Tracker configId should be based on original IP, not on anonymised IP? #7778

Closed
tsteur opened this Issue Apr 28, 2015 · 5 comments

Member

tsteur commented Apr 28, 2015

I just noticed the config id, used to identify a visitor, is based on the anonymised IP - if enabled: https://github.com/piwik/piwik/blob/2.13.0-rc2/core/Tracker/Settings.php#L78

I wonder if this is correct as we might sometimes generate the same configId for different users?

Implementation-wise we'd probably only have to get the IP like $this->request->getIpString() instead of $this->ipAddres

Member

mattab commented Apr 28, 2015

+1 to use the raw original IP in the fingerprint hash - refs #7667

@mattab mattab added this to the Piwik 2.14.0 milestone Apr 28, 2015

Member

mattab commented Apr 28, 2015

Actually, I remove my +1 - changing this would be a privacy risk. In particular it would let an attacker brute force the md5 hash to get the raw IP address back from the config_id hash, even when IP was anonymised. We cannot leak the IP address in case it was anonymised in Piwik, so we must use the anonymised IP to build the hash.

Edit: to brute force the config_id hash, an attacker would need the Piwik DB + Piwik config (for the salt)

@mattab mattab closed this Apr 28, 2015

@mattab mattab added the wontfix label Apr 28, 2015

Member

tsteur commented Apr 28, 2015

I would have expected to use the useAnonymizedIpForVisitEnrichment setting as it is also used for location etc. already anyway. I know it is still a different case but I think if someone wants to have complete privacy that person will have disabled that setting anyway.

Member

mattab commented Oct 20, 2015

I would have expected to use useAnonymizedIpForVisitEnrichment setting as it is also used for location etc already anyway.

👍

@mattab mattab reopened this Oct 20, 2015

@mattab mattab removed the wontfix label Oct 20, 2015

@mattab mattab modified the milestones: 2.15.0, 2.14.0 Oct 20, 2015

Member

mattab commented Oct 20, 2015

by default, Piwik users have anonymisation enabled and they use the raw IP

        'useAnonymizedIpForVisitEnrichment' => array('type' => 'boolean', 'default' => false),
        'ipAddressMaskLength'               => array('type' => 'integer', 'default' => 2),

by making the config_id use the raw IP we would improve the tracker detection algorithm that will match many fewer visitors with colliding config_id

This will improve the detection of visitors in Piwik for the vast majority of Piwik users who use the default privacy settings 👍
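
The trade-off debated in this thread, as an added example that is not part of the issue or of Piwik's code: it counts how many distinct config ids a set of visitors produces when the fingerprint hashes the anonymised IP versus the raw IP, and how many raw-IP candidates remain unknown per stored row. The `configId()` layout, the salt, the trailing-byte masking in `maskIp()` (IPv4 only) and the visitor list are assumptions constructed for illustration.

```php
<?php
// Added illustration, not Piwik code: configId() is a simplified stand-in for
// the tracker fingerprint; salt, field layout and visitors are constructed.

// Zero the trailing $maskLength bytes of an IPv4 address (assumed mask behaviour).
function maskIp(string $ip, int $maskLength): string
{
    $maskLength = max(0, min(4, $maskLength));
    $bytes = explode('.', $ip);
    for ($i = 4 - $maskLength; $i < 4; $i++) {
        $bytes[$i] = '0';
    }
    return implode('.', $bytes);
}

// Hypothetical fingerprint: salted md5 over browser settings and an IP string.
function configId(string $salt, string $browser, string $ip): string
{
    return substr(md5($salt . '|' . $browser . '|' . $ip), 0, 16);
}

// Number of distinct config ids the tracker would see for these visitors.
function distinctIds(array $visitors, string $salt, int $maskLength, bool $rawIp): int
{
    $ids = array();
    foreach ($visitors as $v) {
        $ip = $rawIp ? $v['ip'] : maskIp($v['ip'], $maskLength);
        $ids[configId($salt, $v['browser'], $ip)] = true;
    }
    return count($ids);
}

$salt = 'constructed-salt';
$maskLength = 2; // default ipAddressMaskLength quoted in the thread
$visitors = array( // constructed sample: documentation-range addresses
    array('ip' => '198.51.100.7',   'browser' => 'Firefox 37/Windows/en'),
    array('ip' => '198.51.100.31',  'browser' => 'Firefox 37/Windows/en'),
    array('ip' => '198.51.100.200', 'browser' => 'Firefox 37/Windows/en'),
    array('ip' => '203.0.113.5',    'browser' => 'Firefox 37/Windows/en'),
    array('ip' => '198.51.100.7',   'browser' => 'Chrome 42/Linux/de'),
);

printf("distinct ids, anonymised IP: %d\n", distinctIds($visitors, $salt, $maskLength, false));
printf("distinct ids, raw IP:        %d\n", distinctIds($visitors, $salt, $maskLength, true));

// Privacy side: if the id hashes the raw IP while the anonymised IP is stored
// beside it, only the masked bytes are unknown to someone holding DB and salt.
printf("unknown raw-IP candidates per stored row: %d\n", pow(256, $maskLength));
```

Visitors behind the same masked prefix with identical browser settings collapse into one id in the anonymised variant, which is the collision the issue describes; the last line shows how small the remaining search space is, which is the privacy concern raised against switching to the raw IP.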
