Molly now officially supports #UnifiedPush with a separate app, available for download on GitHub and F-Droid through Molly's FOSS repository. Say goodbye to relying on Google for #Signal push notifications. Setting up your MollySocket server is all you need to start receiving notifications. 📡 Big thanks to @S1m for making this possible! ❤️ https://github.com/mollyim/mollysocket
Unidentified governments are surveilling smartphone users via their apps' push notifications, a U.S. senator warned: https://www.reuters.com/technology/cybersecurity/governments-spying-apple-google-users-through-push-notifications-us-senator-2023-12-06/
That's why it's important to offer your users alternatives.
We invite you to nominate a FOSS project for the Bluehats prize. There are four prizes of €10.000 each, to be spent freely.
Bluehats are civil servants who promote the use and development of Free Software in public administrations.
The French public administration has established the Bluehats prize for maintainers of critical Free Software. To be eligible the software must be in use by at least one agency of the French administration.
Seems Google/Apple's push notification services are regularly queried by state authorities for obtaining user data -- see this German #netzpolitik article https://netzpolitik.org/2023/push-dienste-behoerden-fragen-apple-und-google-nach-nutzern-von-messenger-apps/ --
#deltachat only uses Apple's push notifications on iOS for "heartbeat" services -- otherwise it's too hard to ensure the app can show messages for their user (and many users are asking for tighter integration). On Android and Desktop platforms no push notifications are used or needed, also no heartbeat ones.
"Unidentified governments are surveilling smartphone users via their apps' push notifications".
https://www.reuters.com/technology/cybersecurity/governments-spying-apple-google-users-through-push-notifications-us-senator-2023-12-06/
#Push services from #Google and #Apple are used in many messaging apps, letting those companies see a lot about what the users are doing on their #mobile devices. It is clearly a rich source of #metadata with huge #privacy concerns.
Been a good day in #Brussels. Attending the #DigitalCompetitionDay event.
I believe that the Digital Markets Act (#DMA) has the potential to make a significant difference.
Explained a bit what I have experienced over the years with #Microsoft, #Apple and #Google.
Talked about the importance of not leaving holes through not designating products, such as #edge.
Talked about the importance of regulating use of data. Data may be the new oil and oil is ruining the planet. We can allow use of data for services, without saying that the data can be used for profiling and marketing as well!
Got great feedback, so happy about that.
We couldn't be happier that one of the most recognized human rights organizations has adopted an onion service to provide greater online protections for those seeking information, support, and advocacy. Amnesty's choice to offer an onion version of their website underlines the role of this open source privacy technology as a vital tool in our shared work of advancing human rights.
🧅 amnestyl337aduwuvpf57irfl54ggtnuera45ygcxzuftwxjvvmpuzqd.onion
ℹ️ https://blog.torproject.org/amnesty-international-launches-onion-service/
Our #HPKE (RFC9180) implementation shipped by #OpenSSL has been audited, and passed with flying colors: "Auditors did not identify any directly exploitable vulnerabilities". Nice work, Stephen Farrell!
https://7asecurity.com/blog/2023/12/defo-2-openssl-hpke-pr-security-audit/
https://www.opentech.fund/security-safety-audits/defo-2-openssl-hpke-pr-security-audit/
We hit a major new milestone in our DEfO partnership project to accelerate adoption of #TLS Encrypted ClientHello (#ECH): Stephen Farrell made a pull request to #OpenSSL with a complete, working implementation: https://github.com/openssl/openssl/pull/22938
TOR support for Debian bullseye and buster has been marked End-of-Life (EOL). Consider upgrading to bookworm to continue receiving TOR support and updates. https://lists.debian.org/debian-lts/2023/11/msg00019.html https://micronews.debian.org/2023/1701658911.html?utm_source=dlvr.it&utm_medium=mastodon
Later today, I am finally going to live-present a conference paper again: "Anonymously Publishing Liveness Signals with Plausible Deniability", mostly by Michael Sonntag and in cooperation with Stefan Rass and me. The topic is a cryptographic protocol for verifying that whistleblowers and other secrets holders are still alive and well, that is, generating and verifying binary signals (without further information content) sent (semi-) regularly.
The most interesting aspects follow from the goal of plausible deniability: as a prover (whistleblower) or verifier, being able to plausibly claim to hold the respective other role or being part of an interaction that has already become inactive before, because stored data does not allow deciding either way when provided with the wrong decryption passphrase. Tools we use are Tor onion services and hash chains (totally not a Blockchain), prototyped as a Java library and Android app.
Details at https://link.springer.com/chapter/10.1007/978-3-031-48348-6_1, preprint soon to be available at https://www.digidow.eu/publications/.
So there is a lack of accessibility to folks in the #GlobalSouth in particular. These Motorolas cost around half of what the budget versions of Pixel phones cost and are sold in many countries in continents where Pixels are not, including in #SouthAmerica, #Asia and #MENA.
Thank you to #StartSmall and Jack Dorsey for believing in us, and for the funding that made this possible! And a BIG thank you to our friends at @LineageOS for their work on platform support for the Motorola phones.
Huge announcement! @calyxos is now available for the Motorola G32, G42 and G52! Why is this a big deal? Because it helps us further our mission of making #PrivacyByDesign available to the maximum amount of people around the world as we can.
Google Pixel phones are the default and easiest phones to support while maintaining the #Android security model with a locked boot loader and full verified boot. But they are only sold in around a dozen countries around the world...
EFF's latest report shows that many of the internet's ills have one thing in common: they're based on the business model of widespread corporate surveillance online. https://www.eff.org/deeplinks/2023/11/address-online-harms-we-must-first-do-privacy
Oh, and lastly, this whole Mastodon thread as a much more convenient blog post 😜:
@johanvos very cool! Do you have any more information about how far you got with it? By the way, we're part of the https://defo.ie/ project to help people implement ECH. Reach out if you get stuck: https://social.librem.one/@guardianproject/111392426169230785
I hacked some ECH (encrypted client hello) support in the JDK network stack the other day (in TLS 1.3).
https://github.com/johanvos/jdk/tree/ech2
Hey, so #RFC9460 HTTPS/SVCB records are neat, right?
They...
- speed up your time-to-first-packet (by basically stuffing the Alt-Svc HTTP header / ALPN TLS extension into the #DNS);
- let you do redirection on the zone apex without using CNAMEs;
- allow for simple DNS load distribution and failover;
- obviate HSTS and the cumbersome preloading process;
- enable stronger privacy protections via Encrypted Client Hello aka #ECH