www < that’s a good one.
Unless you change it all the time e.g. on every boot.
Based on your list, “host” looks good.
RMS seems to be the best host name … thumbs up if you agree
I kind of like the idea of standardizing hostname, though in a local network it can be useful to have different names for different machines.
But when say, connecting to DHCP on an untrusted WiFi network it’d ideally send something random or just a default name or nothing at all.
This is seemingly possible, and preferable in the scenario of an untrusted network. Some (rare?) DHCP servers may however require this field (as an administrative choice).
In my crowded, trusted home network, the DHCP server unfortunately only displays this field in the listing of current leases, so it is a pain when a client does not send a client-identifier (or sends a relatively meaningless client-identifier).
For Linux computers it may be possible to configure the DHCP client to remove any connection between the hostname and the client-identifier used for DHCP. As an example of where this might be needed:
The computer that I am currently sitting on has a wired interface and a wireless interface. Both interfaces are using DHCP. They show up in the DHCP lease table with the same name (i.e. nothing to distinguish which interface is which), that name being the hostname, presumably because Linux sent the hostname as the client-identifier in both DHCP requests.
I agree that it very much depends. I think this is true for all network anonymity features. E.g. changing MAC address on every connect is probably a good precaution for hotel and train networks, but not for corporate or home ones.
Looks like in network-manager that at least can be set on a connection basis with the mac-address-randomization
option.
Apparently there is a per-connection option for this, as well, ipv4.dhcp-hostname
! (and a ipv6 equivalent if you care about that) I think that would address your issue, as the wired and wireless connection are considered separate connections: https://linux-tips.com/t/customizing-dhcp-client-hostname-in-network-manager/408/2
Assuming you’re using nm, of course
I most definitely care about IPv6 but it isn’t using DHCP.
Yes, I am using nm.
Will see tomorrow whether this actually worked.
Such a fruitful discussion! Hopefully the Purism team will find this thread and take it under consideration for the next PureOS spin.
@kieran Hostname randomization is a brilliant idea! Can we just set a boot script to edit /etc/hosts everytime? I think that just getting the browser to take up the new hostname on each boot would be good progress. Is there anywhere else to modify, apart from /etc/hosts? How would it be modified – with sed or awk, cat with truncate, or custom code?
You’re right that a router could be programmed to block all destinations apart from one’s VPN servers, although as you pointed out, that’s not a portable solution. (Pocket VPNs are available, but I don’t know how practical they are or whether or not they require one to install untrusted apps.) If it’s not obvious, we should all assume that VPNs are compromised and export everything to who-knows-where, but they’re quite good at hiding one’s IP from targets. (Tor is better in this regard but has other serious drawbacks.) That said, if one’s hostname is sent to the target, then they would at least know that username X is associated with the same person as username Y even if the IP changes, absent hostname reassignment in between.
I’m not sure that (null) is a wise hostname to use. On the plus side, you might find a 0day in your IoT device by trying that. On the minus side, obviously only one device can use it at a time, and it’s probably rare (i.e.identifying) in the wild. And just in case some noob finds this thread and thinks that anonymity comes down to just IP and hostname… I suppose I should also mention that stylometry and clicking/tapping behavior are major sources of deanonymization, for starters.
“Or their open tabs.” – You don’t need to know anything about cybersecurity to see how stupid some people are.
@reC Thanks for the warning about hostname importation from EFI. That’s horrid.
@Dwaff Unique is sometimes good, sometimes bad. If all you do is visit one website, then reboot and get a new hostname, then no useful information will be conveyed by it. (You can’t say that I’m the same guy who visited the site, or some other site, yesterday. Of course this might all be compromised by some ass of a process which goes out and sends my hostname to an update server.) Your link to that list of popular hostnames is a great resource. Unfortunately, I was unable to load it, but I found it cached elsewhere. Adding to what kieran and reC mentioned, it seems to say that the most popular hostnames are, in order: “www”, “host”, “mail”, “dummy”, “ns”, and “ftp”. “www” is about 6X “host”, and on down from there. Take all this with a grain of salt because it also says that “host5” is extremely popular, so it sounds like a very biased sample. Still, those are good choices.
