There's a "Signal deanonymized" thing going around:
gist.github.com/hackermondev/4

Stay calm. Deep breaths.

👉 while this is a real consideration, the only thing the attacker gets from this is a very rough (kilometers or tens of kilometers radius) location

👉 other communication platforms that use any kind of caching CDN to deliver attachments are just as affected

👉 you almost certainly should continue to use Signal, unless you specifically know that this is a big problem for you.

Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform - research.md

@rysiek This is downplaying it way too much for my taste. Let me explain:

The rough location information is usually only available to servers. Now, even though I prefer zero trust, I would argue that trusting a messenger's server to not give away my rough location is way more reasonable than trusting the person that uploaded the data I'm downloading from the server.

**But in this case, the person that uploaded the data can extract the location I'm downloading it from.** This is big. It takes metadata to a whole different level.

I also want to quickly respond to the arguments:

That very rough radius could actually be a pretty big deal in less populated areas.

The second argument is whataboutism. (And there are definitely apps that are not affected.)

Kinda agree with the third one though.

---

If I were #Signal, I would turn off the caching mechanism for now and urge #Cloudflare to rethink their statement. The privacy protection mechanisms are clearly lacking. Cloudflare's position is simply not acceptable.

@rysiek You all remember the WebRTC "IP leak" fiasco from back then, right? Where people could be called on some messengers and before even accepting the call, your own IP would leak to the caller? (And also Natalie Silvanovich showed everyone why it's a bad idea to start the WebRTC state machine prior to accepting a call to everyone because it's a huge attack surface - googleprojectzero.blogspot.com) Pretty much everyone jumped ship back then and agreed it to be a big no no.

This attack here is pretty much the same thing without the need to even make a call. It is way more subtle and therefore even more severe IMO.

googleprojectzero.blogspot.com: Exploiting Android Messengers with WebRTC: Part 1. Posted by Natalie Silvanovich, Project Zero. This is a three-part series on exploiting messenger applications using vulnerabilities in We...
Michał "rysiek" Woźniak · 🇺🇦

@f09fa681 this attack is in no way the same. The WebRTC one was about the IP address of the target. IP address provides much, much more exact location data.

This attack only gives the attacker information on which Cloudflare datacenter had the resource cached. In other words, that the target is in the "capture area" of that datacenter.

That is orders of magnitude less exact than having an IP address of the target.

Again, you are confusing two different things, and comparing apples to oranges.

@rysiek I would question the IP address providing more precise location data **in general**.

Looking up my IP from both of my ISPs (mobile and landline) I'm getting a similarly accurate geolocation, one ~30km and one ~40km away from me. The Cloudflare airport code gives me ~30km accurate position. That's an anecdotal report for sure but possibly transferable to the general situation in Switzerland.

So what am I missing here that makes one an apple and the other an orange?

@f09fa681 that's like saying "I know I rolled a 4 on my d6 so the probability of rolling 4 on a d6 is surely higher than 1/6th."

What you're missing here is that your personal distance to nearest Cloudflare datacenter is not the same thing as the capture area of that datacenter.

If I only have your closest Cloudflare DC to go on to figure out where you are, that area is much, much bigger, than the area I have to consider if I have your IP address.
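Added illustration, not part of any post in this thread: the difference between one user's distance to their nearest datacenter and the size of that datacenter's capture area, computed on a constructed map. The coordinates, region and target point are made up, and nearest-datacenter assignment is a simplifying assumption (real anycast routing follows network topology, not straight-line distance).

```python
import math

# Constructed planar coordinates in km; these are not real Cloudflare sites.
DATACENTERS = {"A": (0, 0), "B": (300, 0), "C": (0, 400), "D": (350, 350)}
REGION = (-100, -100, 450, 500)  # x_min, y_min, x_max, y_max (constructed)
STEP = 10                        # side of one sampling cell, in km


def nearest(point, dcs=DATACENTERS):
    """Return (name, distance_km) of the datacenter closest to point."""
    name = min(dcs, key=lambda n: math.dist(point, dcs[n]))
    return name, math.dist(point, dcs[name])


def capture_areas(dcs=DATACENTERS, region=REGION, step=STEP):
    """Approximate each capture area (km^2) by assigning cell centres."""
    x_min, y_min, x_max, y_max = region
    areas = dict.fromkeys(dcs, 0.0)
    for i in range(int((x_max - x_min) / step)):
        for j in range(int((y_max - y_min) / step)):
            centre = (x_min + (i + 0.5) * step, y_min + (j + 0.5) * step)
            areas[nearest(centre, dcs)[0]] += step * step
    return areas


def equivalent_radius(area_km2):
    """Radius of a circle with the same area as the capture area."""
    return math.sqrt(area_km2 / math.pi)


def compare(target):
    """What the target measures vs. what the datacenter name alone implies."""
    name, own_distance = nearest(target)
    area = capture_areas()[name]
    return {
        "datacenter": name,
        "own_distance_km": own_distance,        # known only to the target
        "capture_area_km2": area,               # everything mapping to `name`
        "capture_radius_km": equivalent_radius(area),
    }


if __name__ == "__main__":
    # Constructed target roughly 30 km from datacenter A.
    print(compare((20, 22)))
```
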

@rysiek According to cloudflare.com/network/ there are 330 data centers, so that may make it less accurate in the general case.

The quality of data-mined locations associated to IP addresses can however result in similarly accurate or inaccurate locations (also depending on the privacy hygiene of the ISP, the user and other devices using the IP). Another anecdotal evidence: I'm sometimes supposed to be in Lausanne according to IP-based geolocation lookup which is ~180km away from me (and some websites switch to French, yay).

I'll agree it's not the same thing on a technical level, sure, but would need more data to assess whether the location quality is several orders of magnitude worse as you claim. In the end, it's similarly bad that it leaks.


@f09fa681 it is not similarly bad, because while IP address is associated with your name or ISP or even home address (for example, in case LEA is interested in you), this is very much not.

I am not going to continue to belabor that point. You made a comparison to an issue that involved IP addresses, which are generally considered personally identifiable information, for good reasons.

Cloudflare datacenter thing is not PII, also for very good reasons. You decide to dig your heels in, fine. 🤷‍♀️

@rysiek Granted, I did overlook that you can do more with an IP address to deanonymise (e.g. law enforcement) and therefore get more accurate location information in my comparison. So, I will back down on those two things being "pretty much the same thing".

Take that ability away from the attacker (so, no law enforcement access, no traffic correlation), then the rough location can be similarly revealing to get an idea on where the victim is and track them without them knowing that something fishy is going on (we had at least that when someone was calling you repeatedly).