
> The national security certificate will secure protection of Kazakhstan users when using coded access protocols to foreign Internet resources.

How is this protecting users? They are outright lying here, if I understand correctly. Also why are they asking for my location?


> How is this protecting users?

It's protecting users from getting visits from Kazakhstan's security services for covertly communicating with foreign entities. That is, presuming that the content of their traffic isn't unwelcome by the security services, since otherwise, even with the use of the MitM certificate, they'll still get visits.

It's a really backwards way to customize a phone number on their site. They POST your geocode to their server and based on the city you're in change the area/country code. Quite a strange way to do it, but hey.

Remember they have your location anyway from your IP address.

The location associated with the IP address they see may not be your physical location by quite some margin.

If you are connecting via a mobile phone the address is likely to be registered as at one of the phone company's locations which could potentially be in a different state. For many home/office serving ISPs this is similar. Also, if you are using a VPN of some sort the address you present to the web server is quite disconnected from your physical location.

If on the other hand they request your location via your web access client and you agree, it will be using localisation APIs that may well know your location with some precision: using GPS if your device has it and has it turned on, or via wireless AP availability based lookups otherwise.

Then they think I am from London, my IP is But no, I am 200 miles away.


That makes it only more interesting. However, I assume, IP-based location isn't that granular?

It's very surprisingly granular. I logged dropped packets from my router's firewall for a week and looked up the origin locations with geoip for fun. Just plugging in the coordinates to Google Maps would zoom directly in on people's houses (sometimes in the middle of nowhere). I'm not sure it's 100% accurate, of course, but it sure seemed specific.

The actual data source will provide a country, state or sometimes even city and zipcode. Then whatever tool you're using to map drops a pin in the middle of that region. If you zoom in, you get whatever happens to be at the geographic center of whatever the mapping tool (probably Google Maps) thinks is the center. E.g., if it says "United States" and no other data, you get some random ass place in the middle of Kansas. Sometimes there can be more specific data, but just because you can keep zooming in doesn't mean that that's actually where it is.
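The point made in the comment above (a map pin is only the centre of whatever region the data source returned) as an added example that is not part of the thread: it labels each lookup by the most specific field actually populated and flags coordinates that several unrelated IPs share. The record layout, field names and sample values are constructed assumptions, not any GeoIP vendor's API.

```python
from collections import defaultdict

# Constructed lookup results for documentation-range IPs (RFC 5737); field
# names are assumptions modelled on a typical GeoIP "city" record.
LOOKUPS = [
    {"ip": "192.0.2.10",   "country": "US", "region": None, "city": None, "postal": None, "lat": 38.0, "lon": -97.0},
    {"ip": "198.51.100.7", "country": "US", "region": None, "city": None, "postal": None, "lat": 38.0, "lon": -97.0},
    {"ip": "203.0.113.99", "country": "US", "region": None, "city": None, "postal": None, "lat": 38.0, "lon": -97.0},
    {"ip": "192.0.2.44",   "country": "FI", "region": "18", "city": "Helsinki", "postal": None, "lat": 60.17, "lon": 24.94},
    {"ip": "198.51.100.3", "country": "US", "region": "XX", "city": "Exampleville", "postal": "00000", "lat": 40.01, "lon": -75.12},
]

LEVELS = ("postal", "city", "region", "country")  # most to least specific


def granularity(rec):
    """Most specific field the data source actually populated."""
    return next((lvl for lvl in LEVELS if rec.get(lvl)), "none")


def shared_pins(records, min_ips=3):
    """Coordinates returned for many distinct IPs: a region's centre point,
    not an address."""
    ips_at = defaultdict(set)
    for rec in records:
        ips_at[(rec["lat"], rec["lon"])].add(rec["ip"])
    return {pin for pin, ips in ips_at.items() if len(ips) >= min_ips}


def assess(records, min_ips=3):
    """Map each IP to (granularity, pin_is_centre_point)."""
    pins = shared_pins(records, min_ips)
    report = {}
    for rec in records:
        level = granularity(rec)
        # The pin is a centre point when the source gave nothing finer than
        # a region, or when unrelated IPs all land on the same spot.
        centre = level in ("region", "country", "none") or (rec["lat"], rec["lon"]) in pins
        report[rec["ip"]] = (level, centre)
    return report


if __name__ == "__main__":
    for ip, (level, centre) in assess(LOOKUPS).items():
        note = "region centre, zooming in is meaningless" if centre else f"at best the {level} centre"
        print(f"{ip:15} {level:8} {note}")
```

Even the rows not flagged as a centre point are precise only to the named level: the coordinates stand for the city or postal area, not a building.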

You're describing GeoIP derived from "public" information sources such as the physical address of the assigned entity or the location information provided to the registrar by the block owner.

However, there is a different kind of GeoIP that has the potential to be much more specific as to the location, based on a join between Internet traffic and transactions that target a specific location. E.g., when you purchase a physical item from an online vendor, with your house as the delivery address, they now have both your IP and location. Obviously for this to work it depends on a) the IP address remaining the same for some period of time and b) sharing of the necessary information to allow the join. AFAIK both are often true.

This just means that it's precise, not necessarily accurate.

I tried checking my current IP. It points me to some hotel in Helsinki. I'm about 500 km away from there.

On the other hand, my IP "resolves" via geoip to a city about 500 kilometers away, so I guess it depends on what database you use and what country.

The city it resolves to is where my ISP has their HQ.

In US (or is it just Comcast) - it is exact!

Seems Comcast maps IP (which they issue) to postal address to exact Geo coordinate.

Basically that and... I'd say when you don't share the location, they only have what's available publicly from GeoIP (via ISPs). When you do, your user agent actively tries to give them the best possible results (using GPS or anything else), that's the way I would put it.

Try normal Geo-IP (Maxmind) and it will show the local telco exchange.

I am sure the NSA does better but Kazakhstan? I have been inside one of their embassies to be shocked that they were watching the news on a black and white CRT TV!!!

Probably because they got sick of embassy staff stealing the TVs they kept buying for them. 8)

They have a location, it may or may not be related to your location.

Without in any way condoning the move, there is a lot of protection you can add with decrypted traffic. Malware analysis, DLP, etc.

But obviously the security as a whole has to consider the increased risk due to the centralized cert, disregarding entirely the fact that you're trusting a totalitarian government with all of your secrets...

At least they are honest - spying and not hiding it ;)

Well technically that's your browser blocking their location request and asking you if you want to let it go through. If they were honest they would say something like "we're about to request your location for x very useful thing that justifies giving up this piece of sensitive data"

Pretty much anything saying "for your protection", "for your safety" or "for your convenience" is a lie. It's a pretty common euphemism in the US too.
