A security researcher made a tool that let them quickly check which of Cloudflare's data centers had cached an image, which allowed them to figure out what city a Discord, Signal, or Twitter/X user might be in.

cross-posted from: https://lemmy.ca/post/37638868 !privacy@lemmy.dbzer0.com

This affects Signal too

An issue with Cloudflare allows an attacker to find which Cloudflare data center a messaging app used to cache an image, meaning an attacker can obtain the approximate location of Signal, Discord, Twitter/X, and likely other chat app users. In some cases an attacker only needs to send an image across the app, with the target not clicking it, to obtain their location.

https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117?ref=404media.co

Signal, an open-source encrypted messaging service, is widely used by journalists and activists for its privacy features. Internally, the app utilizes two CDNs for serving content: cdn.signal.org (powered by CloudFront) for profile avatars and cdn2.signal.org (powered by Cloudflare) for message attachments.

          • melroy@kbin.melroy.org
            31·
            17 hours ago

            So Unbound is actually a very powerful validating, recursive and caching DNS resolver. So without relaying on Google DNS or ISP DNS, you can host your own Unbound recursive DNS server, which can do request to other DNS servers and even root-dns servers. You can even setup your own stub zones and forward zones (sorry this is too much details I know). And like I said it also has caching feature. I will soon create a blog post about Unbound as well on my https://blog.melroy.org/ site be sure to subscribe.

            Here is a snipped of part of my config, feel free to use it however you want:

                    # Serve stale data
        serve-expired: yes
        serve-expired-ttl: 86400           # one day, in seconds
        serve-expired-client-timeout: 500  # 500ms

        # Increase caches for better performance
        msg-cache-slabs: 4
        rrset-cache-slabs: 4
        infra-cache-slabs: 4
        key-cache-slabs: 4

        rrset-cache-size: 300m
        msg-cache-size: 150m

        outgoing-range: 200
        num-queries-per-thread: 100
          • Hellmo_luciferrari@lemm.eeEnglish
            2·
            17 hours ago

            You can use both. Unbound is a validating, recursive, caching DNS resolver.

            You can setup Unbound to be a self hosted DNS solution, and point PiHole to use your Unbound.

            Source: Unbound

              • Hellmo_luciferrari@lemm.eeEnglish
                1·
                17 hours ago

                Do you know what DNS does?

                If you don’t, essentially is what translates IP addresses to hostnames.

                So what having unbound would do is allow you to do DNS lookup locally.

                • theunknownmuncher@lemmy.worldEnglish
                  2·
                  17 hours ago

                  Um… yes I understand what DNS does. Really?

                  I’m not trying to challenge you in any way. My disconnect in understanding is what unbound does and why I would want to use it over the built-in pihole FTLDNS. What are its advantages?

                  EDIT: I’ve answered my own question, unbound queries root name servers directly instead of using DNS providers. This is interesting. New question, what is the advantage of being my own DNS provider? Privacy from my ISP (who can just see the IPs that I am connecting to, anyway)?

                  • Hellmo_luciferrari@lemm.eeEnglish
                    2·
                    17 hours ago

                    I wasn’t trying to be short or condescending either. Just relaying what I know.

                    It is another layer of privacy in some cases. Could protect against poisoning of I’m not mistaken, but don’t quote me.

                    I know for me, I prefer to self host things where I can so I can own as much of my own data as possible.