this post was submitted on 09 Jul 2023
35 points (90.7% liked)

Asklemmy


Hello,

Since your Lemmy posts, comments, related activities, and your basic profile information will be stored in the databases across the fediverse, possibly never to be deleted (or kept by somebody who can), do you:

  1. Always use Tor/VPN with a fediverse app?
  2. Recommend others do the same?

If you feel that it is unnecessary, why do you feel that way? If you think it is necessary, why so?

Thanks. I am trying to get a feel of what I should do. For example, if my instance loses its data (due to a hack, sale, vulnerability, etc.), I am pretty sure all the information is lost (including my IP addresses). If other instances lose their data, or keep the data for their own purposes, then my posts/comments/related activities are lost (maybe excluding some of my profile information, my settings, and my IP addresses).

I look forward to hearing your thoughts.

Max_P@lemmy.max-p.me 19 points 1 year ago (1 children)

Using a VPN won't give you much extra privacy unless you don't trust your instance's admins. IP addresses aren't federated, only the content. I don't think Lemmy itself stores any IP addresses, they merely show up in NGINX logs which ideally are rotated fairly frequently anyway.

But at that point if you care that much, you should already be using a VPN 24/7, because practically everything you're logged into has your account tied to an IP at some point and any of them are potentially vulnerable to a breach.

I'm just careful about what I post and what I vote on, this identity is fairly public anyway.

fermuch@lemmy.ml 6 points 1 year ago (1 children)

If you don't trust your admins, you can host your own instance. That way you'd control what is federated and with whom.

Buuut your server ip would be public, so idk...

cmdr_nova@hackers.town 5 points 1 year ago (1 children)

@fermuch If you want to host your own instance but don't want the trouble of making your IP public for every random Bob to see, there is always Masto.host (which I've used before on my own) https://masto.host/

fermuch@lemmy.ml 4 points 1 year ago (1 children)

Yeah, but now you're moving trust from the instance into trusting masto.host...

cmdr_nova@hackers.town 3 points 1 year ago

@fermuch That's a good point, I guess it's up to the individual to decide what or who they trust most

Kolanaki@yiffit.net 16 points 1 year ago* (last edited 1 year ago)

I just don't care?

I know that stuff is public when I used it.

I've known this is how the internet works since the 90's. I've also known that my IP address isn't a scary super identifying thing as the movies would make you believe. For most people, it's gonna point to your ISP and not your personal device.

Shit man, back in the day we used to scare noobs by showing them their own IP because it was incredibly easy to obtain. It still is, most of the time. Because it doesn't mean fuck all.

As for everything else: If you don't want certain pieces of information out in the wild... Don't put them there in the first place. It's that simple.

saigot@lemmy.ca 15 points 1 year ago

What data does Lemmy store that isn't already inherently public? Private DMs and IPs are all I can think of, and neither of those are of any value as far as I'm concerned.

godless@latte.isnot.coffee 14 points 1 year ago (1 children)

I'm always using a vpn for the sake of living in China, not particularly fediverse related. I simply don't share anything I'm not comfortable everybody knowing regardless, just like we were told in the early days of the internet.

Yeah2206@infosec.pub 0 points 1 year ago

Thanks for the reply. Yeah, I think this makes sense when you trust your VPN provider more than your ISP/government.

MigratingtoLemmy@lemmy.world 12 points 1 year ago (1 children)

Using a VPN is not going to help much.

I don't know if Lemmy traffic can be routed through TOR directly, but that might not be the best idea in terms of usability.

I try not to expose too much PII on Lemmy. That's basic OPSEC.

Yeah2206@infosec.pub 3 points 1 year ago (2 children)

Thx for replying. Would you expand on the idea why VPN wouldn't help with increasing the person's privacy?

BTW, I have tried logging in using Tor. It pretty much works normally but slightly more slowly. Of course, Tor throws more fits depending on how the connection is created, so you are right, I personally would hate having to use it regularly.

xavier666@lemm.ee 6 points 1 year ago (1 children)

Depends on who you are trying to hide from and what exactly you are trying to hide

  • your crazy ex
  • your crazy ex who is good with computers
  • your employer
  • your ISP
  • the state police
  • federal police
  • nation states

For each scenario, there are different minimum security levels you need to maintain.

If you don't want to let your ISP know you are visiting Lemmy and if you don't want the lemmy admin know where you are from, a VPN is great.

However, if you are participating in an anarchist instance planning to 💣 a place, a VPN is not enough since the feds can force a VPN company to let them know who exactly is using a certain IP at a certain time.

Rule of thumb; don't do shit on public forums.

Yeah2206@infosec.pub 0 points 1 year ago

Thank you. That's a very nice summary.

