On 10/09/13 04:14, Brian Smith wrote: > There is friction in changing SSIDs as it affects every device that > would connect to that network. There will also probably not be much > awareness among users of when/why/how to do this or what effect it > will have. So, I think this is an aspect that sounds great in > theory, but in practice will nearly never be used.
When I moved house, I changed my SSID from "99FooStreet" to "88BarAvenue". I name the SSID like this so people know whose network it is. Perhaps I'm unusual, but I'm sure I'm not unique. > Even if you use AES256 with a random, thrown-away key, the data will > be subject to reverse engineering. For example, one could correlate > a subset of the data with a separate database of known > (MAC,SSID,Location) triples, and/or attempt "traffic analysis" to > see relationships in how (MAC,SSID) pairs interact with each other > with respect to location. You have probably heard of the Netflix > Prize privacy issues [1]; this is a very similar problem to the > Netflix prize. Can you explain how? Say I have: <HASH1> => LAT1, LONG1 <HASH2> => LAT2, LONG2 from the published database, where the two LAT/LONGs are nearby. If I guess some possible SSIDs, I could work out some possible MAC addresses for AP 1 and AP 2. I could even validate them and find they are correct by submitting them to the web service and seeing if it returned a location (let's say one is "linksys" and the other is "BTHomeHub"). And the service gives me back... the location I already know. Ta da. Where's the privacy issue? Gerv _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
