Governments continue, as they have for the past 30 years, to rail against the adoption of strong encryption. In 2020, having seen what happens when Governments try to coerce platforms, we have a fairly clear understanding:

• For good or ill, social media and social networking exist, and will continue to exist. Two, perhaps three, billion people share that space.
• As such: social networks represent enormous honeypots of data, vast banks of private conversation and personal context, ripe for “hacking”.
• Adoption of end-to-end encryption leads naturally to distribution — the “two-billion-person honeypot” will gradually break into two billion individual jars of…

• v1.0–27 July 2020, alec.muffett@gmail.com

The master copy of this document resides at:

• https://github.com/alecmuffett/eotk/blob/master/docs.d/security-advisories.d/001-torbrowser.md

Audience

All users and operators of .onion websites, especially (but not limited to) sites containing "mixed content" HTTPS and HTTP.

Impact

TorBrowser leaks “secure” cookies that were issued over HTTPS into cleartext HTTP channels that may be observable by third parties in backend deployments.

This risk is not visible to the end-user.

How to determine if you are impacted

Site Users

Contact your site operators to ask if they are impacted.

Site Owners: Onion Services

Check all instances of tor.conf on your deployed systems; if there is a configuration line for port 80 that looks like one of the following:

HiddenServicePort 80…

This is the first document for a new project called DoHoT DNS, which I hope will grow to help people recoup some privacy in places where they have previously not considered it lacking.

Note for Medium.COM readers: the master copy of this essay can always be found at https://github.com/alecmuffett/dohot

TL;DR

I set up a DNS stub resolver using DNS over HTTPS over Tor at home. For four months — during the UK COVID-19 lockdown / shelter-in-place — my partner and I have lived with it exclusively. …

So there’s this thread, by this guy, who is pitching that “WhatsApp isn’t open-source so it must be bad in [various hypothetical ways]”.

Mike, the argument you’re making is quite literally anti-security; let’s start:

• there IS no such thing as perfect security
• there ARE no such things as ubiquitous threat models
• and people ARE empowered to make their own choices (with admittedly, varying degrees of informed-ness) and choose and act accordingly.

Part of the fallacy of Mike’s argument is in bandying around the concepts of “guarantees” — which later come back as:

Alec, you built E2EE into Facebook stuff but…

[context: I just posted this to a maillist that I participate in]

By now I would have expected someone on [this group] to have picked-up and excitedly posted the latest Facebook conspiracy theory: some chap called Kalev Leetaru at Forbes, who is serially:

https://www.forbes.com/sites/kalevleetaru/2019/07/26/the-encryption-debate-is-over-dead-at-the-hands-of-facebook/

https://www.forbes.com/sites/kalevleetaru/2019/05/28/facebook-is-already-working-towards-germanys-end-to-end-encryption-backdoor-vision/

…pushing the theory that a video about Facebook’s newsfeed moderation and spam/hate/violence-detection:

https://developers.facebook.com/videos/2019/applying-ai-to-keep-the-platform-safe/

…he claims presages the drilling of holes in end-to-end encryption.

Apparently because Germany, since Germany is far more influential upon Facebook than, say, America is.

I believe the above to be not merely bullshit, but actually arrant bullshit of the highest creative…

Condensed from a couple of emails I made, earlier today, regarding a document put in front of the Applications Doing DNS working group.

The email thread, and the content of the proposal, is regarding a proposed mechanism by which cafes, corporations, ISPs and governments could force users of DNS-over-HTTPS to disable it, “for security purposes” … under the auspices that such “security” includes using DNS filtration and censorship to protect the unaware user from harm.

Backplot Twitter thread at: https://twitter.com/AlecMuffett/status/1149298840450867200

Re: [Add] draft-grover-add-policy-detection-00

Rather than snark, I would like to raise the negative example of “Haystack”, a failed security and anonymity tool from…

for v2 and v3 onion addresses; updated 26 jun 2019

Congratulations! You are setting up an Onion site! And you want a vanity onion address! There is lots of software out there that you can use to generate them!

I’m not going to make strong software recommendations, because it’s a matter of what you have at your disposal already, and what fits the hardware that you have access to.

• for v2: Onions: Scallion (C# or Mono, GPU accelerated), Shallot, or Eschalot; go for the latest versions of each.
• for v3 Onions: I have no idea of the standout tools, please…

*even if it means initially using Google or Cloudflare for DNS for a while

A friend posted to a maillist:

The amount of dns fuckery in the UK already is high enough that neverssl.com is now the top suggestion on my chrome browser homepage, as I have to load it every time I get on a train to get their middle-boxes out of my way. Is DoH going to make this even more cumbersome?

It’s a fair question, but taking a step back — and having seen a lot of slightly fearmongering posts about DNS-over-HTTPS (DoH) of late, I responded…