Why doesn’t every computer have 256 char domain name, along with a private key to prove it is the sole owner of the address?
Edits: For those technically inclined: Stuff like DHCP seems unnecessary if every device has a serial number based address that’s known not to collide. It seems way more simple and faster than leasing dynamic addresses. On top of that with VOIP I can get phone calls even without cell service, even behind a NAT. Why is the network designed in such a way where that is possible, but I can’t buy a static address that will persist across networks endpoint changes (e.g. laptop connecting to a new unconfigured wifi connection) such that I can initiate a connection to my laptop while it is behind a NAT.
- Yes, it would be a privacy nightmare, I want to know why it didnt turn out that way
- When I say phone number, I mean including area/country code
- AFAIK IP addresses (even static public ones) are not equivlent to phone numbers. I don’t get a new phone number every time I connect to a new cell tower. Even if a static IP is assigned to a device, my understanding is that connecting the device to a new uncontrolled WiFi, especially a router with a NAT, will make it so that people who try to connect to the static IP will simply fail.
- No, MAC addresses are not equivalent phone numbers. 1. Phone numbers have one unique owner, MAC addresses can have many owners because they can be changed at any time to any thing on most laptops. 2. A message can’t be sent directly to a MAC address in the same way as a phone number
- Yes, IMEI is unique, but my laptop doesn’t have one and even if it did its not the same as an eSim or sim card. We can send a message to an activated Sim, we can’t send a message to an IMEI or serial number
You have some misconceptions about how phone numbers actually work. I’d say the closest thing to a phone number computers have is a domain name.
IPv4 used to hand out uniquely addressable IP addresses to every computer. Then IPv4 ran out of address space too fast, because it was too successful and blocks of millions of IP addresses were sold off in the first few years to big companies, and IPv6 was invented. Unfortunately, early IPv6 lacked a lot of features and NAT trash become the norm instead.
With IPv6, every household can have a couple billion IP addresses. It’s very hard to run out of IPv6 addresses. With modern IPv6 privacy enhancements, you typically have multiple addresses (a static one for receiving traffic and a bunch of random ones for outgoing traffic so you can’t get tracked as easily) with at least one derived from your network adapter’s MAC address.
Computer connected to cell networks (embedded LTE modems and such) actually have phone numbers. Most of the time they’re just administrative numbers that don’t do anything, but they’re still there.
You do seem to have some misconceptions about phone numbers, though. They can be spoofed easily, for one. They can also be shared between hundreds of people (your average call center) or exist but be unroutable. They’re not tied to your SIM at all, they’re actually tied to your current session (which is derived from identifiers such as IMEI and IMSI, the latter of which can be dynamic, the former of which can be spoofed). You also don’t own a phone number; your carrier does, and many offer portability, but you don’t own the number yourself.
In theory they can even be duplicate: phone numbers in two countries can be exactly the same. You’d say “but there’s a country code prefix”, but the prefix you need to add in front of a phone number is different for every country. In most of the world, prepending a call with “00” (aka “+”, in the +12223334445 phone numbers) followed by a country code will make an international number, but in some countries, you would dial the American number “222 333 4445” by calling “810 1 222 333 4445” while in most of the world that’d be “00 1 222 333 4445”. This makes international phone numbers variable, depending on where the other party is calling from, and introduces potential conflicts. Consider a country where the IDD is 810: someone could theoretically have a local phone number “00 1 222 333 4445”, which looks like an North American international phone number, but isn’t!
Most web developers assume the IDD is always +/00 and that’s wrong. An international phone number is not always reachable through a 00 prefix and if you write a dialer, you’ll end up calling different people depending on what country you run your dialer in.
You also don’t need a phone number to call another phone in internet telephony. Sending a couple of SIP packets to the right IP address can set up a call to many home lines without paying a dime to any carrier, for instance. To do so, you need to know the IP address and SIP user of the remote party (typically a “land-line” modem) and the remote side needs to not have firewalled off their SIP port, but there are many cases in which you can enter steve1234@1.2.3.4 into dialer software and call someone without even having a phone number of your own.
As for your edits:
the privacy nightmare still exists in IPv6 without privacy extensions
dynamic phone numbers are completely possible, just not common
MAC addresses are more akin to IMEI numbers. IP addresses are more akin to IMSI numbers
The closest thing to a phone number for computers is probably a domain name: something someone can reserve, gets routed to the right session (IMSI), and can be shared, non-existent, and spoofed. It’s registered with a service provider for routability (whoever sets up DNS servers) just like with phone numbers (phones don’t have DNS, but SS7 access will allow you to make a phone number reachable even if you don’t own it!).
Unlike phone networks, computers don’t need domain names to address each other. We’ve mostly skipped the “paying money to register a name” part of computer networks because we didn’t need to. For some applications, like email, XMPP/Matrix, and the Fediverse, this was very much necessary; for machine to machine interaction, it apparently wasn’t.
Thank you for such a long and detailed post! I indeed did not know about things beyond the SIM, and I didn’t know about the extra details about the country codes either. That is extremely interesting to me.
With the phone spoofing though, does that mean two factor with a phone number is basically useless? If I had authentication based on a MAC address, it would take seconds to break it. But I think, and sure hope, that auth based on phone numbers is more secure.
I think your domain name answer – that for the most part computers didnt need them – is a very satisfying answer.
Spoofing is mostly done outbound. Anyone with enough money to buy SS7 line access can redirect almost any phone line in the world, though. It’s not cheap to get access to a network like that, but it’s also far from impossible. SIM jacking is a lot cheaper and just as effective, though.
Phone 2FA is better than nothing, but worse than almost all other options. Turn it on if it’s the only 2FA method, better leave it off if you can use TOTP or another 2FA mechanism.
Wow that’s super interesting to know. So its still got some resistance, but a lot less than I thought. Thanks again for sharing!
Phone number 2FA isn’t useless, insomuch as it’s better than no 2FA at all, but it is easily the worst form of 2FA because SIM jacking (usually involves a scammer tricking a customer service agent into migrating your phone number to their device instead of yours in order to intercept the 2FA messages) is laughably simple using easily acquired info such as your DOB, address, and last 4 of your SSN.
If phone 2FA is the only option, use it. But don’t use it if you have any other option.