Posts by guardianproject@social.librem.one
(DIR) Post #AWwZHuHnHdWX3pP8u8 by guardianproject@social.librem.one
2023-06-22T08:18:36Z
0 likes, 1 repeats
Gathering technical details of unpatched vulns is dangerous, no matter who is doing it. The #EU Cyber Resilience Act should avoid making this a requirement, it will not make us safer. More info in the blog post: https://guardianproject.info/2023/06/11/eu-should-not-require-sharing-unpatched-vulnerabilities/
(DIR) Post #AY5K3TLd97Cj5t4dtY by guardianproject@social.librem.one
2023-07-26T11:32:26Z
0 likes, 1 repeats
"#Google's newest proposed web standard is... #DRM?" -- Google is proposing yet another user-hostile feature and aims to make it a web standard called "Web Environment Integrity API". This lets websites confirm the browser has limitations on what it can do, going against #UserFreedom. The #IETF internet standard RFC 8890 declares "The Internet Is For End Users". Google's API circumvents that. Thanks to Ron Amadeo for his concise, cutting analysis: https://arstechnica.com/gadgets/2023/07/googles-web-integrity-api-sounds-like-drm-for-the-web/
(DIR) Post #AZE2VQJwsUgMF5J7dQ by guardianproject@social.librem.one
2023-08-29T14:20:10Z
0 likes, 0 repeats
The main #Jitsi public instance https://meet.jit.si is now requiring logging in with a Google, Facebook or GitHub account in order to create new rooms. https://jitsi.org/blog/authentication-on-meet-jit-si/ Apparently they feel that there was too much abuse of their terms of service, but they do not give any details at all.
(DIR) Post #AZFj99sXoojM444wpU by guardianproject@social.librem.one
2023-08-30T09:52:43Z
0 likes, 2 repeats
Nice to see the #EU #DigitalMarketsAct start to influence #BigTech's approach to their restrictive policies: looks like #Google is reconsidering allowing #ChromeOS users to install APKs outside of #GooglePlay. That gives users the freedom to use other app sources like #FDroid, easily debug apps, and more. * https://issuetracker.google.com/issues/206353953#comment69 * https://bugs.chromium.org/p/chromium/issues/detail?id=1401666#c31 Let's keep the pressure on them so they follow through! #DMA #Chrome #Chromebook
(DIR) Post #AZFkbuTcGJFseEgzhI by guardianproject@social.librem.one
2023-08-30T10:09:09Z
0 likes, 0 repeats
@eldelacajita yes indeed, only #BigTech data mining companies. Not great options given their professed interest in #privacy. Hopefully they improve on that.
(DIR) Post #AbYtb3uqGV4nZYjCDI by guardianproject@social.librem.one
2023-11-07T11:33:32Z
0 likes, 1 repeats
Apparently #iPhone's #WiFi MAC privacy protection never really worked as released in 2020, they apparently just fixed it in 17.1 after years of touting this privacy protection. https://arstechnica.com/security/2023/10/iphone-privacy-feature-hiding-wi-fi-macs-has-failed-to-work-for-3-years/
(DIR) Post #Abd5jc4V8PThu5vgu0 by guardianproject@social.librem.one
2023-11-09T12:08:13Z
0 likes, 0 repeats
@calyxinstitute's #CalyxOS developers did some review of their #Android-based project and found no leaks: https://gitlab.com/CalyxOS/calyxos/-/issues/1947
(DIR) Post #AbhS8BYTpnX4WmuiR6 by guardianproject@social.librem.one
2023-11-11T14:38:03Z
0 likes, 0 repeats
For anyone who is interested in implementing TLS Encrypted ClientHello (ECH), we have set up a new public room: https://matrix.to/#/#ech-dev:matrix.org or irc://irc.oftc.net/ech-dev
(DIR) Post #AbhS9d6EuUQ2FGOQue by guardianproject@social.librem.one
2023-11-11T14:38:28Z
0 likes, 0 repeats
For anyone who is interested in implementing #TLS Encrypted #ClientHello (#ECH), we have set up a new public room: https://matrix.to/#/#ech-dev:matrix.org or irc://irc.oftc.net/ech-dev #DEfO
(DIR) Post #AbhSBgkMJyyK8T8lZw by guardianproject@social.librem.one
2023-11-11T14:38:54Z
0 likes, 0 repeats
For anyone who is interested in implementing #TLS Encrypted ClientHello (#ECH), we have set up a new public room: https://matrix.to/#/#ech-dev:matrix.org or irc://irc.oftc.net/ech-dev #DEfO
(DIR) Post #Abl1NVFZgV8s1mqTBY by guardianproject@social.librem.one
2023-11-13T07:57:12Z
0 likes, 0 repeats
The first fully merged, audited and shipped bit of code from our https://defo.ie project is Hybrid Public Key Encryption (#HKPE RFC9180), it has been shipped by #OpenSSL https://www.openssl.org/blog/blog/2023/10/18/ossl-hpke/ It is a building block for #EncryptedClientHello #ECH and #MessagingLayerSecurity #MLS, providing standard methods for using public key cryptography to encrypt arbitrary blocks of data.
