your Apache seems severely outdated and not using
>    mod_security either, the /css/ folder has directory listing, and your
>    website might be vulnerable to XSS attacks. My browser was weeping a bit
>    about that, thought I would let you know.

Thanks for mentioning this.  I don't think about these much on a
site like this -- again, because there's no concept of accounts,
and no possibility for visitors to store information directly,
or retrieve it later.

However, it's obviously embarrassing if someone could point
to tuxpaint.org/some/path/to/page.php?arg=XSS_script_to_show_bad_stuff :)

I've found some XSS analysis tools online, and already caught one
place where I should be sanitizing user input.  (Where in this case,
the "user" would be a nefarious link that someone constructs,
which some victim may click, and get a surprise.)


>    Lighthouse also complained about unused JavaScript, the language selection
>    not having a label for screenreaders, and lack of DOCTYPE.

I had not come across this before, and will check it out now.  Thanks! :)


>    TL;DR You might want to revise the whole website if you get time, these
>    problems might really hurt SEO performance and expose the server to
>    attacks – A problem if you happen to have sensitive information on it!

Indeed!  (Fortunately, I do not :) ... but still!)


Thanks very much!  I've already updated the draft Privacy Policy,
while composing my reply, BTW. :)

  http://tuxpaint.org/privacy/

-- 
-bill!
Sent from my computer

