Can an attacker use my /etc/machine-id?

I am writing software that should uniquely identify several different machines. I planned to use /etc/machine-id for this.

While reading the docs for the machine id, I came across this passage:

This identifier uniquely identifies the host. It should be considered “confidential” and should not be exposed in untrusted environments, in particular on a network. If a stable unique identifier associated with a machine is required for any application, the machine identifier or any part of it should not be used directly. Instead, the machine identifier should be hashed using a cryptographic key hash function using a fixed application key.

Is this really so? If so, what can an attacker do with a machine identifier? I am not very good at D-Bus, but I got the impression that this is only for IPC, and therefore I'm not sure why it really matters if a remote attacker knew the machine ID. I planned to send/store these unencrypted, but probably will not, if this is a security issue.

Edit: This question was answered here by someone familiar with the problem. Basically, the recommendation on the man page is there just for privacy reasons, and not because of any actual security problems.

+6
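The keyed hashing that the quoted man page passage recommends, as an added example that is not part of the original question or of the systemd documentation. The HMAC-SHA256 construction, the function names, the two application keys and the sample machine ID are assumptions chosen for illustration.

```python
import hashlib
import hmac
import re
import uuid

MACHINE_ID_RE = re.compile(r"[0-9a-f]{32}")


def parse_machine_id(text):
    """Validate machine-id file content: 32 lowercase hex characters."""
    value = text.strip()
    if not MACHINE_ID_RE.fullmatch(value):
        # Covers an empty file and the literal "uninitialized" marker
        # that can be present on images before first boot.
        raise ValueError("machine-id is missing or not initialized")
    if value == "0" * 32:
        raise ValueError("all-zero machine-id is not valid")
    return bytes.fromhex(value)


def app_specific_id(machine_id, app_key):
    """Keyed hash of the machine ID under a fixed per-application key."""
    if len(app_key) < 16:
        raise ValueError("application key should be at least 16 bytes")
    digest = hmac.new(app_key, machine_id, hashlib.sha256).digest()
    # Truncate to 128 bits and render it in UUID layout for storage.
    return str(uuid.UUID(bytes=digest[:16]))


def read_machine_id(path="/etc/machine-id"):
    """Read and validate the ID from disk (not called in the demo below)."""
    with open(path, encoding="ascii") as fh:
        return parse_machine_id(fh.read())


# Constructed sample values, not taken from any real host or product.
SAMPLE_MACHINE_ID = "0123456789abcdef0123456789abcdef\n"
APP_KEY_A = bytes.fromhex("a1" * 16)
APP_KEY_B = bytes.fromhex("b2" * 16)

if __name__ == "__main__":
    mid = parse_machine_id(SAMPLE_MACHINE_ID)
    # Same host, two applications: stable per app, unlinkable across apps.
    print("app A:", app_specific_id(mid, APP_KEY_A))
    print("app B:", app_specific_id(mid, APP_KEY_B))
```

The derived value is stable for one application on one host, while two applications with different keys get identifiers that cannot be correlated with each other or with the raw machine ID, which is the privacy property the edit above refers to.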