It really bothers me that not needing a phone number for registration is now a feature, and not a basic requirement for anything claiming to be anonymous/private…
The fact that there is no mandatory phone reg. puts Session above Signal. But Session is still very dicey:
www.getsession.org is a CloudFlare site, which indicates that the staff on that project lack some basic knowledge about privacy - or they just don’t care. (note that Signal also uses CloudFlare)
the developers have some kind of alt-right tendencies: chaos.social/ The problem is not just ethical but conservatives inherently do not value privacy. They value money very much. This is a bad combination for a platform that wants to be privacy-centric.
they put a lot of energy into having a professional appearance. This is consistent with corporations with profit-driven intentions and atypical of charitable free software projects. Their org chart has everyone’s photo (not characteristic of privacy advocates) and every single means of contact of every staff member is through Microsoft or Twitter.
website has links to privacy abusers (Facebook, MS Github, Twitter) and not a single link to any social networking service that self-respecting privacy proponents can use.
their email address traverses Google’s servers and has no PGP key.
their project is managed on Microsoft Github.
BTW @AgreeableLandscape, itsfoss.com is not a good site to publicize; it’s also jailed in CloudFlare walled garden (thus calling into question the extent to which that site genuinely respects freedom).
The only useful effect of Session is that it serves as a PR jab at Signal for requiring phones. And if it helps divide or shrink the Signal community that’s a good thing.
Could you elaborate on your point of them using Cloudflare ?
My understanding is that their websites would be behind Cloudflare for their CDN and anti-DDoS services, maybe WAF as well. Solely looking at CDN services essentially the options come down to Cloudflare or Akamai who have a global domination of the market.
NB: Can’t believe I had to register here with an e-mail address to comment about privacy…
Problem I have with searx is it does no regional searches at all - I just can’t find what I’m looking for in my own country. Results seem to be .com results. I see a Github issue was opened for that about 4 years ago and is still open.
I notice that DDG does allow users to set their search method to POST requests and support redirects to prevent search leakage. Partly the problem of browser and OS etc identity is our own browsers that are sending this info? DDG does do good regional search too.
So my big challenge is give me a metasearch engine that can at least do regional searches. For someone living in the US they probably don’t have a problem with “global” results, but outside the US we need results for locally in Botswana, South Africa, Egypt, etc and language is no good to filter on.
NB: Can’t believe I had to register here with an e-mail address to comment about privacy…
Supplying an email address on Lemmy used to be optional. Has that changed?
Problem I have with searx is it does no regional searches at all
I think that’s determined by the searx instance. Some instances let you choose your UI language, as well as the results language. You can also do “site:de” if you want to search *.de sites for example.
I notice that DDG does allow users to set their search method to POST requests and support redirects to prevent search leakage.
Why would POST prevent leakage? As long as the site is HTTPS, the query is encrypted regardless of whether it’s HTTP POST or HTTP GET.
There was never a problem with the ThinkPad business lineup. The Superfish thing happened with consumer lineup products.
You should pick an AMD variant over Intel ones, they are great machines for privacy, Linux and hardware compatibility and in all factors. The keyboard on my L470 is a pleasure to use. T series makes me hard :3
Guys, I use and love both XMPP and Matrix however I don't see masses adopting them in fact I can't even convince my immediate family to use them. People want reliable push notifications and cute stickers :-) I think Signal is a good compromise, I know it's US based (I discuss this in the post) however it's zero knowledge. The code is open source if there were vulnerabilities we would probably know by now...
The problem is that you as average user have no way to confirm that the app on your phone is actually compiled from the published source code. In that regard it would help if Signal was distributed through F-Droid, which compiles directly from source, but the Signal developers have explicitly forbidden that.
The thing to remember is that cryptography is very tricky business, and even when an algorithm is sound on paper that does not guarantee that it’s implemented in a secure way. A famous example is when NSA “helped” develop the Diffie-Hellman cryptographic key exchange standard and introduced a vulnerability that nobody noticed for a very long time.
Any standard that’s been developed in conjunction with US agencies should be considered compromised in my opinion.
Protonmail is just the “latest” (it’s been open for a few years now) in the technocratic “online privacy” bubble. They probably willingly give backdoors to the NSA.
Basically they sell you the peace of mind, not really any actual security as far as anyone can tell. Until their code is open-source and can be independently reviewed, it’s worthless. That they are based in Switzerland doesn’t mean much because backdoors are meant to be secret. Like in any other country, there is no official organ in Switzerland that will evaluate your app and say “yes, this app is secure. We give it five stars”. However if you find they don’t respect Swiss law you have to open a lawsuit, retain a Swiss lawyer, travel there for the court date, and at that point you start to realize they’re based over there more to protect themselves than you.
There has been another encryption company operating since the 50s in Switzerland that was somewhat recently found to just be a front for the CIA. So clearly being based in Switzerland is not a gauge of quality.
Their support of the Hong Kong protest was also kinda suspicious because as far as I’m aware, they’ve never been that interested in any other event. And it wasn’t just a press release that gets picked up by a few hobbyist magazines; it was a full-length email sent to every protonmail customer, even those like me who hadn’t used their account in years.
