Sorry, just noticed that I didn't get to the IPv6 and network discovery part. Quick note on that.
IPv6 encodes the MAC address into the last 56 bits of the address. This also means that when you get a /64 range, you only get 8 usable network bits. In other words it's more or less equivalent to a /24 in IPv4. Additionally since the MAC address is now inside the IP address, it does indeed leak out of the network all the way to the servers you're visiting. Modern problems require modern solutions /s
Network discovery is something that fandroids and cryphones do, and that's where the argument for MAC randomization usually starts and actually makes sense. When you're just looking around for AP's, who cares what the MAC address is. However once connected I'd argue that the device should be using its real MAC, since connecting to some extent implies trusting that network. Solving privacy while also not fucking up networks? Revolutionary!
iiii 3900 219d
Stay offline if you don't trust the network. No other option
Well, yes, one can be concerned about privacy at Starbucks without needing them to manipulate your connection: If my device registers itself with the same MAC in different networks, the network operators of those networks could work together and extrapolate my interests and time schedule based on my time in their networks.
IPv6 has privacy extensions. Assuming DHCPv6 is not used, most if not all IPv6 clients register temporary addresses, use them for some hours and discard them.
N00bPancakes 7311 219d
There's a lot of privacy enthusiasts out there who really don't know what they're doing... lots of them download random free VPNs from app stores.
@Condor Are always an option?
In a foreign country with hell of roaming charges? In big buildings without mobile cell repeaters or indoor cells? In areas with poor coverage or freaking expensive and limited mobile contracts (e.g. Germany)?
If I don't trust the operator, I use a VPN (not those apps) or another form of encryption. SSL stripping doesn't work on most apps and there is HSTS nowadays.
Sure, some hotspots do require social login or require a mobile number, but at least they tell me. By the way, cookies on captive pages are at least on Android not stored.
@sbiewald in the EU roaming is actually abolished. Europeans can roam in other EU countries at the same rate as their regular subscription.
Big buildings and such affect any kind of wireless transmission. If you're in that building and need to use its network (because you work there or whatever), then yeah just use that. I've been in such a scenario for several years, wasn't fun and the IT guys firewalled the shit out of it. I ended up making an SSH tunnel to a friend's house, where the server was listening on port 443. Nowadays I'd make a VPN for that however, and just VPN into one of my own servers.
As I've said before, HSTS doesn't scale up properly and is the responsibility of website operators to assess whether their website is important enough to warrant an entry on the HSTS list. If you're a social media platform or a major search engine where that's warranted, you're probably already on that list however. End users on the other hand cannot affect it.
magicMirror 7367 219d
Go offline, ditch your tech, and go live on a mountain somewhere. Self-sufficient, and don't talk to anyone.
Simple as that. GL.
@Condor If you only travel inside the EU and have an EU contract with roaming enabled(!), and are only outside of your home country less than three months... then you don't have to pay an extra fee, yes.
And HSTS is only hardcoded for a very small amount of sites, any site can just announce without being in that list.
Once one accesses sites with HTTPS support over search engines or bookmarks, SSL stripping doesn't work anyway (especially the first way should be the majority of website accesses nowadays).
@sbiewald well yeah, wouldn't that account for nearly all cases where you'd use roaming (at least within the EU)? For travels longer than 3 months one should buy a SIM card in that country, and that's what the restrictions on it address. Otherwise anyone could register a SIM card from another country and use it on a completely different local network where they live. Much like with peering agreements between ASN's on the internet, I guess that mobile carriers also want to keep load proportional to each network. The restrictions on free roaming make sense to me.
I guess that on cellular availability I made the mistake of accounting for all cases. Perhaps I should've said "a lot more than WiFi is available".
Interesting note on HSTS outside of that list, I should look into that and consider whether I could enable it on my website that way. It is a useful technology but the list alone is definitely not enough. Would be nice to be able to just announce it from the site itself yeah.
Fast-Nop 33386 219d
I'm using HSTS in announce mode for my website, and a duration of two years. It's just an HTTP header.
The only hole is first time access of course, then SSL stripping might work.