If you must give your devices names, please don't leak them on the Internet.
That's the advice of one Internet Architecture Board (IAB) member, a former chair of the organisation and a German computer science academic. In an IETF RFC entitled Current Hostname Practice Considered Harmful, the trio (Christian Huitema, a former IAB chair; current IAB member Dave Thaler; and Rolf Winter of the Augsburg University of Applied Sciences) argue that too many 'net protocols leak sufficient information to make hostnames a privacy risk.
The “informational” RFC (meaning it's not on the standards track) fits in the context of the IAB's and IETF's long work to make privacy the default stance of the Internet.
“Hang on!” cry the old-timers, “a hostname and a suffix are the basis of a Fully Qualified Domain Name! How can we properly locate myhost.example.com in the DNS without names?”
It's not DNS naming that the paper proposes replacing, but rather, all the other ways people use names that can leak. As they explain, “it is common practice to use the hostname without further qualification in a variety of applications from file sharing to network management. Hostnames are typically published as part of domain names and can be obtained through a variety of name lookup and discovery protocols.”
Think instead of a device that might interest a spook – “Donald's_Samsung_S3” or “Kellyanne's_Microwave_Oven”. If those names leak to the Internet, it makes surveillance significantly easier.
Moreover, the phone carries that name with its owner, and as long as the WiFi is on, it advertises itself, meaning an attacker “can correlate the hostname with various other information extracted from traffic analysis and other information sources, and they can potentially identify the device, device properties, and its user”.
If you call your phone or your favourite cattle servers Mirkwood, you probably think there are other Tolkien fans in the world and you're anonymous.
But the RFC says the authors' experiments at an IETF meeting showed that with enough hostnames in a database and access to other datasets – an LDAP server on the same network, for example – “the identification of the device owner can become trivial given only partial identifiers in a hostname”.
The paper identifies the “guilty parties” – protocols that leak hostnames – as DHCP, various aspects of DNS (DNS address-name resolution, multicast DNS, DNS-based service discovery), link-local multicast name resolution, and NetBIOS over TCP.
Some of these represent leaks “inside” the firewall rather than on the public Internet – but on the one hand, it's not impossible to breach or monitor networks; and on the other hand, someone logging into the enterprise network over public WiFi is sniffable to the “identity” level even if they encrypt their traffic.
As well as avoiding naming hosts where it's not necessary, the authors suggest applying the principles of MAC address randomisation to hostnames. However, as we reported last week, that technique needs an effective implementation, and those are hard to find.
Since it's probably impossible to root out every protocol that assumes a host publishes its name somewhere, the three 'net boffins suggest operating system makers – all the way to phones – allow hosts to have a “global” and a “per network” hostname.
That way, if it's a named host on the Internet, that hostname doesn't necessarily map to the “my” randomised hostname.
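An added example, not code from the RFC or from this article: one way an operating system could derive the “per network” hostname described above, so the name stays stable on one network but cannot be linked across networks. The device-local secret, the network identifier built from SSID plus gateway MAC, the `host-` prefix and the use of HMAC-SHA256 are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os


def new_device_secret() -> bytes:
    """Assumption: one random secret, generated once and never sent anywhere."""
    return os.urandom(32)


def network_id(ssid: str, gateway_mac: str) -> bytes:
    """Hypothetical network identifier: SSID plus normalised gateway MAC."""
    mac = gateway_mac.lower().replace("-", ":")
    return ssid.encode("utf-8") + b"\x00" + mac.encode("ascii")


def per_network_hostname(secret: bytes, net_id: bytes, prefix: str = "host") -> str:
    """Derive a hostname that is stable per network and unlinkable across them."""
    digest = hmac.new(secret, net_id, hashlib.sha256).digest()
    # 10 bytes encode to exactly 16 base32 characters with no padding.
    # Lower-cased, the alphabet is a-z and 2-7, which keeps the DNS label valid.
    tag = base64.b32encode(digest[:10]).decode("ascii").lower()
    label = f"{prefix}-{tag}"
    if len(label) > 63:
        raise ValueError("a DNS label is limited to 63 octets")
    return label


def hostname_for(secret: bytes, global_name: str, net_id: bytes,
                 trusted_networks: set) -> str:
    """Announce the global name only on networks the owner marked as trusted."""
    if net_id in trusted_networks:
        return global_name
    return per_network_hostname(secret, net_id)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    secret = new_device_secret()
    home = network_id("HomeNet", "AA-BB-CC-00-11-22")
    cafe = network_id("CafeWiFi", "aa:bb:cc:33:44:55")
    for name, net in (("home", home), ("cafe", cafe)):
        print(name, hostname_for(secret, "mirkwood", net, {home}))
```

The derived name is what the host would place in DHCP, mDNS, LLMNR and NetBIOS announcements on untrusted networks; the global name never appears there.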