Kevin McCarthy is ousted as House speaker in a historic vote pushed by conservatives
sloppy_diffuser (@sloppy_diffuser@sh.itjust.works) · Posts: 0 · Comments: 263 · Joined 2 yr. ago
They created ECH. It makes what hosts you are visiting exclusive to them and browser companies when in use. You get marginal privacy through fewer companies being able to harvest your data.
It's marginal because that data is probably sold anyways.
That said, fewer competitors with the same data drives up the value when it does get sold which benefits, you guessed it, the author which is Cloudflare.
It's been a couple years since I was involved with ECH, but the implementations at the time were:
- The one by the draft's authors in golang (Cloudflare). This is the actual test server. It uses Cloudflare's fork of golang with an enhanced crypto library. https://gist.github.com/cjpatton/da8814704b8daa48cb6c16eafdb8e402
- BoringSSL used for Chrome. There are nginx builds with BoringSSL, but I don't know if the settings are exposed. https://boringssl.googlesource.com/boringssl/+/refs/heads/master/ssl/encrypted_client_hello.cc
- WolfSSL, which I never got around to playing with. https://www.wolfssl.com/encrypted-client-hello-ech-now-supported-wolfssl/
- NSS, which is Mozilla's TLS library. There is a test server buried in there some place for unit testing. https://firefox-source-docs.mozilla.org/security/nss/index.html
With that, you ALSO need a DNS server that supports DNS over HTTP (DoH) and HTTPS service binding records (https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/).
Bind9 had branches for both and I was able to merge the two to satisfy that requirement.
When connecting to such a server, you MUST NOT use a DNS resolver hosted by any organization along the path from client to server as they can correlate the host from the DNS request with your encrypted client hello. You can actually man-in-the-middle ECH to decrypt the client hello by overriding the hosts record when controlling the DNS resolver. My project was testing this for parental controls.
Keep in mind, ECH really only benefits users connecting to a CDN. That is, when multiple services are behind the same IP. It masks which host the user is going to for any hop between the client and server.
Any data mining company worth their evils will have an IP to DNS index to figure out the host when only one is behind an IP.
This marginally gives some privacy to users. It hides the host from your ISP. It REALLY benefits browser companies and CDN hosts. What hosts a user is visiting now becomes exclusive data for those companies thereby driving up the value of the data. Assuming you aren't being stupid with your addons.
For the voters you may be right. For the leaders, follow the money... It's as simple as wealth and power.
Keep us "plebs" fighting on stupid shit so we don't eat the rich. Terrorism recruiting strategy 101. Get people addicted to hate so it can be channeled against the opposition.
At least those are my insights.
Looks like it comes in spools.
https://www.ixblue.com/store/ixf-hcf-10-100-950/
I don't know the physics of it. I posted some info for the parent you responded to. My understanding is the applied physics is different from traditional fiber.
The main physical principle behind propagation of light in conventional optical fibers is total internal reflection (TIR). However, engineering of optical materials with features on the scale of the wavelength of light offers many new possibilities for manipulating light. In particular, some microstructured fibres make it possible to guide light by a mechanism different from total internal reflection. In these fibres, light is trapped in the core by an out-of-plane band-gap, which appears over a range of axial wavevectors and prevents propagation of light in the microstructured cladding [Cregan (1999)], allowing guided modes to form in the central hollow core.
https://mpl.mpg.de/research-at-mpl/russell-emeritus-group/research/about-pcf/hollow-core-pcf
Premade AppImage or self-contained binary, I'll usually drop it into ~/.local/bin.
Something I have to compile, I'll usually do in a dockerfile tracked in my dotfiles repo.
Only thing I've compiled from source on my host in the last year is https://github.com/werman/noise-suppression-for-voice.
Could just be my use cases now compared to 10 years ago, but I've just found I'm rarely compiling these days on the host system. At least the configure-make-install or ninja variety. I'm sure I install a package here or there that does it in the background. Numpy comes to mind or an AUR package with Arch.
Great to hear! They are awesome for system access before a password manager is available.
Looking to play with the fido2 function soon to unlock luks encrypted partitions for my headless media server after a power outage.
I don't know the physics well enough, but here is some general information.
https://en.m.wikipedia.org/wiki/Photonic-crystal_fiber
https://www.rp-photonics.com/hollow_core_fibers.html
High Group Velocity, Low Latency Signal Transmission
The group velocity of guided light is usually close to the vacuum velocity of light. This implies substantially lower latency for signal transmission through hollow-core fibers.
