Searching txt.sour.is

Twts matching #encryption.

ProcessOne: On Signal Protocol and Post-Quantum Ratchets

Signal improved its protocol to prepare encrypted messaging for the quantum era.

They call the improvement “Triple Ratchet” (or SPQR = Signal Post-Quantum Ratchet).

Signal Protocol and Post-Quantum Ratchets

We are excited to announce a significant advancement in the security … ⌘ Read more

⤋ Read More

ProcessOne: Europe’s Digital Sovereignty Paradox - “Chat Control” update

October 14th was supposed to be the day the European Council voted to mandate scanning of all private communications, encrypted or not.

The vote was pulled at the last minute.

Germany withdrew support, creating a blocking minority that blocked the Danish Presidency’s hope to g … ⌘ Read more

⤋ Read More
In-reply-to » great! no chat control, for now!

@prologic@twtxt.net Where do I stand on “Chat Control”? How long of a response/rant do you want? 😅 It’s a disaster. As I understand it, they want to spy on me directly on my devices before encryption even happens – jfc, no, fuck off. And since there are so many devices, they want to automate the scanning, which is the worst idea you could possibly have.

⤋ Read More

High Court endorses use of encrypted phone app to monitor crime figures
The High Court has ruled on the use of information gathered through the AN0M app, which was developed by the Australian Federal Police for surveillance. ⌘ Read more

⤋ Read More

Oh man, if the EU actually rolled out this horrible idea called ChatControl that actually threatens the security and privacy of secure e2e encrypted messaging like Signal™, fuck me, I’m out 🤦‍♂️ I’ll just rage quit the IT industry and become a luddite. I’m out.

⤋ Read More

I’m using #Filen (@filen@filen) for a while now and I’m very pleased with it!

«Affordable zero-knowledge end to end encrypted cloud storage made in Germany.» Works on #Linux, nice well thought features.

So I’m going to share a referral link because «For every friend you invite to Filen you receive 10 GB - and your friend also receives 10B. It’s that easy»:

https://filen.io/r/631ce32074f259f710691e4eec751eb9

⤋ Read More

I have been using #Filen (@filen@filen) for a while now and I’m very pleased with it!

«Affordable zero-knowledge end to end encrypted cloud storage made in Germany.» Works on #Linux, nice well thought features.

So I’m going to share a referral link because «For every friend you invite to Filen you receive 10 GB - and your friend also receives 10B. It’s that easy»:

https://filen.io/r/631ce32074f259f710691e4eec751eb9

⤋ Read More

JMP: Mitigating MITMs in XMPP
In October 2023, Jabber.ru, “the largest Russian XMPP messaging service”, discovered that both Hetzner and Linode had been targeting them with Machine-In-The-Middle (MITM) attacks for up to 6 months. MITM attacks are when an unauthorised third party intercepts traffic intended for someone else. At the point of interception, the attacker can inspect and even modify that traffic. TLS was created to mitigate this; all communication between the two parties is encrypted, so the third party sees … ⌘ Read more

⤋ Read More

How to Enable iCloud Private Relay on Mac
iCloud Private Relay is a fantastic privacy feature that is part of the iCloud+ subscription that helps to protect your internet activity and browsing by obfuscating your IP address (via using a temporary IP address) and encrypting your DNS lookups, so that third parties can’t see what websites you’re visiting. The end result is that … ⌘ Read more

⤋ Read More

[$] LWN.net Weekly Edition for May 29, 2025
Inside this week’s LWN.net Weekly Edition:

  • Front: Glibc security; How we lost the Internet; Encrypted DNS; 6.15 Development statistics; Filesystem stress-testing; BPF verifier; Network access from BPF; OSPM 2025.

  • Briefs: AlmaLinux 10.0; FESCo decision overturned; NixOS 25.05; Pocket, Launchpad retired; Quotes; …

  • Announcements: Newsletters, conferences, security updates, … ⌘ Read more

⤋ Read More

[$] System-wide encrypted DNS
The increasing sophistication of attackers has organizations
realizing that perimeter-based security models are inadequate. Many
are planning to transition their internal networks to a zero-trust
architecture. This requires every communication on the network to
be encrypted, authenticated, and authorized. This can be achieved in
applications and services by using modern communication
protocols. However, the world still depends on Domain Name Syste … ⌘ Read more

⤋ Read More

Coin-Sized RA4M1-Zero Board Features 32-Bit RA4M1 MCU
The RA4M1-Zero is a compact development board based on Renesas’ 32-bit RA4M1 MCU. Running at 48 MHz with a built-in FPU, it features firmware encryption, secure boot, and a castellated design for easy integration into custom hardware. The board uses the R7FA4M1AB3CFM microcontroller from the RA4M1 family. It includes 256 KB of flash memory, 32 […] ⌘ Read more

⤋ Read More
In-reply-to » @prologic In few weeks for sure, I have a couple of features in mind that I would like to implement (DM extension for example but I'll ask for permission to @arne to use his PoC or ask him to contribute to twtxtory directly)

@javivf@adn.org.es Go for it! You’re free to use it.
It’s been a community adventure to explore the whole DM/encryption thing. So the community can do with it whatever they want. 😎

⤋ Read More

Today I added support for Let’s Encrypt to eris via DNS-01 challenge. Updated the gcore libdns package I wrote for Caddy, Maddy and now Eris. Add support for yarn’s cache to support # type = bot and optionally # retention = N so that feeds like @tiktok@feeds.twtxt.net work like they did before, and… Updated some internal metrics in yarnd to be IMO “better”, with queue depth, queue time and last processing time for feeds.

⤋ Read More
In-reply-to » Seem like it's a server-client thingy? 🤔 I much prefer tools in this case and defer the responsibility of storage to something else. I really like restic for that reason and the fact that it's pretty rock solid. I have zero complaints 😅

I haven’t gotten very far with my experiments, yet. To be honest, I’m still not 100% sure if I want to trust that encryption. 😅 The target server will be completely out of my control … it is a real possibility that the (encrypted) data will leak at some point. Hm.

⤋ Read More
In-reply-to » @lyse It wasn’t our building, yeah, luckily. But I’m pretty scared it might happen some day. I think I’ll put more effort into preparing for that. But whatever I do, it would be horrific to lose all your stuff and the memories attached to it …

On top of my usual backups (which are already offsite, but it requires me carrying a hard disk to that other site), I think I might rent a storage server and use Borg. 🤔 Hoping that their encryption is good enough. Maybe that’ll also finally convince me to get a faster internet connection. 😂

⤋ Read More
In-reply-to » @prologic @bender @eapl.me I think opening another file is a bad idea because it adds complexity to the clients, breaks the single feed and I think keeping legacy clients will be more complex to add new features in the future. A modern approach is important. I'll be honest, I'm a bit tired of the fight around the direct message. Perhaps, we can remove it as an extension and use the alternative @prologic . My suggestion apparently doesn't like to the community. I have no problem with remove it.

my main itch with the DMs extensions is that these messages are intended to be private, not public information. That’s why other extensions make sense, but DMs are another kind of feature.
TwiXter, Mastodon, FB and some other services usually hide the DMs in another section, so they are not mixed with the public timeline.

I find the DM topic interesting, I even made an indie experiment for a centralized messaging system here https://github.com/eapl-gemugami/owl.
Although, as I’ve said a few times here, I’m not particularly interested in supporting it on microblogging, as I don’t use it that much. In the rare case I’ve used them, I don’t have to manage public and private keys, and finally none of my acquaintances use encrypted email.
Nothing personal against anyone, and although I like to debate and even fight, it’s not the case here. This proposal is the only one allowing DMs on twtxt, and if the community wants it, I’ll support it, with my personal input, of course.

A good approach I could find with a good compromise between compatibility with current clients and keeping these messages private is ‘hiding’ the DMs in comments. For example:
# 2025-04-13T11:02:12+02:00 !<dm-echo https://dm-echo.andros.dev/twtxt.txt> U2FsdGVkX1+QmwBNmk9Yu9jvazVRFPS2TGJRGle/BDDzFult6zCtxNhJrV0g+sx0EIKbjL2a9QpCT5C0Z2qWvw==

⤋ Read More
In-reply-to » @prologic @bender @eapl.me I think opening another file is a bad idea because it adds complexity to the clients, breaks the single feed and I think keeping legacy clients will be more complex to add new features in the future. A modern approach is important. I'll be honest, I'm a bit tired of the fight around the direct message. Perhaps, we can remove it as an extension and use the alternative @prologic . My suggestion apparently doesn't like to the community. I have no problem with remove it.

@andros@twtxt.andros.dev how often do you send a private message on the Fediverse? How often do you send PGP/SMIME encrypted emails? Are there other tools that are more suitable for the task? If implementing direct/private messages on twtxt scratches an itch (you know, that hobbyist itch we all get from time to time), then don’t give up so easily. Worse comes to worse, and your feed becomes too noisy, people can simply unfollow/mute.

I really don’t care about direct messages here, but I might be on that bottom 1%!

⤋ Read More
In-reply-to » @eapl.me You asked me for private keys for testing purposes. I have added it to the bottom of this page: https://dm-echo.andros.dev/ It will soon be running. It won't be long now.

I’m also thinking that some kind of tag might be needed to automatically hide twts from unknown extensions. For example our client doesn’t support DMs and always shows the !<nick url><encrypted_message> syntax which is meaningless.

⤋ Read More

[$] Taking notes with Joplin
Joplin is an open-source
note-taking application designed to handle taking many kinds of notes,
whether it is managing code snippets, writing documentation, jotting
down lecture notes, or drafting a novel. Joplin has Markdown support,
a plugin system for extensibility, and accepts multimedia content,
allowing users to attach images, videos, and audio files to their
notes. It can provide synchronization of content across devices using
end-to-end encryption, or users can opt to sti … ⌘ Read more

⤋ Read More

Istio: The Highest-Performance Solution for Network Security
Ambient mode provides more encrypted throughput than any other project in the Kubernetes ecosystem. Encryption in transit is a baseline requirement for almost all Kubernetes environments today, and forms the foundation of a zero-trust security posture…. ⌘ Read more

⤋ Read More

Apple to Support Encrypted RCS Messaging in Future Software Update
Apple says it will add support for a new Rich Communication Services (RCS) specification that includes end-to-end encryption (E2EE) for messages sent over the protocol in future software updates.

“End-to-end encryption is a powerful privacy and security technology that iMessage has supported since the … ⌘ Read more

⤋ Read More

Erlang Solutions: Top 5 IoT Business Security Basics
IoT is now a fundamental part of modern business. With more than 17 billion connected devices worldwide, IoT business security is more important than ever. A single breach can expose sensitive data, disrupt operations, and damage a company’s reputation.

To help safeguard your business, we’ll cover five essential IoT security basics: data encryption, strong password policies, regular security audits, employee awareness tr … ⌘ Read more

⤋ Read More

ameriDroid Opens Preorders for VPN Server with WireGuard and DietPi
The VPN Server by ameriDroid is a pre-configured device for secure remote access to home and small office networks. Built on the ODROID-C4, it runs a lightweight Linux-based system with WireGuard for encrypted VPN connections and minimal setup. The device is based on the ODROID-C4, a single-board computer released in early 2020 by Hardkernel, featuring […] ⌘ Read more

⤋ Read More
In-reply-to » @eapl.me Here is what I've got so far: https://github.com/upputter/testing-twtxt-dm

here is my progress so far: https://github.com/eapl-gemugami/twtxt-direct-message-php
The encryption part seems to work, if I decrypt the message with OpenSSL.
I think it can help you for some key parts not well explained in OpenSSL documentation.

@andros@twtxt.andros.dev reading your spec I wrote a few notes here: https://github.com/eapl-gemugami/twtxt-direct-message-php/blob/main/direct_message_spec.md

@arne@uplegger.eu I haven’t checked your repo yet, although you are using sodium, right?

⤋ Read More
In-reply-to » @eapl.me Here is what I've got so far: https://github.com/upputter/testing-twtxt-dm

@arne@uplegger.eu Here are the results of the german jury:

Known salt (B64): Tb9oj07UhwU= (8)
Known key (B64): MII0yj+MC0mHNx254Voar80bi9P7jmocs0+x+inaxBE=
Known iv (B64): l/PvkDjOKMFZe73KptrvWw== (16)
Shared Key (B64): ql8zvN03p6kroSwNrcKbxk4zSBQFkgQZEumvqVIDMAE=
** DECRYPT **
Encrypted Message: ...
Decoded Salt (B64): Tb9oj07UhwU= (8)
PBKDF2 KEY (B64): MII0yj+MC0mHNx254Voar80bi9P7jmocs0+x+inaxBE=
iv (B64): JanbU1jI30lb6yfjq/adjA== (16)
Decrypted Message: 

😭

⤋ Read More
In-reply-to » trying to implement it quickly, I get the same questions than you ```

@eapl.me@eapl.me Here is what I’ve got so far: https://github.com/upputter/testing-twtxt-dm

There is a “00_well_known_message.enc” file, which I have the encryption parameters for (https://github.com/upputter/testing-twtxt-dm/blob/9fdf3be6aa8fe810a4cb275375dbb3d4a2a958ee/wellknown_test.php#L28).

According to my findings, I assume that the salt size in openssl is “8” and the PBKDF2 algo is “sha256”.

⤋ Read More
In-reply-to » Today is an important day. We have a new extension: Direct message 🪇🗨️🚀🥳❤️ https://twtxt.dev/exts/direct-message.html #twtxt

@andros@twtxt.andros.dev Could you share (perhaps in the extension document) the private key for alice?

I want to compare that I can read the encrypted message both from OpenSSL CLI and from the PHP OpenSSL library, following the spec.

⤋ Read More
In-reply-to » @arne Well, just for my understanding. The command: echo "Lorem ipsum" | openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -out message.enc -pass file:shared_key.bin will take the input string from echo to openssl. It then will

trying to implement it quickly, I get the same questions as you

    # https://www.php.net/manual/en/function.openssl-pbkdf2.php
    $password = $sharedKey;
    $salt = openssl_random_pseudo_bytes(16);  # What's the salt length ?
    $keyLength = 20;  # What's the key length here ?
    $iterations = 100000;
    $generatedKey = openssl_pbkdf2($password, $salt, $keyLength, $iterations, 'sha256');
    echo bin2hex($generatedKey)."\n";
    echo base64_encode($generatedKey)."\n";

    $iv = openssl_random_pseudo_bytes(16); // AES-256-CBC requires 16-byte IV
    $cipherText = openssl_encrypt($message, 'aes-256-cbc', $generatedKey, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $cipherText);

⤋ Read More
In-reply-to » @arne Well, just for my understanding. The command: echo "Lorem ipsum" | openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -out message.enc -pass file:shared_key.bin will take the input string from echo to openssl. It then will

@arne@uplegger.eu With the OpenSSL option -p one can get an output of salt, key and iv. My stupid PHP-code can get everything right from the encrypted data (from OpenSSL) - except the iv! Damn “evpKDF” 😔

⤋ Read More
In-reply-to » @andros I have really tried to get behind it. For an implementation for my TwtxtReader (PHP) I simply lack the knowledge of the standard-openssl parameters. All my solution approaches require “nonce” or “initialization vector” on one or the other side. In addition, the “magic numbers” (“Salted__”) were not consistent in my tests.

@arne@uplegger.eu Well, just for my understanding. The command:
echo "Lorem ipsum" | openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -out message.enc -pass file:shared_key.bin
will take the input string from echo to openssl. It then will

  1. use the content of shared_key.bin as password
  2. use PBKDF2 with an iteration of 100000 to generate an encryption key from the given password (shared_key.bin)
  3. use the PBKDF2 generated key for an aes-256-cbc encryption

The final result is encrypted data with the prepended salt (which was generated by runtime), e.g.: Salted__q�;��-�T���"h%��5�� ....

With a dummy script I now can generate a valid shared key within PHP ‘openssl_pkey_derive()’ - identical to OpenSSL.
I also can en-/decrypt salted data within my script, but not with OpenSSL. There are several parameters of PBKDF2 unknown to me.

Question:

  1. Is the salt, used by aes-256-cbc and PBKDF2 the same, prepended in the encrypted data?
  2. Which algorithm/cipher is used within PBKDF2: sha1, sha256, …?
  3. What is the desired key length of PBKDF2 (https://www.php.net/manual/en/function.openssl-pbkdf2.php)?

To be continued …

⤋ Read More
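
An added example (not code from any poster in this thread or from the twtxt DM extension) showing how PHP can read and write the file layout of `openssl enc -aes-256-cbc -pbkdf2 -iter 100000`, covering the salt, digest, key-length and IV questions raised in the posts above. The function names, constants and demo password are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example; function names, constants and the demo password are hypothetical.
// File layout written by `openssl enc -aes-256-cbc -pbkdf2 -iter N`:
//   bytes 0..7   ASCII magic "Salted__"
//   bytes 8..15  random 8-byte salt
//   bytes 16..   AES-256-CBC ciphertext with PKCS#7 padding
// PBKDF2-HMAC-SHA256 (default digest of `enc` since OpenSSL 1.1.0) produces
// 48 bytes from password + salt: bytes 0..31 are the key, bytes 32..47 the IV.
// The IV is therefore derived, never random and never stored in the file.

const ENC_MAGIC    = 'Salted__';
const ENC_SALT_LEN = 8;
const ENC_KEY_LEN  = 32;   // AES-256 key size
const ENC_IV_LEN   = 16;   // AES block size

function encDeriveKeyIv(string $password, string $salt, int $iterations): array
{
    $okm = openssl_pbkdf2($password, $salt, ENC_KEY_LEN + ENC_IV_LEN, $iterations, 'sha256');
    if ($okm === false) {
        throw new RuntimeException('PBKDF2 derivation failed');
    }
    return [substr($okm, 0, ENC_KEY_LEN), substr($okm, ENC_KEY_LEN, ENC_IV_LEN)];
}

function encEncrypt(string $plaintext, string $password, int $iterations = 100000): string
{
    $salt = random_bytes(ENC_SALT_LEN);
    [$key, $iv] = encDeriveKeyIv($password, $salt, $iterations);
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    return ENC_MAGIC . $salt . $ciphertext;
}

function encDecrypt(string $blob, string $password, int $iterations = 100000): string
{
    $headerLen = strlen(ENC_MAGIC) + ENC_SALT_LEN;
    if (strlen($blob) < $headerLen + ENC_IV_LEN
        || strncmp($blob, ENC_MAGIC, strlen(ENC_MAGIC)) !== 0) {
        throw new InvalidArgumentException('missing "Salted__" header or truncated data');
    }
    $salt       = substr($blob, strlen(ENC_MAGIC), ENC_SALT_LEN);
    $ciphertext = substr($blob, $headerLen);
    if (strlen($ciphertext) % ENC_IV_LEN !== 0) {
        throw new InvalidArgumentException('ciphertext is not a multiple of the AES block size');
    }
    [$key, $iv] = encDeriveKeyIv($password, $salt, $iterations);
    // CBC carries no authentication tag: a padding error is the only failure signal.
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($plaintext === false) {
        throw new RuntimeException('decryption failed: wrong password, iteration count or corrupted data');
    }
    return $plaintext;
}

// Base64 payloads (`openssl enc -a`, or DM text such as the sample twt on this page)
// start with "U2FsdGVkX1", the encoding of "Salted__". Strip line breaks, then
// decode strictly before decrypting.
function encDecryptBase64(string $b64, string $password, int $iterations = 100000): string
{
    $blob = base64_decode(preg_replace('/\s+/', '', $b64), true);
    if ($blob === false) {
        throw new InvalidArgumentException('payload is not valid base64');
    }
    return encDecrypt($blob, $password, $iterations);
}

// Round trip with constructed sample values.
$password = 'constructed-demo-password';
$message  = "Lorem ipsum\n";
$b64      = base64_encode(encEncrypt($message, $password));
echo $b64, "\n";
echo substr($b64, 0, 10) === 'U2FsdGVkX1' ? "header ok\n" : "header mismatch\n";
echo encDecryptBase64($b64, $password) === $message ? "round trip ok\n" : "round trip failed\n";

// A different iteration count derives a different key and IV, so the padding
// check normally rejects the result (garbage passes it about once in 256 tries).
try {
    encDecryptBase64($b64, $password, 1000);
    echo "padding happened to validate on garbage output\n";
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

When the password is supplied as `-pass file:shared_key.bin`, OpenSSL documents that only the first line of the file is used, so PHP must be given those same bytes rather than the whole file if the key contains a newline byte.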

UK Authorities Demand Back Door Access to iCloud Backups Globally
The British government has demanded that Apple give it blanket access to all user content uploaded to the cloud, reports The Washington Post.

The undisclosed order is said to have been issued last month, and requires that Apple creates a back door that allo … ⌘ Read more

⤋ Read More
In-reply-to » I want to share a little idea for a new extension with the goal of adding direct messages in #twtxt https://github.com/tanrax/twtxt-direct-message-extension

@andros@twtxt.andros.dev How about putting the whole encrypted conversation into a separate twtxt-file. Just like the archive feature (?). That way, the general clients don’t have to cope with the decryption stuff and it won’t break the general public conversations.

⤋ Read More
In-reply-to » It's ok for most encrypted protocols (In salty you can fetch other messages but can't decrypt). Btw i think recipient can be removed so if someone seen message they tried to decypt, if can't - its not message to you

I made a draft of an “encrypted public messenger”, which was basically a Feed for an address derived from the public key, let’s say ‘abcd..eaea’

Anyone could check, “are there any messages for my address?” and you get a whole list of timestamps and encrypted stuff.

Inside the encrypted message is a signature from the sender. That way you ‘could’ block spam.

Only the owner of the private key could see who sent what, and so…

And even with that my conclusion was that users’ expectations for a private IM might be far away from my experiment.

⤋ Read More
In-reply-to » I haven't read the entire specification, but I think there is a fundamental design problem. Why would someone put an encrypted message on a public feed that is completely useless to everybody other than the one recipient? This doesn't make sense to me. It of course depends on the threat model, but wouldn't one also want to minimize the publicly visible metadata (who is communicating with whom and when) when privately messaging? I feel there are better ways to accomplish this. Sorry, if I miss the obvious use case, please let me know. :-)

It’s ok for most encrypted protocols (In salty you can fetch other messages but can’t decrypt). Btw I think recipient can be removed so if someone seen message they tried to decrypt, if can’t - it’s not message to you

⤋ Read More
In-reply-to » I want to share a little idea for a new extension with the goal of adding direct messages in #twtxt https://github.com/tanrax/twtxt-direct-message-extension

I haven’t read the entire specification, but I think there is a fundamental design problem. Why would someone put an encrypted message on a public feed that is completely useless to everybody other than the one recipient? This doesn’t make sense to me. It of course depends on the threat model, but wouldn’t one also want to minimize the publicly visible metadata (who is communicating with whom and when) when privately messaging? I feel there are better ways to accomplish this. Sorry, if I miss the obvious use case, please let me know. :-)

⤋ Read More
In-reply-to » I want to share a little idea for a new extension with the goal of adding direct messages in #twtxt https://github.com/tanrax/twtxt-direct-message-extension

another one would be to allow changing public keys over time (as it may be a good practice [0]). A syntax like the following could help to know what public key you used to encrypt the message, and which private key the client should use to decrypt it:

!<nick url> <encrypted_message> <public_key_hash_7_chars>

Also I’d remove support for storing the message as hex, only allowing base64 (more compact, aiming for a minimalistic spec, etc.)

[0] https://www.brandonchecketts.com/archives/its-2023-you-should-be-using-an-ed25519-ssh-key-and-other-current-best-practices

⤋ Read More

WhatsApp to Drop Support for These iPhones Starting May 2025
WhatsApp is set to end support for iOS versions older than iOS 15.1 from May next year, removing the chat platform’s compatibility with several iPhone models in the process.

From May 5, 2025, WhatsApp will no longer be compatible with iPhone 5s, iPhone 6, and iPhone 6 Plus models. Users with those devices won’t be able to access the encrypted chat se … ⌘ Read more

⤋ Read More

Cloud Native Computing Foundation Announces cert-manager Graduation
Open source security project automates highly secure, encrypted data communications in cloud native environments SALT LAKE CITY, Utah – KubeCon + CloudNativeCon North America – November 12, 2024 – The Cloud Native Computing Foundation® (CNCF®), which… ⌘ Read more

⤋ Read More
In-reply-to » Lol. "Lighty Encrypted" https://www.pcmag.com/news/hot-topic-breach-confirmed-millions-of-credit-cards-email-addresses-exposed

Oof, is it any wonder some of us don’t want to just give out our info online willy-nilly.

Also that credit card ‘encryption’ will likely land that company in very hot water, no doubt far away from PCI DSS requirements.

⤋ Read More

Encryption matters
Community post by Ronald Petty and Tom Thorley of the Internet Society US San Francisco Bay Area Chapter (original post) When you hear the word encryption, what comes to mind? Take a moment… Upon asking this question to… ⌘ Read more

⤋ Read More
In-reply-to » @bender Yes, they do 🤣 Implicitly, or threading would never work at all 😅 Nor lookups 🤣 They are used as keys. Think of them like a primary key in a database or index. I totally get where you're coming from, but there are trade-offs with using Message/Thread Ids as opposed to Content Addressing (like we do) and I believe we would just encounter other problems by doing so.

@prologic@twtxt.net a signature IS encryption in reverse. If my private key becomes compromised then they can impersonate me. Being able to manage promotion and revocation of keys is needed even in a system where it’s used for just signatures.

⤋ Read More

Gajim: Gajim 1.9.2
Gajim 1.9.2 brings an important OMEMO encryption fix, native notifications on Windows, usability improvements, and many bugfixes. Thank you for all your contributions!

What’s New

For some versions now, Windows offers a native notification system, including a notification center for unread notifications, notification settings, etc. If you are running Windows 10 (specifically build 10240) or later versions, Gajim will now use these native notifications.

Thanks to our contributor [@nico … ⌘ Read more

⤋ Read More
In-reply-to » yarn should define its own federation protocol that extends the basic twtxt in ways that twtxt doesn't allow. it's time. and i've got ideas!

@shreyan@twtxt.net What do you mean when you say federation protocol?

I’m not sure we need much else. I would not even bother with encryption since other platforms do that better, and for me twtxt/yarn/timeline is for making things public

⤋ Read More

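Guide to Integrating the Go Gin Framework with Let’s Encrypt
This article takes an in-depth look at how to integrate Let’s Encrypt into the Go language’s Gin framework in order to automate the management of SSL/TLS certificates. As a free, automated and open certificate authority, Let’s Encrypt makes HTTPS deployment simple and convenient. Through this tutorial, you will learn how to configure Gin to serve HTTPS and to automatically request and renew certificates from Let’s Encrypt, ensuring the security and reliability of your web application. Why do you need Let’ ⌘ Read more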

⤋ Read More
In-reply-to » Holy moly, this is a fantastic 37C3 talk about security researchers getting attacked and they reverse-engineer and fully disclose the entire – very advanced – attack. Operation Triangulation: What You Get When Attack iPhones of Researchers Very impressive!

@lyse@lyse.isobeef.org I have read the white papers for MLS before. I have put a lot of thought on how to do it with salty/ratchet. It’s a very good tech for ensuring multiple devices can be joined to an encrypted chat. But it is bloody complicated to implement.

⤋ Read More

Scientist Claims Quantum RSA-2048 Encryption Cracking Breakthrough
Mark Tyson reports via Tom’s Hardware: A commercial smartphone or Linux computer can be used to crack RSA-2048 encryption, according to a prominent research scientist. Dr Ed Gerck is preparing a research paper with the details but couldn’t hold off from bragging about his incredible quantum computing achievement (if true) on his LinkedIn profil … ⌘ Read more

⤋ Read More

Ignite Realtime Blog: Certificate Manager plugin for Openfire release 1.1.1
The Ignite Realtime community is happy to announce a new release of the Certificate Manager plugin for Openfire.

This plugin allows you to automate TLS certificate management tasks. This is particularly helpful when your certificates are short-lived, like the ones issued by Let’s Encrypt.

This release is a maintenance release. It adds translations. More details are available in the [changelog] … ⌘ Read more

⤋ Read More

An official FBI document dated January 2021, obtained by the American association “Property of People” through the Freedom of Information Act.

This document summarizes the possibilities for legal access to data from nine instant messaging services: iMessage, Line, Signal, Telegram, Threema, Viber, WeChat, WhatsApp and Wickr. For each software, different judicial methods are explored, such as subpoena, search warrant, active collection of communications metadata (“Pen Register”) or connection data retention law (“18 USC§2703”). Here, in essence, is the information the FBI says it can retrieve:

  • Apple iMessage: basic subscriber data; in the case of an iPhone user, investigators may be able to get their hands on message content if the user uses iCloud to synchronize iMessage messages or to back up data on their phone.

  • Line: account data (image, username, e-mail address, phone number, Line ID, creation date, usage data, etc.); if the user has not activated end-to-end encryption, investigators can retrieve the texts of exchanges over a seven-day period, but not other data (audio, video, images, location).

  • Signal: date and time of account creation and date of last connection.

  • Telegram: IP address and phone number for investigations into confirmed terrorists, otherwise nothing.

  • Threema: cryptographic fingerprint of phone number and e-mail address, push service tokens if used, public key, account creation date, last connection date.

  • Viber: account data and IP address used to create the account; investigators can also access message history (date, time, source, destination).

  • WeChat: basic data such as name, phone number, e-mail and IP address, but only for non-Chinese users.

  • WhatsApp: the targeted person’s basic data, address book and contacts who have the targeted person in their address book; it is possible to collect message metadata in real time (“Pen Register”); message content can be retrieved via iCloud backups.

  • Wickr: Date and time of account creation, types of terminal on which the application is installed, date of last connection, number of messages exchanged, external identifiers associated with the account (e-mail addresses, telephone numbers), avatar image, data linked to adding or deleting.

TL;DR Signal is the messaging system that provides the least information to investigators.

⤋ Read More

In-reply-to » Still undecided between TiddlyWiki, DokuWiki, Bear, Benotes, Memos, my blog software, standardnotes, apple notes and more. I like them all quite a bit, but standardnotes, the only one that has real multiplatform is so fucking complicated to host on your own and then they have this stupid offline subscription thing that allows rich text or the block editor that works like notion. I also found codex docs which is really really nice. Unfortunately they lack proper authentication. 1 / 2

I set up Joplin with caddy as the WebDAV server. Works okay. The e2e encryption can get messed up sometimes. Supports markdown and images.

⤋ Read More
In-reply-to » Rebooting a LUKS Encrypted System Without Typing The Passphrase: https://mckinley.cc/blog/20230526.html

@mckinley@twtxt.net Yeah, that’s more clear. 👌

Systems that are on all the time don’t benefit as much from at-rest encryption, anyway.

Right, especially not if it’s “cloud storage”. 😅 (We’re only doing it on our backup servers, which are “real” hardware.)

⤋ Read More

Gajim: Gajim 1.8.0
Gajim 1.8.0 comes with integrated OMEMO encryption! Integrating the OMEMO plugin brings tighter integration and better user experience. We also rearranged the chat menu and added some quick buttons for convenience. Both Gajim’s message search and conversation view received some important changes and fixes. Thank you for all your contributions!

What’s New

In the past, we moved the most popular plugins into Gajim’s core: image preview, plugin installer, HTTP file upload, syntax highligh … ⌘ Read more

⤋ Read More
In-reply-to » Worked a bit on the desktop client tonight, now I store username/pass/server url, but it's insecure at the moment. I need to find a way to store it more securely.

One thing I did in another project was to use sqlite that had encryption. I might do that here as well. That would work well for this.

⤋ Read More

**RT by @mind_booster: 1/3 🚨Recent @POLITICOEurope leak revealed that US & EU officials have agreed to cooperate on measures to turn public opinion against #encryption.

Experts’ statements by @edri & @globalencrypt have called out against this plan

➡️https://edri.org/our-work/eu-us-plan-offensive-to-legitimise-police-access-to-data-civil-society-responds-amid-growing-fears-press-release/
➡️https://www.globalencryption.org/2023/04/statement-on-eu-us-cooperation-against-encryption/**
1/3 🚨Recent [@POLITICOEurope](https … ⌘ Read more

⤋ Read More
In-reply-to » I see I'm not doing any work today, so rest day. Watching YouTube day.

@abucci@anthony.buc.ci anyone can run an exit node. Show me a case where a hidden service was taken over without regular investigation etc.
The biggest darknet markets were taken down due to misconfigurations or mistakes leading them to leak IP and such, not because Tor is compromised or that some agency ran an exit node.
A hidden service’s traffic never goes through an exit node, only passes through middle nodes and everything stays encrypted.

⤋ Read More

My cheap alternative to Ngrok
Since GoBlog has an Auto-HTTPS feature that can automatically retrieve HTTPS certificates via ACME from e.g. Let’s Encrypt, I need a public IP address with which I can reach my test instance of GoBlog via port 80 and 443. ⌘ Read more

⤋ Read More
In-reply-to » I bought a 256GB usb a couple of weeks ago, I now want a OS on it with persistent storage. I only have 1 drive on my newest laptop at the moment, so I do not want to dualboot and such, so a os on the usb stick is a nice option. Tonight I'm testing NomadBSD - https://nomadbsd.org/index.html Will flash it in a couple of minutes, hope it boots fine with my hardware.

decided to boot it again. turns out I typed the wrong encryption password yesterday, and instead of saying that it printed that error. booted fine now :)

⤋ Read More
In-reply-to » I bought a 256GB usb a couple of weeks ago, I now want a OS on it with persistent storage. I only have 1 drive on my newest laptop at the moment, so I do not want to dualboot and such, so a os on the usb stick is a nice option. Tonight I'm testing NomadBSD - https://nomadbsd.org/index.html Will flash it in a couple of minutes, hope it boots fine with my hardware.

It booted fine! currently creating partitions etc. I like that you could enable encryption. when it’s done I’ll go through my usual routine and set up all development tools etc and get some stuff compiled.

⤋ Read More

Jérôme Poisson: Libervia progress note 2022-W45
Hello, it’s time for a long overdue progress note.

I’ll talk here about the work made on ActivityPub (AP) gateway and on end-to-end encryption around pubsub.

Oh, and if everything goes well, this blog post should be accessible from XMPP and ActivityPub (and HTTP and ATOM feed), using the same identifier goffi@goffi.org.

Forewords

The work made on the AP gateway has been possible thanks to a NLnet/NGI0 grant (w … ⌘ Read more

⤋ Read More
In-reply-to » Atom vs. RSS: https://mckinley.cc/blog/20221109.html

@mckinley@twtxt.net Thank you! I didn’t even know about signing and encrypting XML documents. Right, RSS is a little bit messy.

Unfortunately, the autodiscovery document in one of your linked resources does not exist anymore. What annoys me in Atom is the distinction between <id> and <link>. I always want my URL also to be my ID, so I have to duplicate that – unnecessarily in my opinion.

Also, never found a good explanation why I should add <link rel="self" … /> to my feeds. I just do, but I don’t understand why. The W3C Feed Validation Service says:

[…] This value is important in a number of subscription scenarios where often times the feed aggregator only has access to the content of the feed and not the location from which the feed was fetched.

This just sounds like a very questionable bandaid to bad software architecture. Why would the feed parser need access to the feed URL at this stage? And if so, why not just pass down the input source? Just doesn’t make sense to me.

Also, I just noticed that I reference the http://purl.org/rss/1.0/modules/syndication/ namespace, but don’t use it in most of my feeds. Gotta fix that. Must have copied that from my yfav feed without paying attention to what I’m doing.

Your article made me reread the Atom spec and I found out that I can omit the <author> in the <entry> when I specify a global <author> at <feed> level. Awesome! Will do that as well and thus reduce the feed size.

⤋ Read More

How GitHub converts previously encrypted and unencrypted columns to ActiveRecord encrypted columns
This post is the second part in a series about ActiveRecord::Encryption that shows how GitHub upgrades previously encrypted and unencrypted columns to ActiveRecord::Encryption. ⌘ Read more

⤋ Read More

Why and how GitHub encrypts sensitive database columns using ActiveRecord::Encryption
You may know that GitHub encrypts your source code at rest, but you may not have known that we encrypt sensitive database columns as well. Read about our column encryption strategy and our decision to adopt the Rails column encryption standard. ⌘ Read more

⤋ Read More