Wednesday, Dec 2, 2015 4:37 AM Paul Smith wrote:
> How well does it work for other people? For me, it gives me the country
> fairly reliably, and nothing else reliably at all.

I use google maps to check the accuracy of geolocation, from my laptop, which
doesn't have GPS. At home, in a small town in a sparsely populated region,
it's accurate to about fifteen miles. In New York, it's accurate to a few
blocks. In Herndon, Virginia, it's similarly accurate. It was able to
geolocate me during my train rides to and from DC last week with about ten mile
accuracy, which is pretty impressive.

This is sufficient accuracy to tell that I'm out of town, and it's also
sufficient to give a social engineer enough information to zero in on me. If
all you know is that I'm in the U.S., finding records about me is hard; if you
know what town I live in, it's a lot easier.

> A hashed IP address will not help issues with 'tracking' people using their
> IP addresses (you just track people using the hashed address instead). The
> only thing it will prevent is someone using geolocation, which my tests
> suggest is pretty useless 99% of the time anyway...

Bear in mind that if everybody behind a particular NAT gets the same hash, and
anybody leaks the actual IP address, that leak can be used to geolocate
everybody behind that NAT. It's still worth doing the hashing, but it might
be better to do it in a way that produces a different token for each user. Or
it might not--we'd have to think about the threat model.

--
Sent from Whiteout Mail - https://whiteout.io
My PGP key: https://keys.whiteout.io/mellon(_at_)fugue(_dot_)com
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
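
The NAT point in the message above, as an added example that is not part of the original post: it compares one token per source IP with a token bound to IP and user, and reports whose address is exposed once a single user reveals their own. The keyed HMAC, the secret, the user names and the documentation-range addresses are all assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical server-side secret (assumption); a real one would be random.
SECRET = b"constructed-demo-key"


def nat_token(ip: str) -> str:
    """One token per source IP: everyone behind the same NAT shares it."""
    return hmac.new(SECRET, ip.encode(), hashlib.sha256).hexdigest()[:16]


def user_token(ip: str, user: str) -> str:
    """Token bound to IP and user: differs for each user behind one NAT."""
    msg = ip.encode() + b"\x00" + user.encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


# Constructed sample: three users behind one NAT address, one elsewhere.
SENDERS = [
    ("alice", "203.0.113.7"),
    ("bob", "203.0.113.7"),
    ("carol", "203.0.113.7"),
    ("dave", "198.51.100.20"),
]


def exposed_by_leak(scheme: str, leaker: str) -> set:
    """Users whose real IP becomes known once `leaker` discloses their own IP
    next to the token that appears in their mail headers."""
    tokens = {
        user: nat_token(ip) if scheme == "nat" else user_token(ip, user)
        for user, ip in SENDERS
    }
    leaked = tokens[leaker]
    # Anyone carrying the same token is now tied to the leaked address.
    return {user for user, tok in tokens.items() if tok == leaked}


if __name__ == "__main__":
    print("per-IP token:  ", sorted(exposed_by_leak("nat", "alice")))
    print("per-user token:", sorted(exposed_by_leak("user", "alice")))
```

The per-user token limits the damage of one leak to one person, but it also removes the ability to tell that two messages came from the same address, which is the trade-off the threat model has to settle.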