First Time Using CalyxOS Review

 Posted on April 3, 2024  |  H. Still

“But how are you planning on using the phone?” he asked me. I paused, a bit confused. “As a replacement for my iPhone. I want to do everything with this phone that I can do with my iPhone, and use it as I normally would.” He took a beat to respond, “Wow, alright. Well let’s give it a shot.” I would describe myself as tech-curious, but the reality is I am not your typical CalyxOS user. [Read More]
Android  CalyxOS  F-Droid  microG  Mobifree  usability 

IETF119 Conference Report: Monday March 18, 2024

 Posted on March 18, 2024  |  David Oliver

It’s Opening Day of the 119th IETF meeting in Brisbane Australia. This post commences a daily rundown of privacy and Internet Freedom activities at this IETF meeting. For the rundown on IETF119 Hackathon, see my Hackathon report Dispatch IETF meetings don’t often kick off with the open dispatch but this time it happened. Dispatch sessions are meant to help specification authors find a home for their work if a home isn’t obvious. [Read More]
standards development  IETF  privacy 

IETF119 Conference Report: Hackathon March 17, 2024

 Posted on March 17, 2024  |  David Oliver

Hackathon Weekend at the 119th IETF meeting in Brisbane Australia. This post commences a daily rundown of privacy and Internet Freedom activities at this IETF meeting. IETF’s Hackathon, held at each face-to-face IETF meeting, is designed to encourage interoperability testing of standards under development. See this meeting’s wiki page for a description ofthis year’s twenty-four projects. The The HTTP Signature Authentication Scheme has been winding its way through the HTTPbis Working Group since being adopted as a Working Group draft in July 2022. [Read More]
standards development  IETF  privacy 

The future of our fdroid-compatible app repository

 Posted on February 24, 2024  |  eighthave

Guardian Project has been running its own fdroid-compatible app repository since 2012. Up until now, we worked to ensure that our repository had the same standards of free software as the official F-Droid repository. Therefore, the Guardian Project repository was included in the official F-Droid client app by default. A lot has changed since then, for the better. F-Droid has long since stopped shipping pre-built binaries from any provider. Back in the day, F-Droid shipped some binaries, like Mozilla’s Firefox APKs, and allowed some non-free libraries in apps. [Read More]
Android  F-Droid  fdroid  free software  net.opendasharchive.openarchive.release  open source  org.article19.circulo  org.havenapp.main  org.torproject.android  org.torproject.torbrowser  org.witness.proofmode  privacy 

Quick set up guide for Encrypted Client Hello (ECH)

 Posted on November 10, 2023  |  jochensp

The Encrypted Client Hello (ECH) mechanism draft-spec is a way to plug a few privacy-holes that remain in the Transport Layer Security (TLS) protocol that’s used as the security layer for the web. OpenSSL is a widely used library that provides an implementation of the TLS protocol. The DEfO project has developed an implementation of ECH for OpenSSL, and proof-of-concept implementations of various clients and servers that use OpenSSL, and other TLS libraries, as a demonstration and for interoperability testing. [Read More]
curl  DEfO  ECH  free software  nginx  open source  OpenSSL  privacy  resilience  TLS 

DEfO - Developing ECH for OpenSSL (round two)

 Posted on November 9, 2023  |  Stephen Farrell

Encrypted ClientHello (ECH) plugs a privacy-hole in TLS, hiding previously visible details from network observers. The most important being the name of the web-site the client wishes to visit (the Server Name Indication or SNI). This can be a major privacy leak, like when accessing a dissident news source hosted on a Content Delivery Network (CDN). A visible domain name also provides a straightforward method for censors to block websites and internet services. [Read More]
Apache  Conscrypt  curl  DEfO  ECH  F-Droid  free software  HAProxy  IETF  metadata  nginx  open source  OpenSSL  privacy  resilience  TLS 

FIFA2023 Report

 Posted on November 3, 2023  |  Cacu, Happy and Paul

Forum on Internet Freedom in Africa (FIFAfrica) organized by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) took place in September 26-29, 2023 in Dar es Salaam, Tanzania at the Hyatt Regency Hotel. The first two days - the 26th and 27th of September - were invite only. The rest of the days - 28th and 29th of September - were meant for all the other participating attendees. [Read More]
FIFAfrica  ButterBox  Circulo  Proofmode  Community  F-Droid 

Achieve Onion Layers of Security with the Triad of Apple-tizing Apps!

