Service

Mastodon

Is your feature request related to a problem? Please describe.

I wish I could see how much uses an expired invite link I have created has.

Describe the solution you'd like

same.

Describe alternatives you've considered

I don't know.

Additional context

Service
I am noticing an issue on https://search.privacytools.io/

Describe the bug
The bug is:

Engines cannot retrieve results:
gigablast (unexpected crash: extra param expired, please reload), yahoo (unexpected crash: list index out of range)

To Reproduce
Steps to reproduce the behavior:

1. Go to https://search.privacytools.io/
2. Click on type in test
3. Look at top right
4. See error

Expected behavior
Search results without the errors

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: Clear Linux
• Browser: Firefox
• Version: 77.0.1

Smartphone (please complete the following information):
N/A

Additional context
See more info here on the searx instance: privacytools/search#10

When using the search feature on the main page, it sometimes returns a 500 internal server error. Other times, it loads a global internet search instead of keeping the site scope:

Upstream recommends we update this https://github.com/PrivateBin/PrivateBin/releases

Came to our attention thanks to a poster on the forums.

Is it https://metrics.torproject.org/rs.html#details/8662528527584136FEE7135CAB7DF5A6D7D5FF30 ?

Good afternoon Privacytools team, I hope you are well. This time I am writing to report a problem regarding your WriteFreenly service, which was out of service on April 30, 2021, later returned to normal on May 1, 2021, but without access to the service, apparently had a bad redirect, writing that web address directs you in loop back to the start of privacytools without being able to access the WriteFreenly service or failing that, any of the blogs hosted there ... this scared me a lot and that's why I open the issue, apparently everything disappeared 🐙

Greetings, GatoOscuro 🐱

PS: I don't have how to attach the screenshot/test because when directly typed "write.privacytools.io/" it is quickly directed to "https://privacytools.io/".

Service: Mastodon

Solution

Mastodon users are primarily identified by a [email protected] handle, and you might want
this identifier to be the same as your email or jabber account, for instance.
However, in this case, you are almost certainly serving some web content on https://example.org already,
and you might want to use another domain (say social.example.org) for Mastodon itself.

Luckily, there is support in Mastodon for that, but it might be tricky to set up, and any error
might prevent you from federating with other instances.

(Using a different domain name for Mastodon and the users it serves)

Service
pl.privacytools.io and https://git.privacytools.io/pl-privacytoolsIO/pl.privacytools.io

Describe the issue
SSL cert is invalid

Demographics
Your country: Poland
Your ISP: T-Mobile

Screenshots

Description

It would awesome if Privacy Tools as an entity could start to host an exit node since these are the ones that could bring up more legal troubles for regular individuals and therefore are the most scarce.

Relevant information:
https://torservers.net/
https://community.torproject.org/relay/
https://community.torproject.org/relay/types-of-relays/
https://community.torproject.org/relay/community-resources/
https://www.eff.org/pages/legal-assistance
https://www.eff.org/torchallenge/tor-on-campus.html
https://www.reddit.com/r/TOR/comments/1gaky7/running_a_tor_exit_node_from_home/

@jonaharagon wrote.

I wanted to get a shorter domain but it looks like we're going with link.privacytools.io. Whatever! Haha. We're also going with YOURLS (probably) so we'll have a page up in a few days (it has to be actually made and designed ourselves...).

We're also planning a Javascript tool that site owners can add to their site that'll change all outgoing links like http://example.com to something like https://link.privacytools.io/@http://example.com which will be super cool since it'll strip referrer headers from all those links smile

As far as third party URL shorteners go, I don't really think there are any that would meet the requirements to be recommended by PTIO. Does anyone have any other suggestions? We'll probably just only list our own once it's live, but because it's the only one we can trust, not because we're biased or anything. So if anyone knows of good alternatives speak up and we can include them as well!

