Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
gruez 4 days ago

It's still strictly worse than the privacy you get with ivp4 + NAT. Even with privacy addresses, a device has its own unique (but rotating) address, so it can be uniquely identified. Contrast this with ipv4 + NAT where all devices share the same address, and the only identifying characteristic is the port, which changes on a per-connection basis. On a typical home networking scenario this is handy, because it means advertisers can distinguish traffic coming from your daughter's phone between traffic coming from your PC. With ipv4 they're mixed under one IP address, and you need to resort to various forms of fingerprinting to distinguish them. On a public VPN server this basically kills privacy, which is probably why all the VPNs I've encountered are ipv4 only.

WorldMaker 3 days ago | parent | next [-]

The trick is in that rotating part, I believe. IPv6 is large enough devices could (can/do) rotate regularly. Sure every device is a unique snowflake, but it becomes a snowflake in a blizzard. Things like advertisers are going want to bucket things quickly and so they are still just as likely to use something like /64 subnet as the first pass identifier and your PC and daughter's PC are going to be hundreds or thousands of data points per month in different IPv6 addresses under that subnet. The Pigeon Hole Principle applies at least as well in that case of subnet hashing as NAT44 does. They are going to start with a "bucket" (your subnet) that resembles your whole household, and then filter from there.

The related flip side, though is that NAT44 isn't a privacy solution, it's an over-reliance on the Pigeon Hole Principle and hoping that's enough privacy. An advertiser already has way more data to work with than just IP Address: os/browser combos, user agent strings, cookies, timing habits (device hits website x first thing in the morning), and so much more. NAT44 is absolutely not sufficient for privacy. It is a defense in depth sure, but huge scale difference of IPv6 is a different defense in depth with similar Pigeon Hole Principle properties, it's not necessarily a loss of depth on its own.

boredatoms 3 days ago | parent | prev | next [-]

If you really want to, you can NAT the v6 just like you do with v4

justsomehnguy 3 days ago | parent | prev [-]

CGNAT exists which is "much privacy" by your logic. So anyone interested, starting with Google, is already fingerprinting you anyway, so the whole idea what "ipv4+NAT is more private than ipv6" is moot at best.

NB: your useragent already sends enough info to effectively distinguish your from the other users behind the same ipv4 address

gruez 3 days ago | parent [-]

>CGNAT exists which is "much privacy" by your logic. So anyone interested, starting with Google, is already fingerprinting you anyway, so the whole idea what "ipv4+NAT is more private than ipv6" is moot at best.

It's still an extra fingerprinting signal, and all things being equal you'd want less fingerprinting vectors. Otherwise you fall into defeatist line of "google already probably knows my interests quite well, so I might as well not bother trying to obfuscate my advertising history".

It's an extra signal that's basically impossible to spoof

>NB: your useragent already sends enough info to effectively distinguish your from the other users behind the same ipv4 address

???

User-agent provides very limited set of information. Two chrome users on windows have the same user agent. Unless you think everyone in a household uses a different browser/OS combo, user agent isn't enough to distinguish users. You'd need to get into canvas/webgl fingerprinting to uniquely identify a device, and even then that can't distinguish identical devices (eg. two people using iPhone 16)

justsomehnguy 3 days ago | parent [-]

> It's still an extra fingerprinting signal, and all things being equal you'd want less fingerprinting vectors

Yes, but it's value to the interested party is minuscule, precisely because it's not a permanent and distinguish enough signal. They already have a lot more stronger signals so ditching ipv6 for ipv4+nat would not improve your privacy in any meaningful way.

> User-agent provides very limited set of information

Yes. But if you have two 'users' in your ipv4+NAT network and the one is using an Apple device while the other uses some Android device - you already, without providing any 'extra fingerprinting signal' like a ipv6 address, gave a signal strong enough to distinguish between those users.

> You'd need to get into canvas/webgl fingerprinting to uniquely identify a device

No need for that to distinguish between different users behind a NAT. Your cookies, your UA, your logged in accounts, your requests to fonts.google.com for a fancy website - they all give enough information to do that already. I remind the original point about CGNAT - it's massive amount of users who are intermingled on the same IPv4 pool and even sometimes change the used address in process.

Ad platforms already need to work with an 'non-identifiable' IP:port combo datapoint in the first place, so they do their work to identify you from the every breadcrumb they can leave on your device.

And by the way, if you have any 'cloud enabled' app on your device the big boys already knows where and who you are. Eg: any app what uses Firebase, or Location APIs or bazillion of other 'cloud' things...