2015-12-02 08:03:41
Wednesday, Dec 2, 2015 4:37 AM Paul Smith wrote:
> How well does it work for other people? For me, it gives me the country
> fairly reliably, and nothing else reliably at all.

I use Google Maps to check the accuracy of geolocation, from my laptop, which
doesn't have GPS. At home, in a small town in a sparsely populated region,
it's accurate to about fifteen miles. In New York, it's accurate to a few
blocks. In Herndon, Virginia, it's similarly accurate. It was able to
geolocate me during my train rides to and from DC last week with about ten-mile
accuracy, which is pretty impressive.

This is sufficient accuracy to tell that I'm out of town, and it's also 
sufficient to give a social engineer enough information to zero in on me.   If 
all you know is that I'm in the U.S., finding records about me is hard; if you 
know what town I live in, it's a lot easier.

> A hashed IP address will not help issues with 'tracking' people using their
> IP addresses (you just track people using the hashed address instead). The
> only thing it will prevent is someone using geolocation, which my tests
> suggest is pretty useless 99% of the time anyway...

Bear in mind that if everybody behind a particular NAT gets the same hash, and 
anybody leaks the actual IP address, that leak can be used to geolocate 
everybody behind that NAT.   It's still worth doing the hashing, but it might 
be better to do it in a way that produces a different token for each user.   Or 
it might not--we'd have to think about the threat model.
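
The NAT point above as an added example, not part of the original message: a plain hash gives every user behind one NAT the same token, while a keyed hash over user and address gives each user a different one. The user names, addresses, server key and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: three hypothetical users, two behind the same NAT.
SESSIONS = [
    ("alice", "203.0.113.7"),
    ("bob", "203.0.113.7"),
    ("carol", "198.51.100.23"),
]

# Assumption: a secret known only to the server that produces the tokens.
SERVER_KEY = b"constructed-demo-key"


def plain_token(user: str, ip: str) -> str:
    """Unkeyed hash of the address; the user name is ignored on purpose."""
    return hashlib.sha256(ip.encode()).hexdigest()[:16]


def per_user_token(user: str, ip: str) -> str:
    """Keyed hash over user and address: differs per user, stable per user."""
    msg = user.encode() + b"\x00" + ip.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:16]


def exposed_by_leak(leaked_user: str, token_of) -> list:
    """Other users whose token equals the leaked user's token.

    If the leaked user's real address becomes known, it applies to
    everyone returned here as well.
    """
    tokens = {user: token_of(user, ip) for user, ip in SESSIONS}
    target = tokens[leaked_user]
    return sorted(u for u, t in tokens.items() if t == target and u != leaked_user)


if __name__ == "__main__":
    print("plain hash, alice leaks:   ", exposed_by_leak("alice", plain_token))
    print("per-user HMAC, alice leaks:", exposed_by_leak("alice", per_user_token))
    # The per-user token is still a stable identifier for that user,
    # so it removes the shared-NAT exposure but not tracking by token.
    print("alice token stable:", per_user_token("alice", "203.0.113.7")
          == per_user_token("alice", "203.0.113.7"))
```
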

