Been wondering lately if the folks who tell us shit like "we don't log your IP" are instead keeping a hash of the IP, which a dedicated actor (like a state intelligence apparatus, or law enforcement) could probably combine with other sources to out you.
The IPv4 address space is small enough where hashing is effectively useless. Though a bigger concern IMO is DDoS mitigation services like Cloudflare. It doesn't matter if websites log or not if half of the internet is using the same reverse-proxy service.
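The point above about the size of the IPv4 space, as an added example that is not part of the thread or of any site's code: an unsalted hash of an address falls to plain enumeration, while a keyed token resists it only for parties who never held the key. The sample address, the /24 range (TEST-NET-2 documentation space), the function names and the hash rate are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets

def sha256_ip(ip: str) -> str:
    """Unsalted hash of the dotted-quad string, as a 'we only keep a hash' log might store."""
    return hashlib.sha256(ip.encode()).hexdigest()

def keyed_ip_token(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key; without the key, candidates cannot be tested."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()

def recover_ip(stored: str, network: str, digest=sha256_ip):
    """Hash every address in `network`; return the one matching `stored`, else None."""
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(digest(str(addr)), stored):
            return str(addr)
    return None

def full_ipv4_hours(hashes_per_second: float) -> float:
    """Worst-case hours to hash all 2**32 IPv4 addresses at the given rate."""
    return 2**32 / hashes_per_second / 3600

# Constructed sample data: an address from the TEST-NET-2 documentation range.
SAMPLE_IP = "198.51.100.23"
SAMPLE_NET = "198.51.100.0/24"

if __name__ == "__main__":
    stored = sha256_ip(SAMPLE_IP)
    print("unsalted hash maps back to:", recover_ip(stored, SAMPLE_NET))
    # Assumed rate of one million hashes per second (an assumption, not a measurement).
    print("full IPv4 sweep, hours:", round(full_ipv4_hours(1_000_000), 2))
    key = secrets.token_bytes(32)  # kept in memory only and deleted on rotation
    token = keyed_ip_token(SAMPLE_IP, key)
    print("keyed token, key unknown:", recover_ip(token, SAMPLE_NET))
    # Whoever still holds the key can run the same sweep, so rotation must destroy it.
    print("keyed token, key known:",
          recover_ip(token, SAMPLE_NET, lambda ip: keyed_ip_token(ip, key)))
```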
:side-eye-1: :side-eye-2:
Lol if it makes you feel any better it's basically impossible to be anonymous on the internet anymore, so we're fucked anyway
I wouldn't be a doomer about it, but it is important to understand that there will always be a man in the middle. That's literally how the Internet is designed. Your computer connects to an ISP which connects to some other ISP which connects to some other ISP (and so on) which connects to the destination of your message. Cryptography has afforded us the ability to ensure the messages aren't tampered with, but they can still be recorded and timestamped at every hop along the way.
To have real anonymity on the Internet would be like expecting to be able to mail a letter with no address written on it. You could get away with making a dead drop here and there, but not anything persistent.
Tangential, but I remember reading about a physical dead drop method neatly updated for the internet age: a fake rock that had short-range wireless communication (I forget if it was Bluetooth or Wi-Fi or what) that all you had to do to dead drop was walk past it with a keyed partner device and it would either upload or download the payload.
I think the YouTube channel The Modern Rogue did a demonstration on that.
Yeah, but ideally we'd have our DDoS protection done by someone other than the issuer of our certificate, so that they can't trivially decrypt and log any traffic.
Edit: https://hexbear.net/post/127316
Looks like there's plans to switch certificate providers.
They can't trivially decrypt and log the traffic if any cipher suite with forward secrecy is used. ECDHE is a good example.
They can and do trivially decrypt the traffic. The CF certificate is used only between the client and CF's servers, which decrypt the data.
Good thing this site is open source so we don't have to wonder.
Not everyone can read code, comrade.
Well yeah, of course. Otherwise there'd be more of us here who could build cool shit. My point is that it's all there for anyone to vet who has put in the time to learn how.
@LeninWeave linked to a good example of when we've noticed stuff and brought it to the devs / admins: https://hexbear.net/post/127316
If you've got any proof hexbear is hashing all the IPs of everyone and storing them, then please make a post about it because I think we'd all want to know.
I didn't say this?
Removed by mod
Simply epic, sir