There's a lot of people who are kind of rightfully scared by "did u know ANY POST on cohost can leak where u live!!! 🤯" posts doing the rounds on here, and especially so on other sites with strict character limits.
I feel that somewhere in the midst of VPN ads taken by clueless YouTubers, and the death (if it was ever born to begin with) of accurate tech reporting, we got lost as to the actual threat model brought about by people getting your IP address.
So - here's a little primer on IP addresses, how people get them, what that means for you, and some commentary on the commentary.
what is an IP address?
- an IP address is a semi-uniquely linked identifier, designed to designate where little bundles of data should end up on the internet
- you have a private address - this is generally used for devices on your network talking to each other, without involving the outside world
- you also have a public address - this is for the outside world to be able to send data to your network
- it's nice it's called an address, because you can think of it being a little end destination for data
how would someone get my IP address?
- you give out this identifier when you do anything, at all, on the internet. without it, the internet wouldn't function, because the internet relies on being able to send data bidirectionally, and, know the source
- this includes any site that you load images from
- Cohost posts (along with most blogging platforms...) can embed images from other websites
- however, if you were to visit a unique link - specifically here, load an image from a Cohost post set to private, for example - someone trying to get your IP address could see the one request being made, and, get the address associated
- most social media sites, and some blogging platforms "solve" this problem away by having you talk directly to their server to load in external data, such that the external website just sees the social media website's IP address
what's the danger in someone having my IP?
- an IP address kind of gives your unique location, to an extent - the way your IP is truly linked to your location properly is through data brokers selling your IP address along with GPS data collected from various sources (such as apps on your phone)
- this is primarily meant for advertisers, but, of course, anyone can buy from data brokers, including a variety of sites which just do fairly accurate reporting on the location related to an IP
- most ISPs will not give you a constant IP address. generally, restarting your router will get you a new IP address and using a proxy in between to load images
- if you are susceptible to the kind of risk where users having your IP address would pose harm, use some way of routing traffic through another server (such as a VPN)
is Cohost unique in "leaking" my IP address?
- No. You're giving your IP address when you browse the internet, play games online - because, again, any time you use something online, your IP is required
how do I solve this?
- Think about if your threat model would be at risk by someone having your IP. For most people, you aren't at risk.
- If you are at risk, use a VPN whenever you use the internet, at all times. There's no half-assing this, because, whenever you use the internet, your IP is required. (if you use Safari on macOS or iOS, and pay for iCloud - Apple Private Relay will do this by default without you thinking about it! it's not bulletproof, as it doesn't work for other browsers, but it's a good option for casual use. go turn it on!)
- If you can't afford a VPN, consider rotating your IP address by rebooting your wifi router frequently. This doesn't solve the issue, but, because an IP address is a pretty broad range when it comes to location, getting a new IP frequently will generally prevent an IP from being linked too specifically for you.
- If you can't afford a VPN and can't reboot your router (e.g. living in University dorms) - install a browser extension to block all offsite content. There are multiple options available for this - I've heard good things about uMatrix.
- If you can't install a browser extension, can't afford a VPN, and can't reboot your router - don't look at content that only a small audience may be looking at (i.e. following private pages). If enough people look at posts, the IP addresses will just become noise.
how does Cohost solve the image IP-leaking problem?
They uh. Don't. Or, they can, but, it costs a lot of money to run a media proxy in terms of bandwidth - and, being real here, it's like fighting a losing battle. You can just as easily get someone's IP by just embedding a link that looks like one thing, but, is really another https://google.com (<-- this isn't malicious, it'll just take you to a YouTube video) - and, this technique works on any website that allows markdown or adding links to text (including the recently publicly traded Reddit).
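To make the two cases above concrete, here is an added sketch (not code from Cohost or any real platform) of what a media proxy does to a post's markdown, plus a check for links whose visible URL differs from the real target. `SITE_HOST`, `PROXY_PREFIX` and every hostname in it are hypothetical, and it only handles plain `![alt](url)` and `[text](url)` markdown.

```javascript
// Added example. SITE_HOST and PROXY_PREFIX are hypothetical; all hosts are constructed.
const SITE_HOST = "blog.example";
const PROXY_PREFIX = "https://blog.example/media-proxy?url=";
const IMAGE_RE = /!\[([^\]]*)\]\(([^)\s]+)\)/g;      // ![alt](url)
const LINK_RE = /(?<!!)\[([^\]]+)\]\(([^)\s]+)\)/g;  // [text](url), excluding images

// Hostname of an absolute http(s) URL, or null for anything else (relative paths, plain text).
function hostOf(value) {
  try {
    const u = new URL(value);
    return /^https?:$/.test(u.protocol) ? u.hostname.toLowerCase() : null;
  } catch { return null; }
}

// Off-site hosts a reader's browser contacts just by rendering the post.
function autoLoadedHosts(markdown) {
  const hosts = new Set();
  for (const [, , url] of markdown.matchAll(IMAGE_RE)) {
    const host = hostOf(url);
    if (host && host !== SITE_HOST) hosts.add(host);
  }
  return [...hosts].sort();
}

// Media-proxy rewrite: off-site images are fetched by the platform, so the
// external server sees the platform's IP address instead of the reader's.
function proxyImages(markdown) {
  return markdown.replace(IMAGE_RE, (whole, alt, url) => {
    const host = hostOf(url);
    if (host === null || host === SITE_HOST) return whole;
    return `![${alt}](${PROXY_PREFIX}${encodeURIComponent(url)})`;
  });
}

// Links whose visible text is a URL on one host while the target is on another.
function mismatchedLinks(markdown) {
  const findings = [];
  for (const [, text, url] of markdown.matchAll(LINK_RE)) {
    const shown = hostOf(text.trim());
    const actual = hostOf(url);
    if (shown && actual && shown !== actual) findings.push({ shown, actual });
  }
  return findings;
}
const samplePost = [ // constructed input
  "![banner](https://blog.example/static/banner.png)",
  "![pixel](https://img.tracker.invalid/p.gif?id=reader-42)",
  "see [https://docs.example/guide](https://redirect.tracker.invalid/r/9)",
  "and [our wiki](https://wiki.example/home)",
].join("\n");
```

After `proxyImages`, the post no longer triggers any automatic off-site request, but the mismatched link is untouched: a proxy cannot cover a link the reader clicks.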


