Show more

All you need to know about #oil & #climate is the Saudis opening the spigot by another 1m barrels/day last week, and Putin getting the royal treatment in Abu Dhabi today, all while Dubai is hosting #COP28
axios.com/2023/12/06/oil-produ

Upcoming releases of F-Droid will change how repositories are added. We are interested in feedback about this overhaul.

Please tell us (if you already have the latest F-Droid or F-Droid Basic 1.19.0-alpha installed):

* Does adding repos still work for you?
* And did adding repos became easier or harder?

If you don't have 1.19.0 yet: Note that this is still in beta, so brave users need to install this manually (enable Beta updates for the app or from Client expert settings).

@U039b yeah, that's understandable. If there is any subset that you would like to receive, we could look into implementing that. For example, new releases for a specific app or a handful of apps.

We hit a major new milestone our DEfO partnership project to accelerate adoption of Encrypted ClientHello (): Stephen Farrell made a pull request to with a complete, working implementation: github.com/openssl/openssl/pul

Google's war on ad-blockers continues! Google will slow down the update process for third-party extensions by requiring them to be reviewed by the Chrome Web Store. 🚫

This means YouTube can counter ad-blockers while slowing their release of workarounds. 🤢

This David and Goliath situation looks to be even more unbalanced than previously thought.
👉 tuta.com/blog/google-search-mo

@U039b would you want f-droid.org to automatically upload all releases to beta.pithus.org? If so, that is something I would like to setup.

@fennek @fdroidorg F-Droid is alive and well, but unfortunately the Community Council did not get off the ground. We'll still be moderating our forums of course, and welcome volunteers interested in helping there. I wish the two that left well, they both have contributed a lot.

@U039b FYI it should be possible for MITMproxy or things like it to work with ECH, but they will need to intercept the DNS and know how to process HTTPS RR types.

@U039b For HTTP that would require things work without the Host: header, I wonder if any CDNs would use the domain name from ClientHelloInner if Host: was missing?

@U039b ECH just affects ClientHello, the rest of the TLS session should remain the same. If the ClientHelloInner cannot be decrypted, then the actual domain name remains hidden. That could be important with CDNs, e.g. is the client app connecting to badtracker.com or cloudflare-ech.com? In that case, it might be possible to get the domain name by MITMing the DNS but not guaranteed. The client could store IP addresses to avoid leaking DNS to avoid detection. I think Facebook's app does this.

@U039b interesting, nice approach. Have you looked at how to do that with ? It uses a new public key that is generated using rfc-editor.org/rfc/rfc9180.htm

Also, will that work with apps that use etc so they refuse to run on rooted devices? It seems for those apps, we still need a way to use something like , e.g. inserting a custom CA cert. But the ECH key is not related to any CA cert.

If you have detailed questions about ECH, please ask here or on matrix.to/#/#ech-dev:matrix.or

@eighthave It is one of the many reasons why in PiRogue Tool Suite we decided to use another technique enabling TLS traffic decryption. Instead of using MITM proxy, we retrieve encryption keys directly from the device's memory: pts-project.org/guides/g8/#tls

One thing about () that I'm a little worried about is that it will make inspection of traffic harder to the point where it might restrict lots of important kinds of inspection. When the software we use is not , then we cannot see what it is doing by reading the source code. We need to inspect the network traffic. So it is very important that it is possible to inspect traffic that uses ECH as well, despite that middleware companies will abuse this

() plus private DNS will enable a nice privacy improvement in combination with a VPN: set the DNS nameserver to something other than the VPN provider's nameserver. For ECH-enabled sites, the VPN provider sees your IP and connections to the CDN. The CDN and the DNS nameserver sees the VPN's IP.

* VPN sees who (account, personal IP, etc.) and what (CDN)
* CDN sees where (domain name)
* DNS sees where (domain name)

Before ECH, the VPN could see who, what, and where

@a32 ? You can also use YouTube Music via , which reduces the tracking a lot since there are no logins needed.

🕵️ 🇨🇳 In #China, social media platforms #Weibo, #WeChat, #Douyin, #Zhihu, #Xiaohongshu, and #Kuaishou now require users to reveal their real names to the public. People are quitting as a result.

restofworld.org/2023/weibo-leg

#privacy #surveillance #SurveillanceCapitalism

is not a messenger, it really had become the next generation of . It has all the pieces in place: masses of users, massive groups where anyone can join, , etc. The only real difference is that they have to put some of the logic in the client app, because servers see message , but not content.

As a company, Facebook only knows how to do so it is no wonder that they turn everything into spying machines to us.

@Werhaus What is relatively new is that masses of people followed the same stupid route all while -ing and -ing away about it. The police had to physically block the route to stop the sheeple stream

Show more
image/svg+xml Librem Chat image/svg+xml