I've had a look at France's #StopCovid application sources. The server is coded with Java/Spring Boot so I was happy to find my favorite tech stack here! Then I became quickly disappointed ⬇️
Our minister @cedric_o said that the data was stored in France's "most secured file of the Republic". I have designed and worked on many applications for the French state (healthcare, central bank, etc) so I was expecting something... different
As you can see in the source code at gitlab.inria.fr/stopcovid19/ro… this is in fact a Spring Boot application that stores the data in a MongoDB server. It's basically storing a key per user, as well as its associated contacts.
So in fact, all the data from everybody is in the same MongoDB database. I don't see anything specific to secure it (like SSL connection in the database client). And unless the government pays for the enterprise version, the data isn't encrypted at rest.
Using MongoDB means the backups are simply disk snapshots, who knows where those snapshots are stored?
For Spring Boot: I don't see anything to monitor it (like Spring Boot Actuator), so I'm guessing they monitor this using a Java agent -> all the data is therefore leaking to whatever monitoring solution they have, including the personal keys.
It would be trivial to get people's IPs when they connect, and then map all of the population contacts. In fact, you just need to turn on the Spring Boot logs, and as you can configure them from outside of the application, maybe it's already the case.
In fact, they probably did turn those logs on in order to protect the application from DDoS attacks. That's what they currently do for our official COVID form at media.interieur.gouv.fr/deplacement-co… using Incapsula, another third-party (from the US).
In a nutshell, I was expecting the "most secured file of the Republic" would be something different. I'm definitely not putting my personal data in there.
Thank you for all the comments. I’ve done a new thread today with more information ➡️
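To make the two configuration points in the thread concrete (a MongoDB client connection without TLS, and externally configurable Spring Boot logging that can end up in third-party monitoring), here is an added illustration written for this page. It is not taken from the StopCovid repository and says nothing about what that project's real configuration contains: it is a hypothetical Spring Boot `application.yml` that places a weak profile next to a hardened one. The hostname `db.example.internal`, the database name `contacts`, the profile names and the environment variable names are all placeholders.

```yaml
# Added illustration, not code from the StopCovid project. Two Spring Boot
# profiles in one application.yml (multi-document YAML, Spring Boot 2.4+).
# All hostnames, database and profile names are placeholders.

# --- Weak profile: plaintext database connection, credentials in the file,
# --- DEBUG logging everywhere, every Actuator endpoint exposed over HTTP
spring:
  config:
    activate:
      on-profile: weak-example
  data:
    mongodb:
      # No tls option: driver traffic to MongoDB is unencrypted on the wire
      uri: mongodb://app:s3cret@db.example.internal:27017/contacts
logging:
  level:
    # DEBUG copies per-request detail into whatever log sink or agent is attached
    root: DEBUG
    org.springframework.web: DEBUG
management:
  endpoints:
    web:
      exposure:
        include: "*"   # env, configprops, loggers, etc. reachable over the web

---
# --- Hardened profile: TLS to MongoDB, credentials from the environment,
# --- logging at WARN, only a detail-free health endpoint exposed
spring:
  config:
    activate:
      on-profile: hardened-example
  data:
    mongodb:
      # tls=true makes the driver negotiate TLS with the server
      uri: mongodb://db.example.internal:27017/contacts?tls=true&authSource=admin
      # Credentials are injected from the environment, not stored in this file
      username: ${MONGO_USER}
      password: ${MONGO_PASSWORD}
logging:
  level:
    root: WARN
    org.springframework.web: WARN
management:
  endpoints:
    web:
      exposure:
        include: health
  endpoint:
    health:
      show-details: never
```

Two caveats worth keeping in mind when reading this. First, `tls=true` only protects the data in transit between the application and MongoDB; encryption at rest is a separate concern (MongoDB's own encrypted storage engine or disk-level encryption on the host and its snapshots) and cannot be addressed from the application's configuration at all, which is the point the thread makes about backups. Second, because Spring Boot reads logging levels from external property sources (environment variables, command-line arguments, an external `application.yml`), a hardened file like the one above can still be overridden at runtime; a deployment checklist should therefore verify the effective logging level on the running instance, not only the committed configuration.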