@vmedea If you actually need different hostnames for different devices, then random ones might work (unless you have a long uptime and reuse the same one for too many Web transactions) or otherwise “host1”, “host2”, etc., based on Dwaff’s list. More importantly, how can we set “assigned-mac-address” to “random” for wifi and/or Ethernet?
Based on that “tips” page you sent, I found that there are also “ipv4.dhcp-send-hostname” and “ipv6.dhcp-send-hostname”. Seems like one can set these to “no” and get it to just not send a hostname, but whether this covers HTTP referers as well is unclear to me, as is the overall scope of such a constraint. What do you people think?
I’m not sure I understand. How does the browser leak the hostname? When will “HTTP referers” contain the local hostname, according to you?
@vmedea It didn’t. I am wondering whether the correct nm parameter is dhcp-client-id
(not dhcp-hostname
) so I changed that one as well and we will see tomorrow.
As you can see from the side discussion that I am having with @vmedea this is a can of worms but …
The actual hostname is permanently stored in /etc/hostname
but on the other hand you can theoretically change the hostname temporarily (which may be what you want here) using the hostname
command.
The problem in the previous paragraph is that some random software might just read /etc/hostname
so there is definitely an element of trial and error.
One approach would be to change your hostname permanently to some long, random, unique, printable, valid string, then change it temporarily to another long, random, unique, printable, valid string - and then go looking for all the places on or coming out of your own computer that either string shows up. Then work out how that place got hold of the hostname.
That will give you an inventory to work on.
Only then would you go ahead and implement actual hostname randomization.
You may have to adjust /etc/hosts
as well.
As you can see from my side discussion about DHCP, that is just one of the places where the hostname can be independently configured. If you don’t use DHCP then you can bypass having to think about that but then for a portable device you more or less do want to use DHCP.
As far as I know the browser does not transmit the hostname in the User-Agent string. It does however transmit the operating system and version (which is itself bad enough) unless you take action against that.
I would like to state for the record that there is no way that I would want hostname randomization and there is no way that I would want to set the hostname to “linux” (or similar) on all hosts. I have many hosts and I need a sensible, unique name on each host. Your mileage is free to vary.
I think the popularity of “www” is bogus (and likewise some of the others). When you look at the popularity of the first label of the domain name across all hosts on the internet then domain names that are named functionally (like www, mail, ns, ftp, smtp, imap) will be popular. However the actual implementing host (even if there is only one) will probably have a real and different hostname. In other words, the domain name label (like www) is some kind of alias.
This is good practice because it allows you to shuffle the services around a set of implementing hosts without breaking clients.
Please do not use “my list” as ultimate reference. It is but one example of such a list and I did not even check if it is current or from 90’s.
@vmedea @kieran My assertion that the hostname came from the HTTP referer is based on some investigation I did for a friend. I could see, in one of the websites that he had logged into, the name of his iPhone. He certainly hadn’t submitted it manually, so I just assumed it had come from the referer via User-Agent. Maybe I’m wrong and leaked through an app or something, life if Apple just hands the device name to any old app by default.
It sounds like host1, host2, etc. is probably the best policy, unless you can get sufficient protection by disabling transmission altogether via “ipv4.dhcp-send-hostname” and “ipv6.dhcp-send-hostname” (if they even work, which might be hard to determine).
The problem with tracking down leaks via signature strings is that some of them might occur under HTTPS. Unfortunately, I’ve never bothered to log sightings of escaped hostnames, so I have no information as to where they come from, which means I have no better suggestion than signature strings.
At least, there is a fix to the rare OS name problem. PureOS should implement it by calling itself something popular like “Ubuntu”, but probably won’t, which means we need to rely on a browser plugin. This is a problem because privacy-related plugins are famous for compromising privacy (so eff.org would be a good place to look for safer ones) and using the plugin might be as rare as using the OS in the first place, or rare enough to be an anonymity problem if it induces other telltale behavioral changes. I should emphasize that I’m just trying to raise the bar for identification, not make it impossible, which even Tor doesn’t do.
@Dwaff I know but I don’t see that we have any better rough approximation of popularity rankings.
@vmedea And that didn’t work either. I need to look into that in more detail later.
The Referer
HTTP header and the User-Agent
HTTP header are two completely different things.
