I think the popularity of “www” is bogus (and likewise some of the others). When you look at the popularity of the first label of the domain name across all hosts on the internet then domain names that are named functionally (like www, mail, ns, ftp, smtp, imap) will be popular. However the actual implementing host (even if there is only one) will probably have a real and different hostname. In other words, the domain name label (like www) is some kind of alias.
This is good practice because it allows you to shuffle the services around a set of implementing hosts without breaking clients.
@vmedea @kieran My assertion that the hostname came from the HTTP referer is based on some investigation I did for a friend. I could see, in one of the websites that he had logged into, the name of his iPhone. He certainly hadn’t submitted it manually, so I just assumed it had come from the referer via User-Agent. Maybe I’m wrong and it leaked through an app or something, like if Apple just hands the device name to any old app by default.
It sounds like host1, host2, etc. is probably the best policy, unless you can get sufficient protection by disabling transmission altogether via “ipv4.dhcp-send-hostname” and “ipv6.dhcp-send-hostname” (if they even work, which might be hard to determine).
The problem with tracking down leaks via signature strings is that some of them might occur under HTTPS. Unfortunately, I’ve never bothered to log sightings of escaped hostnames, so I have no information as to where they come from, which means I have no better suggestion than signature strings.
At least, there is a fix to the rare OS name problem. PureOS should implement it by calling itself something popular like “Ubuntu”, but probably won’t, which means we need to rely on a browser plugin. This is a problem because privacy-related plugins are famous for compromising privacy (so eff.org would be a good place to look for safer ones) and using the plugin might be as rare as using the OS in the first place, or rare enough to be an anonymity problem if it induces other telltale behavioral changes. I should emphasize that I’m just trying to raise the bar for identification, not make it impossible, which even Tor doesn’t do.
@Dwaff I know but I don’t see that we have any better rough approximation of popularity rankings.
@vmedea And that didn’t work either. I need to look into that in more detail later.
The Referer HTTP header and the User-Agent HTTP header are two completely different things.
I just did a test of both Safari and Firefox on a spiPhone and in neither case did the User-Agent leak the name of the phone. For sure, the User-Agent leaks lots of information that would be useful to a would-be intruder - but not the name of the phone. Software is fairly current - so I can’t rule out the possibility that an earlier version of iOS did leak the name of the phone via the User-Agent.
There are some cases where if the Referer is leaking anything at all then that would be a serious implementation error on the part of browser. There are other cases where the Referer might legitimately leak things that it ought not - but I didn’t test whether either browser takes steps to address that. In any case the Referer is supposed to be a valid URL, relating to the browsing, and so does not randomly leak information (unlike the User-Agent string, which can leak arbitrary information).
I can more believe that a mail client (for outgoing mail) could leak a hostname or other information that people may not intend to leak.
Either way, I suggest you look again at what really happened.
This discussion is only relevant to leaking your hostname to a DHCP server. So, where the DHCP server is your own (device at home), that shouldn’t be a concern - unless the DHCP server itself is leaking. DHCP may be more of a concern for portable devices, using untrusted DHCP servers. (Hence a mobile phone might leak the hostname to your mobile service provider - and any portable device using an employer or public WiFi might leak the hostname to the provider of the WiFi.)
I once tried to set a hostname to host (for non-privacy related reasons: embedded systems is another area where boring and straightforward names are common). In any case, that ran into some issues, I don’t remember with which program. But yes the internal host name and the public DNS name for services are almost always different, and those stats are clearly about external names.
The only way I can see this happen is with some Apple-specific proprietary API (or indeed, an old version that leaked this in the User agent, though it makes little sense). In a far past with Java and ActiveX it was also possible. But I’d definitely see that as a serious privacy leak too!
In Linux there’s another way to prevent this kind of leak: network namespaces allow setting up a completely different network stack for some applications. There’s also UTS namespaces that allow setting a different hostname and domain name. You could run any application that you don’t trust to not reveal this information in it. I’ve used it for Steam and also browsers at times.
Sorry to hear it didn’t work. I haven’t tested those network-manager settings myself, I might at some point. TBH I hardly get to connect to untrusted networks anymore since the virus….
Yes, good point. I’ve definitely seen this with mail clients. FWIW mutt has some options to control this:
set hidden_host=yes
set user_agent=no
But sure, having to do this for every single thing is brittle. It would be nice if some Linux distribution was proactive in this.
I think everyone that once accidentally shut down the wrong host over ssh would agree.
I never appreciated how broad this issue actually was. When I mentioned the “referer” stuff, I meant “the whole block of info that the browser sends along with the referer itself”, which also includes User-Agent. Sorry for the shameless abuse of terminology.
The only thing I’m certain of at this point is that I now feel less secure than when I submitted the question in the first place. I guess that happens often on this forum.
It would be real nice if PureOS and/or Qubes just had a cookie cutter solution which preempted most of these concerns. But probably no one from either group is reading this thread, or cares.
Thanks for all the info above. I’m really pleased to see all the dirty laundry being aired out in public. But for now, I have to admit that I’m sort of stumped as to what (not) to do about all of it without creating more rabbit holes. (I mean, not the literal question of which hostname to use, but the implicit follow-on question of how best to manage its downstream transmission.)
You are right, another HTTP header is also a possibility. It would be a really on-the-nose way for a browser to send this information, and I do know there is no standardized “local hostname” header, but nothing about Apple browsers’ peculiarities.
I control it using a different technique … outgoing mail server just does what I want for some headers. (Also, in the specific case of Thunderbird, there is an advanced config option to control the User-Agent.)
In fact the same approach may tame a bad web client (web browser) i.e. use an HTTP proxy server that drops or alters privacy-unfriendly HTTP headers. Won’t work for https though.
Yea proxy-based solutions used to be the go-to way to do this, because it can act as a second layer of defense. But indeed, the security trade-off to be able to do that with HTTPS (endpoints are no longer endpoints) is just too big.
Also with most browser attacks being javascript-based nowadays, proxies can’t be that much help.
(for mail it’s still a good way though)
on ubuntu you can set the host name to be a single character name so they have an easier time fingerprinting you and YOU have an easier time reading the prompt WHILE also being MORE space efficient (you can never have enough screen-real-estate on a 128x32 terminal window)
Yes lots of options. I have a different prompt color combination for every host and tend to distinguish them mostly by that. In the past I used konsole, in which it was possible to set a different tab icon with an escape sequence, which also made hosts very distinguishable. Nowadays one could use an emoji I guess.
Well, it has taken a while for me to get back to this. I had unrelated problems with my WiFi that were more urgent and which prevented testing.
This is now working. In the DHCP Lease Table on the router, the WiFi is now listed using the user-specified string. (I don’t know whether something changed in the operating system or I stuffed up the change or something changed in the router or combination thereof.)
Unfortunately I have changed both dhcp-hostname and dhcp-client-id (to the same string) so I don’t know which one worked.
So … tying this back to the original topic … yes, if you have a portable device that you use with untrusted access points, you should override the default behavior in this regard.
If you are randomizing the hostname then it probably doesn’t matter too much, but the truly paranoid would also randomize the hostname sent in DHCP requests and ensure that the overridden string is sent (rather than the system hostname) or ensure that no hostname is sent in DHCP requests.
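One way to confirm what a machine actually puts in its DHCP request, as an added example that is not part of the thread: the parser below reads the options of a DHCPv4 message and reports the hostname (option 12), the client identifier (option 61), and whether the real system hostname appears in any option. The function names, the sample names "alices-laptop" and "host1", the MAC address and the three sample messages are constructed for illustration.

```python
import struct

BOOTP_LEN, COOKIE = 236, b"\x63\x82\x53\x63"   # fixed BOOTP header, DHCP magic cookie
PAD, END, HOSTNAME, MSG_TYPE, CLIENT_ID = 0, 255, 12, 53, 61

def parse_options(payload: bytes) -> dict:
    """Return {option code: value bytes} for a DHCPv4 message (the UDP payload)."""
    if payload[BOOTP_LEN:BOOTP_LEN + 4] != COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, BOOTP_LEN + 4
    while i < len(payload) and payload[i] != END:
        if payload[i] == PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value   # repeated options are concatenated
        i += 2 + length
    return opts

def identity_report(payload: bytes, system_hostname: str) -> dict:
    """What the lease request tells the DHCP server about this machine's name."""
    opts = parse_options(payload)
    needle = system_hostname.lower().encode()
    return {
        "hostname": opts[HOSTNAME].decode("ascii", "replace") if HOSTNAME in opts else None,
        "client_id": opts.get(CLIENT_ID, b"").hex() or None,
        # True if the real hostname shows up in any option, not only option 12
        "system_hostname_sent": bool(needle) and any(needle in v.lower() for v in opts.values()),
    }

def opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

def build_discover(options: bytes) -> bytes:
    """Constructed DHCPDISCOVER: made-up xid and a locally administered MAC."""
    header = struct.pack("!4BIHH16s16s64s128s", 1, 1, 6, 0, 0x1234ABCD, 0, 0,
                         b"", bytes.fromhex("02aabbccddee"), b"", b"")
    return header + COOKIE + opt(MSG_TYPE, b"\x01") + options + bytes([END])

# Constructed samples: default behaviour, an overridden name, and no hostname option.
DEFAULT = build_discover(opt(HOSTNAME, b"alices-laptop") + opt(CLIENT_ID, bytes.fromhex("0102aabbccddee")))
OVERRIDDEN = build_discover(opt(HOSTNAME, b"host1") + opt(CLIENT_ID, b"\x00host1"))
SILENT = build_discover(opt(CLIENT_ID, b"\x00host1"))
```

To check a real machine, pass the UDP payload of a captured request (client port 68 to server port 67) to `identity_report` together with the system hostname.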
Necroposting, but I was looking in to this very issue and found this:
or
gg6zxtreajiijztyy5g6bt5o6l3qu32nrg7eulyemlhxwwl6enk6ghad.onion/RightToPrivacy/WiPri/
I am hesitant to use it without it being more widely used (or audited), or (god forbid) understanding how it works myself. But perhaps it’s a place for someone else to start.
I think that choosing “localhost” out-of-the-box will fail badly. Whether the installer even lets you do that, I don’t know (because Librem 5 devices arrive with the hostname already chosen and no installer to run).