I would say that business and society already and currently does suffer from such harm, because although we know what chilling effects we have experienced in past — restrictions upon access to cryptography — nonetheless we don’t know what Internet we could have had without such chilling effects. We cannot price the opportunity cost we have suffered from chilled, never-built privacy innovations that would address current-day problems by means which we have not yet realised.
The purpose of any kind of “communications security” is to divide the universe into two parts:
Governments continue, as they have for the past 30 years, to rail against the adoption of strong encryption. In 2020, having seen what happens when Governments try to coerce platforms, we have a fairly clear understanding:
The master copy of this document resides at:
All users and operators of .onion websites, especially (but not limited to) sites containing "mixed content" HTTPS and HTTP.
TorBrowser leaks “secure” cookies that were issued over HTTPS into cleartext HTTP channels that may be observable by third parties in backend deployments.
This risk is not visible to the end-user.
Contact your site operators to ask if they are impacted.
Check all instances of tor.conf on your deployed systems; if there is a configuration line for port 80 that looks like one of the following:
This is the first document for a new project called DoHoT DNS, which I hope will grow to help people recoup some privacy in places where they have previously not considered it lacking.
Note for Medium.COM readers: the master copy of this essay can always be found at https://github.com/alecmuffett/dohot
I set up a DNS stub resolver using DNS over HTTPS over Tor at home. For four months — during the UK COVID-19 lockdown / shelter-in-place — my partner and I have lived with it exclusively. …
So there’s this thread, by this guy, who is pitching that “WhatsApp isn’t open-source so it must be bad in [various hypothetical ways]”.
Mike, the argument you’re making is quite literally anti-security; let’s start:
Part of the fallacy of Mike’s argument is in bandying around the concepts of “guarantees” — which later come back as:
Alec, you built E2EE into Facebook stuff but…
[context: I just posted this to a maillist that I participate in]
By now I would have expected someone on [this group] to have picked up and excitedly posted the latest Facebook conspiracy theory: some chap called Kalev Leetaru at Forbes, who is serially:
…pushing the theory that a video about Facebook’s newsfeed moderation and spam/hate/violence-detection:
…he claims presages the drilling of holes in end-to-end encryption.
Apparently because Germany, since Germany is far more influential upon Facebook than, say, America is.
I believe the above to be not merely bullshit, but actually arrant bullshit of the highest creative…
The email thread, and the content of the proposal, is regarding a proposed mechanism by which cafes, corporations, ISPs and governments could force users of DNS-over-HTTPS to disable it, “for security purposes” … under the auspices that such “security” includes using DNS filtration and censorship to protect the unaware user from harm.
Backplot Twitter thread at: https://twitter.com/AlecMuffett/status/1149298840450867200
Rather than snark, I would like to raise the negative example of “Haystack”, a failed security and anonymity tool from…
for v2 and v3 onion addresses; updated 26 jun 2019
Congratulations! You are setting up an Onion site! And you want a vanity onion address! There is lots of software out there that you can use to generate them!
I’m not going to make strong software recommendations, because it’s a matter of what you have at your disposal already, and what fits the hardware that you have access to.
Scallion (C# or Mono, GPU accelerated), Eschalot; go for the latest versions of each.
*even if it means initially using Google or Cloudflare for DNS for a while
A friend posted to a maillist:
The amount of dns fuckery in the UK already is high enough that neverssl.com is now the top suggestion on my chrome browser homepage, as I have to load it every time I get on a train to get their middle-boxes out of my way. Is DoH going to make this even more cumbersome?
It’s a fair question, but taking a step back — and having seen a lot of slightly fearmongering posts about DNS-over-HTTPS (DoH) of late, I responded…
Chatting over a little whisky last night, a friend asked my opinion on how to help Chinese dissidents gain access to secure communication. I gave a perspective, and I wasn’t totally happy with how I managed to communicate it at the time, so I’ve written this short essay to clarify my thinking.
My take is that I am not qualified to tell a Chinese (or any other) dissident, what tools they need in order to communicate securely. …
Security Researcher. Recovering Cynic.