I just did a test of both Safari and Firefox on a spiPhone and in neither case did the User-Agent leak the name of the phone. For sure, the User-Agent leaks lots of information that would be useful to a would be intruder - but not the name of the phone. Software is fairly current - so I can’t rule out the possibility that an earlier version of iOS did leak the name of the phone via the User-Agent.
There are some cases where if the Referer is leaking anything at all then that would be a serious implementation error on the part of browser. There are other cases where the Referer might legitimately leak things that it ought not - but I didn’t test whether either browser takes steps to address that. In any case the Referer is supposed to be a valid URL, relating to the browsing, and so does not randomly leak information (unlike the User-Agent string, which can leak arbitrary information).
I can more believe that a mail client (for outgoing mail) could leak a hostname or other information that people may not intend to leak.
Either way, I suggest you look again at what really happened.
This discussion is only relevant to leaking your hostname to a DHCP server. So, where the DHCP server is your own (device at home), that shouldn’t be a concern - unless the DHCP server itself is leaking. DHCP may be more of a concern for portable devices, using untrusted DHCP servers. (Hence a mobile phone might leak the hostname to your mobile service provider - and any portable device using an employer or public WiFi might leak the hostname to the provider of the WiFi.)
I once tried to set a hostname to host
(for non-privacy related reasons: embedded systems is another area where boring and straightforward names are common). In any case, that ran into some issues, I don’t remember with which program. But yes the internal host name and the public DNS name for services are almost always different, and those stats are clearly about external names.
The only way I can see this happen is with some Apple-specific proprietary API (or indeed, an old version that leaked this in the User agent, though it makes little sense). In a far past with Java and ActiveX it was also possible. But I’d definitely see that as a serious privacy leak too !
In Linux there’s another way to prevent these kind of leaks: network namespaces allow setting up a completely different network stack for some applications. There’s also UTS namespaces that allow setting a different hostname and domain name. You could run any application that you don’t trust to not reveal this information in it. I’ve used it for steam and also browsers at times.
Sorry to hear it didn’t work I haven’t tested those network-manager settings myself, I might at some point. TBH I hardly get to connect to untrusted networks anymore since the virus….
Yes, good point. I’ve definitely seen this with mail clients. FWIW mutt has some options to control this:
set hidden_host=yes
set user_agent=no
Buut sure, having to do this for every single thing is brittle. It would be nice if there was some Linux distribution was proactive in this.
I think everyone that once accidentally shut down the wrong host over ssh would agree.
I never appreciated how broad this issue actually was. When I mentioned the “referer” stuff, I meant “the whole block of info that the browser sends along with the referer itself”, which also includes User-Agent. Sorry for the shameless abuse of terminology.
The only thing I’m certain of at this point is that I now feel less secure than when I submitted the question in the first place. I guess that happens often on this forum.
If would be real nice if PureOS and/or Cubes just had a cookie cutter solution which preempted most of these concerns. But probably no one from either group is reading this thread, or cares.
Thanks for all the info above. I’m really pleased to see all the dirty laundry being aired out in public. But for now, I have to admit that I’m sort of stumped as to what (not) to do about all of it without creating more rabbit holes. (I mean, not the literal question of which hostname to use, but the implicit followon question of how best to manage its downstream transmission.)
You are right, another HTTP header is also a possibility. It would be a really on-the-nose way for a browser to send this information, and I do know there is no standardized “local hostname” header, but nothing about Apple browsers’ peculiarities.
Yes it’s a huge can of worms
I control it using a different technique … outgoing mail server just does what I want for some headers. (Also, in the specific case of Thunderbird, there is an advanced config option to control the User-Agent.)
In fact the same approach may tame a bad web client (web browser) i.e. use an HTTP proxy server that drops or alters privacy-unfriendly HTTP headers. Won’t work for https though.
Speaking of rabbit holes, my next unread topic below this was “Librem Smart Watch?”
Which is just what the White Rabbit needed!
(It was just a coincidence, the topic will move over time and won’t be below this.)
Yea proxy-based solutions used to be the go-to way to do this, because it can act as a second layer of defense. But indeed, the security trade-off to be able to do that with HTTPS (endpoints are no longer endpoints) is just too big.
Also with most browser attacks being javascript-based nowadays, proxies can’t be that much help.
(for mail it’s still a good way though)