Microsoft, Revolut, ODoH, OPAQUE, ECH, Cyph, Tor
Microsoft's attitude towards sabotaging devices using bad software updates is sickening. I've currently got four "broken" laptops, each of those got completely fixed by installing Linux. One computer was running Windows so I can use Teams, but... When I replaced it with Linux, I had to installed #Microsoft #Teams for Linux as well. Awesome, everything seemed to work fine, until the test call was finished. There were no way to terminate or exit the call, other than killing the Teams process. So much joy! - It was kind of fun to hit forums like Reddit and Twitter and see that many many people are complaining about the exactly same issues.
Revolut Web App, requires user selfies. I really can't seriously stop hating this company. They're also using webcam authentication. First I thought it would be a joke and they're just trying to troll me. But nope, it's real stuff.
Oblivious DoH (ODoH) (@ blog.cloudflare.com), OPAQUE passwords (@ blog.cloudflare.com), Encrypted Client Hello (ECH) (@ blog.cloudflare.com), Cloudflare's protocol proposals to protect privacy: Next Generation Privacy Protocols (@ blog.cloudflare.com).
ODoH comments: pretty obvious solution. Yet I'm bit worried about the extra complexity. Systems are already quite brittle and falling a part. Also older protocols like DNSSEC / ESNI aren't often used and or are broken due to complexity. I dropped DNSSEC validation, because it failed to often, by widely used sites. ODoH performance chart compeltely lacked the old good DNS over UDP as comparison. In general I like ODoH concept, I'll suggest running a realy to a few privacy oriented tech/nerd organizations in Finland. - Yet the general response was like: Yay, yet another mostly useless (proxy, relay, vpn, gateway). If you wan't privacy, use Tor.
OPAQUE comments: idea is nothing new, but the implementation seems quite complex. I wonder if same end result could be achievable with simpler implementation? Final thought, it's kind of interesting how many different good solutions we've got, but which aren't being actually used. Same approach applies to so many things. Instead of user storing the private keys, the private keys are stored in encrypted format on server side. Pretty deep solution which touches lot of areas, making it really hard and slow to implement. - Probably the solution won't be ever used do to complexity. Close enough (read similar*) results can be achieved (afaik) with a lot simpler solutions only requiring basic hashing. Yet this was interesting read. *) Mutual secure authentication and shared secret derivation without revealing the user password. Ref: OPAQUE-EA (@ datatracker.ietf.org)
ECH comments: Very welcome development, at least with Firefox the ESNI wasn't mostly workign anyway. I think I never got it to work with Cloudlare ESNI client checker. The ECH post is good, I like it. Flow charts and backgrounds explained very well. All this is good for preventing some exposure to passive traffic analysis. In this sense, cloud providers and CDN providers (like Cloudflare) work as reverse VPN in some way. Allowing clients to connect the CDN, without anyone else knowing what content they're actually accessing. kw: ClientInner, EncryptedClientHello, ClientHelloInner, ClientHelloOuter, 0-RTT, DNS SVCB, HTTPS RRs
Tested cyph.app (@ cyph.app). Hmm, yet another similar service. But they're right, when KeyBase got sold, it kind of lost some of it's trust. Yet I even before that deeply hated the aspects where they asked to run all kind of scripts on your system, install all kind of software, and preferably giving your private keys for them. Nope, all of that, is something I'm not willing to do. - Also verification process is clearly lacking. I can just upload any public keys under my profile, they do no effort trying verify the keys in any way. Part of KeyBase's process was especially verifying the information at least on some level. I did read a few comments about this service, and it turned out to be about as bad as I've thought. Getting things implemented in a secure way is challenging, and so easy to fail.
Tor in 2021 (@ blog.torproject.org) ARTI (Rust Tor implementation) sounds like a good plan to me. As well as the user friendly development approach has been very important. So many projects end up being academic projects, which nobody actually bothers to use at all. Another nice thing is the positive approach towards IPv6. Yet currently it isn't possible to run IPv6 only relay or bridge.