
Ask HN: Does HN store IP addresses to identify users? - forgottenacc57
does HN store IP addresses for the purposes of identifying user accounts?<p>I wonder if HN was hacked if &quot;anonymous&quot; posts would be linked back to actual people even though no email address is on the account.<p>EDIT after comments: OK so maybe HN should be clear that anonymity is not likely if HN is hacked. HN sort of presents as being a &quot;safe&quot; place to post anonymously but it&#x27;s an illusion.
======
positr0n
I believe they have mod tools to help with voter ring detection and similar
problems. I would guess those rely on ip addresses for some of the
functionality.

~~~
tentaTherapist
I don't know whether to believe you or not.

------
savethefuture
They should not have to tell you that there are risks to using online
services, that should be a given...

------
pavement
IP address is most definitely part of the voting ring algo. I'm almost
positive about that much.

~~~
forgottenacc57
Is there a safer alternative such as using salted hashed ip addresses?

~~~
jwilk
Certainly not before IPv6 is widely adopted.

IPv4 address space is so small, any hashing can reversed with brute force.

------
type0
> does HN store IP addresses for the purposes of identifying user accounts?

They use cookies assuming you are logged in. I wish they do store IPs in order
to prevent password brute-forcing attacks.

> I wonder if HN was hacked if "anonymous" posts would be linked back to
> actual people even though no email address is on the account.

You should be more concerned about your email account being linked to your HN
username, fortunately you don't have to provide your email here.

> OK so maybe HN should be clear that anonymity is not likely if HN is hacked.
> HN sort of presents as being a "safe" place to post anonymously but it's an
> illusion.

It's pseudonymous forum, if you wish to be anon - head over to 4chan instead.

------
meowface
Even if the DB were dumped and all users' IP addresses were revealed, the
leaked IPs wouldn't be much of a security risk.

For one, an attacker would not necessarily get your current IP address.

But even if they did have your current IP address... so what? The most someone
could find from that is your general region; maybe your city or a city next to
yours if they're lucky. There's no way they're doxing you from that unless
they think they can successfully SE the ISP and don't mind risking jail for
it.

The real security risk would be the leaked password hashes. That would be
much, much more likely to result in people being doxed (and worse).

~~~
krapp
> Even if the DB were dumped and all users' IP addresses were revealed, the
> leaked IPs wouldn't be much of a security risk.

There's no DB, the site has always been described as storing everything in
memory using Lisp closures, and on flat files. I don't know whether that makes
Hacker News more or less secure than average, though.

~~~
meowface
Then replace DB with "data structure stored in a flat file". Doesn't really
matter.

------
ogdan
You can use Tor to post to HN anonymously.

------
ketralnis
> HN sort of presents as being a "safe" place to post anonymously but it's an
> illusion.

I don't think I've seen that represented anywhere, and I don't think a news
site really should be

------
nvr219
It does.

~~~
forgottenacc57
Ok so in the event of an HN hack, real users will effectively be indirectly
DOXed?

~~~
literallycancer
IP addresses (can) change all the time, so the attacker would also need to
have a way to find out who had which address at the time of the post.

~~~
krapp
Plus, I would expect any HN user to be smart enough to use a proxy for alt
accounts.

