Document Correlation Attack #1116
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,84 @@ | ||||||
| --- | ||||||
| layout: post | ||||||
| title: "Privacy: Mitigating User Tracking By Third Parties" | ||||||
| lang: "en" | ||||||
| author: "rdica" | ||||||
| heading: "Privacy: Mitigating User Tracking By Third Parties" | ||||||
| --- | ||||||
|
|
||||||
| By default the Jamulus protocol does not map usernames to IP addresses in any publicly available data. | ||||||
| However it is possible to correlate connections to servers to achieve user<‐>IP mapping. | ||||||
| This was first reported to Jamulus developers here: [https://github.com/orgs/jamulussoftware/discussions/3545](https://github.com/orgs/jamulussoftware/discussions/3545) | ||||||
|
|
||||||
| <!--more--> | ||||||
|
|
||||||
| ## Scope | ||||||
|
|
||||||
| This document will attempt to summarize the problem, and provide mitigations for both users, and server admins. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
I go back and forth about how much it's a problem, but I agree it is not ideal. There are a few people who seek out IPs to taunt with them. I think ideally directories would gather IP addresses and use them to provide additional services that improve userbase optimizations like what I've done, and ideally, it would not be possible to derive a client's IP address. But problems are things we do mitigate so the words are kind of a pair. |
||||||
|
|
||||||
| ## The Problem - Pings and Join Events | ||||||
|
|
||||||
| ### Pings | ||||||
|
|
||||||
| When a user attempts to connect to a server, they open the Connect dialog window. The client will **start** sending “pings” to every server listed in that genre to report delay latency (basically network distance) to those servers. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
Genre might make more sense than directory. Either's fine. |
||||||
|
|
||||||
| Anyone running a server can capture those “pings” using tools like `tcpdump` or `tshark/wireshark` and view the IP addresses of the clients that are sending them. | ||||||
| **No username data is sent.** This is part of the Jamulus protocol, by design, to maintain a level of privacy and prevent others from finding the IP addresses of specific users. | ||||||
|
Contributor
There was a problem hiding this comment. There's nothing in the Jamulus protocol that leads me to believe they designed a private protocol. It's totally possible to do but they didn't do so here. Let's imagine what you're saying: Rather than ping, they could ping a... username? Do pings even have payloads like that? Security by obscurity is not security. You can't just say, oh, it's private because we didn't shove all the data in every ping. Can you tell me one way in which the Connect dialog's ping pattern promotes privacy? In MVP/V1 style, it shoves those pings out there, and then stops shoving them. You're saying their lack of explicit metadata payload is a privacy design? it's not. |
||||||
|
|
||||||
| ### Join Events | ||||||
|
|
||||||
| A user will either select a server from the list, or type in a server address:port, click Connect or hit Enter, and the client will then attempt to connect to the server. At this point the client **stops** sending the “pings” and the client typically completes the connection to the server. | ||||||
|
|
||||||
| Each genre has a directory server. The purpose of the directory server is to provide clients with a listing of servers registered to it, and the users connected to each server. This is public data, and viewed in the Connect dialog window, and available through a number of websites, like [explorer.jamulus.io](https://explorer.jamulus.io) or [jamulusjams.com](https://jamulusjams.com). | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
I think there's also a third website that does this. |
||||||
|
|
||||||
| Anyone can run an explorer instance. An explorer queries each genres directory server to get a list of servers, then queries each server directly to get a list of connected users. This is public data. **There is no IP address information on users, just the user profile data**. Again this is by design to prevent IP<‐>username mapping. This data can also be saved for later processing. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
If the design intends to prevent IP-username correlation, then the design is broken.
Member
There was a problem hiding this comment. We try not to send IPs out if not necessary. The correlation is a side effect we didn't think about. My opinion: As long as users are aware of it and can opt out I'm mostly fine.
