our team decided to make them mutually exclusive, therefore, at this moment you will not be able to utilize the Killswitch feature and have access to your LAN

Yeah, I got the same reason when I asked about that issue with Android (GrapheneOS). I didn’t run into this issue on Windows. I don’t recall Mullvad running into this issue, either.

ProtonVPN has also been the only known app impacting GrapheneOS shipping a DNS leak fix due to “Proton is doing something weird” that other apps aren’t doing. Proton is also convinced they’re programming their app correctly and aren’t open to fixing it…whereas Mullvad did when prompted.

Lastly…if the Killswitch and LAN access are mutually exclusive, why does Proton let me turn both on and not explain it? You’d think if you turned on the Killswitch, it would grey out the LAN access with a note saying you can’t have both. And if you try to turn on the LAN access with Killswitch on? It should pop up with a notification saying you can’t have both with a yes/no prompt to take you to the Killswitch settings to turn that off if desired.


Nope, I’m out.

From the person you replied to, emphasis mine:

You could also start with just one of these


five simultaneous logins…you and five of your friends…get the price down to $1 a month.

You (1) + 5 friends = 6, which is more than 5. So where does the extra dollar go and who doesn’t get to login?


This is not terribly new, and requires more investigation. One of the bugs appears to be due to Mullvad, other is potentially an Android bug.

https://news.ycombinator.com/item?id=40252719


I don’t like that phrasing. To me, that implies all browsers are based on it, not just those on their recommended list (as in Chrome).


You know landlines are still in use, right?

Mine didn’t work so well when I left the house.


Members of our community are excited to try out Beeper Mini, an “iMessage for Android” platform which actually works natively on your device, unlike Nothing’s ill-fated cloud iMessage offering.

Welp, that didn’t last long.


A higher return on devs’ effort (meaning more users reached and more profit) and thus the effort and focus of said devs, which is the chief complaint of the OP and replies. Apologies, thought it was obvious in the context.


Can you elaborate on “third party?” To me, that means not the system app, but a user installed one. I’ve used my system camera (app.grapheneos.camera) and one not originally part of my OS (user app) that I’ve installed from the Play Store (com.google.android.GoogleCamera) and they both backed up automatically.


They’re obviously talking about the sheer number of users. Windows has something like 10x as many, which most people know. From Wikipedia:

For desktop and laptop computers, Microsoft’s Windows is the most used at 69%, followed by Apple’s macOS at 21%, and Google’s ChromeOS at 3.7% (in the US up to 7.9%), and desktop Linux at 3.2%, so on traditional PCs Linux sums up to 7% share (ChromeOS is a different OS, but regular Linux can be added to it).

So Linux only wins if 100% of their users use it and only 10% of Windows use it, which won’t happen. If a company has limited resources, they’re obviously going to focus their efforts on where they can attract the most number of users (and most money). In this/most cases, that’s Windows.


Which one do you trust?

As I’ve said before: myself. Using unbound as a recursive resolver and cutting out the middlemen of CloudFlare, Quad9, Google, etc.

Edit: or do you want the authoritative name/root servers my recursive resolver asks? Ok. I didn’t give these as that’s who everybody asks, to include Google, Quad9, etc…hence me harping on saying cutting out those middlemen and asking the root servers directly. https://www.iana.org/domains/root/servers

And…who do you trust?


Trust me, I fully get it. You are trying to be pedantic and “technically correct,” Um Actually style. I am speaking from the perspective of this sub (privacy and enhancing it). You are your network. You are not a middleman in the context of yourself or your network. You are not losing privacy in relation to yourself. That’s being ridiculous. It’s like saying “I didn’t cook this steak at my house, um actually, my stove and pan did. Well, they (and I and the butter/oil) were the middleman. Let’s not forget the fire. Etc.” Again, ridiculous.

Also, you’re right in that you have to ask a DNS server to resolve a name to an IP. But in this context, DNS servers ask the root name server. Those DNS servers are the middlemen, rootname is not. With Unbound and recursive, you are asking the authoritative root name server. They are not a middleman to themselves…they are the authority in DNS (it’s in the name). Also, Unbound as Recursive does answer the question of OP which was “what DNS to use?” When you configure a recursive resolver, you don’t (shouldn’t) change it away from the root nameservers and insert a middleman (someone/something you don’t control), and it doesn’t do it by default. OP was clearly asking about non-authoritative DNS servers to use aka “should I use Quad9, CloudFlare, etc?” And my answer was…none. Cut out those middlemen that don’t need to be there/asked (which takes away some privacy as you’re asking a person who doesn’t need asked), and ask the root nameservers yourself via Unbound recursively.

You seem to be stuck talking from the perspective of the client/PC. Next, are you gonna say “you’re not actually going to the site. You’re going to the switch, then the router, and a firewall, maybe traversing a DMZ, could be a proxy in there, then going through the core backbone routers of the internet, down into their network. Of course, if there’s a VPN in there, that changes things. Let’s not forget the middleman of your own NIC and CPU, not to mention the keyboard, motherboard, mouse, etc. Oh, of course fiber and cabling. Those are all middlemen.” Do you see how fundamentally ridiculous that is?


tl;dr: Cut out Cloudflare’s recursive resolver (or anyone else’s) and run your own via PiHole and Unbound.

You don’t cut the middle man, you create the middle man with Unbound.

Umm, Unbound is on your machine. So you’re saying you are your own middle man lol…which is the same as cutting out the middle man as you (rather, your server) are you.

And Unbound needs to ask other DNS servers on the internet to resolve DNS queries.

It asks the authoritative nameservers, which is who external DNS servers ask. By using Unbound, you are cutting out those external DNS servers, because you/Unbound is the DNS server. You are asking the authoritative name server directly instead of inserting someone else to ask on your behalf.

Here’s an explanation by Cloudflare: A recursive resolver (also known as a DNS recursor) is the first stop in a DNS query. The recursive resolver acts as a middleman between a client and a DNS nameserver…Most Internet users use a recursive resolver provided by their ISP, but there are other options available; for example Cloudflare’s 1.1.1.1.

I copy/pasted the above quote from the article you linked. Again, Unbound (your machine) is asking the DNS nameserver. You’re saying you are your own middleman lol. I’m saying cut out Cloudflare’s recursive resolver and run your own via PiHole and Unbound. Did you read the article I linked?


With Unbound, you can set it up as a recursive DNS server. Hence, cutting out the middle man. https://docs.pi-hole.net/guides/dns/unbound/


Depends on how you want to use it. For home use, I’d say set up a Pi-Hole with Unbound. You can add your own blocklists and it cuts out the middle man.


Privacy is not the same as security…not to say Lemmy is either, but it’s definitely not “private.”


I have Unlimited, it’s just me for users, and I haven’t maxed out my storage. So doesn’t seem worth it (nor Family) for my use case. A shame as it does sound like a good deal.


A backdoor would imply some sort of external control I’d think…

Yes, technically a backdoor listens: https://csrc.nist.gov/glossary/term/backdoor

Being able to command a device to send you info or perform tasks is different than the device sending info of its own accord.

In this context, where it’s implied to send without the owner’s knowledge (ignoring the fact it’s documented), not really. The article screams “gotcha!” when in reality it didn’t, so they’re trying to backtrack and downplay their initial response. But I do appreciate their update, it’s just got a PR spin to it.

Edit: if the article was initially written as more of a “did you know” and/or expanding on existing documentation, wouldn’t be an issue. It’s the “it’s secretly stealing” that implies malice which is part of the definition of malware… that shares a category with backdoor. So splitting hairs in the name of PR.


Not a fan of how they say “we didn’t say it’s a backdoor,” but have “secretly share” in the URL and article title.


Which OpenTracks? Google PlayStore has two.


That would depend on if the person we’re replying to meant actual/legal fraud, or just bad faith fraud. But I’m sure both happen.


It’s been my experience that for most people, Google services are not a requirement, but a luxury… especially for daily life. Now, most Google-esque services are a requirement for daily life, but as they said, there are alternatives that you can use that work.


Assuming they’re talking about what most businesses, especially large ones with huge legal resources, do: exploit loopholes to not pay, or pay reduced, taxes.


Everything must blow your mind.

Just people in a privacy community advocating for even less privacy than Google, who is decidedly anti-privacy, wants. The company who detests privacy and wants to collect data on everyone said, “this might be private and we shouldn’t go with it,” and you go “nope, it’s not, give it over?” I feel like Google is a very low bar to pass for privacy, and you still tripped on it.

So yes, no matter how much I experience in the world, people advocating for being taken advantage of or having their rights violated (which is what’s happening here) blows my mind, despite running into it semi-constantly.


You’re fine with not targeting an individual and using blanket warrants instead? Even a judge said it was unconstitutional due to it not being individualized, and the EFF says it can implicate innocents. Even Google, who tracks and collects most everything, was reluctant to hand it over.

Sure, this reinvigorated the case, but it has an “ends justify the means” feel to it, which is a slippery slope. But you’re actively endorsing a less privacy friendly stance than Google, of all things. That blows my mind.


Proton should, but they’re not the only ones who can. They’ve done the hard work by providing an API, which I linked earlier ( https://api.protonmail.ch/vpn/logicals ). That API is the only piece that Proton needs to keep updated and working, but anyone can compare their own IP (or someone else’s IP who connects to them) against that API…and it’s already built.

It’s super simple for someone (ideally Proton) to set up a website. Websites already grab the IP of who connects to them, then they just run that IP against that API and just have a green banner that says they’re connected via which exit, or red banner with ISP and IP. And you can get fancier from there.

I mean, I’m not a web dev, but I could set that up in less than a day. I’m also not a UI/UX person, so it would also look awful.


There absolutely should be a Proton page to verify, in my opinion. Mullvad has a banner on every page, and an in-depth DNS leak test page.

Another cumbersome way to check is to do a curl on https://api.protonmail.ch/vpn/logicals (syntax depends on device you’re running it from).
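
The check described in the two comments above (match the connecting IP against the list of VPN exits, then show a green or red banner), as an added example that is not part of the original comments and not Proton's code. The response layout (`LogicalServers`, `Servers`, `ExitIP`, `Name`, `ExitCountry`) is an assumption about the endpoint's JSON, the function names are hypothetical, and the sample data is constructed from documentation address ranges so the block runs offline.

```python
import ipaddress
import json

# Constructed sample shaped like the response this example ASSUMES the
# endpoint returns (LogicalServers -> Servers -> ExitIP). Addresses come from
# documentation ranges and are not real exits.
SAMPLE_LOGICALS = json.loads("""
{"LogicalServers": [
  {"Name": "EX#1", "ExitCountry": "CH",
   "Servers": [{"EntryIP": "192.0.2.10", "ExitIP": "192.0.2.11"}]},
  {"Name": "EX#2", "ExitCountry": "SE",
   "Servers": [{"EntryIP": "198.51.100.20", "ExitIP": "198.51.100.21"},
               {"EntryIP": "198.51.100.22", "ExitIP": "2001:db8::21"}]}
]}
""")


def build_exit_index(logicals):
    """Map each normalised exit address to the logical server that owns it."""
    index = {}
    for logical in logicals.get("LogicalServers", []):
        for server in logical.get("Servers", []):
            try:
                exit_ip = ipaddress.ip_address(server.get("ExitIP", ""))
            except ValueError:
                continue  # skip missing or malformed entries
            index[exit_ip] = (logical.get("Name"), logical.get("ExitCountry"))
    return index


def check_client(remote_addr, index):
    """Return ('green', name, country) for a known exit, else ('red', None, None)."""
    try:
        ip = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return ("red", None, None)  # fail closed on unparseable input
    # Dual-stack sockets report IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    name, country = index.get(ip, (None, None))
    return ("green", name, country) if name else ("red", None, None)


if __name__ == "__main__":
    idx = build_exit_index(SAMPLE_LOGICALS)
    for addr in ("192.0.2.11", "::ffff:198.51.100.21", "203.0.113.5"):
        print(addr, check_client(addr, idx))
```

The address passed to `check_client` should be the socket peer address; a client-supplied header such as `X-Forwarded-For` is only usable when it is set by a proxy you control, otherwise the banner can be made green by anyone.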



specifically the shortened version FUD

Here’s from the '70s:

“The search for self”. Clothes. New York, NY, USA: PRADS, Inc. 10 (14–24): 19. 1975-10-01. Retrieved 2011-06-10. […] One of the messages dealt with is FUD—the fear, uncertainty and doubt on the part of customer and sales person alike that stifles the approach and greeting. […]


terms like FUD that originated with Crypto

Just because you first saw it in regards to crypto doesn’t mean that’s where it originated from.

https://wikipedia.org/wiki/Fear,_uncertainty,_and_doubt


If you run your own Pihole, any reason why you’re not just doing unbound? That’s what I usually suggest to most people who do.

https://docs.pi-hole.net/guides/dns/unbound/


they started using FastGPT which is a dealbreaker for me.

Care to elaborate on why? I haven’t been keeping up with all the AIs, and a 3 second search isn’t returning anything nefarious.


I have not tried it, but I’m not a fan of logging into a search engine or providing an email. Mullvad, by comparison, just gives you an account number.

https://help.kagi.com/kagi/getting-started/faqs.html#why-does-kagi-search-require-an-email-address

https://mullvad.net/en/account/recover/


Doesn’t matter if it’s overpriced. Theft is theft, no matter how you justify it. I’m honestly not judging…well, maybe a little on the “I don’t want to do work for stealing it.”


You want to essentially steal the photos and don’t want to do work for it? If you don’t want them, don’t pay…but to take them and not pay? Yep, that’s theft.