Hostnames

From Whonix
Jump to navigation Jump to search

Privacy Risks Posed by Hostnames

Introduction[edit]

Computers are given hostnames for a number of good reasons. For instance, this is particularly useful for computers which operate on a network, as administrators and users are then able to ping computers, remotely connect to the computer, mount computer disks, and conduct other relevant activities. Naming conventions for computers are usually left to the individual, and may either comprise random chosen selections (“MrBig”, “coffeelover”, “Qubes-WhonixRocks” etc.), or default values that comprise information such as user name, login name, and device brand / model / make.

In the case of smaller devices like smart phones, these usually have manufacturer-assigned names which are either generic (“Samsung Phone”) or completely unique (“android_f7s89f8ir78etywt”), and may contain information such as the brand name, language used, and the name of the device owner. In many cases, hostnames cannot be changed - or at least not without “rooting” the device. [1] In the case of Whonix, the hostname is always set to "host". [2] [3]

Privacy Risks[edit]

The hostname given to a user’s home computer or device can be leaked via a number of protocols, posing a privacy risk depending on the specificity of the naming convention. Vulnerable protocols which may leak the hostname include, but are not limited to: [1] [4]

Disclosure of information is particularly problematic for mobile devices, since adversaries that monitor remote networks (like Wi-Fi hotspots) are able to obtain the hostname via passive monitoring, or active probing using a variety of Internet protocols. In combination with traffic analysis, adversaries that can obtain a hostname may be able to extract information that identifies the particular device and its properties; potentially revealing unique individuals utilizing the device. [1]

Even if generic names are used for hostnames such as “pinkrose” or “linuxfan”, the possible identity of the user is narrowed significantly to a much smaller subset, particularly when combined with data on sites that are visited. This may quickly lead to user identification because hostname disclosure allows for tracking of the computer or device across many domains, and one-time exposure of the user via clearnet traffic can inform databases which link unique hostnames to user identities.

As a further example, consider an adversary that is tracking users connecting to a specific Wi-Fi hot spot in an airport. After retrieving the hostname of a particular user “ABSmith”, and observing VPN connections to the Apple corporate network, the two pieces of information reveal that Mr Smith is the owner, and is an employee of Apple.

Recommendations[edit]

Obviously a generic hostname is advisable, but in practice, there are limited other solutions available at present. One is to turn off any protocols that are not strictly necessary and which leak hostnames, particularly when insecure places are visited. This reduces the attack surface, but is impractical for certain protocols; for example, DHCP is necessary for Internet connectivity and many services depend on protocols such as mDNS. Another option is to use different hostnames for different purposes, rather than relying on a global hostname - this option is available on some OSes. Ultimately, a randomized hostname protocol is necessary to protect privacy, similar to methods utilized for MAC addresses. [1]

See Also[edit]

References[edit]

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!