This profile is from a federated server and may be incomplete. Browse more on the original instance.

dngray,
@dngray@lemmy.one avatar

It’s probably also media’s fault for this. They only publish when a bad person does a bad thing on the internet with it, not all the millions of users who don’t do bad things. That would be boring.

dngray,

I don’t. I just run prefsCleaner each release and then updater.

dngray,

Not unless websites require certain features to be visible, that’s the major concern.

Cromite and Vanadium

I am a newcomer to the space and want to know some stuff about the mentioned mobile browsers. Information on them seems a little sparse to me. I am aware of Brave, however on my current device it is very buggy and I do not like the company’s reputation. I am aware of Firefox and its derivatives and the benefit they bring...

dngray,

Related thread here: discuss.privacyguides.net/t/…/13274. The main thing we find is Vanadium is not lagging behind upstream and it has hardening patches that a lot of other WebView implementations do not have. Whether or not you like to “contribute to chromium based market share”, you’ll have a WebView implementation on your Android device used by apps you use. It’s also worth noting that per site isolation doesn’t seem to be a thing on Android for non-chromium browsers.

dngray,

Vanadium is built specifically for security. It lacks privacy features such as an ad blocker

Currently I use the AdGuard DoH server. It’s not perfect, but I don’t do a lot of browsing on my phone. There were some plans to implement this in Vanadium: github.com/GrapheneOS/Vanadium/issues/10

dngray,

Download Navi from F-Droid. It does not have as much web functionality as Vanadium

From the looks of it Navi is just a download manager, not an actual web browser.

For that reason, I use IceCat on computer.

But do you actually compile those binaries yourself? A lot of browsers are open source.

dngray,

Keep in mind Google Workspace has a significantly different privacy policy to Gmail and other consumer services. Data is not used for advertising purposes and is owned by you. They also warn you if you leave to a consumer service like YouTube.

Best bet would be to simply have a separate browser you’re not logged into your account with. Don’t do personal browsing with a company owned/educationally owned institution device.

dngray, (edited )

I know with standard settings my ISP sees everything, but if I use some encrypted DNS what will they see exactly

Basically the same thing.

Encrypted DNS is not for privacy, it is for stopping someone from altering your queries basically, because normal DNS is not encrypted. Domains are exposed through other various methods we explain. Please see our website where we’ve gone to the effort to explain this: www.privacyguides.org/en/advanced/dns-overview/. We have a flow chart that characterizes the above methods of obtaining the domains you’re requesting.

dngray, (edited )

GrapheneOS, CalyxOS, /e/OS, etc

I’m not sure that /e/ is as degoogled as you might think:

We do think their phones are very pricey for what they are and not nearly as secure as something like GrapheneOS, ie lack of verified boot etc. Their cloud service is also not E2EE as far as I can tell, which you’d really expect from a “privacy service”.

Better to focus on using good products than be obsessive about Google.

dngray,

Skiff is another option to replace Gmail

Make sure you don’t depend on features like email clients. You also can’t use encryption like PGP, so that will mean that you’ll only have E2EE if you’re sending to other Skiff users. (There is no external E2EE with Skiff).

dngray,

Delete your accounts. Get a relay service (Firefox Relay, SimpleLogin, AnonAddy, etc.). Create new accounts with alias emails.

Also suggest reading this: www.privacyguides.org/…/common-misconceptions/

For “known identity” do not use cloaking services, you’ll end up banned. Amazon does this for example.

dngray,

This 100%. It’s also worth looking at www.privacyguides.org/…/common-misconceptions/

Don’t be obsessive about “degoogling” to the point where you pick worse alternatives that don’t have the features you require. Always test something out before doing a mass migration of “all your email” for example.

dngray,

Nordlocker is neither open source nor has it been audited. Tresorit at least has audits.

dngray,

You’ll still need email hosted by someone else, even if you are self hosting, in order to sign up to a domain registrar etc.

It’s a very poor idea to use the same domain for contact from a registrar.

dngray,

If you’ve got your own server imapfilter is perfect for this.

It can periodically log into multiple accounts and move/delete/do anything with emails.

dngray,

No, they do not read your email, they’re very clear about this, that is mostly FUD pushed by privacy providers who lack ethical marketing standards.

We do not scan or read your Gmail messages to show you ads

If you have a work or school account, you will never be shown ads in Gmail.

When you use your personal Google account and open the promotions or social tabs in Gmail, you’ll see ads that were selected to be the most useful and relevant for you. The process of selecting and showing personalized ads in Gmail is fully automated. These ads are shown to you based on your online activity while you’re signed into Google, however we do not process email content to serve ads.

To remember which ads you’ve dismissed, avoid showing you the same ads, and show you ads you may like better, we save your past ad interactions, like which ads you’ve clicked or dismissed.

The place where Google makes the money is on the sites you visit with Google Adsense and your search terms being associated with a logged in Google account. Most people want to stay logged into their email (and thus their Google account), so that’s where the behavioral/adsense analytics comes in. Much fewer people use email clients these days.

dngray,

I always understood it as they don’t parse the actual details of emails (the body) to generate an ad profile. It doesn’t mean they don’t track what websites you’re visiting whilst logged in though.

My guess to this is that it’s not accurate, for example email chains, or someone mentioning something that you have no intention of buying. As the email body is very unstructured it would be quite difficult to interpret whether those keywords should be added as an interest, having said that, with advanced AI that can parse context of a sentence they may just start doing that again if they can with accuracy.

dngray,

KeePassXC is super easy

One of the things I dislike about KeePassXC is that it exports to an unstructured CSV file, whereas Bitwarden exports to JSON. It’s a lot easier to use something like jq to parse a JSON structure, if you want to import it somewhere as opposed to dealing with CSV files.

I also found the importer for KeePass CSV in Bitwarden didn’t import my “notes” and I had to individually check that for each record.

dngray,

leaks more metadata than XMPP

XMPP is not a private protocol either. In a lot of cases data is not E2EE, there are no reference clients and there’s a mess of standards that very few if any clients fully implement.

dngray,

Session has no server so that’s what I’d recommend if you have the option.

Closed rooms in Session are limited to 100 people iirc. You can have Matrix rooms with any number of users.

dngray,

That is the nature of any federated protocol.

E2EE works well enough within rooms and that is likely where private data is to be anyway. As long as you use Matrix and assume that everyone can see your Matrix ID and room IDs you’ll be okay.

XMPP isn’t any better in that regard.

dngray,

Yes, but Matrix leaks way more metadata to other servers

FUD, Matrix doesn’t leak any more data than XMPP in that regard. Admins of either service can know what rooms you’re in and information about events such as time they were sent.

XMPP isn’t any better in this regard.

dngray,

Element web-client also phones home

It doesn’t send metadata about your use. There is a version check though.

dngray, (edited )

you’re referring is using XMPP without OMEMO

OMEMO encrypts text messages; for VOIP you need DTLS-SRTP encryption or Jingle session encryption. OMEMO has no concept of cross signing, ie one device being trusted and therefore the others either if they do an authentication with each other. Device verification has to be done each session which is a massive pain.

warns you your message content is unencrypted if this is disabled

The point is that Matrix 1:1 calls are always encrypted and soon with MSC3401: Native Group VoIP Signalling 1:many VOIP calls will be as well. Having foot guns about what might be encrypted or not in a client isn’t very private at all.

Also, XMPP has better (imo) and more numerous clients than Matrix on every platform except iOS and MacOS (No better XMPP client than Element on these platforms).

I’ve used Nheko and that’s pretty good. Last time I checked the XMPP clients that existed had a lot of rough edges and feature inconsistency.

I definitely prefer an extensible protocol to a much heavier, metadata-leaking, less-feasible to self host solution like Matrix.

That is definitely your opinion, Matrix has shown to be very feasible in a commercial sense as there are many providers and commercial clients using it, French, German government etc. There are also quite a few clients using EMS. They claim: “Matrix is an open network for secure, decentralised communication, connecting 80M+ users over 80K+ deployments.”

Which is probably a lot more than XMPP.

Matrix really can be quite lightweight enough that it will be entirely possible to run a homeserver locally in WASM which is what the Matrix P2P project is about. arewep2pyet.com has more details about that. It’s also possible to have very light Matrix servers: Breaking the 100bps barrier with Matrix, meshsim & coap-proxy. The reason that a lot of public Matrix servers are quite “heavy” is because they have many numbers of users, and activity. Synapse has also made huge gains in this regard to what it was originally, and we know that Dendrite uses a lot less resources (that I’ve tested privately).

With RFC 9420 aka Messaging Layer Security (MLS) it should be entirely possible to have large E2EE rooms without too much of a performance hit. Matrix is also working on MLS: A giant leap forwards for encryption with MLS. They have a site tracking that: arewemlsyet.com

The point is a lot of testing and thought goes into these things.

metadata-leaking

You’re pretending XMPP doesn’t have metadata between servers, it certainly does; it’s really no more private than Matrix.

This is what Matthew Hodgson (Arathorn) - CEO of Element had to say about it on March 13, 2022:

Talking of sloppiness, that hackea.org article is a huge steaming pile of FUD about Matrix.

For what it’s worth, the team who came up with Matrix was originally based in two separate startups: one in the UK doing VoIP, one in France doing mobile dev. Both got acquired by Amdocs in 2010, but we ended up forming an independent “incubated startup” first to build telco apps, and then we came up with the idea of Matrix in ~2013. We then built out Matrix until 2017 when Amdocs killed our funding, having run out of patience for what amounted to generous FOSS philanthropy.

We then set up New Vector (now Element) as an entirely independent UK/FR startup, and have received zero funding from Amdocs since. To be crystal clear: Amdocs has zero privileged influence or control over Matrix (or Element, for that matter), and has zero access to the Matrix servers we operate as Element. And besides - the whole point of Matrix is that you can and should run your own servers so you can pick who to trust, even if you don’t trust the project itself.

dngray,

you have to attach your matrix ID to your phone number

Yes, this is FUD, it’s not necessary, and entirely opt-in. Also you don’t even need to connect to the identity server.

dngray, (edited )

Yes the article is FUD and sloppy. This is what Matthew Hodgson (Arathorn) had to say about it:

Talking of sloppiness, that hackea.org article is a huge steaming pile of FUD about Matrix.

For what it’s worth, the team who came up with Matrix was originally based in two separate startups: one in the UK doing VoIP, one in France doing mobile dev. Both got acquired by Amdocs in 2010, but we ended up forming an independent “incubated startup” first to build telco apps, and then we came up with the idea of Matrix in ~2013. We then built out Matrix until 2017 when Amdocs killed our funding, having run out of patience for what amounted to generous FOSS philanthropy.

We then set up New Vector (now Element) as an entirely independent UK/FR startup, and have received zero funding from Amdocs since. To be crystal clear: Amdocs has zero privileged influence or control over Matrix (or Element, for that matter), and has zero access to the Matrix servers we operate as Element. And besides - the whole point of Matrix is that you can and should run your own servers so you can pick who to trust, even if you don’t trust the project itself.

dngray,

As for the metadata leaking, while metadata is obviously available to the admins of the servers you and your recipient are using, these chat histories are not synced in their entirety,

Maybe so, but for a public room it really means nothing because they could just join it anyway. Every client has a copy. The point is neither system has deniability in terms of “I was never talking to this person”. I do think there is more utility in Matrix’s future with P2P accounts however, that don’t depend on a single Matrix server and can be rotated. Anything you aim to be anonymous with should be regularly rotating accounts as we suggest. Take a look at XMPP: Admin-in-the-middle. Admins can get more than enough.

SimpleX chat addresses most of Matrix and XMPP’s shortcomings

Except there is no desktop client, and I’m not sure how it will work at scale. It does not have anywhere near the feature set of Matrix. The whole “spaces” thing is the beginning and I suspect they’ll be doing a lot more there, specifically: “Spaces effectively gives us a way of creating a global decentralised filesystem hierarchy on top of Matrix”.

I hope it can one day replace them.

I honestly doubt that will ever happen; they aren’t really competing products. Matrix is really meant for large scale networks, a bit like a whole social media platform, whereas SimpleX is more like a competitor to Signal or Session.

I would like to see Decentralised user accounts and I think they may be still looking at this because it would be nice to be able to import your account somewhere else if a home server you’re on shuts down or something.

dngray,

For instance my phone number isn’t tied to my Matrix account

It isn’t for anyone using any client unless they optionally decide to provide it.

They talk of Matrix being centralized but that only really applies if you use the Matrix home server, there are many alternatives

Indeed: joinmatrix.org/servers/ and that’s not even getting started on the private ones or unlisted ones.

is it better than Discord for privacy and security ?

100%. Discord has no privacy, no encryption, the company sees absolutely everything.

Discord is closed source so nobody knows what it gives up or does in the background

That doesn’t necessarily impact privacy, and we know exactly what it does in the background based on their privacy policy, which in itself is quite ambiguous in parts. They’re quite happy there to admit they will tie identities together if you use social media logins and features like that.

No closed source program can be trusted over a FOSS option

I would say be careful here, because something is open source doesn’t necessarily mean anyone cares about what the code is actually doing. In the case of Matrix it is a very active project with a lot of community engagement and a well thought out specification so that everyone can “get up to speed”. That is extremely important. Nobody is going to sift through a tarball of source code “it’s open source”, if the development is not. It’s also totally possible for a patched version to be running in production that doesn’t reflect the source code.

That is why it’s very important not to confuse FOSS with privacy.

dngray,

If the audits are public and they are actually funded with proper scope that may very well be better than some very small project nobody can be bothered looking at. I’m not saying having source is a bad thing, quite the opposite. Privacy is generally gained through security controls, and just because something is open source doesn’t mean it is secure, likewise if something is closed source that doesn’t necessarily mean it is insecure as this post describes.

dngray,

I am sure that Tutanota does not use any custom encryption algorithm. It is clearly stated in the FAQ that they use RSA (with PFS) and AES to encrypt emails exchanged between Tutanota users. tutanota.com/encryption

These are only primitive algorithms, the actual implementation is custom and specific to Tutanota, which means it will only work with Tutanota as nothing else will implement it.

There is no way to do key distribution outside of Tutanota’s service.

dngray,

Then why post it and spread FUD?

Deleted by Mod.

People please try to remember the rules about substantiating your content/posts.

dngray,

Plus their unwillingness to open source it and not sharing the audits just doesn’t inspire my confidence.

The server side isn’t open source, and you can’t verify that is what is actually running in production. While we do recommend it I don’t personally use their products. I like the use of email clients, particularly customized to my needs.

Nested folders was only a very recent feature added tutanota.com/blog/posts/subfolders and without that I wouldn’t even consider a provider as I use this for organization. Of course as you can’t use your own email client, downloading email from Tutanota can be a bit of a pain too, you can only export per-folder into Mbox.

dngray, (edited )

which has been proven to be less than 100% airtight and secure.

I don’t believe that has been proven. There has been criticism of it 1, 2 from prominent cryptographers though.

Telegram’s MTProto protocol isn’t obviously broken in a practical way, concedes Matt Green, a cryptographer at Johns Hopkins University who has consulted for Facebook on encrypted messaging systems. But it’s uniquely “weird,” he says, in a way that suggests its inventors don’t understand tried-and-true cryptography practices and raises his suspicions that it may yet have undiscovered vulnerabilities.

Their response was even more dodgy trying to somehow inject some sort of “nationalistic”, “america bad” into it:

Telegram’s Ravdonikas argues that “Telegram encryption relies on classical algorithms, because we consider some approaches promoted by US-based cryptographers after 9-11/the Patriot Act (which your sources refer to as ‘state of the art cryptography’) questionable.”

At the end of the day math is math regardless where it comes from. Secret chats also only work with the mobile client, have to be manually turned on and do not work for group chats and as it’s a centralized server you can’t host your own.

And with RFC 9420 aka Messaging Layer Security (MLS) being standardized, it’s likely all the good messengers will use that.

dngray,

We have a website too www.privacyguides.org/en/real-time-communication which has decisions based on a privacy and security related context.

One of the main requirements there is that recommended instant messengers undergo auditing.

dngray,

Probably another point is that the encryption for Matrix/Element has undergone multiple audits, one in 2016 and another one of their newer Rust library. Whereas Telegram just has not. There was also this not too long ago. MTProto is also used nowhere else, whereas a lot of encryption has been influenced by the Double Ratchet which is well understood.

The other thing worth noting is that Matrix is the foundation for other products which many governments use for secure communications.

dngray,

ungoogled chromium exists

The reason is they have proper build infrastructure managed by Brave. With Ungoogled Chromium the binaries are produced by third parties, vary in version etc. People claim they would only use “open source software” but they do download binary versions nevertheless and don’t compile that code themselves. This increases the risk of a supply chain attack, where a malicious binary is submitted and nobody really knows until it is too late. The other issue is they disable CRLSets because of “google hate” which we think actually increases the likelihood of a MiTM attack occurring because rogue certificates are not detected and invalidated as quickly as they could have been.

This article describes a few other things qua3k.github.io/ungoogled/

dngray,

Ungoogled Chromium is my current favourite

The reason we don’t recommend Ungoogled Chromium and instead recommend Brave on the privacyguides.org website is because they have proper build infrastructure managed by Brave. With Ungoogled Chromium the binaries are produced by third parties, vary in version etc. People claim they would only use “open source software” but they do download binary versions nevertheless and don’t compile that code themselves. This increases the risk of a supply chain attack, where a malicious binary is submitted and nobody really knows until it is too late. The other issue is they disable CRLSets because of “google hate” which we think actually increases the likelihood of a MiTM attack occurring because rogue certificates are not detected and invalidated as quickly as they could have been.

This article describes a few other things qua3k.github.io/ungoogled/

dngray,

Except we’re transparent as to why and Burung Hantu (Marco Wollank) (current owner of PTIO) is not.

dngray,

Brave is still Chromium in a new coat of paint and you’re still aiding Google in their domination of web standards.

That is a little unfair tbh, they do quite a lot, such as their privacy shields, including the script blocking one which is basically like NoScript.

They also do some work on anti fingerprinting tech and other things along that vein.

dngray,

I certainly think so.

Even Windows or Chrome OS provides quite a bit of “control”, it’s just that a lot of it is “opt out”. Google does, for example, record what YouTube videos you look at against a logged in account by default. Windows does have targeted advertising enabled by default.

I think privacy is really more about what you do on such platforms. If you use products (sites) that clearly have bad policies in regard to privacy then no OS is going to provide really all that much improvement.

Kind of a Rant

I love the idea of having privacy in independence from all the tech giants’ services. I have a server at home that hosts my storage, media, synchronization, and backups, along with some other random services. Since all these services are basically my life, I sometimes read about better security practices to replace whatever I...

dngray,

Stopped reading at “storing my passwords on a db”. Even if you encrypt the data, is it not just plain better to use a generative algorithm for passwords instead that needs no cloud?

There are quite a few reasons why we don’t recommend deterministic password managers and I have been meaning to write an article about it. There is a summary and further discussion in that thread.

Third party blog article which is still relevant: tonyarcieri.com/4-fatal-flaws-in-deterministic-pa…

dngray, (edited )

Generally we’d say no, not really, and certainly not with the highest security.

The whole point of a security key is that it is supposed to be impossible to extract the key material, that simply isn’t going to be the case for a DIY solution. They have shields, and light sensors to prevent decapping/forensic inspection.

Recommend taking a look at this: duo.com/…/microcontroller-firmware-recovery-using…

dngray,

Just a reminder, we specifically recommend against Garuda due to their unsafe usage of Chaotic-AUR.

dngray,

If you’re going to use Arch use Arch. It is incredibly dangerous to be blindly trusting things in AUR, when they can be contributed by anyone.

However, it then goes on to say that only moderate or advanced users should use Arch

Yes because there is less QA, there is nobody testing those things before they are released to you. It also requires you to make a lot of selections which unless you know what components to choose (I also use Arch) would be not great for a newbie user.

I find this funny as many corporate servers use Debian, and I don’t really see any huge security issues since the 90’s waving red flags of warnings and issues.

A lot of them are Ubuntu these days, or CentOS. In a corporate environment you tend to be running a lot of containerized workloads because you want redundancy, and high availability.

By following this guide, it really leaves no option for beginner Linux enthusiasts. I (we) recommend not following this guide as it reads like privacy paranoia propaganda piece.

TLDR being there is no reason to look beyond Fedora or Ubuntu for a newbie user. That is the point that it makes. These other obscure distributions don’t provide anything that you need.

dngray,

VPNs are still worth it for that purpose, particularly torrenting… Not sure who is saying this but they are wrong.

dngray,

Keep in mind posteo.net does not have DMARC which means anyone can spoof an email @posteo domain.

All of the other providers have this. Mailing lists can be used with DMARC.
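
What the DMARC point in the comment above means at a receiving mail server, as an added example (not part of the comment and not any provider's tooling): the policy-discovery rules from RFC 7489 applied to TXT records. The `.example` domains, the records in `SAMPLE_ZONE` and the function names are constructed for illustration.

```python
# Added example: decide how much protection a domain's DMARC TXT records give
# against mail that forges its From: address. All records are constructed.

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample data: TXT answers a resolver might return for _dmarc.<domain>.
SAMPLE_ZONE = {
    "_dmarc.enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; pct=25"],
    "_dmarc.duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "_dmarc.spfonly.example": ["v=spf1 -all"],  # an SPF record is not a DMARC record
}


def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if txt is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the version tag must come first and must be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:  # fragments without '=' are ignored
            tags.setdefault(key.strip().lower(), value.strip())
    return tags


def assess(txt_records):
    """Classify the effective policy for the TXT records of one _dmarc name."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    # Zero records, or more than one, means DMARC is not applied at all.
    if len(records) != 1:
        return "no-policy"
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # Without a valid p=, a record with rua= is treated as p=none.
        if "rua" not in tags:
            return "no-policy"
        policy = "none"
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100
    if policy == "none":
        return "monitor-only"  # failures are reported, mail is still delivered
    if pct < 100:
        return f"partial:{policy}@{pct}%"  # only a share of failures is acted on
    return f"enforced:{policy}"


def check(domain, zone=SAMPLE_ZONE):
    """Look up _dmarc.<domain> in the constructed zone and classify it."""
    return assess(zone.get(f"_dmarc.{domain}", []))


if __name__ == "__main__":
    for name in ("enforced", "monitor", "partial", "duplicate", "spfonly", "absent"):
        print(f"{name}.example: {check(name + '.example')}")
```

Only the `enforced:` results tell a receiver to quarantine or reject mail whose From: domain fails alignment; `no-policy` and `monitor-only` leave that decision to the receiver's own filtering.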

dngray,

A lot of these are unnecessary or actually modify your fingerprint.

  • privacy badger

Can be detected …wordpress.com/…/detecting-privacy-badgers-canvas…

  • clearurls

Unnecessary, as uBO has removeparam

  • decentraleyes

Modifies your fingerprint making you more unique.

For more information about what not to use see github.com/arkenfox/user.js/wiki/4.1-Extensions#-…

dngray,

Keep in mind LocalCDN will make your fingerprint more unique. HTTPS Everywhere is unmaintained and no longer needed… and you certainly don’t need Decentraleyes, that’s a duplicate of LocalCDN and is also unmaintained.
