Hans-Christoph Steiner @eighthave@librem.one

@dethos Use a Google- and Apple-free device and apps that respect privacy. I can recommend #CalyxOS for the system, and @Tutanota, #Signal, #Threema and others that have removed proprietary #push

@vitriolix that's a lot of hair

@U039b yeah, that's understandable. If there is any subset that you would like to receive, we could look into implementing that. For example, new releases for a specific app or a handful of apps.

@U039b would you want f-droid.org to automatically upload all releases to beta.pithus.org? If so, that is something I would like to setup.

#FDroid

@fennek @fdroidorg F-Droid is alive and well, but unfortunately the Community Council did not get off the ground. We'll still be moderating our forums of course, and welcome volunteers interested in helping there. I wish the two that left well, they both have contributed a lot.

@U039b FYI it should be possible for MITMproxy or things like it to work with ECH, but they will need to intercept the DNS and know how to process HTTPS RR types.

@U039b For HTTP that would require things work without the Host: header, I wonder if any CDNs would use the domain name from ClientHelloInner if Host: was missing?

@U039b ECH just affects ClientHello, the rest of the TLS session should remain the same. If the ClientHelloInner cannot be decrypted, then the actual domain name remains hidden. That could be important with CDNs, e.g. is the client app connecting to badtracker.com or cloudflare-ech.com? In that case, it might be possible to get the domain name by MITMing the DNS but not guaranteed. The client could store IP addresses to avoid leaking DNS to avoid detection. I think Facebook's app does this.

@U039b interesting, nice approach. Have you looked at how to do that with #ECH? It uses a new public key that is generated using https://www.rfc-editor.org/rfc/rfc9180.html

Also, will that work with apps that use #SafetyNet etc so they refuse to run on rooted devices? It seems for those apps, we still need a way to use something like #MITMproxy, e.g. inserting a custom CA cert. But the ECH key is not related to any CA cert.

If you have detailed questions about ECH, please ask here or on https://matrix.to/#/#ech-dev:matrix.org

One thing about #EncryptedClientHello (#ECH) that I'm a little worried about is that it will make #MITM inspection of #TLS traffic harder to the point where it might restrict lots of important kinds of inspection. When the software we use is not #FreeSoftware, then we cannot see what it is doing by reading the source code. We need to inspect the network traffic. So it is very important that it is possible to inspect traffic that uses ECH as well, despite that middleware companies will abuse this

#EncryptedClientHello (#ECH) plus private DNS will enable a nice privacy improvement in combination with a VPN: set the DNS nameserver to something other than the VPN provider's nameserver. For ECH-enabled sites, the VPN provider sees your IP and connections to the CDN. The CDN and the DNS nameserver sees the VPN's IP.

* VPN sees who (account, personal IP, etc.) and what (CDN)
* CDN sees where (domain name)
* DNS sees where (domain name)

Before ECH, the VPN could see who, what, and where

@a32 #PeerTube? You can also use YouTube Music via #ViMusic, which reduces the tracking a lot since there are no logins needed.