I Know Where You are and What You are Sharing: Exploiting P2P Communications to Invade Users' Privacy

Abstract: In this paper, we show how to exploit real-time communication applications to determine the IP address of a targeted user. We focus our study on Skype, although other real-time communication applications may have similar privacy issues. We first design a scheme that calls an identified-targeted user inconspicuously to find his IP address, which can be done even if he is behind a NAT.
Since I mentioned how much I like Dropbox in my last post, I thought I'd add a follow-up. There's been a bit of a buzz lately about how insecure Dropbox is. I don't see this as a reason not to use it, but extra precautions should be taken if you want to store sensitive information. I personally love TrueCrypt for this, as creating a fixed-size encrypted drive doesn't leak information about the number or size of files you've encrypted.
Adam Langley, an engineer on Google’s Chrome team, wrote a blog post last summer titled Overclocking SSL. Adam argues that on today’s hardware, SSL connections are not computationally expensive, and showed us some statistics from GMail’s switch to HTTPS by default. He doesn’t go so far as to outright encourage other sites to do the same for their users, but the message is strongly implied. Last week, Lori MacVittie of F5 wrote a blog post (which was at least partially a response to Adam’s post) entitled Dispelling the New SSL Myth, in which she argues that SSL is only inexpensive if you use 1024-bit certificates and easier-to-crack ciphers like RC4.