Smart observation! While it doesn’t give a precise location (~300 miles), that info can still be dangerous to certain people. A state agency with a history of going after activists and journalists (eg North Korea & Saudi Arabia) could use that info to know where to focus efforts if not at least somewhat confirm their target’s location found through other means. If anything, they could at the least find out what country their target is hiding in.
The How to Protect Yourself section doesn’t provide instructions on how to protect yourself. I guess there really isn’t a way to protect yourself if you use those services, correct? The best thing you could do is prohibit notifications and only open communication from people you trust. That seems quite limiting and keeps your vulnerability in the control of anyone that messages you anyway. The only effective way to protect yourself is to not use any communication services at all, which would then make activists and journalists ineffective.
Using a VPN should defeat the attack by having a different data center cache the media file.
Nice, just almost twice the size of my country :p
While this is definitely a great read and an interesting attack vector, I think the term „deanonymization“ is stretching it here.
As far as I can see, this attack would only let you determine which Cloudflare datacenter the target has been accessing. This would, in most cases, be one near the target, but it wouldn‘t get you a precise position or any personal information about the target. You‘d just get a pretty unreliable and very large radius of where your target might be.
Also, VPN can help with this too.
It’s kind of funny to me that Discord was (at least initially) more receptive to this than Signal was, it’s also strange that signal uses cloudflare at all when their whole thing is privacy.
indeed it is
If we can all agree on the right to free speech, includijg the right to speech that you hate and condemn, these kinds of trash and misleading headlines need to wiped off the internet.
What
Honestly for saying it deanonizes people is a bit of a fibracation. Yes theoretically a threat actor could figure out what clould flare DNS sever it is. But that really doesnt do much realistically. For example qouting the researcher “i live in new york and my closest data center is in new Jersey”. Realistically what can a hacker do with that, other than know you live somewhere near new Jersey. The threat actor would gain very little and the information they supposedly gained isnt verifiable. You live near NJ but to the threat actor they would assume you live in NJ. Which is a red hairing, and thats not even bring up VPN’s or TOR into the equations. Which 99% of journalist use all the time for amenity. So in conclusion the information they gain is about the same as saying “i may or may not be near this cloudflare server”
Jesus, that’s good work.
