IOCipher 1.0 community reboot
Posted on February 1, 2025
| Zoff
IOCipher update to version 1.0 We are thrilled to announce that a community contributor has picked up maintaining a fork of IOCipher and updated to IOCipher 1.0, designed to enhance your development experience and empower you to create more secure applications with ease. Here’s what’s new and why it matters to you:
1. Enhanced Features We introduced a few new features. Most notably IOCipher is also available on Desktop Java for Linux and Windows now.
[Read More]
A Look Back at 2024: F-Droid's Progress and What’s Coming in 2025
Posted on January 21, 2025
| Hailey Still
With 2024 now behind us, we wanted to take a moment to reflect on the growth and achievements we accomplished as a community last year, and celebrate the incredible support we received from the FOSS community throughout the journey.
This year has been a milestone for us, with significant strides in decentralizing app distribution, expanding the F-Droid ecosystem, and solidifying our infrastructure. All of these advancements were made possible thanks to donations, grants, our volunteers and regular contributors.
[Read More]
Using TLS ECH from Python
Posted on January 10, 2025
| irl
At first, the idea of encrypting more of the metadata found inside the initial packet (the “ClientHello”) of a TLS connection may seem simple and obvious, but there are of course reasons that this wasn’t done right from the start. In this post I will describe the flow of a connection using Encrypted Client Hello (ECH) to protect the metadata fields, and present a working code example using a fork of CPython built with DEfO project’s OpenSSL fork to connect to ECH-enabled HTTPS servers.
[Read More]
The future of our fdroid-compatible app repository
Posted on February 24, 2024
| eighthave
Guardian Project has been running its own fdroid-compatible app repository since 2012. Up until now, we worked to ensure that our repository had the same standards of free software as the official F-Droid repository. Therefore, the Guardian Project repository was included in the official F-Droid client app by default. A lot has changed since then, for the better. F-Droid has long since stopped shipping pre-built binaries from any provider. Back in the day, F-Droid shipped some binaries, like Mozilla’s Firefox APKs, and allowed some non-free libraries in apps.
[Read More]
Quick set up guide for Encrypted Client Hello (ECH)
Posted on November 10, 2023
| jochensp
The Encrypted Client Hello (ECH) mechanism draft-spec is a way to plug a few privacy-holes that remain in the Transport Layer Security (TLS) protocol that’s used as the security layer for the web. OpenSSL is a widely used library that provides an implementation of the TLS protocol. The DEfO project has developed an implementation of ECH for OpenSSL, and proof-of-concept implementations of various clients and servers that use OpenSSL, and other TLS libraries, as a demonstration and for interoperability testing.
[Read More]
DEfO - Developing ECH for OpenSSL (round two)
Posted on November 9, 2023
| Stephen Farrell
Encrypted ClientHello (ECH) plugs a privacy-hole in TLS, hiding previously visible details from network observers. The most important being the name of the web-site the client wishes to visit (the Server Name Indication or SNI). This can be a major privacy leak, like when accessing a dissident news source hosted on a Content Delivery Network (CDN). A visible domain name also provides a straightforward method for censors to block websites and internet services.
[Read More]
FIFA2023 Report
Posted on November 3, 2023
| Cacu, Happy and Paul
Forum on Internet Freedom in Africa (FIFAfrica) organized by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) took place in September 26-29, 2023 in Dar es Salaam, Tanzania at the Hyatt Regency Hotel.
The first two days - the 26th and 27th of September - were invite only. The rest of the days - 28th and 29th of September - were meant for all the other participating attendees.
[Read More]
Improving website resilience with LibResilient and IPFS
Posted on June 15, 2023
| uniq
We’re always looking for techniques to make services more resilient to all sorts of issues. That’s why we took special interest in LibResilient and mapped out it’s capabilities. It’s a JavaScript library for decentralized content delivery in web-browsers and markets itself as easy to deploy to any website. We’ve looked at LibResilient primarily in the context of static websites. While it should work with dynamic websites too, that was out of focus for us.
[Read More]
Arti, next-gen Tor on mobile
Posted on March 4, 2023
| uniq
For software projects with recurring bugs, efficiency or security issues there’s a joke making the rounds in the software industry: “Let’s re-write it in Rust!” It’s a fairly new low-level programming language with the declared goal to help developers avoid entire classes of bugs, security issues and other pitfalls. Re-writing software is very time consuming, so it rarely happens, especially when just one more fix will keep a project up and running.
[Read More]
Steps towards trusted VPNs
Posted on February 28, 2023
| Hans-Christoph Steiner
VPNs have become quite popular in recent years for a number of reasons, and more and more they are being touted as a privacy tool. The question is whether using a VPN does improve privacy. It is clear that VPNs are quite useful for getting access to things on the internet when direct connections are blocked. VPN providers include a number of tactics in both their client apps and server infrastructure to ensure that their users are able to make a connection.
