search

uazo / bromite-buildtools

my build machine for bromite development
GNU General Public License v3.0
331 stars 10 forks source link

Bind timezone to ip address #245

Open NearestWater262 opened 1 year ago

NearestWater262 commented 1 year ago

I love that you have continued the bromite torch. The fingerprint measure are impeccable as well, better than brave and much more effective.

Can you provide an option to match time zone to IP? because otherwise it renders a VPN to be semi-useless. check out the Vytal extension for relavent code.

uazo commented 1 year ago

the issue is interesting but need to use external service (so privacy issue), because only an external server can indicate the device's outgoing IP

it seems to be possible to extract it from a dns call

dig +short myip.opendns.com @resolver1.opendns.com

some code in chromium:

some ip to location list

but I would be interested to know how often device's IP changes and if so, to be notified so that can delete everything.

to be better evaluated

because otherwise it renders a VPN to be semi-useless.

I don't really agree, why do you say that?

check out the Vytal extension for relavent code.

what is it? where can I find it?

PF4Public commented 1 year ago

@NearestWater262 Why do you insist on binding to IP? Won't random timezone do the trick?

NearestWater262 commented 1 year ago

@PF4Public I guess, but the mismatching IP/timezone is a red flag and doesnt look "Normal". if you go on Fingerprint.com they talk about this also, how they use this to catch people they dont want avoiding fingerprints.

@uazo please see here https://github.com/vytal-io/vytal-extension/blob/master/src/utils/getReverseGeocoding.ts looks like they use openstreetmap

in the end, if you have to make an outgoing connection on startup, you could have it off by default, but it's so useful, it's definitely worth it. and Vytal has already written the code.

why you say that?

not having this renders the VPN useless because if I am in Europe, and my phone is set to CET (European Central Time), but I have an Asian IP address, they are gonna at least guess i am in the CET time zone actually. And it really stands out as something unique: guy with Asian IP and Europe timezone

only other that you could do maybe is set all to UTC, and join the UTC crowd with tor and mullvad browser people, but you would be the only Chromium based browser like this :P so maybe not good.

uazo commented 1 year ago

is a red flag and doesnt look "Normal"

nothing in this browser can be defined as normal. :) I wouldn't worry about the fake timezone...

if you go on Fingerprint.com they talk about this also, how they use this to catch people they dont want avoiding fingerprints.

yes, I had read it. in fact, I have read so many documents on the subject, so many that my ideas are more confused than before.

looks like they use openstreetmap

yes, i finally found it, but i still haven't read its privacy policy. have you? can you give us a summary?

And it really stands out as something unique: guy with Asian IP and Europe timezone

hypothesis, where is the data to prove it? think of the opposite, if everyone uses vpn with chrome, the output ip of the vpn has everything but the real timezone of that area... so far only google has them, and they are careful not to make them public. although theoretically we could build them too... carl was firmly against it, but i'm thinking about it..

NearestWater262 commented 1 year ago

@uazo okay so I made a mistake. They are using ip-api.com for the timezone info.

https://github.com/vytal-io/vytal-extension/blob/master/src/utils/getIp.ts

the privacy policy for them is actually really good and extremely simple. They don't keep a log of the client's IP after 1 min

https://ip-api.com/docs/legal

hypothesis, where is the data to prove it? think of the opposite, if everyone uses vpn with chrome, the output ip of the vpn has everything but the real timezone of that area...

If someone uses an VPN IP, and the time zone is different, then someone's general location can be inferred. It's not only weird/unique behavior, but it is also de-anonymizing.

uazo commented 1 year ago

the privacy policy for them is actually really good and extremely simple

Yes, I have read it, but I don't like that the entity that runs it is not exposed. I don't think I will ever use it.

If someone uses an VPN IP, and the time zone is different, then someone's general location can be inferred.

so let me understand by talking about weird behavior, do you also change the language of your browser? how many people actually do that? I realize you're talking about android and it doesn't apply, but do you also change the system keyboard? and the speech synthesis, do you put the default in the language of the ip zone? and the fonts, do you add those particular to that zone?

my belief is that tor's attitude is the best, which is to flatten the differences, to make the browser not adapt to the device nor to the ip, to anything. everyone should behave the same way all the time. But I have no evidence to prove it.

in any case, regarding your request, I will do something with it (sooner or later :)

NearestWater262 commented 1 year ago

Yeah I know.. It's difficult :/ well, i think it should be an option still. It's a big data point. But you are the developer of course.