"There's more to it"
This is something that has been bugging me for a long time now, so <rant>.

Yesterday in one of my chats in Telegram I had a question from someone wanting to make their laptop completely bulletproof, privacy-respecting, yada yada... down to the MAC address being randomized. Now I am a networking guy... or at least I like to think I am.

So I told him: routers do not let MAC addresses leak out of the network, so the MAC address is only relevant inside the network you're in. IPv6 changes this, and there is network discovery involved with fandroids and cryphones where WiFi remains turned on as you leave the house (price of convenience, amirite?), but I'll get back to that later.

Now for a laptop, MAC address randomization isn't exactly relevant yet, I'd say... at least on something other than Windows, where your privacy is right out the window anyway. MAC randomization while Nadella does the whole assfuck, sign me up! /s

So let's assume Linux. No MAC randomization, not necessary, privacy-respecting nonetheless. MAC addresses do not leak outside of the network in traditional IPv4 networking. So what would you be worried about inside the network? A hacker inside Starbucks? This is the question I asked him, and I argued that if you don't trust the network (and with a public hotspot I personally don't) you shouldn't connect to it in the first place. And since I recall MAC randomization being discussed on the ISC's dhcp-users mailing list a few months ago (http://isc-dhcp-users.2343191.n4.nabble.com/...), I linked that in as well. These are the hardcore networking guys, on the forum of one of the granddaddies of the internet. They make BIND, which pretty much everyone uses. It's the de facto standard DNS server out there.

The reply to all of this was aimed simply at the "don't connect to it if you don't trust it" part; I guess that's all the privacy nut could argue with. And here we get to the topic of this rant. The almighty rebuttal: "there's more to it than that!1! HTTPS doesn't require trust anymore!1!"

... As if an encrypted connection to a website meant that you could connect to just about any hostile network. Are you fucking retarded? Ever heard of SSL stripping? Yeah, HSTS solves that, but only a handful of websites use it and it doesn't scale up properly, since it's pretty much a hardcoded list in web browsers. And you know what? Yes, "there's more to it"! There's more to networking than just web browsing. There are 65 THOUSAND ports available on both TCP and UDP, and there you go narrowing your understanding of networking to just 2 of them: 80 and 443. Yes, there's a lot more to it. But not exactly the kind of thing you're arguing about.

Enjoy your cheap-ass Xiaomeme phone where the "phone" part means phoning home to China, and raging about the Google apps on there. Then try to "solve" things that aren't actually problems but pretty vital network components, just because they're identifiers.


P.S. I do care a lot about privacy. My web and mail servers, for example, do not know where my visitors are coming from. All they see is some reverse proxies that they think are the whole internet. So yes, I care about my own and others' privacy. But you know... I'm old-fashioned. I like to solve problems with actual solutions.

  • 6
    Sorry, just noticed that I didn't get to the IPv6 and network discovery part. Quick note on that.

    IPv6 encodes the MAC address into the last 56 bits of the address. This also means that when you get a /64 range, you only get 8 usable network bits. In other words it's more or less equivalent to a /24 in IPv4. Additionally since the MAC address is now inside the IP address, it does indeed leak out of the network all the way to the servers you're visiting. Modern problems require modern solutions /s

    Network discovery is something that fandroids and cryphones do, and that's where the argument for MAC randomization usually starts and actually makes sense. When you're just looking around for APs, who cares what the MAC address is. However, once connected I'd argue that the device should be using its real MAC, since connecting to some extent implies trusting that network. Solving privacy while also not fucking up networks? Revolutionary!
  • 2
    Stay offline if you don't trust the network. No other option
  • 5
    Well, yes, one can be concerned about privacy at Starbucks without needing them to manipulate your connection: if my device registers itself with the same MAC in different networks, the operators of those networks could work together and extrapolate my interests and time schedule based on my time in their networks.

    About IPv6:
    IPv6 has privacy extensions. Assuming DHCPv6 is not used, most if not all IPv6 clients register temporary addresses, use them for some hours and discard them.
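The two IPv6 comments above (MAC embedded in the address, and privacy extensions avoiding that) can be checked on a real address. The following is an added example, not code from the post or its commenters: it builds the modified EUI-64 interface identifier that SLAAC derives from a MAC as specified in RFC 4291 (Appendix A), and tells apart addresses that carry a MAC from RFC 4941 temporary ones. Sample MAC and prefix are constructed.

```python
"""Added example: EUI-64 address construction and MAC-leak check (RFC 4291 / RFC 4941)."""
import ipaddress
from typing import Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """64-bit modified EUI-64 interface identifier from a 48-bit MAC:
    split the MAC in half, insert 0xFFFE, flip the universal/local bit (bit 1 of byte 0)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a SLAAC host without privacy extensions would form in a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC encoded in an EUI-64 based address, or None when the interface
    identifier lacks the ff:fe marker (e.g. an RFC 4941 temporary address).
    A random IID could contain ff:fe by chance; in practice that is negligible."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and an arbitrary MAC.
    addr = slaac_address("2001:db8::/64", "00:1b:63:84:45:e6")
    print(addr, "->", embedded_mac(str(addr)))                 # MAC recoverable by any server
    print(embedded_mac("2001:db8::a1b2:c3d4:e5f6:7a8b"))        # temporary-style address: None
```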
  • 1
    @sbiewald That is correct, but there are a million other ways that network operators could track you if they want to. Captive portals that set a cookie (could be part of their privacy policy to comply with GDPR, and you will agree because you want to use their network right?) and login with Facebook or Google come to mind. If you don't trust the network, really just don't connect to it. You've got a network that you could fire up at any time right in your pocket. Android hotspots are always an option. And with that, you are the one that owns the network. None of that fuss with privacy policies or having to figure out who maintains the network and what their intentions might be.
  • 3
    There's a lot of privacy enthusiasts out there who really don't know what they're doing.... lots of them download random free vpns from app stores.
  • 1
    @Condor Are always an option?
    In a foreign country with hell of roaming charges? In big buildings without mobile cell repeaters or indoor cells? In areas with poor coverage or freaking expensive and limited mobile contracts (e.g. Germany)?

    If I don't trust the operator, I use a VPN (not those apps) or another form of encryption. SSL stripping doesn't work on most apps and there is HSTS nowadays.
    Sure, some hotspots do require social login or a mobile number, but at least they tell me. By the way, cookies on captive pages are, at least on Android, not stored.
  • 1
    @sbiewald in the EU roaming is actually abolished. Europeans can roam in other EU countries at the same rate as their regular subscription.

    Big buildings and such affect any kind of wireless transmission. If you're in that building and need to use its network (because you work there or whatever), then yeah just use that. I've been in such a scenario for several years, wasn't fun and the IT guys firewalled the shit out of it. I ended up making an SSH tunnel to a friend's house, where the server was listening on port 443. Nowadays I'd make a VPN for that however, and just VPN into one of my own servers.

    As I've said before, HSTS doesn't scale up properly and is the responsibility of website operators to assess whether their website is important enough to warrant an entry on the HSTS list. If you're a social media platform or a major search engine where that's warranted, you're probably already on that list however. End users on the other hand cannot affect it.
  • 1
    Go offline, ditch your tech, and go live on a mountain somewhere, self-sufficient, and don't talk to anyone.

    Simple as that. GL.
  • 0
    @Condor If you only travel inside the EU and have an EU contract with roaming enabled(!), and are only outside of your home country less than three months... then you don't have to pay an extra fee, yes.

    And HSTS is only hardcoded for a very small number of sites; any site can just announce it without being in that list.
    Once one accesses sites with HTTPS support via search engines or bookmarks, SSL stripping doesn't work anyway (especially the first way should be the majority of website accesses nowadays).
  • 0
    @sbiewald well yeah, wouldn't that account for nearly all cases where you'd use roaming (at least within the EU)? For travels longer than 3 months one should buy a SIM card in that country, and that's what the restrictions on it address. Otherwise anyone could register a SIM card from another country and use it on a completely different local network where they live. Much like with peering agreements between ASNs on the internet, I guess that mobile carriers also want to keep load proportional to each network. The restrictions on free roaming make sense to me.

    I guess that on cellular availability I made the mistake of accounting for all cases. Perhaps I should've said "a lot more than WiFi is available".

    Interesting note on HSTS outside of that list, I should look into that and consider whether I could enable it on my website that way. It is a useful technology but the list alone is definitely not enough. Would be nice to be able to just announce it from the site itself yeah.
  • 1
    I'm using HSTS in announce mode for my website, and a duration of two years. It's just an HTTP header.

    The only hole is first time access of course, then SSL stripping might work.
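The "announce mode" header mentioned above is `Strict-Transport-Security`, defined in RFC 6797. The following is an added example, not code from the post or its commenters: it parses that header the way a browser must (a repeated directive or a missing numeric max-age invalidates the whole header) and reports whether the policy would qualify for the preload list. The one-year minimum and the includeSubDomains/preload requirements are the hstspreload.org submission rules as I know them and are labelled as assumptions in the code; the sample header is constructed to match the two-year duration quoted in the comment.

```python
"""Added example: parse and assess a Strict-Transport-Security header (RFC 6797)."""
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # assumed hstspreload.org minimum max-age for submission
# Constructed sample: a two-year policy, as in the comment above.
EXAMPLE_HEADER = "max-age=63072000; includeSubDomains; preload"

# token [ "=" ( quoted-string / token ) ] with optional whitespace around "="
_DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*(?:=\s*(\"(?:[^\"\\]|\\.)*\"|[^\s;]*))?\s*$")


def parse_hsts(header: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {directive_name (lower-cased): value}, or None if the header is malformed,
    lacks a numeric max-age, or repeats a directive (RFC 6797 section 6.1 says a UA
    must then ignore the entire header)."""
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        if part.strip() == "":
            continue  # the grammar allows empty elements, e.g. a trailing ';'
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if name in directives:
            return None  # duplicate directive: whole header is invalid
        if value is not None and value.startswith('"'):
            value = value[1:-1]  # unwrap a quoted-string value
        directives[name] = value
    if not (directives.get("max-age") or "").isdigit():
        return None
    return directives


def assess_hsts(header: str) -> List[str]:
    """Findings about the policy; an empty list means it meets the assumed preload bar."""
    d = parse_hsts(header)
    if d is None:
        return ["header malformed or missing a numeric max-age: browsers will ignore it"]
    findings = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the host's HSTS entry")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age}s is below the assumed one-year preload minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains remain strippable")
    if "preload" not in d:
        findings.append("preload absent: the site cannot be submitted to the built-in list")
    return findings
```

Note that none of this closes the first-visit hole the comment mentions; only a preload-list entry does, which is why the preload directive is part of the check.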