[Read More]
Scanning apps, off the record
Posted on September 28, 2022
| Hans-Christoph Steiner
Smart phones have brought us so many wonderful capabilities. They let people around the world access vast realms of information. They let app developers solve problems large and small in a way most relevent to their local context. They are personal computers for the world. They also have given surveillance capitalism an unprecedented reach into everyone’s lives. Repressive governments use them in ways that the East German Stasi secret police could only have dreamed of.
[Read More]
The Search for Ethical Apps: Let's start with governments
Posted on September 1, 2022
| Hans-Christoph Steiner
Governments across the world are moving services to mobile apps. The vast majority of these apps are only available in the Google Play store or in the Apple App store. Installing apps from these services requires users to agree to their terms of service. This means governments require their citizens to sign opaque and privacy invading contracts with foreign Big Tech in order to use digital services. This feeds ever more into Big Tech data control, filtering, and information bubbles.
[Read More]
Privacy Preserving Analytics in the Real World: Mailvelope Case Study
Posted on February 28, 2022
| John
We love Mailvelope. It’s a popular browser extension for encrypting email messages. Now, Clean Insights is helping Mailvelope understand which webmail providers are most popular with their users so they can prioritize their development efforts.
Anyone who has written software knows it takes hard work to craft a great user experience. That’s even more challenging in Mailvelope’s case. Their browser extension integrates with more than a dozen ever-changing third party webmail interfaces.
[Read More]
Spearphishing for developers
Posted on February 23, 2022
| Hans-Christoph Steiner
I received an interesting email that points to a new direction in targeting developers to exploit them. This email is a reply to a message that I actually wrote to an email list in 2012, that was posted on a public thread on a public list. It also uses the name of a person that posted on that thread: “Paul Eggers”. Oddly, it did not use that person’s actual email from the original thread.
[Read More]
Debian over HTTPS
Posted on December 8, 2021
| Hans-Christoph Steiner
Debian’s package manager apt has a time-tested method of securely providing packages from the network built on OpenPGP signatures. Even though this signing method works well for verifying the indexes and package files, there are new threats that have become relevant as man-in-the-middle attacks and data mining become ever easier. Since 2013, apt developers have supported encrypted transport methods HTTPS and Tor Onion Service. We have been recommending their use since 2013.
[Read More]
Implementing TLS Encrypted Client Hello
Posted on November 30, 2021
| Hans-Christoph Steiner
As part of the DEfO project, we have been working on accelerating the development Encrypted Client Hello (ECH) as standardized by the IETF. ECH is the next step in improving Transport Layer Security (TLS). TLS is one of the basic building blocks of the internet, it is what puts the S in HTTPS. The ECH standard is nearing completion. That is exciting because ECH can encrypt the last plaintext TLS metadata that it is possible to encrypt.
[Read More]
New insights into clean analytics
Posted on March 2, 2021
| Hans-Christoph Steiner
There is a giant problem with the “collect it all” status quo that pervades on the Internet, this has been clear for a long time. Tracking people has become so widespread that organizations, communities, projects and university labs have sprung up dedicated to detecting and publicizing their presence. Data and analytics are clearly useful for software creators and funders, but they also easily lead to harming people’s privacy and well-being.
[Read More]
Usability: the wonderful, powerful idea that betrayed us
Posted on February 18, 2021
| Hans-Christoph Steiner
Usability triggered a revolution in computing, taking arcane number crunching machines and making them essential tools in so many human endeavors, even those that have little to do with mathematics. It turned the traditional design approach on its head. Initially, experts first built a system then trained users to follow it. User experience design starts with goals, observes how people actually think and act in the relevant context, then designs around those observations, and tests with users to ensure it fits the users’ understanding.
[Read More]
Clean Insights: February 2021 Update on Privacy-Preserving Measurement
Posted on February 10, 2021
| Nathan (n8fr8)
Greetings, all. I hope this finds you healthy and well, finding ways to enjoy the season (whichever it may be). While everyday still provides new challenges in the life of our team at Guardian Project, we continue to strive to be productive as productive as we can be in our professional and personal lives.
I’ve just posted an updated presentation on Clean Insights, reflecting on the symposium in May, and the work we have done since then.
[Read More]
New Data Sources: API Key Identifiers and BroadcastReceiver Declarations
Posted on December 15, 2020
| Hans-Christoph Steiner
A central focus of the Tracking the Trackers project has been to find simple ways to detect whether a given Android APK app file contains code which tracks the user. The ideal scenario is a simple program that can scan the APK and tell a non-technical user whether it contains trackers, but as decades of experience with anti-virus and malware scanners have clearly demonstrated, scanners will always contain a large degree of approximation and guesswork.
[Read More]