Apologies, I didn’t want to assume you knew how hibp works based only on your verbiage. I think I misread your comment and assumed you were implying they werent trustworthy or something.
Out of curiosity, what do you think the vector of attack would be if someone had a honeypot of tokens they were offering people a look at?
Get the browsers unique id and tie it to the token they’re asking about? How would that not be defeated by naming a bunch of queries about extant tokens?
The problem I see is that there’s this public knowledge thing, the license tag number, and it requires monitored access to a restricted system in order to correlate that public piece of information to a human being. So would just fuzzing requests with tags in the db work?
The sort of information they could gather from a site like this would be a list of license plates that somebody is worried about being tracked. I can think of several government organizations who would love that sort of information right now.
This site has data from the publicly shared information by Flock. I’m more than sure that any government organization already has the data. Also, your license plate is already public, meaning it’s visible on your car at any time. I don’t understand your fear about it being present on their database. (maybe I’m misunderstanding)
Yeah but do you think that a frontend that makes ten requests for tags, including somewhere between 3 and 6 tags in the db and between 3 and 6 tags not in the db with the actual tag the user wants to know about as well would add enough obfuscation to prevent that?
Apologies, I didn’t want to assume you knew how hibp works based only on your verbiage. I think I misread your comment and assumed you were implying they werent trustworthy or something.
Out of curiosity, what do you think the vector of attack would be if someone had a honeypot of tokens they were offering people a look at?
Get the browsers unique id and tie it to the token they’re asking about? How would that not be defeated by naming a bunch of queries about extant tokens?
The problem I see is that there’s this public knowledge thing, the license tag number, and it requires monitored access to a restricted system in order to correlate that public piece of information to a human being. So would just fuzzing requests with tags in the db work?
The sort of information they could gather from a site like this would be a list of license plates that somebody is worried about being tracked. I can think of several government organizations who would love that sort of information right now.
It’s a sort of Streisand effect
This site has data from the publicly shared information by Flock. I’m more than sure that any government organization already has the data. Also, your license plate is already public, meaning it’s visible on your car at any time. I don’t understand your fear about it being present on their database. (maybe I’m misunderstanding)
Yeah but do you think that a frontend that makes ten requests for tags, including somewhere between 3 and 6 tags in the db and between 3 and 6 tags not in the db with the actual tag the user wants to know about as well would add enough obfuscation to prevent that?