-
6 votes
-
TOR Workshop - Sysadmin 101 for new relay operators - tonight, June 4th 2022 @ 19 UTC
3 votes -
Linux (In)security
10 votes -
Oildrop - A self-auditable userscript manager
13 votes -
Why does a completely local, self-contained html file need to access gstatic.com?
So, I'm a privacy advocate (or paranoiac, depending on your perspective). I run both uMatrix and NoScript plug-ins (among others) in my Firefox browser, so I can see when and where websites send...
So, I'm a privacy advocate (or paranoiac, depending on your perspective). I run both uMatrix and NoScript plug-ins (among others) in my Firefox browser, so I can see when and where websites send calls out to other locations, and block the ones I want ... google analytics, google fonts, google-apis, google tag manager, and gstatic are all ubiquitous out there, probably 99% of websites use at least one of them (PS: Tildes is in the 1%; yeay, Deimos).
And note ... there may well be nothing at all wrong with any of those sites/services ... but Google has a global all-encompassing Terms and Conditions policy that says, you use anything of Theirs, and They are allowed to harvest your personal data and make money off of it.
And I do not accept those terms.
Okay, that's the prologue. The deal is, I have a small piece of documentation, just basic "how to use this" info, for a WordPress plug-in. It is in .html format, with bundled bootstrap and jquery and a few other assets.
Nothing, anywhere in the entire folder, references gstatic. And yet when I open this local, on-my-computer-only html file ... my browser tells me that it is trying to connect to gstatic.com.
Anyone happen to know why/how that is happening?
4 votes -
Disclosure of a vulnerability in AI Dungeon that enabled accessing all users' private adventures, scenarios, and posts via its GraphQL API
16 votes -
Misinformation about Permissions Policy and FLoC
8 votes -
Automatic redaction of user data from logs and crash reports in CockroachDB
5 votes -
Is Firefox still a good (enough) browser for privacy?
Someone posted this on the privacy subreddit. I also ended up finding this and this after doing a bit of searching. As someone who isn’t in the CS/IT spheres (chemical engineering is my...
Someone posted this on the privacy subreddit. I also ended up finding this and this after doing a bit of searching. As someone who isn’t in the CS/IT spheres (chemical engineering is my background), Firefox has been my go-to browser for awhile, although I’m being made aware of the flaws of Firefox (most of which go over my head) and behavior of Mozilla. What can be done to fix this, especially considering that Firefox is the only FOSS browser with a significant user base?
22 votes -
Google should rotate their email DKIM keys periodically and publish past secret keys, in order to remove the unintended capability for authenticating years-old emails
16 votes -
EU Draft Council Declaration Against Encryption [pdf]
10 votes -
US Government Continues Encryption War
7 votes -
Replacing YouTube & Invidious
14 votes -
On not caring about your privacy
7 votes -
Create No-JavaScript friendly sites
22 votes -
Code is Speech?
10 votes -
Keybase, Zoom and Messaging
11 votes -
Why I Decided to Run a Tor Relay
9 votes -
Building a secure DNS infrastructure like SecureDNS.eu
5 votes -
Stripe is silently recording your movements on its customers' websites
14 votes -
MNT Reform open source, modular laptop crowdfunding campaign launches in February
9 votes -
Multiple Fortinet products communicate with FortiGuard services while only "encrypting" sensitive user data using XOR with a hardcoded key
9 votes -
How Facebook tracks you on Android
8 votes -
The PGP Problem
12 votes -
Notes on privacy and data collection of Matrix.org
12 votes -
An interesting study into how ads are fingerprinting your devices
16 votes -
How does Apple (privately) find your offline devices?
13 votes -
Tech veganism
19 votes -
Metadata Investigation: Inside Hacking Team
4 votes -
Tor Browser for Android 8.5 offers mobile users privacy boost
3 votes -
Apple arms web browser privacy torpedo, points it directly at Google's advertising model
4 votes -
Tracking cursor movement in browsers without JavaScript enabled
@davywtf: Here's a PoC that confirms my hunch. *Neither* of these windows use JavaScript but the position of the cursor in the left window is sent to the right window. This works on Tor Browser with JS disabled. https://t.co/cnfOy5OkUj
11 votes -
Timeliner: A personal data aggregation & personal data backup utility for Facebook, Google, Twitter, etc…
9 votes -
Intelligent Tracking Protection 2.1 in WebKit
4 votes -
OnionShare 2 released
7 votes -
Inrupt releases React SDK for Solid
6 votes -
Defcon 21 - Stalking a City for Fun and Frivolity [45:19]
7 votes -
4 critical tips for creating and implementing a privacy plan
5 votes -
Comparison between several messenger systems
9 votes -
GnuPG can now be used to perform notarial acts in the state of Washington
15 votes -
Reverse-engineering "Adware Doctor", the #4 app in the Mac App Store that's been surreptitiously stealing users' browser history
17 votes -
DNS Privacy
11 votes -
How I recorded user behaviour on my competitor’s websites
32 votes -
Docker for Mac and Windows requires Docker Store login
24 votes -
How many of you host your own email server? Do you recommend hosting one?