 Posted on July 25, 2023  |  Intern Alfred

Our summer intern Alfred just graduated high-school and is preparing to attend a major university to focus on a technical degree. He has a personal interest in privacy and security, and is working with us on a variety of projects this summer as part of a broad, crash-course in all things Guardian Project! Last week, I worked with three different apps for the iPhone that, when they work together, allow for a secure and private mobile internet experience. [Read More]
usability  torproject  orbot  ios  iphone  apple 

Improving website resilience with LibResilient and IPFS

 Posted on June 15, 2023  |  uniq

We’re always looking for techniques to make services more resilient to all sorts of issues. That’s why we took special interest in LibResilient and mapped out it’s capabilities. It’s a JavaScript library for decentralized content delivery in web-browsers and markets itself as easy to deploy to any website. We’ve looked at LibResilient primarily in the context of static websites. While it should work with dynamic websites too, that was out of focus for us. [Read More]
censorship  censorship circumvention  circumvention  filecoin  free software  IPFS  open source  resilience 

EU should not require sharing unpatched vulnerabilities

 Posted on June 11, 2023  |  EDRi.org

We, the undersigned organisations, write to express our concern with vulnerability disclosure requirements under the proposed Cyber Resilience Act (CRA). The CRA’s objective to encourage software publishers to patch vulnerabilities and report cyber incidents is salutary. However, the CRA’s mandatory disclosure of unmitigated vulnerabilities will undermine the security of digital products and the individuals who use them. The CRA would require organisations to disclose software vulnerabilities to government agencies within 24 hours of exploitation (Cyber Resilience Act, Articles 11. [Read More]
security  vulnerability 

Improving Usability of Tor on Smartphones in Latin America

 Posted on June 2, 2023  |  Fabiola, Carrie, and Nathan

Between 2022 and 2023 Guardian Project, with support from Okthanks and the Tor Project, organized and participated in a total of 12 workshops in Ecuador, Mexico and Brazil with the participation of 161 people. The workshops focused both on the broad topic of “Tor for Smartphones”, while also taking deeper dives into specific topics like virtual private networks VPNs) and anonymous web browsing. Through a variety of methods, we gathered feedback from the participants in each of those sessions. [Read More]
usability  torproject  orbot  latinamerica 

IETF116 Conference Report: Friday March 31, 2023

 Posted on April 4, 2023  |  David Oliver

Day Five of the 116th IETF meeting in Yokohama Japan. For the rundown on Day Four, see my daily report. With a lot of focus on privacy with respect to Internet protocols, novel new cryptography schemes are an important requirement for new protocol designs. For example, Privacy Preserving Measurement is relying on new cryptography to support distributed aggregation of a wide range of measurements in the advertising domain as well as application telemetry. [Read More]
standards development  IETF  privacy 

IETF116 Conference Report: Thursday March 30, 2023

 Posted on March 30, 2023  |  David Oliver

Day Four of the 116th IETF meeting in Yokohama Japan. For the rundown on Day Three, see my daily report. The IETF is getting serious about interoperability among messaging services (this might have had something to do with it). The charter for the Messaging Layer Security Working Group (MLS) specifically excluded interoperability, though the group organized a draft that addressed the basic concepts that would allow MLS-compatible systems to federate. In early 2023, a new Working Group - More Instant Messaging Interoperability (MIMI) - was chartered to expand on the MLS federation work. [Read More]
standards development  IETF  privacy 

