Encrypted ClientHello (ECH) plugs a privacy-hole in TLS, hiding previously visible details from network observers. The most important being the name of the web-site the client wishes to visit (the Server Name Indication or SNI). This can be a major privacy leak, like when accessing a dissident news source hosted on a Content Delivery Network (CDN). A visible domain name also provides a straightforward method for censors to block websites and internet services.
[Read More]
Scanning apps, off the record
Smart phones have brought us so many wonderful capabilities. They let people around the world access vast realms of information. They let app developers solve problems large and small in a way most relevent to their local context. They are personal computers for the world. They also have given surveillance capitalism an unprecedented reach into everyone’s lives. Repressive governments use them in ways that the East German Stasi secret police could only have dreamed of.
[Read More]
The Search for Ethical Apps: Let's start with governments
Governments across the world are moving services to mobile apps. The vast majority of these apps are only available in the Google Play store or in the Apple App store. Installing apps from these services requires users to agree to their terms of service. This means governments require their citizens to sign opaque and privacy invading contracts with foreign Big Tech in order to use digital services. This feeds ever more into Big Tech data control, filtering, and information bubbles.
[Read More]
Debian over HTTPS
Debian’s package manager apt has a time-tested method of securely providing packages from the network built on OpenPGP signatures. Even though this signing method works well for verifying the indexes and package files, there are new threats that have become relevant as man-in-the-middle attacks and data mining become ever easier. Since 2013, apt developers have supported encrypted transport methods HTTPS and Tor Onion Service. We have been recommending their use since 2013.
[Read More]
Implementing TLS Encrypted Client Hello
As part of the DEfO project, we have been working on accelerating the development Encrypted Client Hello (ECH) as standardized by the IETF. ECH is the next step in improving Transport Layer Security (TLS). TLS is one of the basic building blocks of the internet, it is what puts the S in HTTPS. The ECH standard is nearing completion. That is exciting because ECH can encrypt the last plaintext TLS metadata that it is possible to encrypt.
[Read More]
New insights into clean analytics
There is a giant problem with the “collect it all” status quo that pervades on the Internet, this has been clear for a long time. Tracking people has become so widespread that organizations, communities, projects and university labs have sprung up dedicated to detecting and publicizing their presence. Data and analytics are clearly useful for software creators and funders, but they also easily lead to harming people’s privacy and well-being.
[Read More]
Tracking usage without tracking people
One thing that has become very clear over the past years is that there is a lot of value in data about people. Of course, the most well known examples these days are advertising and spy agencies, but tracking data is useful for many more things. For example, when trying to build software that is intuitive and easy to use, having real data about how people are using the software can make a massive difference when developers and designers are working on improving their software.
[Read More]
HOWTO: get all your Debian packages via Tor Onion Services
Following up on some privacy leaks that we looked into a while back, there are now official Debian Tor Onion Services for getting software packages and security updates, thanks to the Debian Sys Admin team. This is important for high risk use cases like TAILS covers, but also it is useful to make it more difficult to do some kinds of targeted attacks against high-security servers. The default Debian and Ubuntu package servers use plain HTTP with unencrypted connections.
[Read More]
Experimental app to improve privacy in location sharing
As part of the T2 Panic effort, I’ve recently been diving deep into the issues of sharing location. It is unfortunately looking really bad, with many services, including Google, frequently sharing location as plain text over the network. I’ve started to write up some of the issues on this blog.
As part of this, I’ve put together an experimental Android app that aims to act as a privacy filter for all ways of sharing location.
[Read More]
Sharing your location privately
Facebook location sharing embeds the location in every single message, providing a detailed log to the recipient, Facebook, and anyone Facebook shares that data with One handy feature that many smartphones give us is the ability to easily share our exact position with other people. You can see this feature in a lot of apps. Google Maps lets you click “Share” and send a URL via any method you have available.
[Read More]
A Weather Report On Security
How’s the weather outside? Sunny with a chance of IP blocking.
We recently launched a new initiative we’re calling: The Weather Repo. The goal of the project is for organizations to have a more accurate method of understanding whether the apps they’re using are “safe”. It’s hard to know whether apps that claim to be secure really are. Have they been vetted by a third party? Are there existing case studies?
[Read More]
Carrier Grade, Verizon and the NSA
Last week Glenn Greenwald at The Guardian broke the news that Verizon has been providing the NSA with metadata about all of the calls over a subsidiary’s network. This subsidiary is called Verizon Business Network Services. It is a privately held company that “owns, operates, monitors, and maintains data and Internet networks in North America, Europe, Asia, Latin America, Australia, Japan, and Africa. The company provides converged communication solutions, such as local and long-distance voice, messaging, and Internet access services.
[Read More]
Introducing InformaCam
These are interesting times, if you go by Times Magazine as an indicator. The magazine’s person of the year for 2011 was The Protester, preceded in 2010 by Facebook founder Mark Zuckerberg. Both entities partners with equal stake in freely sharing the digital content that shows the world what’s going on in it, at any time, from behind any pair of eyes.Also casting in their lot with the others is Time Magazine’s 2006 person of the year, You: the You that puts the “you” in “user-generated content;” the You whose miasma of bits, bytes, and the powerful images they express are becoming increasingly problematic.
[Read More]