I was thinking of setting up my own email server, just for learning and privacy stuff. Which VPS provider would you recommend? What are the major challenges one might face while hosting own email?
24 votes -
Why the "I have nothing to hide." argument is flawed.
24 votes -
Best for Privacy: Local Recursive DNS vs Cloudflare's DNS over HTTPS
I'm trying to decide what option I prefer here in terms of privacy. I'm curious of other's opinions on the issue, and if anyone has a better solution to offer more privacy. Option 1: Hosting a...
I'm trying to decide what option I prefer here in terms of privacy. I'm curious of other's opinions on the issue, and if anyone has a better solution to offer more privacy.
Option 1: Hosting a local recursive DNS
I currently have a device running Pi-hole on my local network. I recently set it up as a recursive DNS server using unbound. This allows me to no longer rely on a public DNS such as GoogleDNS, OpenDNS, Cloudflare, etc. for my queries, and just point straight to the root servers.
Pro: I removed a "pair of eyes" (Public DNS) out of the equation
Con: All my queries are not encrypted so my ISP (and potentially others) can still see my DNS queries
Option 2: Using DNS over HTTPS (DoH) using Cloudflare's client
With this option I would use Cloudflare's cloudflared daemon they provide on their website. This would allow all my queries to be encrypted when sending them to Cloudflare.
Pro: Encrypted DNS queries from my local network -> Cloudflare's servers. My ISP can no longer see my DNS queries
Security Pro: Helps prevent MitM attacks
Con: I now have a Public DNS back in the equation, which I have to put some trust into. Also, my queries are most likely only encrypted from my local network -> Cloudflare's network. When Cloudflare has to do the recursion, those queries may be not encrypted (my assumption is they will most likely be not encrypted)
Possible Con: Does Server Name Indication (SNI) "leaking" apply to DNS queries at all? If so, then my query is revealed anyways right?
As a note, I am nowhere near an expert on the specifics of DNS, so some of my assumptions on how things work may be super wrong!
6 votes -
The Google H1 Fritz Chip
7 votes -
How well has John Perry Barlow's "Declaration of the Independence of Cyberspace" Aged?
Link: https://www.eff.org/cyberspace-independence Full Text: A Declaration of the Independence of Cyberspace by John Perry Barlow Governments of the Industrial World, you weary giants of flesh and...
Link: https://www.eff.org/cyberspace-independence
Full Text:
A Declaration of the Independence of Cyberspace
by John Perry BarlowGovernments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.
We have no elected government, nor are we likely to have one, so I address you with no greater authority than that with which liberty itself always speaks. I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear.
Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you. You do not know us, nor do you know our world. Cyberspace does not lie within your borders. Do not think that you can build it, as though it were a public construction project. You cannot. It is an act of nature and it grows itself through our collective actions.
You have not engaged in our great and gathering conversation, nor did you create the wealth of our marketplaces. You do not know our culture, our ethics, or the unwritten codes that already provide our society more order than could be obtained by any of your impositions.
You claim there are problems among us that you need to solve. You use this claim as an excuse to invade our precincts. Many of these problems don't exist. Where there are real conflicts, where there are wrongs, we will identify them and address them by our means. We are forming our own Social Contract. This governance will arise according to the conditions of our world, not yours. Our world is different.
Cyberspace consists of transactions, relationships, and thought itself, arrayed like a standing wave in the web of our communications. Ours is a world that is both everywhere and nowhere, but it is not where bodies live.
We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth.
We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity.
Your legal concepts of property, expression, identity, movement, and context do not apply to us. They are all based on matter, and there is no matter here.
Our identities have no bodies, so, unlike you, we cannot obtain order by physical coercion. We believe that from ethics, enlightened self-interest, and the commonweal, our governance will emerge. Our identities may be distributed across many of your jurisdictions. The only law that all our constituent cultures would generally recognize is the Golden Rule. We hope we will be able to build our particular solutions on that basis. But we cannot accept the solutions you are attempting to impose.
In the United States, you have today created a law, the Telecommunications Reform Act, which repudiates your own Constitution and insults the dreams of Jefferson, Washington, Mill, Madison, DeToqueville, and Brandeis. These dreams must now be born anew in us.
You are terrified of your own children, since they are natives in a world where you will always be immigrants. Because you fear them, you entrust your bureaucracies with the parental responsibilities you are too cowardly to confront yourselves. In our world, all the sentiments and expressions of humanity, from the debasing to the angelic, are parts of a seamless whole, the global conversation of bits. We cannot separate the air that chokes from the air upon which wings beat.
In China, Germany, France, Russia, Singapore, Italy and the United States, you are trying to ward off the virus of liberty by erecting guard posts at the frontiers of Cyberspace. These may keep out the contagion for a small time, but they will not work in a world that will soon be blanketed in bit-bearing media.