IETF116 Conference Report: Wednesday March 29, 2023

 Posted on March 30, 2023  |  David Oliver

Day Three of the 116th IETF meeting in Yokohama Japan. For the rundown on Day Two, see my daily report. The long-running work on MASQUE - proxying all network-layer datatypes over QUIC (HTTP/3) - is nearing completion, with the specification for Proxying IP in HTTP in IESG review. With these components in place, the original MASQUE concept - a non-probable relay for client traffic providing privacy guarantees - has been revived, now defined within the new framework and leveraging HTTP Unprompted Authentication. [Read More]
standards development  IETF  privacy 

IETF116 Conference Report: Tuesday March 28, 2023

 Posted on March 29, 2023  |  David Oliver

Day Two of the 116th IETF meeting in Yokohama Japan. For the rundown on Day One, see my daily report. The OHAI Working Group has submitted the core draft of Oblivious HTTP Application Intermediation to the RFC Editor for editorial finalization and publication. OHAI is designed to support transational uses of the HTTP protocol that seek IP address privacy (by means of a relay pair, one associated with the client and one associated with the target resource). [Read More]
standards development  IETF  privacy  OpenSSL 

IETF116 Conference Report: Monday March 27, 2023

 Posted on March 28, 2023  |  David Oliver

This post begins a daily blog, live from the 116th meeting of the Internet Engineering Task Force in Yokohama, Japan, March 25-31, 2023. We’re focusing on standards activities of importance to the Internet Freedom community. Since IETF114 (report), the Privacy Preserving Measurement Working Group has been deliberating over two distinct proposals offering very different technical methodologies for undertaking measurement activities while respecting user privacy. STAR offers an approach called k-anonymity - reporting a measurement value only if k or more parties are also reporting the same value. [Read More]
standards development  privacy-preserving measurement  IETF  privacy 

Arti, next-gen Tor on mobile

 Posted on March 4, 2023  |  uniq

For software projects with recurring bugs, efficiency or security issues there’s a joke making the rounds in the software industry: “Let’s re-write it in Rust!” It’s a fairly new low-level programming language with the declared goal to help developers avoid entire classes of bugs, security issues and other pitfalls. Re-writing software is very time consuming, so it rarely happens, especially when just one more fix will keep a project up and running. [Read More]
Android  Tor  Privacy  open source  pluggable transports  rust 

Steps towards trusted VPNs

 Posted on February 28, 2023  |  Hans-Christoph Steiner

VPNs have become quite popular in recent years for a number of reasons, and more and more they are being touted as a privacy tool. The question is whether using a VPN does improve privacy. It is clear that VPNs are quite useful for getting access to things on the internet when direct connections are blocked. VPN providers include a number of tactics in both their client apps and server infrastructure to ensure that their users are able to make a connection. [Read More]
Android  circumvention  F-Droid  free software  MASQUE  open source  OpenVPN  privacy  security  Tor  VPN  WireGuard 

Scanning apps, off the record

 Posted on September 28, 2022  |  Hans-Christoph Steiner

Smart phones have brought us so many wonderful capabilities. They let people around the world access vast realms of information. They let app developers solve problems large and small in a way most relevent to their local context. They are personal computers for the world. They also have given surveillance capitalism an unprecedented reach into everyone’s lives. Repressive governments use them in ways that the East German Stasi secret police could only have dreamed of. [Read More]
Android  F-Droid  GitLab  issuebot  metadata  privacy  The Search for Ethical Apps  Tracking the Trackers 

The Search for Ethical Apps: Let's start with governments

 Posted on September 1, 2022  |  Hans-Christoph Steiner

Governments across the world are moving services to mobile apps. The vast majority of these apps are only available in the Google Play store or in the Apple App store. Installing apps from these services requires users to agree to their terms of service. This means governments require their citizens to sign opaque and privacy invading contracts with foreign Big Tech in order to use digital services. This feeds ever more into Big Tech data control, filtering, and information bubbles. [Read More]
Android  apkeep  EFF  Exodus Privacy  F-Droid  ITUJ  LfDI-BW  metadata  mobilsicher  NGI0-discovery  NLnet  Pithus  privacy  TechLore Plexus  The Search for Ethical Apps  tracking  Tracking-the-Trackers