Question: Would business and society suffer “harm” as a consequence of provision of “lawful access”, or “exceptional access”, for end-to-end encrypted communication, as proposed?


I would say that business and society already and currently does suffer from such harm, because although we know what chilling effects we have experienced in past — restrictions upon access to cryptography — nonetheless we don’t know what Internet we could have had without such chilling effects. We cannot price the opportunity cost we have suffered from chilled, never-built privacy innovations that would address current-day problems by means which we have not yet realised.

What does “secure communication” achieve?

The purpose of any kind of “communications security” is to divide the universe into two parts:

Governments continue, as they have for the past 30 years, to rail against the adoption of strong encryption. In 2020, having seen what happens when Governments try to coerce platforms, we have a fairly clear understanding:

The master copy of this document resides at:


All users and operators of .onion websites, especially (but not limited to) sites containing "mixed content" HTTPS and HTTP.


TorBrowser leaks “secure” cookies that were issued over HTTPS into cleartext HTTP channels that may be observable by third parties in backend deployments.

This risk is not visible to the end-user.

How to determine if you are impacted

Site Users

Contact your site operators to ask if they are impacted.

Site Owners: Onion Services

Check all instances of tor.conf on your deployed systems; if there is a configuration line for port 80 that looks like one of the following:

HiddenServicePort 80…

This is the first document for a new project called DoHoT DNS, which I hope will grow to help people recoup some privacy in places where they have previously not considered it lacking.

Note for Medium.COM readers: the master copy of this essay can always be found at


I set up a DNS stub resolver using DNS over HTTPS over Tor at home. For four months — during the UK COVID-19 lockdown / shelter-in-place — my partner and I have lived with it exclusively. …

So there’s this thread, by this guy, who is pitching that “WhatsApp isn’t open-source so it must be bad in [various hypothetical ways]”.

Mike, the argument you’re making is quite literally anti-security; let’s start:

let’s see if Mike can see the irony in “prove you’re not a bot”

Part of the fallacy of Mike’s argument is in bandying around the concepts of “guarantees” — which later come back as:

Alec, you built E2EE into Facebook stuff but…

[context: I just posted this to a maillist that I participate in]

Germany FTW

By now I would have expected someone on [this group] to have picked-up and excitedly posted the latest Facebook conspiracy theory: some chap called Kalev Leetaru at Forbes, who is serially:

…pushing the theory that a video about Facebook’s newsfeed moderation and spam/hate/violence-detection:

…he claims presages the drilling of holes in end-to-end encryption.

Apparently because Germany, since Germany is far more influential upon Facebook than, say, America is.

I believe the above to be not merely bullshit, but actually arrant bullshit of the highest creative…

Condensed from a couple of emails I made, earlier today, regarding a document put in front of the Applications Doing DNS working group.

The email thread, and the content of the proposal, is regarding a proposed mechanism by which cafes, corporations, ISPs and governments could force users of DNS-over-HTTPS to disable it, “for security purposes” … under the auspices that such “security” includes using DNS filtration and censorship to protect the unaware user from harm.

Backplot Twitter thread at:

Re: [Add] draft-grover-add-policy-detection-00

Rather than snark, I would like to raise the negative example of “Haystack”, a failed security and anonymity tool from…

for v2 and v3 onion addresses; updated 26 jun 2019

Congratulations! You are setting up an Onion site! And you want a vanity onion address! There is lots of software out there that you can use to generate them!

I’m not going to make strong software recommendations, because it’s a matter of what you have at your disposal already, and what fits the hardware that you have access to.

*even if it means initially using Google or Cloudflare for DNS for a while

A friend posted to a maillist:

The amount of dns fuckery in the UK already is high enough that is now the top suggestion on my chrome browser homepage, as I have to load it every time I get on a train to get their middle-boxes out of my way. Is DoH going to make this even more cumbersome?

It’s a fair question, but taking a step back — and having seen a lot of slightly fearmongering posts about DNS-over-HTTPS (DoH) of late, I responded…

Chatting over a little whisky last night, a friend asked my opinion on how to help Chinese dissidents gain access to secure communication. I gave a perspective, and I wasn’t totally happy with how I managed to communicate it at the time, so I’ve written this short essay to clarify my thinking.

The Answer?

My take is that I am not qualified to tell a Chinese (or any other) dissident, what tools they need in order to communicate securely. …

Alec Muffett

Security Researcher. Recovering Cynic.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store