On Wed, Oct 26, 2016 at 7:17 AM, Daniel Minor <dmi...@mozilla.com> wrote:
> > > On Tue, Oct 25, 2016 at 3:30 PM, Eric Rescorla <e...@rtfm.com> wrote: > >> On Wed, Oct 26, 2016 at 6:17 AM, Chris Peterson <cpeter...@mozilla.com> >> wrote: >> >> > On 10/25/2016 11:43 AM, Eric Rescorla wrote: >> > >> >> Setting aside the policy question, the location API for mobile devices >> >> generally >> >> gives a much more precise estimate of your location than can be >> obtained >> >> from the upstream network provider. For instance, consider the case of >> the >> >> ISP upstream from Mozilla's office in Mountain view: they can only >> >> localize >> >> a user to within 50 meters or so of the office, whereas GPS is >> accurate to >> >> a few meters. And of course someone who is upstream from the ISP may >> just >> >> have standard geo IP data. >> >> >> > >> > Assuming every MITM and website already has approximate geo IP location, >> > we could fuzz the navigator.getCurrentPosition() result for HTTP sites. >> > That would leak no more information than passive geo IP and would not >> break >> > HTTP websites using the geolocation API. >> >> >> This turns out to be incredibly hard. >> https://tools.ietf.org/id/draft-thomson-geopriv-location- >> obscuring-03.html >> >> If you want to do something like this, probably the best way to do it >> would >> be >> to report the GeoIP from some public database based on the apparent >> current >> public IP. >> >> -Ekr >> >> > Rather than fuzzing we could consider limiting the precision of the > returned values for HTTP websites to something like a tenth of a degree. > That would be enough to locate you in the right part of the world without > giving much away (unless you happen to be very near a pole...). > This turns out not to work very well if you are near the grid lines and moving at all. I would strongly encourage anyone thinking of trying to design a new scheme to first read Martin's document, which covers the space pretty well -Ekr > Dan > > >> >> > >> > _______________________________________________ >> > dev-platform mailing list >> > dev-platform@lists.mozilla.org >> > https://lists.mozilla.org/listinfo/dev-platform >> > >> _______________________________________________ >> dev-platform mailing list >> dev-platform@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-platform >> > > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform