This is a really good and important look at Lockdown Mode by @lhn. "Surprisingly usable" — yes! The tiny bit of friction that users experience with Lockdown Mode (such as having to copy and paste links manually from Messages to Safari) quickly becomes second nature.
@kuketzblog das hat sie doch: sie sagt ganz klar, dass es derzeit keine wirklich praktikable Option gibt, auf diese Dienste zu verzichten. Und auch dass das ein Problem ist, das ihnen bewusst ist.
I am a little surprised that a lot of people use their own #DNS resolver for #privacy reasons. I think this is counter productive and putting their privacy at risk. Let me explain why in a thread and offer a better alternative 1/n
Normally you send your DNS requests to a resolver - by default the one of your provider. They do the actual name resolution for you and answer with the IP address 4/n
This means that an interested party - lets name it NSA - which is monitoring for example the DNS authority for y.z will only see the request of your provider (or whatever public resolver you use). Your interest in x.y.z remains hidden to them. 5/n
Your DNS requests are only visible to your provider (and whoever can coerce them into helping them). More on this later when we talk about DoT. But the rest of the internet will never see your interest in x.y.z (setting aside things like SNI - but that is for another thread) 6/n
To avoid the dependency (and censorship) from a third party some ppl operate their personal resolver (for example outbound on a pi-hole). All their devices will query this resolver - even from abroad via VPN. 7/n
While this makes sense for a company or an organization, it is dangerous for individuals. Because NSA’s monitoring of y.z will suddenly record your personal IP and they now can trace your interest in x.y.z back to you. 8/n
So my recommended #DNS setup for #privacy aware individuals is: always use a public resolver that is operated by a third party you trust. Maybe that is @quad9dns or @mullvad or @digitalcourage. This way your DNS requests are hidden behind their IP 9/n
And to protect the transport from your device to the resolver from monitoring and manipulation by third parties use DNS over TLS (DoT). Every privacy aware DNS provider will offer that nowadays. Thanks for reading this far. EOT 10/10
@Michael1@heisec In your example monitoring the authority for .org gives them that you are talking to eff.org - and probably is making you suspicious ;)
@MrKanister using pi-hole is fine. Because in its default configuration it acts as a forwarder and does not resolve on its own. Pi-hole gives you more control about what you block.
@loremo my ISP has to have special listening interfaces for autonomous access by state authorities - it’s the law. So I trust them only as much as I have to.
@loremo not every resolver of course. But @digitalcourage has been fighting for #privacy for a long time. I trust them to do the right things for the right reasons. Quad9 has a strong commitment to privacy and their hq is located in Switzerland and therefore outside of easy reach for german institutions. Just find the org you trust…
