Freedombone Blog

Freedom in the Cloud

The rush to TLS

Issues which I've been encountering recently with XMPP are all about TLS and differing threat models. It seems as if LetsEncrypt has been around forever, but really it has only been usable in the last two or three years. During that time an increasing number of internet applications have come to simply assume that CA-backed TLS authentication is in place.

Before LetsEncrypt, XMPP servers typically allowed self-signed TLS certificates or no certificates at all. Recognition by Certificate Authorities (CAs) wasn't mandatory. But increasingly now it is. This is all fine except in cases where you don't need TLS, or where the Certificate Authorities themselves are untrusted and belong in the threat model. That's usually the case if you're running XMPP on onion addresses, where the .onion address already authenticates the endpoint. After all, CAs include numerous dodgy companies and entities like the Chinese government.

So if you're setting up an XMPP server with the intention of using both clearnet and onion addresses then there's a conflict of interests between the two routing worlds. The clearnet would like CA-recognized TLS certificates to always be used. The onionspace would prefer that to be optional or not present.

In the rush to implement TLS everywhere, and thereby secure the internet from the evildoers, minority use cases like onion routing have been forgotten about and there isn't a clear solution if you want to inhabit both worlds.

As a workaround I've added a settings screen for the XMPP app within Freedombone which allows TLS authentication to be strictly enforced or not.

Matrix addendum

There was a recent talk about Matrix at FOSDEM 2019 in which it's said:

As of Matrix 1.0, we require homeservers to present a CA-signed TLS certificate

So very much the same problems are going to apply to Matrix on onion addresses quite soon. Probably the version of Matrix on onion-only versions of Freedombone will need to be modified in order to federate, and will be non-compliant with the spec. If that's infeasible then it might be that Matrix on onion will only be non-federating, which would be disappointing.

Addendum addendum

It looks like Matrix will be OK after all. The recently published federation API says:

The TLS certificate provided by the target server must be signed by a known Certificate Authority. Servers are ultimately responsible for determining the trusted Certificate Authorities, however are strongly encouraged to rely on the operating system's judgement. Servers can offer administrators a means to override the trusted authorities list. Servers can additionally skip the certificate validation for a given whitelist of domains or netmasks for the purposes of testing or in networks where verification is done elsewhere, such as with .onion addresses.
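The policy described above (strict CA validation by default, skipped only for an explicit whitelist of domains or netmasks such as .onion addresses) and the "strictly enforce TLS authentication" switch mentioned in the XMPP section can be expressed as a small decision function that feeds an SSL context. This is an added illustration, not code from Freedombone, Synapse or the Matrix spec; the whitelist values and the `strict` flag name are constructed for the example.

```python
import ipaddress
import ssl

# Constructed example whitelist, mirroring the federation API wording:
# CA validation is skipped for these domain suffixes and netmasks only.
SKIP_VERIFY_DOMAINS = (".onion",)                      # suffix match
SKIP_VERIFY_NETMASKS = ("10.0.0.0/8", "127.0.0.0/8")   # constructed


def verification_required(target, strict=True,
                          domains=SKIP_VERIFY_DOMAINS,
                          netmasks=SKIP_VERIFY_NETMASKS):
    """Return True if the target's certificate must chain to a known CA.

    `strict` plays the role of the "strictly enforce TLS authentication"
    switch (assumed name): when False nothing is verified, which is the
    onion-only operating mode the post describes.
    """
    if not strict:
        return False
    host = target.lower().rstrip(".")
    # Domain whitelist: exact match or suffix match on the listed names.
    if any(host == d.lstrip(".") or host.endswith(d) for d in domains):
        return False
    # Netmask whitelist only applies when the target is a literal IP.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(addr in ipaddress.ip_network(n) for n in netmasks)


def make_client_context(target, strict=True):
    """Build an SSL context; verification is disabled only for whitelisted targets.

    Everything else keeps the defaults: CERT_REQUIRED plus hostname checking,
    so a typo in the whitelist fails closed rather than open.
    """
    ctx = ssl.create_default_context()
    if not verification_required(target, strict):
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx
```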

Dark Messenger

Recent testing of the Conversations app with an XMPP server running on the onion-only version of Freedombone revealed that it no longer worked. This was strange because for the first few years of development of the server system I used this as a test case, having messages go back and forth between a phone and a laptop using the onion server and no clearnet.

I think what has happened is that within the last year or so enforcement of TLS within XMPP clients has become stricter and can no longer be easily bypassed or turned off. While LetsEncrypt is a great thing, if you're not using the clearnet then the imposition of strict TLS can become a problem, leading to a bad or, in this case, broken user experience. It's yet another example of how minority use cases sometimes get disregarded.

The changes needed to get the app working with an onion-only server again are fairly minor but unlikely to be upstreamed. So I've made a fork of Conversations dedicated to messaging using onion addresses, called Dark Messenger. Dark as in darknet or "going dark". Most of the effort was actually just changing the branding to distinguish it from the main Conversations version. You can run the two apps on the same phone without any interference if necessary.

[Image: Dark Messenger on a mobile phone]

The dove is a CC0 icon and it symbolizes peace and reconciliation. There is also the dove in the biblical flood story who brings back the olive leaf as a sign that refuge was close at hand.

Noah then sent forth a dove, which returned the first time without good news; but the second time, she brought an olive leaf in her bill, plucked off, plainly showing that trees, fruit trees, began to appear above water.

Not exactly instant messaging, but a sort of message bringer during times of hardship.

Dark Messenger can be downloaded as an installable apk or as source code from the downloads section and the development repo is here. You won't find it on any app store.

There are various advantages to this kind of setup, and it's hard to accidentally send anything insecurely. In the longer term Briar might become a better option, because it doesn't need any servers.

Matrix on Python 3

Also another development is that the Matrix app on Freedombone now runs on Python 3. This improves its performance and makes it more suitable for running on ARM single board computers with 1GB of RAM. In tests while running a room with 20 users and subscribing to a few rooms on other homeservers, some of which are quite high volume, Synapse on Python 3 only uses 200MB of RAM. So this makes it similar to an XMPP server in terms of resource use.

XMPP still has advantages, such as the ability to proxy through Tor on mobile (the Android Riot app currently can't do that, hence exposing metadata) but the competition is getting closer. Really the idea of competition is the wrong frame here though, because bridging between Matrix and XMPP is improving and so in the end choice of chat software will just be down to personal preference.

Also on the topic of chat systems, I noticed that OTR version 4 was announced on day 3 of 35C3. It doesn't support multi-user encrypted chat though, so this is an encryption standard which is dead on arrival. Yes, a lot of private chat is one-to-one, but in the last few years private group chat has become a major phenomenon, and to ignore that in your security model is a gigantic oversight. So an easy prediction is that OTR will continue to decline in popularity in 2019.

The Dark Matrix

While listening to some 35C3 talks I've managed to get the Matrix and Riot apps for Freedombone working on onion addresses. I don't think there were any fundamental barriers preventing this from happening earlier, and so my previous statements about Matrix being tied to TLS and not compatible with Tor were probably just wrong. Since RiotWeb is composed of client-side JavaScript, if you're running it within a Tor-compatible browser it doesn't care whether the domains being used are clearnet or onion ones.

I expect that federated onion homeservers, forming a "dark Matrix", will work but that there will be issues with federating onion and clearnet homeservers. This isn't unusual, and the same applies to fediverse instances.

Running on onion addresses does provide some security advantages, but it also means that you don't need to buy a clearnet domain, you don't need to forward any ports (so you could be behind a hostile internet router), and you don't need to care about obtaining TLS certificates. There was a talk on the first day of 35C3 about TLS 1.3 which also described the many issues with TLS and what a dumpster fire it is. In a lot of ways using onion addresses is more convenient and has better security properties, so long as you don't mind the long random strings or QR codes.

Freedombone Homepage

One way to get to apps installed on a Freedombone server is to use the FreedomBox companion app on Android. But on desktops until recently there wasn't any equivalent to that.

Now there's the Freedombone Homepage, accessible via http://freedombone/home

[Image: the Freedombone homepage]

The homepage looks similar to the apps screen within the admin section, but here clicking or pressing on icons takes you straight to the URL of the chosen app. You can set http://freedombone/home, or the equivalent onion address in a Tor browser, to the home page in a web browser for maximum convenience.

Also unlike the admin section of the web interface, which requires a password to log in, any user on the server can access the homepage.

There is a search bar for doing web searches, and the hope is that this helps to encourage you to get out of the habit of always using Google.

Freedombone in 2019

2018 has been a fairly significant year for the project. Interest in decentralized systems and education about the problems of large silo systems has been increasing. Mainstream criticisms of Silicon Valley companies which began to be reported in 2017 became more trenchant. There were continuing purges against disfavored demographics or particular topics of discussion.

Freedombone, and self-hosting projects like it, are becoming more relevant over time.

Probably the most significant changes to Freedombone this year have been the move out of Github and the introduction of the web interface. The web interface takes the project from being hacker grade to something which potentially could be a mass market product pre-installed on hardware. Some plans for the remainder of the year, and into the new year are:

Transition to buster

2019 is another Debian release year and version 10, nickname "buster", will be in freeze early in the year with the expectation of release some time in the middle of the year. Once it goes into freeze then I'll start on a new buster branch of Freedombone. If things are similar to the last release then it will take one or two months to make a new version, depending upon how big the changes are.

Rock64 build

It's probably possible to make a fully free software build for Rock64. I assumed there would be blobs in the boot sequence, but upon more investigation it looks like that isn't the case and it can all be built with Free Software licenses. As usual there might still be proprietary 3D graphics, but for a server that's not needed.

More apps

With the Debian 10 release it will be possible to enable more apps, such as those which require more recent PHP or Python versions. One example is PixelFed.

Web interface polish

Improving the translations and adding warning screens. To make something really usable requires laser-like focus on interface minutiae, including things like color contrast, making sure that things are phrased in a comprehensible way and that the flow between screens is as semantically coherent as possible.

Your homepage

Add a web interface screen which can be set as a browser home page, allowing you to quickly navigate to any of your installed apps, and also do web searches.

guifi.net integration

The guifi.net model seems like a good one, with a foundation as a legal mechanism and crowdfunding of network infrastructure. This would be a good direction for the internet to go in, where it is neither run by corporations nor by the government but instead run by and for its users. It would be nice to have an easy way to set up Freedombone as a guifi.net node.