On Tue, Oct 25, 2016 at 3:30 PM, Eric Rescorla <e...@rtfm.com> wrote:

> On Wed, Oct 26, 2016 at 6:17 AM, Chris Peterson <cpeter...@mozilla.com> wrote:
>
> > On 10/25/2016 11:43 AM, Eric Rescorla wrote:
> >
> >> Setting aside the policy question, the location API for mobile devices
> >> generally gives a much more precise estimate of your location than can be
> >> obtained from the upstream network provider. For instance, consider the case
> >> of the ISP upstream from Mozilla's office in Mountain View: they can only
> >> localize a user to within 50 meters or so of the office, whereas GPS is
> >> accurate to a few meters. And of course someone who is upstream from the ISP
> >> may just have standard geo IP data.
> >>
> >
> > Assuming every MITM and website already has approximate geo IP location,
> > we could fuzz the navigator.getCurrentPosition() result for HTTP sites.
> > That would leak no more information than passive geo IP and would not
> > break HTTP websites using the geolocation API.
>
>
> This turns out to be incredibly hard.
> https://tools.ietf.org/id/draft-thomson-geopriv-location-obscuring-03.html
>
> If you want to do something like this, probably the best way to do it would
> be to report the GeoIP from some public database based on the apparent
> current public IP.
>
> -Ekr
>
>
Rather than fuzzing we could consider limiting the precision of the
returned values for HTTP websites to something like a tenth of a degree.
That would be enough to locate you in the right part of the world without
giving much away (unless you happen to be very near a pole...).

Dan
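
The tenth-of-a-degree suggestion above, worked through as an added example (not code from the thread or from Firefox): it rounds a fix to 0.1 degree and computes the ground size of the resulting cell, which shows why the pole caveat holds. The function names, the 111.32 km-per-degree spherical approximation and the sample coordinates are assumptions made for the illustration.

```javascript
// Added example, not code from the thread. Spherical-Earth approximation:
// one degree of latitude is taken as about 111.32 km (assumption).
const KM_PER_DEGREE = 111.32;

// Round a coordinate to the nearest multiple of stepDeg (0.1 = a tenth of a degree).
function limitPrecision(value, stepDeg = 0.1) {
  const perDegree = Math.round(1 / stepDeg);
  return Math.round(value * perDegree) / perDegree;
}

// Ground size of one grid cell at a given latitude. North-south height is
// constant; east-west width shrinks with cos(latitude), hence the pole caveat.
function cellSizeKm(latitude, stepDeg = 0.1) {
  const northSouthKm = stepDeg * KM_PER_DEGREE;
  const eastWestKm = northSouthKm * Math.cos((latitude * Math.PI) / 180);
  return { northSouthKm, eastWestKm };
}

// coords mirrors the latitude/longitude/accuracy fields of GeolocationCoordinates.
// accuracy (metres) is raised to half the cell diagonal so it does not
// advertise more precision than the rounded values carry.
function coarsenPosition(coords, stepDeg = 0.1) {
  const latitude = limitPrecision(coords.latitude, stepDeg);
  const longitude = limitPrecision(coords.longitude, stepDeg);
  const cell = cellSizeKm(latitude, stepDeg);
  const halfDiagonalM = 500 * Math.hypot(cell.northSouthKm, cell.eastWestKm);
  const accuracy = Math.max(coords.accuracy, halfDiagonalM);
  return { latitude, longitude, accuracy, cell };
}

// Constructed sample fixes: one at mid latitude, one very near the pole.
const midLatitude = coarsenPosition({ latitude: 37.3861, longitude: -122.0839, accuracy: 5 });
const nearPole = coarsenPosition({ latitude: 89.93, longitude: 12.3456, accuracy: 5 });
console.log(midLatitude, nearPole);
```

At mid latitudes the cell is several kilometres on each side, while close to the pole its east-west width collapses to tens of metres even though the reported values still carry only one decimal place.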


>
> >
> > _______________________________________________
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform
> >