DEfO - Developing ECH for OpenSSL (round two)

 Posted on November 9, 2023  |  Stephen Farrell

Encrypted ClientHello (ECH) plugs a privacy-hole in TLS, hiding previously visible details from network observers. The most important being the name of the web-site the client wishes to visit (the Server Name Indication or SNI). This can be a major privacy leak, like when accessing a dissident news source hosted on a Content Delivery Network (CDN). A visible domain name also provides a straightforward method for censors to block websites and internet services. [Read More]
Apache  Conscrypt  curl  DEfO  ECH  F-Droid  free software  HAProxy  IETF  metadata  nginx  open source  OpenSSL  privacy  resilience  TLS 

Scanning apps, off the record

 Posted on September 28, 2022  |  Hans-Christoph Steiner

Smart phones have brought us so many wonderful capabilities. They let people around the world access vast realms of information. They let app developers solve problems large and small in a way most relevent to their local context. They are personal computers for the world. They also have given surveillance capitalism an unprecedented reach into everyone’s lives. Repressive governments use them in ways that the East German Stasi secret police could only have dreamed of. [Read More]
Android  F-Droid  GitLab  issuebot  metadata  privacy  The Search for Ethical Apps  Tracking the Trackers 

The Search for Ethical Apps: Let's start with governments

 Posted on September 1, 2022  |  Hans-Christoph Steiner

Governments across the world are moving services to mobile apps. The vast majority of these apps are only available in the Google Play store or in the Apple App store. Installing apps from these services requires users to agree to their terms of service. This means governments require their citizens to sign opaque and privacy invading contracts with foreign Big Tech in order to use digital services. This feeds ever more into Big Tech data control, filtering, and information bubbles. [Read More]
Android  apkeep  EFF  Exodus Privacy  F-Droid  ITUJ  LfDI-BW  metadata  mobilsicher  NGI0-discovery  NLnet  Pithus  privacy  TechLore Plexus  The Search for Ethical Apps  tracking  Tracking-the-Trackers 

Debian over HTTPS

 Posted on December 8, 2021  |  Hans-Christoph Steiner

Debian’s package manager apt has a time-tested method of securely providing packages from the network built on OpenPGP signatures. Even though this signing method works well for verifying the indexes and package files, there are new threats that have become relevant as man-in-the-middle attacks and data mining become ever easier. Since 2013, apt developers have supported encrypted transport methods HTTPS and Tor Onion Service. We have been recommending their use since 2013. [Read More]
Debian  metadata  privacy  TLS 

Implementing TLS Encrypted Client Hello

 Posted on November 30, 2021  |  Hans-Christoph Steiner

As part of the DEfO project, we have been working on accelerating the development Encrypted Client Hello (ECH) as standardized by the IETF. ECH is the next step in improving Transport Layer Security (TLS). TLS is one of the basic building blocks of the internet, it is what puts the S in HTTPS. The ECH standard is nearing completion. That is exciting because ECH can encrypt the last plaintext TLS metadata that it is possible to encrypt. [Read More]
Android  Apache  BoringSSL  Conscrypt  DEfO  ECH  ESNI  IETF  metadata  nginx  OpenSSL  privacy  TLS 

New insights into clean analytics

 Posted on March 2, 2021  |  Hans-Christoph Steiner

There is a giant problem with the “collect it all” status quo that pervades on the Internet, this has been clear for a long time. Tracking people has become so widespread that organizations, communities, projects and university labs have sprung up dedicated to detecting and publicizing their presence. Data and analytics are clearly useful for software creators and funders, but they also easily lead to harming people’s privacy and well-being. [Read More]
analytics  Clean Insights  metadata  PII  privacy  tracking 

Tracking usage without tracking people

 Posted on June 8, 2017  |  Hans-Christoph Steiner

One thing that has become very clear over the past years is that there is a lot of value in data about people. Of course, the most well known examples these days are advertising and spy agencies, but tracking data is useful for many more things. For example, when trying to build software that is intuitive and easy to use, having real data about how people are using the software can make a massive difference when developers and designers are working on improving their software. [Read More]
Apache  bazaar  Clean Insights  data  F-Droid  fdroid  metadata  nginx  privacy  tor  tracking 

HOWTO: get all your Debian packages via Tor Onion Services

 Posted on July 31, 2016  |  Hans-Christoph Steiner

Following up on some privacy leaks that we looked into a while back, there are now official Debian Tor Onion Services for getting software packages and security updates, thanks to the Debian Sys Admin team. This is important for high risk use cases like TAILS covers, but also it is useful to make it more difficult to do some kinds of targeted attacks against high-security servers. The default Debian and Ubuntu package servers use plain HTTP with unencrypted connections. [Read More]
anonymity  debian  distribution  howto  metadata  privacy  security  tor  tor hidden service  tor onion service 

Experimental app to improve privacy in location sharing

 Posted on January 29, 2015  |  Hans-Christoph Steiner

As part of the T2 Panic effort, I’ve recently been diving deep into the issues of sharing location. It is unfortunately looking really bad, with many services, including Google, frequently sharing location as plain text over the network. I’ve started to write up some of the issues on this blog. As part of this, I’ve put together an experimental Android app that aims to act as a privacy filter for all ways of sharing location. [Read More]
Android  anonymity  geo  geouri  location  metadata  panic  preview  privacy  prototype 

Sharing your location privately

 Posted on January 23, 2015  |  Hans-Christoph Steiner

Facebook location sharing embeds the location in every single message, providing a detailed log to the recipient, Facebook, and anyone Facebook shares that data with One handy feature that many smartphones give us is the ability to easily share our exact position with other people. You can see this feature in a lot of apps. Google Maps lets you click “Share” and send a URL via any method you have available. [Read More]
Android  anonymity  facebook  google  location  metadata  mobile  openstreetmap  osmand  panic  privacy  t2 

A Weather Report On Security

 Posted on June 14, 2013  |  mark

How’s the weather outside? Sunny with a chance of IP blocking. We recently launched a new initiative we’re calling: The Weather Repo. The goal of the project is for organizations to have a more accurate method of understanding whether the apps they’re using are “safe”. It’s hard to know whether apps that claim to be secure really are. Have they been vetted by a third party? Are there existing case studies? [Read More]
api  metadata  privacy  security  weatherrepo 

Carrier Grade, Verizon and the NSA

 Posted on June 12, 2013  |  lee

Last week Glenn Greenwald at The Guardian broke the news that Verizon has been providing the NSA with metadata about all of the calls over a subsidiary’s network. This subsidiary is called Verizon Business Network Services. It is a privately held company that “owns, operates, monitors, and maintains data and Internet networks in North America, Europe, Asia, Latin America, Australia, Japan, and Africa. The company provides converged communication solutions, such as local and long-distance voice, messaging, and Internet access services. [Read More]
metadata  ostel  ostn  voice  voip 

Introducing InformaCam

 Posted on January 20, 2012  |  harlo

These are interesting times, if you go by Times Magazine as an indicator. The magazine’s person of the year for 2011 was The Protester, preceded in 2010 by Facebook founder Mark Zuckerberg. Both entities partners with equal stake in freely sharing the digital content that shows the world what’s going on in it, at any time, from behind any pair of eyes.Also casting in their lot with the others is Time Magazine’s 2006 person of the year, You: the You that puts the “you” in “user-generated content;” the You whose miasma of bits, bytes, and the powerful images they express are becoming increasingly problematic. [Read More]
encryption  informaCam  metadata  obscuracam  pgp  privacy  securesmartcam  witness