• https://github.com/privacytoolsIO/privacytools.io/issues/800#issuecomment-478835085

Basic Information

Name: Snopyta librehosters
Category: privacy services
URL: https://snopyta.org/ https://libreho.st/

Description

Snopyta hosts various privacy-centric services including a Searx instance, YaCy, VPN, paste, chat, Mumble, IRC, Invidious, etc.

librehosters is a network of privacy-centric services of which Snopyta is one - i hadn't realized there was a whole level above Snopyta until @Mikaela pointed this out

@jonaharagon - please retitle issue: Software Suggestion | librehosters

If I try to download an image or other file someone sends me, via DM on https://element.privacytools.io, it doesn't work. It says:

"To protect your security, element.privacytools.io will not allow Firefox to display the page if another site has embedded it. To see this page, you need to open it in a new window."

If i click the continue button, it brings me here: https://element.privacytools.io/usercontent/

But that page is a white screen with nothing else on it.

Filing an issue against dead warrant canary sounds a bit hilarious, but anyway.
Warrant canary example on privacytools.io(funny image about FBI) is very misleading. The basic idea behing warrant canaries is to inform about gag orders, which by their nature prevents from modifying anything. This means that it's not possible to remove an image after receiving one. On the other hand gag orders cannot(afaik) force you to do something(ie. lie about not receiving gag order or sign a message about not receiving one). That's why warrant canaries are created periodically and usually signed to make it legally impossible to force someone to create back-dated one(as that would require law-enforcement to make her lie).
As privacytools.io is an educational website I think it would be worth to remove this image or provide one with proper information.

btw. I am not a lawyer ;)

Description

Commenting on federated websites (e.g. PeerTube) using your Mastodon account at social.privacytools.io depends on cross-site requests using WebFinger specification. Steps to reproduce:

1. Open browser developer console
2. Go to https://peertube.cpy.re/videos/watch/c193a2f6-8b24-48c3-a93e-f89bd71cad42 (for example, any PeerTube instance will work)
3. Go to the Comments section at the bottom and try to comment (click in the text box). A window comes up offering either a local instance login or federated comment
4. Enter your Mastodon id in the Remote interact field (e.g. [email protected])
5. Now PeerTube attempts to issue a CORS request to the specified instance to get authorisation and obtain user details but the request fails with the following error (in dev console):

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://social.privacytools.io/.well-known/webfinger?resource=acct:[email protected]. (Reason: CORS request did not succeed).

The actual https://social.privacytools.io/.well-known/webfinger?resource=acct:[email protected] request does work and returns the desired information, but it does not return CORS headers (Access-Control-Allow-Origin) which results in the request being blocked by the browser.

This particular URL should return Access-Control-Allow-Origin: * so that all federated instances are able to call it. This might require more research as Mastodon seems to be already setting CORS but apparently not on all endpoints (mastodon/mastodon#10400) so maybe it's just a bug in Mastodon. I'd just try to set it on your instance and see if it works, and if yes, we can report it to Mastodon too.

If I understand correctly, there is no other tracking than Matomo which respects DNT, so could we have a DNT policy in .well-known? Would it have any benefits regarding Matrix or hosted services, or would it do harm?

• https://www.eff.org/privacybadger/faq#-I-am-an-online-advertising-/-tracking-company.--How-do-I-stop-Privacy-Badger-from-blocking-me
• privacytools/static-sites#3

Edit 2019-11-16, affected services:

• stats.privacytools.io (Matomo, but doesn't matter as it's respecting DNT anyway and statistics and shouldn't break anything)
• chat.privacytools.io (when using web Riots)
  • possibly also dimension.aragon.sh (integration server)?
• assets.privacytools.io (affects at least remote Pleroma instances)
• forum.privacytools.io (my Privacy Badgers have decided it as red at times for unknown reason)

From our Matrix room.

• > I said earlier PTIO's "privacy" "policy" uses American terms such as "PII", which are not applicable to Europeans. Also:
• > no identity / contact details of the controller
• > no legal bases
• > no information about international transfers
• > no knowledge about any (?) of the data subject rights to have control of their personal data
• > no data retention periods

Service
Matrix

Is your feature request related to a problem? Please describe.
I use services like SmsMatrix (Android app which forwards SMS to Matrix) or IRC bridges. Unfortunately the chat.privacytools.io server forces e2e encryption in private rooms and there is no way to disable this, rendering these services useless. I can't communicate with bots or bridged private rooms because they don't support e2ee.

