Re: Address privacy

[Fernando Gont <fgont@si6networks.com>]

On 28/1/20 21:17, Tom Herbert wrote:
> On Tue, Jan 28, 2020 at 3:45 PM Fernando Gont <fgont@si6networks.com> wrote:
>>
>> On 28/1/20 19:45, Tom Herbert wrote:
>> [...]
>>>> I don't think you can quantify privacy. What would be the units for that?
>>>>
>>>> There's secrecy and not-secrecy. But with these things, you simply
>>>> mitigate (to some extent) the ability to correlate network activity.
>>>>
>>> Fernando,
>>>
>>> In the case of single use addresses, that is each flow gets its own
>>> addresses, the privacy effects are quantifiable. Since each flow has a
>>> different source address, no two flows or communications can be
>>> correlated to being sourced from the same user. In this case, the
>>> identifiers are not reused is used in multiple contexts, so it isn't
>>> possible to correlate seemingly unrelated activity using an
>>> identifier. When an identifier is reused for the same node, even once,
>>> then the possibility of correlations exists.
>>
>> You are not quantifying privacy: that's still qualitative description.
>>
> It is quantified. If a flow uses a unique address then the risk of
> using the address of packets in the flow to correlate to other flows
> is zero.

What are the units? And what would "1" (or for instance "100") of such 
units mean?


(for the sake of exercise, even if you were "quantifying" this in terms 
of probability, 0 would be "impossible", 1 would mean 100% chance, and 
the rest would be impossible to specify, given factors such as network 
activity patterns, different kinds of applications, etc.)


[...]
>>> It's a false sense of security. Here's a good analysis:
>>> https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
>>
>> Forcing password changes exacerbate some human aspects, and at times
>> leads to trouble. That doesn't say it doesn't have a place.
>>
>> Folks also argue that firewalls are a false sense of security. Some
>> argue the same about resistance to address-scan -- even when the #1 task
>> to hack a system is normally to find it. IMO, whatever makes the
>> attacker's life harder has a place and a use.
> 
> For things like address-scan and breaking a key, the risk of attack
> can be quantified based on existing processing capabilities needed for
> brute force attack.

I was noting that different people have different views regarding what 
is useful, and what is not. Some discourage address-scan resistance as a 
technique of "security through obscurity".



> Regardless, I still haven't seen a reasonable answer to user's obvious
> question regarding temporary address: "What should my frequency of
> address change be to ensure my privacy?"

If what you want is inability of correlation (and assuming you cannot 
correlate based on the prefix), then it's not a matter of time. It's a 
matter of addresses being bound to flows.

Any other measures depend on so many factors (network activity patterns, 
etc.) that it's virtually impossible to specify.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492