I also just read that ProtonMail would start using Google infrastructure. While the actual usage of Google’s services would be “limited”, again Proton does not explain the exact nature of this partnership and which services will be routed through Google.
I don’t believe there is any way to be completely secure on the Internet unfortunately. Snowden showed how far backdoors run. So whether you want to keep using protonmail is up to you, but outside of a decentralised p2p system, I don’t think we could fully be anonymous and secure. Maybe though it would be possible to open your own email service – you just have to rent a space on a shared server like you would when hosting a website, and then encrypt it if possible… or open your own mail server in your basement lol. Email doesn’t consume a lot of resources.
Basically they sell you the peace of mind, not really any actual security as far as anyone can tell.
Is demonstrably false, as their encryption methods for emails at rest as well as other options (PGP) are tested. They’re also upfront with their threat protection model (the ProtonMail threat model document specifically states that “we cannot guarantee your safety against a powerful adversary.”) and as far as coming from Google or another free provider is concerned are a definitive step in the right direction. A good overview if OP is interested is this writeup here: techspot.com/…/82776-protonmail-review-secure-ema…
Personally I’d be hesitant to recommend self-hosting email unless really necessary (since that has its own risks/threat model) and think OP would do well to start off with Tutanota or Protonmail.
As an aside if we’re alluding to Protonmail being a honey pot with the Hong Kong riots I’d rather see it stated as such; this is the second place on Lemmy I’ve seen such criticism levied when a company that has a privacy/security based product and did a statement on the protests and I don’t find it that suspect that they would be interested in furthering their brand or “putting their money where their mouth is” by coming out in support of anti-censorship/CCP measures.
support for the riots is not “support of anti-censorship”. it had nothing to do with censorship. a brief summary of how things began:
a man murdered his pregnant girlfriend while on holiday in taiwan
taiwan wanted the man extradited to face charges but hong kong did not have an extradition treaty with taiwan
an extradition bill is introduced in hong kong listing 46 crimes for which extradition may be requested by taiwan, macau, and the PRC. nine crimes listed were financial (these were later removed)
angry rich kids realized they would not be able to commit the same financial crimes their parents did
it was never about being censored. it was about wanting to continue to exploit others without consequence.
protonmail didn’t just “come out and support” the color revolution by merely making a statement. i’m not making the assertion that their support means that they are a honey pot. i am asserting, however, that their support means that, unlike their claims, they are decidedly not “pro-freedom” (unless, of course, their definition of “freedom” is getting away with murder).
Because Google, Bing (less prominently Yandex and Baidu) have an oligopoly on how most of the world searches things.
Search engine indexing takes years, and open source engines lack the infrastructure to speed up web crawling. SearX is just an instance hoster, a proxy. We have Yacy, Wiby, Mojeek, Metager and some other niche search engines. Then we have Qwant, that indexes its own and supplies results using Bing that it has not indexed yet. Then there is DuckDuckGo with its own indexing but is USA based. Then there is System1’s StartPage, essentially a Google proxy with no self indexing that is hostile to Tor users.
Then there are others.
I settled on using Qwant for searching and Yandex via VPN for reverse image searching. Startpage is used extremely rarely and with VPN.
I don’t see why we can’t just have something like a blockchain based search engine where crypto is given based on how much indexing (crawling) is done. Of course this is just an idea right now. But have an incentive to people to do crawling of it through something like blockchain. This ensures that there won’t be any centralization and search result manipulation with things such as psyops (brain washing the population through search results)
Blockchain is a meme. It is the same buzzword lalaland meme that is AI in phone software these days.
LokiNet and Adamant are probably the only serious attempts I have seen in a while, and even they did not get me interested to check them out. If something does not get me tingly in the sack, it is not worth.
A few years ago (2017?) I decided I would move messenger apps. The aim (and what I’ve achieved) was all my messaging going through a secure, private app.
Signal was never an option.
In 2017, Signal really was the only option. Element (Riot, back then) was really bad and didn’t feature e2ee (which only got enabled by default last year!). XMPP was and remains difficult to use (not even many people here use it, how could I expect “normal people” to use it?)
I made the choice to use Signal, and I don’t regret it. I only regret that it has taken until now that we are starting to see a glimmer of a real competitor, in the form of Matrix. But a real competitor to Whatsapp and the like, back in 2017, just didn’t exist outside of Signal.
Another big problem with Signal is the fact that it's centralized with the server being located in the US. Even if the protocol itself is secure with the server not having access to user data, this presents a huge risk since the US government can simply force Signal to shut down the service at any time. The server can also potentially collect metadata about the users, providing US security agencies with user connection graphs.
I think that Matrix approach is much more sound, and would always recommend it over Signal.
I wrote about both issues, and why Matrix isn't a perfect solution, previously: part 1, part 2. Starring WhatsApp, Firefox, Signal, XMPP, Email, and Matrix.
Signal's problem is being a closed platform; Matrix suffers primarily from complexity. Both enable dependence on a single small group, and therefore enable user domestication. That being said, Matrix is considerably less bad than Signal.
For large public rooms, IRC continues to be the best option. All its issues are client-side; IRCv3 supports history, multiple devices, authentication without NickServ, and even typing notifications. All these features are supported on Oragono. For small, private E2EE rooms, all existing solutions have major trade-offs.