Describe the solution you'd like
End to End encryption should be enabled by default, but not forced. In 90% you would want it, but there are also some important cases where you need an unenceypted private chat.

Describe alternatives you've considered
The only other alternative would be that all bridges and bots support e2ee, which is simpy not the case today

Please consider turning the forced e2ee off.

Shortened URL: https://git.io/JeYOR (I used it for Matrix topic)

• https://social.privacytools.io/about/more
• https://chat.privacytools.io/
  • linked to by https://riot.im/app/#/group/+members:privacytools.io
  • also mentions the XMPP bridge that was removed in privacytoolsIO/privacytools.io#1246
  • mentions weird rooms such as "#TorProject:privacytools.io: Unofficial Tor Project chat room!" with which I understand multiple community members to have issues with moderation and which possibly goes against our CoC.
    • as OpenNIC is linked to their official room, why not #_oftc_#tor:matrix.org? @blacklight447-ptio possibly knows their official rooms better.
  • missing #forum:privacytools.io

Description

To register on or connect to our homeserver, simply use https://chat.privacytools.io as the homeserver in your Matrix client.

Error

Matrix client says that registration has been disabled!

• https://github.com/t2bot/synapse-simple-antispam

There have been multiple complaints on abuse, e.g. element-hq/riot-meta#306

Open https://riot.privacytools.io/
Login with your PIO account. Go Settings -> General: Click Disconnect.
For me it spinner activates, but never actually disconnects.

I also am not aware how the account system works and how one contributes blog posts etc., while previously it was forking now archived blog.privacytools.io repo and just doing it.

Service
OpenCollective

Describe the bug
There are no contribution options for PTIO :(

To Reproduce
Steps to reproduce the behavior:

1. Go to 'https://privacytools.io/sponsors/'
2. Click on 'Become a Sponsor'
3. Scroll down to 'All ways to contribute' and click it
4. Observe that there are no contribution options

Expected behavior
I expected to see a way to contribute.

Screenshots

Smartphone (please complete the following information):

• Device: Pixel 4 XL
• OS: CalyxOS (Android 11, May security patch)
• Browser: Firefox Nightly v90

Service
Searx search.privacytools.io

Describe the issue
When using the PrivacyTools searx instance, it will redirect to searx.space.

Service

IPFS Gateways

Is your feature request related to a problem? Please describe.

There aren't many IPFS subdomain gateways and it would be nice if PrivacyTools could provide one.

Describe the solution you'd like

Additional context

• https://ipfs.github.io/public-gateway-checker/
  • I am aware of #29 and hoping it will be addressed and this service keeps being provided and may receive this improvement.
• https://ipfs.io/ipns/docs.ipfs.io/how-to/address-ipfs-on-web/#subdomain-gateway

Service
privacytools.io Matrix homeserver via the Element client (https://element.privacytools.io/)

Describe the issue
It seems that your SSL certificate has expired for the Element deployment. I've attached a screenshot below. The screenshot is from Firefox, but the same issue is reported by Chrome as well, with the expiration date at 13th Aug 2021.

Demographics
Your country: Romania

Screenshots

Desktop (please complete the following information):

• OS: Ubuntu 20.04.3
• Browser: Firefox 91.0.2, Chrome 84.0

Chocobozzz/PeerTube#3083 (comment)

Service
What service are you trying to access?

https://git.privacytools.io/

Describe the issue
A clear and concise description of what the issue is. Please include any error messages you see in your browser/app/etc.

502 Bad Gateway
nginx

Demographics
Your country: se13-wireguard
Your ISP: Mullvad.net

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: Debian 11
• Browser Firefox
• Version 68.6.0esr (64-bittinen)

Smartphone (please complete the following information):

Additional context
Add any other context about the problem here.

