Privacy

45574 readers

213 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 6 years ago

MODERATORS

Signal Contingency Plan (spoiler: it's Delta Chat) (signal-contingency-plan.info)

submitted 17 hours ago by glitching@lemmy.ml to c/privacy@lemmy.ml

25 comments fedilink hide all child comments

Do you use Signal for chatting securely with friends and loved ones? Us too! We endorse it wholeheartedly, and rely on it for nearly all our communication.

But the vibes are deteriorating here in the US, and we should have a communications contingency plan for if Signal goes down.

you are viewing a single comment's thread
view the rest of the comments

[–] Calmarius@lemmy.ml 2 points 11 hours ago* (last edited 10 hours ago)

You can move to any other service, but once it becomes popular enough to draw attention they might also get blocked as well. If it's centralized, then the central servers can be blocked and it's not longer working. If it's decentralized and peer to peer, then the bootstrap nodes can be blocked and it's no longer working.

Even if it's self hosted and not advertised, the adversary can run active probes to detect banned services and block it if it detects any.

The only thing that can work reliably is something that can be concealed and can't easily be detected.

A simple HTTPS website that runs a small blog, forum or an image board, can have a lot of bot traffic, and human traffic that makes the traffic analysis hard, it also provides plausible deniability if someone asks why you visit that site often, you can say that you are playing games or browse images there. Such website can have a secret interface that can be used as an interaction point for secure chatting (in a store and forward manner), which responds only if the requests are cryptographically signed by the participants, otherwise the server can play dumb and show a 404 error. Therefore an active prober can't easily detect that the website hosts that interface the first place, because they cannot produce a signed request unless they manage to compromise one of the participants.

Threat analysis:

Obviously if the endpoints are compromised, all bets are off.
The certificate authority (CA) that issued the certificate for the website can be compelled to issue certificates for man-in-the-middle (MITM) observation and then the MITM-er can detect the secret interface. But nowadays this is difficult to pull off due to certificate transparency (CT), TLS clients can be configured to not accept the cert if it's not logged by a CT provider, and domain owners can get an immediate alert if someone else issues a fraudulent and logged cert for their domains.

Someone should make an app that works this way. Only one tech savvy person of the given group need to set this up (preferably someone who alredy have a website), then others in the group can be invited into it and can use it without much friction.