This may look like a weird question btw.
I see constantly people here worried about digital security, I see people using Tor, deleting social networks, and just sharing the different levels of security that they use.
So I was wondering, how safe is Lemmy? Sure it doesnt collect info like Twitter and Meta does, but that doesnt mean its 100% safe. So what are the main problems we can have here? Is there anything the 3 letter agencies could exploit? Is there any preventive measures users could take?
So lemmygrad.ml is registered by somebody in the Netherlands while the server is hosted in Switzerland. Both of these countries are Western aligned so it should not be a big problem for the NSA to gain access if they really wanted to. If they get access to the server or the ISP serving it, then they can approximate your location and find out what ISP you’re using
And if they get access to your ISP then they can find out everything about you since you registered with an ID
If you’re in the USA, they 100% have near free access to your ISP. Everything you’ve ever done online has been logged in Utah and replicated multiple times across the entire country
If you’re in the 5 Eyes they probably have a high degree of access through legal spying which they can then send to your country’s authorities
If you’ve ever had any activity on any online communist space raw (no trusted VPN, no Tor), there’s a very high chance that all of that activity has been recorded on a database with backups and then replicated across multiple data centers in different regions, countries, or even continents
If that online space is any modern American website, there is a 100% chance of this happening
To explain some of that, we wanted to move the hosting to a non-5 eyes country, but also needed a host that could deliver infrastructure as well as DDoS protection and, if possible, privacy guarantees (that they won’t delete your hosting because you say stuff they don’t like). This Swiss host is the one we eventually found that fit everything, you can read more about them here: https://swissmade.host/en/.
We would have moved the hosting to China to be completely safe but it was unfeasible at the time (need someone to speak Chinese and be able to make payments there which can be difficult).
Would y’all do it in the present?
Probably, yeah, but I think we have a one year contract with the current host and we made the switch not long ago, like two months or so. @muad_dibber@lemmygrad.ml took care of it at the time so he can help you more than I with the technical stuff.
We could switch at any time, but this host is fine for now. If we start getting some warnings from them for being too communist, then it’ll be time to find another host.
They can get my ISP at any time or just when Im logged on?
If they request data from your ISP, they’ll likely be able to get it at any point, either while in transit or afterwards. If you’re using HTTPS, they’ll only be able to see metadata (what websites you’ve accessed and when), but…
Damn things are bad
That is an accurate assessment
If you’re worried about the alphabet orgs. Only use 2048 bit encryption or higher , meaning only use RSA/ECC for all communications. The alphabet orgs don’t care about forums like this because it low threat level.
Some RSA[1] and ECC implementations have backdoors. RSA and ECC can also be broken by Shor’s Algorithm.
AES is an encryption algorithm that the NSA hasn’t broken yet. An alternative to AES is CAMELLIA. Use 256 bits.
https://arstechnica.com/information-technology/2014/01/how-the-nsa-may-have-put-a-backdoor-in-rsas-cryptography-a-technical-primer/ ↩︎
Yes you can read about that with NIST also. There was a ECC algorithm that looked pretty deliberate (Dual_EC_DRBG). SHOR’s theorem uses quantum computing we don’t have that yet. Also there is post quantum algorithms getting decided by NIST. No NSA can’t break RSA or ECC curves unless the key itself is too small or the RNG or PRNG was tampered with. Also PGP/GPG is safe , alphabets can’t crack or bruteforce these. Just use anything over 2048 bit and make sure you have a long “passphrase” not password encrypted private key. Also for ECC check your curves https://safecurves.cr.yp.to/. I am a crypto guy and alphabet doesn’t have enough computing power to bruteforce these keys.