I don't think this issue template is very useful.

Service

Matrix (and Keybase)

Is your feature request related to a problem? Please describe.

We have official instant messaging precenses at Matrix #general:privacytools.io and https://keybase.io/team/privacytools_io and I don't like how there is no relation between them.

Describe the solution you'd like

Matterbridge supports both Keybase and Matrix.

Describe alternatives you've considered

• There appears to be a dedicated bridge for it, but I don't think it supports bridging groups yet.
  • https://github.com/Half-Shot/matrix-keybase
• We could discontinue the Matrix room? However that doesn't seem like a good choice of action considering it's a federated system we support more than Keybase and we are hosting an instance.
• We could discontinue the Keybase room? However it has active chatters and seems to be used as an additional channel about Matrix downtimes in addition to status.privacytools.io

Additional context

Matterbridge regardless of the name would be more like relaybot in my opinion, it's a single bot through which the other side(s) are visible and it doesn't require anything else than hosting and account on both sides. No Synapse appservice configuration necessary.

Theoretically it could be hosted somewhere outside of PrivacyTools infra also, but I don't think that would be a good idea as PrivacyTools infra exists and not using it would lead into a depedency on a team/community member.

Service
https://search.privacytools.io/

Describe the issue
502 Bad Gateway

Demographics
Your country: USA
Your ISP: Spectrum

Screenshots
N/A

Desktop (please complete the following information):

• OS: [e.g. iOS] Clear Linux
• Browser [e.g. chrome, safari] Firefox
• Version [e.g. 22] 77.0.1

Smartphone (please complete the following information):
N/A

Additional context
N/A

There seem to be some limits to the WriteFreely instance, like max number of pictures and links >in one post. Would it be possible to scratch those limits?

I keep running into this issue. All I get is a “failed to submit post, please try again” error.
I then have to split up my articles, but that can mean tons of links in the article or elsewhere on >the web no longer work. It’s a pain to update all links in the article, but on some other places >it’s not even possible.

So far I found out that write freely say that this is not a built in limitation on their end, but must be an error here.

This is what I get in the developer tools:

JSON

code: 500

error_msg: This is an unhelpful error message for a miscellaneous internal error.|

Response payload

1 {"code":500,"error_msg":"This is an unhelpful error message for a miscellaneous internal error."}

Could someone please look into this? I'd really like to start working on my blogs again after almost 3 months...

PS: I just realized that you can link to a section of the post simply with [Chapter](#Chapter) instead of [Chapter](https://url#Chapter).
I removed all unnecessary urls and now the longer version of the post can be saved. So it seems to simply be a limit of https urls.

I'd still like this to be fixed, as I'll probably still reach the limit at one time (e.g. I now have 196 instead of 306 times https:// in one post that couldn't be saved before).

https://forum.privacytools.io/t/limits-on-write-privacytools-io/1124

According to this comment searx/searx#912 (comment) - it is doable.
And by using the YaCy open source search engine (not meta-engine, but a real one) we're encouraging them to continue growing. We need more real search engines, not meta engines, so we gotta support them.

I've first created this issue in privacytools / search but since that seems to be a ghost town, I've decided to duplicate it here as well.

Service
What service are you trying to access?
https://tube.privacytools.io

Describe the issue
A clear and concise description of what the issue is. Please include any error messages you see in your browser/app/etc.
Expired server certificate provided when visiting the site

Demographics
Your country: New Zealand
Your ISP:

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: MacOSx Big sur
• Browser Firefox
• Version

Additional context
Add any other context about the problem here.

https://git.privacytools.io/ calls itself as " PrivacytoolsIO Git" while our branding is "PrivacyTools" and I guess it could also say Gitea. I think @dawidpotocki has also requested it to have our logo on the front page.

It's currently running 1.9.0 while the current version of GItea is v1.10.1 released ~two weeks ago.

Additional request: could it use dark theme by default (that can be overridden by logged in user in settings)? That would be done by adding the following to Gitea's app.ini.

