Please disable 'Perform DNS lookups to check if URLs are valid?' by default
Thanks for filing an issue! Please answer the questions below so I can help you.
- iTerm2 version: 3.0.15
- OS version: 10.12.6
- does not seem necessary: Attach ~/Library/Preferences/com.googlecode.iterm2.plist here (drag-drop from finder into this window)
- does not seem necessary: Attach a debug log, if possible. Instructions at https://iterm2.com/debuglog
- does not seem necessary: Are you reporting a performance issue or a hang? Please attach a sample. Instructions at https://gitlab.com/gnachman/iterm2/wikis/HowToSample
- does not seem necessary: Are you reporting a crash? Please attach the crash log. Instructions at https://gitlab.com/gnachman/iterm2/wikis/crash-logs
Detailed steps to reproduce the problem:
- Install iTerm
- Hover on things that remotely resemble URLs and touch Cmd
- Watch iTerm leak things in plain text over DNS
What happened: iTerm sent various things (including passwords) in plain text to my ISP's DNS server
What should have happened: iTerm should not have done that
I monitored my DNS traffic for a while, and I kept noticing lookups that made no sense, for things that had been printed to my terminal. Initially I blamed bash-completion, but when I noticed it also happened for remote ssh sessions, it became obvious that iTerm2 was to blame. A coworker then found #3688 (closed) and #5303 (closed). I immediately disabled this feature.
Having this feature on by default is a terrible security and privacy risk. Please disable it by default. I personally never even noticed the blue vs. white on clickable links, which suggests (n=1) that usability will not be reduced that much by setting this feature disabled by default.
And, to stress the impact, in the act of selecting text and Cmd-C'ing it to Copy, it is very easy to trigger this for passwords (for example, when I generate them using pwgen).