George Nachman / iterm2 / Issues / #6050
Created Sep 19, 2017 by Peter van Dijk (@habbie)

Please disable 'Perform DNS lookups to check if URLs are valid?' by default

Thanks for filing an issue! Please answer the questions below so I can help you.

  • iTerm2 version: 3.0.15
  • OS version: 10.12.6
  • does not seem necessary: Attach ~/Library/Preferences/com.googlecode.iterm2.plist here (drag-drop from finder into this window)
  • does not seem necessary: Attach a debug log, if possible. Instructions at https://iterm2.com/debuglog
  • does not seem necessary: Are you reporting a performance issue or a hang? Please attach a sample. Instructions at https://gitlab.com/gnachman/iterm2/wikis/HowToSample
  • does not seem necessary: Are you reporting a crash? Please attach the crash log. Instructions at https://gitlab.com/gnachman/iterm2/wikis/crash-logs

Detailed steps to reproduce the problem:

  1. Install iTerm
  2. Hover on things that remotely resemble URLs and touch Cmd
  3. Watch iTerm leak things in plain text over DNS

What happened: iTerm sent various things (including passwords) in plain text to my ISP's DNS server

What should have happened: iTerm should not have done that

I monitored my DNS traffic for a while, and I kept noticing lookups that made no sense, for things that had been printed to my terminal. Initially I blamed bash-completion, but when I noticed it also happened for remote ssh sessions, it became obvious that iTerm2 was to blame. A coworker then found #3688 (closed) and #5303 (closed). I immediately disabled this feature.

Having this feature on by default is a terrible security and privacy risk. Please disable it by default. I personally never even noticed the blue vs. white on clickable links, which suggests (n=1) that usability will not be reduced that much by setting this feature disabled by default.

And, to stress the impact, in the act of selecting text and Cmd-C'ing it to Copy, it is very easy to trigger this for passwords (for example, when I generate them using pwgen).

Edited Sep 19, 2017 by Peter van Dijk
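
The DNS monitoring described in the report can be automated. The following is an added example, not part of the original issue or of iTerm2: it scans a dnsmasq-style query log for names that look like terminal text rather than hostnames. The log lines are constructed, and the trimmed TLD set and the pwgen-shaped heuristic are assumptions.

```python
import re

# Constructed dnsmasq-style query log (sample data, not taken from the issue).
SAMPLE_LOG = """\
Sep 19 10:01:02 dnsmasq[411]: query[A] gitlab.com from 127.0.0.1
Sep 19 10:01:05 dnsmasq[411]: query[A] eiTh7ohz from 127.0.0.1
Sep 19 10:01:09 dnsmasq[411]: query[AAAA] iterm2.com from 127.0.0.1
Sep 19 10:01:14 dnsmasq[411]: query[A] server.conf from 127.0.0.1
Sep 19 10:01:20 dnsmasq[411]: query[A] aeQu4phi.Oob9ziey from 127.0.0.1
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
# Assumption: trimmed for the example; load the full IANA TLD list in practice.
KNOWN_TLDS = {"com", "org", "net", "io"}


def password_like(label):
    """True for labels shaped like default pwgen output:
    at least 8 characters mixing lower case, upper case and digits."""
    return (len(label) >= 8
            and any(c.islower() for c in label)
            and any(c.isupper() for c in label)
            and any(c.isdigit() for c in label))


def reasons(name):
    """Return why a queried name looks like terminal text, not a hostname."""
    labels = name.rstrip(".").split(".")
    found = []
    if len(labels) == 1:
        found.append("single-label")
    elif labels[-1].lower() not in KNOWN_TLDS:
        found.append("unknown-tld")
    if any(password_like(label) for label in labels):
        found.append("password-like-label")
    return found


def flag_queries(log_text):
    """Return (name, client, reasons) for every suspicious query in the log."""
    flagged = []
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if match and reasons(match.group(2)):
            flagged.append((match.group(2), match.group(3), reasons(match.group(2))))
    return flagged


if __name__ == "__main__":
    for name, client, why in flag_queries(SAMPLE_LOG):
        print(f"{client} asked for {name!r}: {', '.join(why)}")
```

The flagged names may themselves be secrets, so the output of such a scan should be handled as sensitive data.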