Your increasingly obsolete information industries would perpetuate themselves by proposing laws, in America and elsewhere, that claim to own speech itself throughout the world. These laws would declare ideas to be another industrial product, no more noble than pig iron. In our world, whatever the human mind may create can be reproduced and distributed infinitely at no cost. The global conveyance of thought no longer requires your factories to accomplish.
These increasingly hostile and colonial measures place us in the same position as those previous lovers of freedom and self-determination who had to reject the authorities of distant, uninformed powers. We must declare our virtual selves immune to your sovereignty, even as we continue to consent to your rule over our bodies. We will spread ourselves across the Planet so that no one can arrest our thoughts.
We will create a civilization of the Mind in Cyberspace. May it be more humane and fair than the world your governments have made before.
Davos, Switzerland
February 8, 19966 votes -
Firefox 62 Nightlies: Improving DNS Privacy in Firefox
Firefox recently introduced DNS over HTTPS (DoH) and Trusted Recursive Resolver (TRR) in nightly builds for Firefox 62. DoH and TRR are intended to help mitigate these potential privacy and...
Firefox recently introduced DNS over HTTPS (DoH) and Trusted Recursive Resolver (TRR) in nightly builds for Firefox 62.
DoH and TRR are intended to help mitigate these potential privacy and security concerns:
- Untrustworthy DNS resolvers tracking your requests, or tampering with responses from DNS servers.
- On-path routers tracking or tampering in the same way.
- DNS servers tracking your DNS requests.
DNS over HTTPs (DoH) encrypts DNS requests and responses, protecting against on-path eavesdropping, tracking, and response tampering.
Trusted Recursive Resolver (TRR) allows Firefox to use a DNS resolver that's different from your machines network settings. You can use any recursive resolver that is compatible with DoH, but it should be a trusted resolver (one that won't sell users’ data or trick users with spoofed DNS). Mozilla is partnering with Cloudflare (but not using the 1.1.1.1 address) as the initial default TRR, however it's possible to use another 3rd party TRR or run your own.
Cloudflare is providing a recursive resolution service with a pro-user privacy policy. They have committed to throwing away all personally identifiable data after 24 hours, and to never pass that data along to third-parties. And there will be regular audits to ensure that data is being cleared as expected.
Additionally, Cloudflare will be doing QNAME minimization where the DNS resolver no longer sends the full original QNAME (foo.bar.baz.example.com) to the upstream name server. Instead it will only include the label for the zone it's trying to resolve.
For example, let's assume the DNS resolver is trying to find foo.bar.baz.example.com, and already knows that ns1.nic.example.com is authoritative for .example.com, but does not know a more specific authoritative name server.
- It will send the query for just baz.example.com to ns1.nic.example.com which returns the authoritative name server for baz.example.com.
- The resolver then sends a query for bar.baz.example.com to the nameserver for baz.example.com, and gets a response with the authoritative nameserver for bar.baz.example.com
- Finally the resolver sends the query for foo.bar.baz.example.com to bar.baz.example.com's nameserver.
In doing this the full queried name (foo.bar.baz.example.com) is not exposed to intermediate name servers (bar.baz.example.com, baz.example.com, example.com, or even the .com root nameservers)
Collectively DNS over HTTPs (DoH), Trusted Recursive Resolver (TRR), and QNAME Minimization are a step in the right direction, this does not fix DNS related data leaks entirely:
After you do the DNS lookup to find the IP address, you still need to connect to the web server at that address. To do this, you send an initial request. This request includes a server name indication, which says which site on the server you want to connect to. And this request is unencrypted.
That means that your ISP can still figure out which sites you’re visiting, because it’s right there in the server name indication. Plus, the routers that pass that initial request from your browser to the web server can see that info too.So How do I enable it?
DoH and TRR can be enabled in Firefox 62 or newer by going to about:config:- Set network.trr.mode to 2
- Here's the possible network.trr.mode settings:
- 0 - Off (default): Use standard native resolving only (don't use TRR at all)
- 1 - Race: Native vs. TRR. Do them both in parallel and go with the one that returns a result first.
- 2 - First: Use TRR first, and only if the name resolve fails use the native resolver as a fallback.
- 3 - Only: Only use TRR. Never use the native (after the initial setup).
- 4 - Shadow: Runs the TRR resolves in parallel with the native for timing and measurements but uses only the native resolver results.
- 5 - Off by choice: This is the same as 0 but marks it as done by choice and not done by default.
- Here's the possible network.trr.mode settings:
- Set network.trr.uri to your DoH Server:
- Cloudflare’s is https://mozilla.cloudflare-dns.com/dns-query
(but you can use any DoH compliant endpoint)
- Cloudflare’s is https://mozilla.cloudflare-dns.com/dns-query
- The DNS Tab on about:networking will show which names were resolved using TRR via DoH.
Links:
A cartoon intro to DNS over HTTPS
Improving DNS Privacy in Firefox
DNS Query Name Minimization to Improve Privacy
TRR PreferencesI'm not affiliated with Mozilla or Firefox, I just thought ~ would find this interesting.
13 votes