IP Info was a mistake, and how digging for the source of the problem is tricky

voltra

Voltra

Posted on September 4, 2023

IP Info was a mistake, and how digging for the source of the problem is tricky

IP Info is the list of information that is publicly available from just having your IP Address (whether that be IPv4 or IPv6).

Some businesses even use that as their source of income (which I'm pretty sure is illegal).

So what can you get from an IP Address? Well just about any of the following:

  • Hostname
  • City
  • Potentially inaccurate zipcode
  • Region/State
  • Country code
  • (I hope inaccurate) latitude and longitude
  • Timezone
  • ASN info
  • Internet Service Provider info
  • Security info (such as whether you're using a VPN, Tor, a proxy, a relay, or if you're hosting a server)
  • Abuse contact info

If you ask me, none of that should be available. Or at the very least, not freely available to literally anyone.

The question that naturally comes to mind is: Why the hell is this even available in the first place?

Well, it's a bit complicated. The RFC 791: IP Protocol doesn't mention any of it. Neither does RFC 997: Internet Numbers, nor RFC 1519: CIDR, nor RFC 1531: DCHP, nor RFC 903: RARP, nor RFC 2460: IPv6.

Clearly, it's absolutely not needed for the Internet Protocol (and related stuff) to be functional.

So what's going on?

I found RFC 8805: A format for self-published geo-location feeds which explains that at least Google (sigh... not again) accepts such a format. Thus IP prefixes can have geolocation baked in those lists. But that's from 2020.

There was an abandoned RFC 1876: Location within DNS that the Investigating the Imprecision of IP Block-Based Geolocation research paper cites, and tells you that alternatives "had" to be used. So it's not in there.

What's the need?

The "need", at least as expressed in RFC 8805, is to be able to better serve content to end users. I mean sure, but that only requires one or max two pieces of info: the country and the region/state. Why the hell is the rest available? Why is it freely and openly available!?

A glimpse at the source?

Turns out that the research paper cited above has one interesting reference: An investigation of geographic mapping techniques for internet hosts.

This 2001 paper doesn't talk about how things have been done, but how things could be done. And once again, it's a case of scientists asking themselves whether they could, before asking themselves whether they should.

You think this is bad? Well I'll give you this treat for you to check out on your free time. The only thing I'll tell you is that it's from 2023...

What did we learn?

The Internet Protocol has been plagued by a lack of security that even IPSec cannot help and fix. Scientists have been very eager to help anyone get more and more information about you from simply an IP Address. Why? I guess we'll never know (spoiler: it's greed or scientific stupidity).

A simple number, used to help in information exchange, now allows people to passively get information about you. A 32 bit number, now gives you access to bytes upon bytes of data on someone.

That there is a lot of unnecessary endangerment, that should have been trivially avoided. Could there be a legal case to be made? I'd like for that to be true. If even scientists are eager to give out your privacy for free, only that could potentially fix the issue (along with making it "more" illegal I guess).

My recommendations?

  1. Never share your IP Address (duh)
  2. Never (accidentally) expose your IP Address (e.g. using any kind of P2P or direct connections)
  3. Use any masking tool at your disposal (e.g. VPN, Proxy, etc...)
  4. Tell your friends, family, etc.
πŸ’– πŸ’ͺ πŸ™… 🚩
voltra
Voltra

Posted on September 4, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related