undefined | Better HN

0 pointsilliac78611d ago0 comments

You definitely need glasses then.

Let me specify: The user must have entered his data on one site which the attacker has control of. That is a high bar still.

0 comments

overfeed10d ago

The attack surface is far larger than what you specified. Any networking equipment sotting between the client and server(s) can pick up and log IP addresses.

Knowing the online services one uses, and the times (to the millisecond) they used them goes a long way to deanonymize individuals. Correlating Internet routing events is very effective when combined with other data sources, like physical surveillance and knowing the exact times the target got home, or interacted with their phone after getting a DM alert.

illiac786OP10d ago

What’s the difference if Mullvad did not have the vulnerability described above?

UqWBcuFx6NV4r10d ago

it really isn’t.

illiac786OP10d ago

Examples?

overfeed10d ago

IP addresses are metadata - and don't require search warrants, meaning they are fair game for dragnet surveillance. Tapping into a backbone, a la Room 641A, can be used to cross-reference timestamped public posts on an anonymous message board to other data sources (e.g. subpoena Netflix for payer based of Netflix's access logs from VPN exit IPs)

j / k navigate · click thread line to collapse

0 comments

overfeed10d ago

The attack surface is far larger than what you specified. Any networking equipment sotting between the client and server(s) can pick up and log IP addresses.

illiac786OP10d ago

What’s the difference if Mullvad did not have the vulnerability described above?

UqWBcuFx6NV4r10d ago

it really isn’t.

illiac786OP10d ago

Examples?

overfeed10d ago

j / k navigate · click thread line to collapse