[Cryptography] Fast handling of IP Address changes for HTTPS

Christian Huitema huitema at huitema.net
Mon Jan 1 14:52:04 EST 2018


On 1/1/2018 11:08 AM, John Denker via cryptography wrote:

> If you are running a server (at home or otherwise),
> then in many cases the static IP is a feature not
> a bug.
>
> If you want people to be able to find your server,
> then you have to have a DNS entry that points to
> it ... and the DNS name has to be reasonably stable
> over time.

Yes. The point is that it is not very wise to use the same IP for
running a server and running a client.

>  -- If reverse-DNS is working, every script kiddie
>   can reverse your IP to find the DNS name, archive
>   the name, and use that to identify you forever.
>
>  -- Even if you think you have turned off reverse
>   DNS, if you utter the server name in public,
>   the big data companies will do a forward DNS
>   lookup, match your IP address (whether static
>   or not) and boom, all your traffic is identified.
>
>  -- et cetera.

Yes of course, you have to be worried about cookies, supercookies, and
various forms of fingerprinting. The issue there is the web model that
allows pretty much anyone to run whatever code they want in your
browser. And the protection there has more to do with ad-blockers and
tracking blockers than with network level controls.

>
> If you are serious about hiding, you need something
> /at least/ as complicated as TOR (and I'm not 100%
> sure how much I trust TOR).  Rotating your IP address
> is barely even security theater.

TOR may be great, but I would like to see privacy for the masses, not
just good hiding for the few. TOR has a built-in trade-off: hiding at
the cost of increased latency through multi-hop. This is why I like IP
address randomization: it does not affect latency or bandwidth, and
could potentially be deployed massively.

-- Christian Huitema