On Sun, 2007-09-09 at 20:05 -0700, David Barrett wrote: > c. Bringing these together: when you resolve my domain using an > encoded IP:port "backchannel", my dynamic DNS provider notifies me via > the persistent TCP connection, basically saying "hey, somebody at > xxx.yyy.zzz.www:port just resolved your name; you might want to try to > connect to it so he can get through your NAT".
Using DNS as the wire protocol is a bit unsettling. Particularly because DNS has no access control mechanism -- so basically as long as your laptop is running the P2P app and I have yours unique name (*.foo.quinthar.com), I can geolocate your IP address find out where you go on a day-to-day hour-by-hour basis even before your P2P app has a chance to enforce access control policy [1]. If the backchannel is two-way ( Jabber/SIP are, DNS is not) then you can authenticate the query source before revealing your IP. [1] Identity Trail: Covert Surveillance Using DNS http://petsymposium.org/2007/papers/PET2007_preproc_Identity_trail.pdf -- Saikat
signature.asc
Description: This is a digitally signed message part
_______________________________________________ p2p-hackers mailing list [email protected] http://lists.zooko.com/mailman/listinfo/p2p-hackers