Xavier summarised it fairly well. VPN isn't going to help with entities that are actively trying to track you. You might be able to outwit Facebook trackers/Google trackers or something with some clever user agent manipulation/ faking your browser ID and a VPN, but that's the extent of it.

flashmedallion 10 points 1 year ago

No because I didn't choose this public forum for its privacy or security

DeimosE2@lemmy.dbzer0.com 9 points 1 year ago

I don't see that much of a point in this unless you're in "they're coming to get me" stages of paranoia.

kostel_thecreed@lemmy.ca 8 points 1 year ago* (last edited 1 year ago) (1 children)

That would be pretty wasteful on the Tor bandwidth, unless it is necessary for you to hide your Lemmy activity from the glowies. Realistically all you would need would be a VPN, but I do not think our IPs are publicly accessible on Lemmy, and only visible to the instance admins, so another not so worrisome worry. All in all, just limit what you share and how much of it you share and you will be good.

Currently I do use a VPN, though it's not because of Lemmy that I do so, it's the general threat model that I made which causes me to use a VPN. I do not recommend it to others who have no use for a VPN, especially if they have not made a threat model yet.

Remember, OPsec is what kills privacy and creates linkability, something which you do not.

Yeah2206@infosec.pub 1 points 1 year ago (1 children)

Thx for the reply. For the sake of discussions here, if someone thinks they can increase the privacy by always using Tor to access all the fediverse accounts, and let's just assume they don't ever miss (for me, this probably is unlikely). How do you think this increases linkability to their ... ?

kostel_thecreed@lemmy.ca 2 points 1 year ago

Using Tor is one of the best ways to be anonymous online, but this only works because everything becomes randomized all the time. However, all these protections become useless when you create an account and then use Tor on it: they know it's you because you're the only one who owns that account. But all this doesn't matter until you start sharing public info that is linkable to your private/personal identity, making anything else in this world to anonymize you useless. Like I said, Tor isn't an "instant privacy with no downside" as everything can crumble down with a simple OPsec error.

So, if you are interested in privacy there are a couple of resources which will help:

  • Privacy Guides ( /c/privacyguides on lemmy.one)
  • Anonymous Planet (anonymousplanet.org)
  • Extreme Privacy by Michael Bazzell

jayknight@lemmy.ml 7 points 1 year ago (2 children)

Are there any onion service lemmy instances yet?

fermuch@lemmy.ml 3 points 1 year ago

Would that be possible? How would other (normal network) instances federate with you?

Yeah2206@infosec.pub 0 points 1 year ago (1 children)

Also, isn't onion service pretty much used to hide the server's IP, but doesn't do much about hiding anything for the end users?

LedgeDrop@lemm.ee 2 points 1 year ago (1 children)

The end user's ip is hidden in the onion network. The server will get the ip address of the "last node" your client routed its request through (and that node only has the ip address of the previous node, etc).

However, the client's ip can be leaked if a server creates some Javascript which makes an Ajax call (basically, an additional http request). A malicious Ajax call will not go through the onion network and thus expose the client's real ip. Hence, it's recommended to disable Javascript and other features while using tor.

jayknight@lemmy.ml 1 points 1 year ago (1 children)

If you have all your traffic going through tor, ajax requests will come from an exit node too.

LedgeDrop@lemm.ee 2 points 1 year ago

I did a bit more homework and you're right.

"Back in the day" running Javascript increased your attack area. But nowadays I guess it's considered "safe".

I did find this old (7 years ago) posting which talked about concerns. Today, I guess the rule of thumb is to avoid (or limit) browser plugins.

Thank you for clarifying that.

gapbetweenus@feddit.de 6 points 1 year ago

I kind of just assume everything on the internet is in public space by default.

Candelestine@lemmy.world 6 points 1 year ago (1 children)

I mainly worry about data security at my end, I'm very careful about what kind of information I ever give out. I've gotten more lax with the rise of ecommerce, but my computer didn't even used to know my real name or any real information about me. I simply lied for absolutely everything, up until I went to college.

Nowadays I've gotten lazier, but some of those habits remain. Anything that could ever even remotely lead back to anything less than tens of thousands of people simply doesn't go on here. While a personality profile could be assembled and used to sell me stuff, I don't care so much about that. Though if we slowly get absorbed into Meta because $$$, I might change my mind on that last one.

So, no, I don't worry about it too much. If I was a hacker or political activist irl or something I might take it a little more seriously.

Yeah2206@infosec.pub 1 points 1 year ago (1 children)

Thx for the reply. I probably wouldn't want to discuss anything indicating illegal activities or political activism on the Fediverse. I think Reddit was just demanded to turn over some (subset?) of discussions about copyright piracy. They might get away without the subpoena altogether on the fediverse arguing the data is already public.

Candelestine@lemmy.world 2 points 1 year ago

Yes, I would not be participating in any of that from here without additional security. More private communities are really better for that kinda stuff anyway, always have been.