Contributor
There was a problem hiding this comment. I tried discussing an opt-out, but realized it relies on trusting me. The group of people exceedingly concerned about being geolocated but willing to trust me might be a group of zero users. I also don't want to provide a false sense of security. If I make opting out easy, that doesn't protect anyone from the underlying flaw. Would people falsely think the opt-out protects them from all use of a side-channel attack? |
||||||
|
|
||||||
| ### Correlation | ||||||
|
|
||||||
| Anyone can run servers **and** explorer instances. | ||||||
| Using IPs captured by a server, one can correlate **when an IP address stops pinging** (ie; just connected to a server) and **when a new client joined a server** (username data from explorer query directly to a jamulus server) to produce an IP<‐>username mapping. The IP address can then be processed to provide geolocation data. From this one can determine the location of a specific user. | ||||||
|
Member
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| ## Current Correlation (as of 20260202) | ||||||
|
Member
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| ### Listeners | ||||||
|
|
||||||
|
Member
There was a problem hiding this comment. You should clarify that this are known IP addresses. There could be others. Also you should link to the site this IP belongs to. Users should be informed about this. Judging if this is good or bad lies in the eyes of the user and cannot be part of this page. |
||||||
| There are seven servers on public Jamulus space, one in each genre. They are named ***Duet***, and have a userlimit set at two. They all share the same IP and each sit on different ports. | ||||||
| These servers are “listening” for pings from clients, and packet capturing them to get the IP addresses of users clients. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| ``` | ||||||
| Genre Name IP:port | ||||||
|
Contributor
There was a problem hiding this comment. This would probably look good as an actual table. |
||||||
|
|
||||||
| Any Genre1 Duet 24.199.107.192:22121 | ||||||
| Any Genre2 Duet 24.199.107.192:22122 | ||||||
| Any Genre3 Duet 24.199.107.192:22123 | ||||||
| Rock Duet 24.199.107.192:22124 | ||||||
| Jazz Duet 24.199.107.192:22125 | ||||||
| Classical/Folk Duet 24.199.107.192:22126 | ||||||
| Choral/Barbershop Duet 24.199.107.192:22127 | ||||||
| ``` | ||||||
|
|
||||||
| ### User Data | ||||||
|
|
||||||
| There is an explorer instance collecting lists of servers and users running from **`137.184.43.255`** | ||||||
|
Contributor
There was a problem hiding this comment. Somewhat I'm concerned that publishing the specific IP addresses will put this document out of date if I have to change IPs. I don't typically change IPs, but it can happen. Maybe I could present a page of these addresses that's always current.
Member
There was a problem hiding this comment. Agree. Best in machine readable form (like csv or json) |
||||||
| IP addresses of users collected from the listeners are being correlated with join events derived from the explorer instance to produce IP<‐>username mappings. IP addresses are processed to provide geolocation data of users. This geolocation data is being collected **and** displayed without express permission of users, and with no means to opt in or out. | ||||||
|
Contributor
There was a problem hiding this comment. I remember going through 4 iterations of making the geolocation less specific. So here it seems misleading to be so vague about the granularity of the disclosures. I believe there are ten million people in my state, which doesn't really narrow down which house is mine. |
||||||
|
|
||||||
| **This data is also being fed into AI for various analyses**, again with no express permission, and no means to opt in or out. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
There's nothing in the production software that involves AI. |
||||||
|
|
||||||
| ## Mitigations | ||||||
|
|
||||||
| ### Clients | ||||||
|
|
||||||
| When you open the Connect dialog window your client starts sending pings to every server in the list. **`24.199.107.192`** is the IP address of one of those servers. A server using **`24.199.107.192`** exists on each genre, their names are ***Duet***. | ||||||
|
|
||||||
| Blocking outgoing **UDP** traffic on your DAW or router to **`24.199.107.192`** will prevent the listeners from collecting your IP address and breaks correlation. This will help prevent you from being tracked. | ||||||
|
Member
There was a problem hiding this comment. Alternatively you can try to use the -c argument from the command line (add link to docs) to connect directly to the server by skipping directories. |
||||||
|
|
||||||
| ### Server Admins | ||||||
|
|
||||||
| Server admins can contribute to helping prevent user tracking by blocking the explorer probe. | ||||||
|
Member
There was a problem hiding this comment.
Suggested change
Contributor
There was a problem hiding this comment. Well, they decided, and then they prevented. So "can prevent user tracking" seems clear enough. |
||||||
| If you run a server on the jamulus public network, it is currently being indexed by the explorer instance on **`137.184.43.255`** | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| Blocking incoming **UDP** traffic from **`137.184.43.255`** will prevent the explorer from indexing your server and breaks correlation. This will protect users on your server from being tracked while they use it. | ||||||
|
Member
There was a problem hiding this comment.
Suggested change
Contributor
There was a problem hiding this comment. maybe "This will prevent users of your server from being tracked when they connect." |
||||||
|
|
||||||
| --- | ||||||
|
|
||||||
| Updated information can be found here: [https://jamulusjams.com/block-user-tracking.html](https://jamulusjams.com/block-user-tracking.html) | ||||||
|
Member
There was a problem hiding this comment. This KB entry should be held up to date imo. |
||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there anything in here about mitigating user tracking carried out by anyone but me? It kind of describes how anyone could do this, but it only explains how to mitigate one very particular website.