DEV Community

Voltra

IP Info was a mistake, and how digging for the source of the problem is tricky

IP Info is the list of information that is publicly available from just having your IP Address (whether that be IPv4 or IPv6).

Some businesses even use that as their source of income (which I'm pretty sure is illegal).

So what can you get from an IP Address? Well just about any of the following:

  • Hostname
  • City
  • Potentially inaccurate zipcode
  • Region/State
  • Country code
  • (I hope inaccurate) latitude and longitude
  • Timezone
  • ASN info
  • Internet Service Provider info
  • Security info (such as whether you're using a VPN, Tor, a proxy, a relay, or if you're hosting a server)
  • Abuse contact info

If you ask me, none of that should be available. Or at the very least, not freely available to literally anyone.

The question that naturally comes to mind is: Why the hell is this even available in the first place?

Well, it's a bit complicated. RFC 791: IP Protocol doesn't mention any of it. Neither does RFC 997: Internet Numbers, nor RFC 1519: CIDR, nor RFC 1531: DHCP, nor RFC 903: RARP, nor RFC 2460: IPv6.

Clearly, it's absolutely not needed for the Internet Protocol (and related stuff) to be functional.

So what's going on?

I found RFC 8805: A format for self-published geo-location feeds which explains that at least Google (sigh... not again) accepts such a format. Thus IP prefixes can have geolocation baked in those lists. But that's from 2020.

There was an abandoned RFC 1876: Location within DNS, which the research paper "Investigating the Imprecision of IP Block-Based Geolocation" cites, telling you that alternatives "had" to be used. So it's not in there.

What's the need?

The "need", at least as expressed in RFC 8805, is to be able to better serve content to end users. I mean sure, but that only requires one or max two pieces of info: the country and the region/state. Why the hell is the rest available? Why is it freely and openly available!?
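To make the RFC 8805 feed format and the "country and region are enough" argument concrete, here is an added illustration (not code from the original post). It parses a constructed feed in the RFC 8805 CSV layout (prefix, country, region, city, postal code), resolves an address by longest-prefix match, and reduces the record to country and region only. The feed contents, the function names and the documentation-only prefixes are assumptions made for the example.

```python
import csv
import ipaddress

# Constructed sample feed; prefixes are documentation ranges (RFC 5737 / RFC 3849).
SAMPLE_FEED = """\
# prefix,country,region,city,postal_code
192.0.2.0/24,US,US-AL,Alabaster,
192.0.2.128/25,US,US-CA,San Jose,
198.51.100.0/24,FR,FR-IDF,Paris,
2001:db8::/32,DE,DE-BE,Berlin,
203.0.113.0/24,,,,
"""

FIELDS = ("country", "region", "city", "postal_code")


def parse_geofeed(text):
    """Return a list of (network, record) pairs from RFC 8805 CSV text."""
    entries = []
    # Drop blank lines and '#' comment lines before handing rows to the CSV reader.
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    for row in csv.reader(lines):
        try:
            net = ipaddress.ip_network(row[0].strip(), strict=True)
        except ValueError:
            continue  # skip malformed prefixes rather than guessing
        values = [v.strip() for v in row[1:5]]
        values += [""] * (len(FIELDS) - len(values))  # tolerate short rows
        entries.append((net, dict(zip(FIELDS, values))))
    return entries


def lookup(entries, address):
    """Longest-prefix match: the most specific feed entry covering the address."""
    ip = ipaddress.ip_address(address)
    matches = [(n, r) for n, r in entries if n.version == ip.version and ip in n]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def coarse(record):
    """Keep only country and region, the two fields the post argues suffice."""
    return {k: record[k] for k in ("country", "region")} if record else None


if __name__ == "__main__":
    feed = parse_geofeed(SAMPLE_FEED)
    for addr in ("192.0.2.10", "192.0.2.200", "2001:db8::1", "10.0.0.1"):
        print(addr, lookup(feed, addr), coarse(lookup(feed, addr)))
```

A row whose location fields are all empty, like the last one in the sample, still parses; it simply carries no location for that prefix.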

A glimpse at the source?

Turns out that the research paper cited above has one interesting reference: An investigation of geographic mapping techniques for internet hosts.

This 2001 paper doesn't talk about how things have been done, but how things could be done. And once again, it's a case of scientists asking themselves whether they could, before asking themselves whether they should.

You think this is bad? Well, I'll give you this treat to check out in your free time. The only thing I'll tell you is that it's from 2023...

What did we learn?

The Internet Protocol has been plagued by a lack of security that even IPsec cannot help and fix. Scientists have been very eager to help anyone get more and more information about you from simply an IP Address. Why? I guess we'll never know (spoiler: it's greed or scientific stupidity).

A simple number, used to help in information exchange, now allows people to passively get information about you. A 32-bit number now gives you access to bytes upon bytes of data on someone.

That there is a lot of unnecessary endangerment, that should have been trivially avoided. Could there be a legal case to be made? I'd like for that to be true. If even scientists are eager to give out your privacy for free, only that could potentially fix the issue (along with making it "more" illegal I guess).

My recommendations?

  1. Never share your IP Address (duh)
  2. Never (accidentally) expose your IP Address (e.g. using any kind of P2P or direct connections)
  3. Use any masking tool at your disposal (e.g. VPN, Proxy, etc.)
  4. Tell your friends, family, etc.
