Hacker News
by talent_deprived 977 days ago
Actually, it is. Try the test for yourself in your home over a 30 day period. Drop IPv6 at the router and in your main PC and devices by disabling it. At the end of that 30 days, it will become clear that ad companies were using IPv6 to track people in the household when ads for things completely unrelated to their interests and related to the other members of the household start showing on each other's PCs and devices.

That's impossible if the devices have privacy extensions enabled, which is the default on all major OSes. My house has a /64 IPv6 prefix. Inside that, the computer I'm writing this on has 8 temporary IPv6 addresses it's using at this moment. An ad company can no more track my individual computer inside my house than it could your computer inside yours. The only difference is that your network is a black box behind public IP 1.2.3.4, and mine is a black box behind public prefix abcd:ef01:2345:6789::/64. (Well, I use IPv4, too, but for the sake of this discussion...)

> That's impossible if the devices have privacy extensions enabled

Wrong. Try what I said. It was recent enough the results are reproducible.

> An ad company can no more track my individual computer inside my house than it could your computer inside yours.

Yes, they can, and my testing showed me they do:

https://johannaullrich.eu/assets/papers/ullrich2015_raid.pdf

> Wrong. Try what I said. It was recent enough the results are reproducible.

Nope. What really happened is that an ad company might have started collecting information about your IPv6 prefix, precisely like they might store information about your IPv4 address. That's all the information they can reconstruct about the hosts inside your LAN.

The paper you linked showed that if a host uses the method for generating pseudorandom addresses described in RFC 4941 instead of using a completely random one, and if the attacker has a complete history of your generated pseudorandom addresses, and if the attacker has successfully defeated MD5 on a practical time scale, then it's possible that they could guess your future pseudorandom address.

In practice, most OSes generate truly random addresses, and an advertiser doesn't have your complete history of generated addresses, and the advertiser wouldn't spend all those resources to track you specifically anyway. In other words, that 8-year-old paper isn't relevant to the situation today.
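
Added illustration (not code from the thread, the linked paper, or any OS): the two ways of producing a temporary interface identifier that the comments above contrast, the RFC 4941 section 3.2.1 MD5 chain and a fully random value, plus what a remote server can group on. The prefix, MAC address and seed are constructed sample values.

```python
import hashlib
import ipaddress
import secrets

# Constructed sample /64 from the IPv6 documentation range.
PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")

def eui64_iid(mac):
    """Modified EUI-64 interface identifier derived from a MAC address."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02  # invert the universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])

def rfc4941_step(history, eui64):
    """One RFC 4941 iteration: returns (temporary IID, next history value)."""
    digest = hashlib.md5(history + eui64).digest()
    iid = bytearray(digest[:8])   # leftmost 64 bits become the identifier
    iid[0] &= 0xFD                # clear bit 6 (universal/local) per the RFC
    return bytes(iid), digest[8:] # rightmost 64 bits seed the next round

def random_iid():
    """Fully random identifier: no history value, nothing carried forward."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)

def address(iid):
    """Combine the /64 prefix with a 64-bit interface identifier."""
    return ipaddress.IPv6Address(
        int(PREFIX.network_address) | int.from_bytes(iid, "big"))

def chained_addresses(mac, seed, count):
    """Successive temporary addresses from the MD5 chain, given a seed."""
    history, eui, out = seed, eui64_iid(mac), []
    for _ in range(count):
        iid, history = rfc4941_step(history, eui)
        out.append(address(iid))
    return out

def observer_view(addrs):
    """The /64 networks a remote server sees across a set of addresses."""
    return {ipaddress.IPv6Network((int(a) >> 64 << 64, 64)) for a in addrs}

if __name__ == "__main__":
    chained = chained_addresses("00:11:22:33:44:55", b"\x00" * 8, 3)
    rand = [address(random_iid()) for _ in range(3)]
    for a in chained + rand:
        print(a)
    print("stable part seen remotely:", observer_view(chained + rand))
```

Both methods change the low 64 bits on every rotation; the only value common to all six addresses is the /64 prefix.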