Privacy consultant and former Internet Architecture Board president Christian Huitema has said he reckons hotspot users should be given better privacy protection.
In an informational draft for the Internet Engineering Task Force published yesterday, Huitema explained that DNS Service Discovery (DNS-SD), the protocol that lets users of a public hotspot find (for example) the printer, also exposes them to "serious privacy problems". His collaborators on the draft were Apple's zeroconf pioneer Stuart Cheshire and crypto-engineer Chris Wood.
Huitema wrote: "The DNS-SD messages leak identifying information such as the instance name, the host name or service properties."
For example, he wrote, someone wanting to print a document in an airline lounge will, without knowing it, be using a DNS-SD service to make that connection.
"In that scenario, the server is public and wants to be discovered, but the client is private," he wrote. "The adversary will be listening to the network traffic, trying to identify the visitors' devices and their activity. Identifying devices leads to identifying people, either just for tracking people or as a preliminary to targeted attacks."
That's unacceptable, the draft stated: "Discovery activity should not disclose the identity of the client."
Things are even worse if two hosts in a conversation are supposed to be private (for example, two people using the hotspot for a direct file exchange).
"The server wants to be discovered by the client, but has no desire to be discovered by anyone else," the draft read – but if the client software is using DNS-SD, that's just what would happen.
Even watches could expose their owners through DNS-SD, Huitema wrote, because "David's" watch looking for his phone will identify specific devices, which the adversary might know have a vulnerability.
The way the service is designed, the draft noted, would even let a savvy adversary build a device fingerprint. As it's now written, DNS-SD messages include a list of services published by a device, "which can be retrieved because the SRV records will point to the same host name"; attributes describing services; service port numbers; and "priority and weight attributes in the SRV records".
In other words, since there are too many ways in which client, server and user identities can leak, DNS-SD is sorely in need of a do-over.
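To check what a device of your own gives away in the way the draft describes, the following added example (not code from the draft or from The Register) groups announced services by SRV target host and hashes the attributes the draft names. The record tuples, host names, instance names and the `_demo-sync._tcp` service type are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample announcements: (record type, owner name, rdata).
# SRV rdata is (priority, weight, port, target). All names and values are made up.
RECORDS = [
    ("SRV", "Lounge Printer._ipp._tcp.local", (0, 0, 631, "printer-3f.local")),
    ("TXT", "Lounge Printer._ipp._tcp.local", {"pdl": "application/pdf"}),
    ("SRV", "David's Watch._http._tcp.local", (0, 0, 8080, "davids-watch.local")),
    ("TXT", "David's Watch._http._tcp.local", {"path": "/", "model": "W1"}),
    ("SRV", "David's Watch._demo-sync._tcp.local", (10, 5, 49152, "davids-watch.local")),
]


def split_instance(owner):
    """Split '<Instance>._<service>._<proto>.<domain>' into (instance, service type)."""
    labels = owner.split(".")
    idx = next(i for i, label in enumerate(labels) if label.startswith("_"))
    return ".".join(labels[:idx]), ".".join(labels[idx:idx + 2])


def audit(records):
    """Group services by SRV target and summarise what each host discloses."""
    txt = {owner: data for rtype, owner, data in records if rtype == "TXT"}
    hosts = defaultdict(list)
    for rtype, owner, data in records:
        if rtype != "SRV":
            continue
        priority, weight, port, target = data
        instance, service = split_instance(owner)
        txt_keys = tuple(sorted(txt.get(owner, {})))
        hosts[target].append((service, port, priority, weight, txt_keys, instance))
    report = {}
    for target, services in hosts.items():
        # Hash only the name-independent attributes the draft lists, so the
        # value shows what stays constant even if the names were changed.
        stable = sorted(s[:5] for s in services)
        report[target] = {
            "instances": sorted({s[5] for s in services}),  # direct identity leak
            "services": [s[0] for s in stable],
            "fingerprint": hashlib.sha256(repr(stable).encode()).hexdigest()[:16],
        }
    return report


if __name__ == "__main__":
    for host, info in audit(RECORDS).items():
        print(host, info)
```

Because the hash leaves out instance and host names, two runs over the same device with different names yield the same value, which is why the service list, ports, priority and weight need hiding as well as the names.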
The good news is that Huitema is working with the University of Konstanz's Daniel Kaiser on a draft, progressing through an IETF working group, to hide that information. ®