[ui]
DEFAULT_THEME = arc-green

Service

ipfs.privacytools.io / https://ipfs.privacytools.io/ipfs/bafybeifx7yeb55armcsxwwitkymga5xf53dxiarykms3ygqic223w5sk3m#x-ipfs-companion-no-redirect

Describe the issue

502 Bad Gateway
nginx

Demographics
Your country: Sweden
Your ISP: Mullvad

Screenshots

Desktop (please complete the following information):

• OS: Debian Testing
• Browser Firefox
• Version 75

chat.privacytools.io/selfhosted instance issues

Check boxes as they are fixed on PTIO

• Host Dimension instead of relying on vector.im
  • upstream issue letting clients know about it: element-hq/element-web#6430
    • upstream spec and sdk change allowing this has been merged matrix-org/matrix-spec-proposals#1957 & matrix-org/matrix-react-sdk#3340
• Host identity server OR set it to chat.privacytools.io (same as homeserver) so it won't work.
  • https://github.com/matrix-org/matrix-doc/blob/6e8739c989172c351a6ead66f073b413f6340326/api/client-server/login.yaml#L147-L148 ?
  • Update 10/7: I don't know if our fix actually works currently so I'm unchecking this box, see: https://github.com/privacytoolsIO/privacytools.io/issues/1049#issuecomment-539269846
• Host Jitsi Meet
  • upstream: element-hq/element-web#7711 WONTFIX element-hq/element-web#6930

Upstream privacy issues

• Upstream Privacy Tracker which seems to have different priorities and miss some issues below, notably Tor and actually removing removed messages from the database.

major

Privacy issues that I think prevent PTIO listing:

• matrix-org/matrix-doc#447 - history is stored forever, there is no way to limit how much or how long
  • Signal & Wire: messages aren't stored on server, clients have option how many old messages to keep + both also support disappearing/timed/exploding messages.
• matrix-org/synapse#1263 - uploaded media/files aren't removed when they are removed in Riot
• matrix-org/synapse#1287 - actually removing removed messages from the database fixed
• element-hq/element-web#7649 / matrix-org/matrix-spec-proposals#2134 - private contact discovery
  I am not sure which topic to put this under, but Signal & Wire both have this.
• matrix-org/matrix.org#342 - Matrix.org uses Cloudflare (issue closed without disabling Cloudflare)
  • See also https://github.com/privacytoolsIO/privacytools.io/issues/374. I understand this to mean that Cloudflare can one way or another read all traffic going through Matrix.org including IRC users who have never even heard of Matrix if someone happens to use Matrix on the same IRC channel? Matrix.org is quite big compared to an individual Cloudflaring their IRC client, I have heard a number 1500 connections associated with a I-line request from third party bridge admin.
  • Wire and Signal [citation needed] apparently have support pages behind Cloudflare wireapp/wire-webapp#5716.

major privacy issues also with selfhosting

I consider these as major due to Cloudflare as the traffic to integration manager and identity server would go through it and so would all messages assuming the user federated with Matrix.org. These may be irrelevant to user who is on Matrix.org.

• element-hq/element-web#10161 - Store Integration Manager preferences in account data and allow user to change them somewhere sensible
• element-hq/element-web#10167 - Present an aggregated terms of service dialogue at registration if possible
• element-hq/element-web#10087 - Prompt to accept integration manager policies on registration
• element-hq/element-web#10094 - Store identity server in Account Data and support choosing identity server integration in User Settings
• element-hq/element-android#20 - Identity server is hardcoded in RiotX (Android client rewrite), the issue is closed and no one has commented on identity server since it was pointed out on 2019-07-09.

medium

I need a better word here, but these would be issues that also affect other recommended instant messengers and may not be a blocker.

