• Resolved janadams76

    (@janadams76)


    We came up with a solution to encrypt the IPs in the Database and to return a hashed value in the backend output to make Wordfence GDPR Compliant. It’s just a basic variant, where the last 2 bytes of the backend output are hashed (not xed or smth). It still looks like the real deal, but if you compare your actual IP address you will see.

    `wp-content/plugins/wordfence/lib/wfUtils.php`

    ```php
    public static function inet_pton($ip) {
        // convert the 4 char IPv4 to IPv6 mapped version.
        $pton = str_pad(self::hasIPv6Support() ? @inet_pton($ip) : self::_inet_pton($ip), 16,
            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x00\x00", STR_PAD_LEFT);
        //ahn
        // replace the last 2 bytes with the first 2 bytes of md5 over the full packed address
        $pton = substr($pton, 0, 14) . substr(hash('md5', $pton, true), 0, 2);
        ///ahn
        return $pton;
    }
    ```

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Wordfence Security

    (@mmaunder)

    Hi,

    Hashing the last two bytes of an IP address gives you entropy of 2^16. That means it’ll take just 65536 guesses to reverse the hash back to an IP address. That’ll take a few hundredths of a second per IP address.

    Even if you hash the entire IP, same issue. It’s 4294967296 guesses per IP and you can exclude a lot of the entire address space. So it won’t take long to reverse any individual IP or the whole lot.

    So hashing is just a measure that lets you pretend you aren’t storing the ip when in fact you are. You may as well ZIP compress them and claim you no longer have the IP address, because it’ll take about as long to reverse the IPs from hashes.

    Don’t confuse ‘encrypt’ with ‘obfuscate’, which is really what you’re doing here.

    One of our senior devs also commented that this will break a lot of things in the plugin because we use that function in a lot of areas for comparisons – so this will lead to false matches.

    Mark.

    Plugin Author Wordfence Security

    (@mmaunder)

    Marking as resolved.

    Plugin Author Wordfence Security

    (@mmaunder)

    Also it looks like you’re not using the full hash but just a few bytes. That would potentially cause collisions.
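    Mark's two objections above, the 65536 guesses needed to reverse the output and the collisions that cause false matches, as an added worked example that is not code from this thread or from Wordfence: it reimplements the posted inet_pton() change in Python and runs it over a constructed address from the 203.0.113.0/24 documentation range.

    ```python
    import hashlib
    import ipaddress
    from collections import defaultdict


    def obfuscate_pton(ip: str) -> bytes:
        """Reimplementation of the posted change: IPv4-mapped IPv6 packed form,
        last 2 bytes replaced by the first 2 bytes of md5 over the full 16 bytes."""
        pton = ipaddress.ip_address(ip).packed
        if len(pton) == 4:
            pton = b"\x00" * 10 + b"\xff\xff" + pton   # what str_pad(..., 16, ..., STR_PAD_LEFT) produces
        return pton[:14] + hashlib.md5(pton).digest()[:2]


    def recover_candidates(obfuscated: bytes) -> list[str]:
        """Reverse the scheme the way Mark describes: the first 14 bytes are still
        in the clear, so only 2^16 values remain for the hashed tail. Every
        IPv4 address whose obfuscated form matches is returned."""
        prefix = obfuscated[:14]
        hits = []
        for tail in range(65536):
            candidate = prefix + tail.to_bytes(2, "big")
            if candidate[:14] + hashlib.md5(candidate).digest()[:2] == obfuscated:
                hits.append(str(ipaddress.ip_address(candidate[12:])))
        return hits


    def false_match_stats(first_two: bytes) -> tuple[int, int]:
        """Obfuscate every address in the /16 starting with first_two and report
        (distinct outputs, addresses sharing an output with another address).
        Fewer than 65536 distinct outputs means comparisons of stored values
        will produce false matches."""
        counts: dict[bytes, int] = defaultdict(int)
        for tail in range(65536):
            counts[obfuscate_pton(str(ipaddress.ip_address(first_two + tail.to_bytes(2, "big"))))] += 1
        colliding = sum(n for n in counts.values() if n > 1)
        return len(counts), colliding


    if __name__ == "__main__":
        stored = obfuscate_pton("203.0.113.7")        # constructed sample address
        print("stored value:", stored.hex())
        print("addresses reversing to it:", recover_candidates(stored))
        distinct, colliding = false_match_stats(b"\xcb\x00")   # 203.0.0.0/16
        print(f"{distinct} distinct outputs for 65536 addresses, {colliding} addresses collide")
    ```

    The reversal loop completes in well under a second, and the /16 sweep shows that the 2-byte tail cannot distinguish 65536 addresses, which is the false-match problem the senior dev raised.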

  • The topic ‘GDPR Solution’ is closed to new replies.