undefined | Better HN

0 pointsJackC11y ago0 comments

This is a great example -- thanks.

So, is it fair to say that there's no privacy concern if the API only exposes a one-way lookup? I.e. "here are the access points I can see -- where am I?"

That also addresses the other concern raised below, that the database could be used to search for known-vulnerable routers.

0 comments

hackuser11y ago

> is it fair to say that there's no privacy concern if the API only exposes a one-way lookup?

It helps, but no. The data is still there to use. The API or Mozilla policy may change, or security may fail.

From what I can tell, there's no need to record either the devices gathering data or the devices looking up their location. Just don't store that data and everything is fine.

JackCOP11y ago

Oh, another example that affects even the one-way lookup is stalking -- if I've been over to Joe's house before, and then he goes into hiding, I can say, "hey, I see Joe's access point, where am I?"

That could be mitigated by requiring at least two access points for a query.

hannosch11y ago

Both the Mozilla API as well as Google have this "you need to know two" protection. At Mozilla we go a bit further and also make sure the two BSSID's you are sending aren't almost identical. That happens in a lot of modern access points who are setup with separate 2.4 and 5GHz networks or those who have a guest network.

j / k navigate · click thread line to collapse