Apologies, I didn’t want to assume you knew how hibp works based only on your verbiage. I think I misread your comment and assumed you were implying they werent trustworthy or something.
Out of curiosity, what do you think the vector of attack would be if someone had a honeypot of tokens they were offering people a look at?
Get the browsers unique id and tie it to the token they’re asking about? How would that not be defeated by naming a bunch of queries about extant tokens?
The problem I see is that there’s this public knowledge thing, the license tag number, and it requires monitored access to a restricted system in order to correlate that public piece of information to a human being. So would just fuzzing requests with tags in the db work?
The sort of information they could gather from a site like this would be a list of license plates that somebody is worried about being tracked. I can think of several government organizations who would love that sort of information right now.
Yeah but do you think that a frontend that makes ten requests for tags, including somewhere between 3 and 6 tags in the db and between 3 and 6 tags not in the db with the actual tag the user wants to know about as well would add enough obfuscation to prevent that?
Apologies, I didn’t want to assume you knew how hibp works based only on your verbiage. I think I misread your comment and assumed you were implying they werent trustworthy or something.
Out of curiosity, what do you think the vector of attack would be if someone had a honeypot of tokens they were offering people a look at?
Get the browsers unique id and tie it to the token they’re asking about? How would that not be defeated by naming a bunch of queries about extant tokens?
The problem I see is that there’s this public knowledge thing, the license tag number, and it requires monitored access to a restricted system in order to correlate that public piece of information to a human being. So would just fuzzing requests with tags in the db work?
The sort of information they could gather from a site like this would be a list of license plates that somebody is worried about being tracked. I can think of several government organizations who would love that sort of information right now.
It’s a sort of Streisand effect
Yeah but do you think that a frontend that makes ten requests for tags, including somewhere between 3 and 6 tags in the db and between 3 and 6 tags not in the db with the actual tag the user wants to know about as well would add enough obfuscation to prevent that?