It's a type of fiber optic cable where the center of the cable is literally hollow. Normal fiber uses a glass core. Light passing through glass also travels about 2/3 the speed of light since the speed of light is only constant in an empty vacuum. With hollow core, light is no longer passing through glass so its speed is much closer to the actual speed of light.
AppImage and Docker have resolved a lot of that for me if it's not in my distro's package manager. It's my go-to for the same reason of just not wanting to deal with it.
For the low price of billions and a decade of work they could build out hollow core fiber coast to coast to get the last 1/3 c.
My son does tmodloader via steam, but I think it's native Linux. Works without issue.
I play WoW and run Trade Skill Master (in the same wine bottle prefix). I also run RaiderIO/WoW Up/CurseForge (Linux native).
I had issues with mods for The Forest and Sons of the Forest. Never got them working.
FF XIV DPS meter worked after a lot of tinkering. Had to go to a specific discord to get the info as the modders didn't keep their READMEs in GitHub up to date. Wish that shit was searchable.
So, it's a mixed bag in my experience...
Thanks! Also trying out these just to evaluate this past week, lol.
- EteSync - Contact sync since Proton won't integrate natively with android (grr). Probably self host this one when I get time to rebuild my server also.
- Jmp.chat - More of a curiosity, but thought it was cool I could get a number with voice/text over XMPP (native dialer integration, text in XMPP client) plus a data eSIM all with Monero and without giving any info. Not private because the calls/text come in the clear. Could be anonymous if you get a phone not tied to your name. Obviously you can be narrowed down to a tower you're connecting to also. Using a free xmpp server now but want to self host this one also.
- Frugal Usenet / NZBgeek - Bought with crypto over VPN and no personal info. Working on rebuilding my mini-pc server as an *arr stack, then look into self hosting everything else.
Yah I loved my 3 coming from a stock Nexus 6. Upgraded to 6t and it was meh. In-screen fingerprint was cool I guess.
Now I'm on Graphene which only supports Pixel and love it. Did away with all the easy unlock methods as I upped my security game.
I do miss the V to toggle the flashlight though.
Only segment of his show I ever saw was Bill Burr calling him a Knuckle Scrapper when masks were brought up, lol.
Some third party tools you might find useful.
I do use rclone but I'm pretty happy with b2 storage. I did a small test with proton and it seemed to work.
https://rclone.org/protondrive/
VPN in docker with port forwarding. Didn't have any luck routing host traffic through it but I didn't dig too deep. Might be useful for a web based torrent docker container.
https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/protonvpn.md
Proton Pass is useful for aliases that don't count against your total addresses. Passwords go into BitWarden though.
I am annoyed it requires an app or browser extension though. No native web interface I could find.
Because I convinced my work to get me a linux laptop on the condition I would not get any IT support.
I don't abuse the privilege, but I can at least check my bank account without the man-in-the-middle TLS spyware or remote monitoring software.
I can't access anything on the corporate network because I don't have the root certs. Everything is in the cloud now so I'm not really missing much.
I was a happy OnlyKey customer until I wanted some spares a couple months ago and they were out of stock. That's when I got a Mooltipass. The OnlyKeys are back in stock this month so I did get some more as backups.
OnlyKey is lower tech which I honestly think makes it more reliable. It also supports a longer pin.
Mooltipass input is the scroll wheel which you push to click. Pin is only 4 digits but supports all hex characters where OnlyKey is only 1-6.
Passwords are stored on device with the OnlyKey. With the Mooltipass it's on a card you can swap out, clone, etc.
OnlyKey is powered through USB. Mooltipass has a battery. Battery needs to be cycled often so I use it as my daily driver for that reason. I'd probably use the OnlyKey if it were not for that. I feel it is faster for my workflow since I can pick 1 of 12 passwords in one short or long press on the device. Mooltipass I have to go through a couple menus and confirmations.
I can see the attraction to the additional features of the Mooltipass but I just don't use them (at least yet).
Either are great though. The extra input requirements of the Mooltipass are not that bothersome.
I use a memorized passphrase with a random string stored on a Mooltipass or OnlyKey. I use both interchangeably for vendor diversity.
They are both pin protected and act as USB keyboards (how I use them). They have more features like FIDO2 (both), WebAuthN (moolti), Bluetooth (moolti), etc.
I only store my computer decryption and account password plus my bitwarden password on them (random part for use with memorized passphrase). After that I just use bitwarden once I'm logged in.
I mean, I'll take their cake and share it around to be eaten, lol. Could care less about their bodies.