Re: Opt-out for wifi network of the Google Location Server

On Nov 27, 2011, at 7:14 AM, Dan Brickley wrote:

> On 27 Nov 2011, at 14:11, Thomas Roessler <tlr@w3.org> wrote:
> 
>> On 2011-11-27, at 12:51 +0100, Bjoern Hoehrmann wrote:
>> 
>>> The malicious opt-in problem exists whether or not you filter networks
>>> on the client, and that would be taken care of in the same way that you
>>> prevent poisoning the database with other false information, like not
>>> having information that comes too infrequently or from too few sources.
>>> Note that the "reliable channel" does not seem to be required to opt in,
>>> they could require that to protect against this, if that actually helps.
>> 
>> So, I'm honestly having a hard time seeing the "malice" here.  What exactly is it that you're protecting by keeping people from measuring what access points are around them, and by keeping service providers from using those data?  How are these personal data?
>> 
>> I can see several nearby things a provider like Google could do that would rightly make people freak out: Collecting arbitrary MAC addresses (and thereby being able to do movement profiles of mobile devices that they aren't able to track otherwise), or (even accidentally) collecting payload data from wireless networks.  We've been there.
>> 
>> But assuming we're only talking about access points that publicly broadcast their SSID: Why are you actually worried about that?
> 
> I was assuming folk here would've seen 
> 
> http://samy.pl/mapxss/
> 
> ...which claims ssid can sometimes be accessed from hostile Web pages via XSS, and then looked up to provide precise geo.

XSS against a gateway can also be exploited to reroute all internet traffic through a malicious proxy. Albeit a creative hack, MAC address lookup against a geolocation database is the least of your worries if your wifi router has an XSS vulnerability.

IMHO, it is a curiosity and a diversion.

/ David

Received on Tuesday, 29 November 2011 03:26:21 UTC