• matrix-org/synapse#4565 - metadata resistance
  • to-read for me, is this similar like Wire server knows connections between users, or is this a more serious one?*

nice to have

• element-hq/element-web#4426 - riot does not scrub exif data from upload
  • Discord apparently does, Signal and Wire do.
• element-hq/riot-meta#287 - Proxy/Tor support meta issue
  • I cannot find option to enable Tor use either in Signal or Wire, Conversations would have it
  • https://github.com/vector-im/riot-web/issues/3320 - desktop
  • element-hq/riot-android#1234 - Android
  • element-hq/element-ios#1085 - iOS

unsorted / note

• matrix-org/synapse#1941 - allow account deletion, not just deactivation
  • I am not sure where exactly to put this either.
• https://github.com/vector-im/riot-web/issues/7757 - Open source the integrations server WONTFIX
• https://github.com/vector-im/riot-web/issues/6739 - stickers aren't encrypted
• Less technical users may register on matrix.org unknowingly by default
  • element-hq/element-ios#2614
  • element-hq/element-android#450
  • element-hq/riot-android#3238

Research papers

• Notes on privacy and data collection of Matrix.org
• Notes on privacy and data collection of Matrix.org, Part 2

These issues are mostly took from privacytoolsIO/privacytools.io#840, if you are aware of reported issues that aren't listed here, please do comment them and someone from the team will edit this issue and add them.

I was personally missing a list of things that can be done today to avoid the privacy issues that Matrix/Riot currently has and this may be helpful while considering the delisting (#1047).

Service

• https://wiki.privacytools.io/view/Main_Page

Describe the bug

There is no favicon so I get confused by that 🌐 symbol in my tabs 😿

To Reproduce
Steps to reproduce the behavior:

1. Go to https://wiki.privacytools.io/view/Main_Page
2. See the tab bar
3. 

Expected behavior

I look into my tabs and see the PrivacyTools shield and know immediately what it is.

Screenshots

Rest of the template

N/A

Service
Matrix

Describe the issue
Registration using the PrivacyTools Homeserver (chat.privacytools.io) is not working. On Element, the error "Unable to query for supported registration methods." appears when selecting the homeserver and on the registration page.

Screenshots
Element showing error

Service

status.privacytools.io / privacytools.statuspage.io

Describe the bug

The status page is using a timezone called "CDT" instead of the international timezone standard, Coordinated Universal TIme (UTC) leading to confusion when visitors have no idea what is CDT.

To Reproduce

Steps to reproduce the behavior:

1. Go to https://status.privacytools.io/ / https://privacytools.statuspage.io/ without knowing what is CDT or its offset to your local time.
2. Look at any timestamp
3. Wonder what that is in local time.

Expected behavior

All timestamps are either in UTC or in the local time reported by my web browser, so as someone who has to think international times can calculate the offset to local time easily and have an idea what the time is or I can directly see it in local time.

Screenshots

Desktop (please complete the following information):

• OS: Debian GNU/Linux bullseye/sid
• Browser: Firefox
• Version: 75.0 64-bit

Additional context

Using non-UTC timezone in a big international project or where audience is international just doesn't work. It's not realistic for everyone to learn all timezone abbreviations and their offsets if every project was using their own time instead of UTC.

UTC time can easily be gotten by date -u command. UTC time in international date formating (ISO 8601) can be gotten with date -Is -u.

Service
https://search.privacytools.io/

Describe the issue
As of today, searches started failing with the following message:
Rate limit exceeded

Description: Discourse *appears* to be recommending Google.

I will assume that PTIO isn't do this or receiving any funding (correct?).
But, I did want to bring up a discussion on possibly changing this to Jive Search.

Perhaps PTIO could create an issue on their bug tracker as well?

Screenshots

Please add screenshots if applicable

I have no idea how the invites to Writeas, Mastodon and whatever else work, while they are at times asked about. Which people have permissions to invite and are there team accounts which only purpouse is to invite people?

Service
https://search.privacytools.io/

Describe the bug
Some time in the past 24 hours, I stopped getting search results from startpage and qwant.

To Reproduce
Steps to reproduce the behavior:

1. Go to https://search.privacytools.io/
2. Configure only startpage and qwant as your search engines
3. Search for something
4. See no results

Expected behavior
Some search results