(DIR) Post #AblAVpuNf2ie0ByqYa by guardianproject@social.librem.one
2023-11-13T09:39:38Z
0 likes, 0 repeats
We are looking for feedback about how to help interested devs start messing around with #TLS #EncryptedClientHello #ECH. What are your blockers and interests?
(DIR) Post #AblB4kcVJZpBjhGdlo by guardianproject@social.librem.one
2023-11-13T09:45:55Z
0 likes, 1 repeats
We just created a #HOWTO for how to set up dev/test servers using our #TLS #EncryptedClientHello #ECH enabled forks of #OpenSSL #nginx and #curl running on #Debian. It should be very quick to get started using a new domain: https://guardianproject.info/2023/11/10/quick-set-up-guide-for-encrypted-client-hello-ech/
(DIR) Post #AbtKzKJmlyQmxAqN8K by guardianproject@social.librem.one
2023-11-17T08:14:41Z
0 likes, 2 repeats
We have started the second round of our partnership https://defo.ie to ensure that the new #TLS standard called #EncryptedClientHello (#ECH) works for public interest use cases. We also are working to reduce the pressure towards #centralization inherent to the #privacy improvements of hiding the domain name. You can find more details in our project announcement: https://guardianproject.info/2023/11/09/defo-developing-ech-for-openssl-round-two/
(DIR) Post #Ac1hBd9wIeMH7TBoxM by guardianproject@social.librem.one
2023-11-21T09:01:05Z
0 likes, 0 repeats
#Wireshark can now present some of the details of #EncryptedClientHello in #TLS streams, as of v4.2.0. For example, it can dissect the #ECH config data that comes from DNS. https://gitlab.com/wireshark/wireshark/-/merge_requests/12260
(DIR) Post #Ac1kQDelhUGwELG2Yi by guardianproject@social.librem.one
2023-11-21T09:37:23Z
1 likes, 0 repeats
@johanvos very cool! Do you have any more information about how far you got with it? By the way, we're part of the https://defo.ie/ project to help people implement ECH. Reach out if you get stuck: https://social.librem.one/@guardianproject/111392426169230785
(DIR) Post #AcUZ6070sspeWHSnMu by guardianproject@social.librem.one
2023-12-05T07:17:04Z
0 likes, 0 repeats
We hit a major new milestone in our DEfO partnership project to accelerate adoption of #TLS Encrypted ClientHello (#ECH): Stephen Farrell made a pull request to #OpenSSL with a complete, working implementation: https://github.com/openssl/openssl/pull/22938
(DIR) Post #AcXLmFfwauOR4Dw036 by guardianproject@social.librem.one
2023-12-06T15:31:58Z
0 likes, 0 repeats
Our #HKPE (RFC9180) implementation shipped by #OpenSSL has been audited, and passed with flying colors: "Auditors did not identify any directly exploitable vulnerabilities". Nice work, Stephen Farrell! https://7asecurity.com/blog/2023/12/defo-2-openssl-hpke-pr-security-audit/ https://www.opentech.fund/security-safety-audits/defo-2-openssl-hpke-pr-security-audit/ #EncryptedClientHello #ECH #MessagingLayerSecurity #MLS
(DIR) Post #AcXRLXBfyeRNHkQ72u by guardianproject@social.librem.one
2023-12-06T16:34:24Z
0 likes, 0 repeats
"Unidentified governments are surveilling smartphone users via their apps' push notifications". https://www.reuters.com/technology/cybersecurity/governments-spying-apple-google-users-through-push-notifications-us-senator-2023-12-06/ #Push services from #Google and #Apple are used in many messaging apps, letting those companies see a lot about what the users are doing on their #mobile devices. It is clearly a rich source of #metadata with huge #privacy concerns.
(DIR) Post #B2hvtSBDeTvKAwONEW by guardianproject@social.librem.one
2026-01-27T09:39:03Z
1 likes, 1 repeats
There are many ways that #WhatsApp could implement methods for getting users' messages while still using #EndToEndEncryption. The #mobile app could take a command to send messages to #Meta before they are encrypted (via an #E2EE channel still). This is why #FreeSoftware and #OpenSource are essential for #privacy. Anyone can then inspect what the app is actually doing. #Proprietary #software means blindly trusting the developer's claims. https://www.pcmag.com/news/lawsuit-alleges-that-whatsapp-has-no-end-to-end-encryption #lawsuit #FOSS #FLOSS