Re: [ietf-smtp] [Shutup] Proposed Charter for the "SMTP Headers Unhealth

Wednesday, Dec 2, 2015 4:37 AM Paul Smith wrote:
> How well does it work for other people? For me, it gives me the country 
> fairly reliably, and nothing else reliably at all.
I use google maps to check the accuracy of geolocation, from my laptop, which 
doesn't have GPS.   At home, in a small town in a sparsely populated region, 
it's accurate to about fifteen miles.   In New York, it's accurate to a few 
blocks.  In Herndon, Virginia, it's similarly accurate.   It was able to 
geolocate me during my train rides to and from DC last week with about ten mile 
accuracy, which is pretty impressive.

This is sufficient accuracy to tell that I'm out of town, and it's also 
sufficient to give a social engineer enough information to zero in on me.   If 
all you know is that I'm in the U.S., finding records about me is hard; if you 
know what town I live in, it's a lot easier.

> A hashed IP address will not help issues with 'tracking' people using their 
> IP addresses (you just track people using the hashed address instead). The 
> only thing it will prevent is someone using geolocation, which my tests 
> suggest is pretty useless 99% of the time anyway...
Bear in mind that if everybody behind a particular NAT gets the same hash, and 
anybody leaks the actual IP address, that leak can be used to geolocate 
everybody behind that NAT.   It's still worth doing the hashing, but it might 
be better to do it in a way that produces a different token for each user.   Or 
it might not--we'd have to think about the threat model.


--
Sent from Whiteout Mail - https://whiteout.io

My PGP key: https://keys.whiteout.io/mellon(_at_)fugue(_dot_)com

pgpy1fRN7aQks.pgp
Description: PGP signature

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp