Default connections

just4frun

As an "anti-Google" measure GOS uses its own servers instead of Google's for the following services:

internet connectivity check
attestation key provisioning
widevine provisioning
NTP

This creates a serious anonymity (and as the consequence, security) issue, because ISP sees these requests and the device stands out enormously in the crowd, the pure fact of using GOS is enough to draw attention from an adversary.

NTP server is not possible to change from the OS and time.grapheneos.org is visible in ECH headers to anyone passively observing the traffic, disabling the NTP service will break TOTP and other apps; internet connectivity check is using a direct connection even if VPN enabled. How does GrapheneOS address these issues? What a user can do to mitigate this on a first GOS launch?

As a matter of fact, GOS team has explicitly expressed their attitude to similar issues with carriers, so I guess it should apply here as well

You could end up drawing attention to yourself by doing it...

https://grapheneos.social/@GrapheneOS/113319957245214108

gristle-cause

just4frun there are claims on the internet that connectivity checks bypasses VPN - could you please confirm or deny it?

That is correct

just4frun As an "anti-Google" measure GOS uses its own servers instead of Google's

This justification is incorrect. GOS does not particularly care about 'degoogling' at all. The GOS server implementations offer security improvements over default servers. For example, the default connections FAQ details the GOS network time implementation:

Network time updates are security sensitive since certificate validation depends on having an accurate time, but the standard NTP / SNTP protocols used across most OSes have no authentication. Our servers obtain the time from 6 independent NTP servers with NTS for authentication where at least 3 servers need to agree on the time for it to be updated.

just4frun This creates a serious anonymity (and as the consequence, security) issue, because ISP sees these requests and the device stands out enormously in the crowd, the pure fact of using GOS is enough to draw attention from an adversary.

Connectivity test can be set to the standard google server, to anonymize & blend in, or disabled altogether. All other connections can be masked behind the VPN tunnel. For users who consider their ISP to be an adversary, VPN and/or Tor is a bare necessity

just4frun it may literally cost someone a life

This burden of proof falls to you. Show me the user who both (1) operates under a threat model where absolute anonymity from their ISP is needed under threat of death, and (2) haphazardly connects to untrusted networks without configuring GOS for proper anonymity. Otherwise, configuring GOS defaults to use the more secure GOS endpoints seems reasonable for the masses

de0u

just4frun What a user can do to mitigate this on a first GOS launch?

Start the device the first time without a network connection (for example, no SIM).

GrapheneOS

just4frun GrapheneOS doesn't connect to a network in the default state of not having a SIM inserted. You have an opportunity to install a VPN from an APK on a USB storage drive before it connects to a network if that's something you want.

Use a VPN in each profile and set the connectivity check servers to standard if you want to blend in with other devices. That covers everything and you can still receive updates. Otherwise, how are you going to receive highly important updates to the OS and apps? There are other connections beyond the default ones when you use GrapheneOS apps such as the Info app fetching the release notes. We've posted this advice about using a VPN combined with standard connectivity checks in many places.

It's going to be very obvious it isn't a normal Android device uses a bunch of Google services with the approach you want to take. It will not work.

just4frun It's very clear that GrapheneOS is going to connect to GrapheneOS services for updates at a bare minimum. The only thing people really need to learn is that connectivity checks should be changed to standard when using a VPN if they want to blend in with non-GrapheneOS Android users. It won't 100% blend in such as not having outbound VPN leaks.

The developer is known for his non-conformant stance in such questions, he may even disagree with you here

Stop misrepresenting GrapheneOS as a one person project and stop making inaccurate claims about our team.

GrapheneOS

just4frun

As an "anti-Google" measure

No.

This creates a serious anonymity (and as the consequence, security) issue

No, it doesn't create any issue. There would be updates and other services from us regardless. Using a VPN hides everything other than connectivity checks from the network, which is why the standard recommendation is to use a VPN and consider using standard connectivity checks.

Disabling every connection to GrapheneOS services is possible but without updates you won't have a private/secure device. It's going to look a lot different than the many connections made by a stock OS device.

If you're not using a VPN, how do you expect to blend in? The connections the device is making including the ones you're making to web sites and services yourself and with your apps are going to be visible to the network. How is that going to be blending in with others?

just4frun

This poses a significant threat especially to people located in authoritarian countries that impose a nationwide surveillance like China, Iran, Russia, Saudi Arabia, Turkey and so on

de0u

just4frun This poses a significant threat especially to people located in authoritarian countries that impose a nationwide surveillance like China, Iran, Russia, Saudi Arabia, Turkey and so on

If the notion is that any device which seems like it is running any custom OS is a threat, maybe it is best to run a stock OS.

Even if a GrapheneOS device made absolutely zero connections to any GrapheneOS server ever, it would still be obvious that the device would also not be contacting Google servers or Huawei servers or Sony servers, etc. Even if GrapheneOS were configured to use Google servers for Internet connectivity checks, attestation key provisioning, and Widevine provisioning, and to use regular insecure NTP for time, it wouldn't be downloading and installing APEX updates and system updates from Google, wouldn't be contacting Google's calendar servers, Google's diagnostic telemetry servers, etc.

Some users may need a device that appears to be running an unmodified stock OS... in which case they may need to run an unmodified stock OS.

Eirikr70

I might be wrong but as soon as you have chosen a private DNS, your ISP doesn't see your NTP requests.

just4frun

Eirikr70

There is no way to set it to AOSP, only to turn off which will invoke numerous problems
The problem is not with DNS but with SNI header in the HTTPS connection with Graphene NTP server. I've made a typo, GOS server does NOT use ECH

Btw, I've found the page which answers all the questions https://grapheneos.org/faq#default-connections
tldr: connectivity check, attestation key and widevine provisioning can be changed to Google servers. NTP still not implemented, you either turn it off completely and regularly sync clocks by hand or be detected. What impedes adding it idk. imo AOSP should be used by default here, 95% of users don't know about these caveats

Honestly I'd like to hear why proxying was implemented in the first place, is there ANY good reason for it?

phospmph

just4frun GrapheneOS does not disguise itself as other OS by default. The device will still need to connect to GrapheneOS update servers for receiving important security patches via OS and app updates anyway.

The recommendation for blending in with other stock devices is to use a VPN with connectivity check set to standard
https://nitter.net/GrapheneOS/status/1951745852361359832#m

de0u

just4frun Honestly I'd like to hear why proxying was implemented in the first place, is there ANY good reason for it?

Some users would prefer their connection details to go through a proxy which doesn't permanently log, instead of the device contacting Google/Qualcomm directly. Users who do prefer directly contacting Google/Qualcomm can choose that.

just4frun

phospmph
there are claims on the internet that connectivity checks bypasses VPN - could you please confirm or deny it?

pertaining patches and updates - Graphene must at least use ECH to blend in with CDN imo. it may use Cloudflare / AWS to notify about updates, they're signed anyway

GrapheneOS does not disguise itself as other OS by default

now imagine you're a dissident / a whistleblower in Saudi Arabia or China installing GrapheneOS and it calls back. it's wrong default behavior, user should be explicitly notified about that before action is taken. it may literally cost someone a life

just4frun

gristle-cause This burden of proof falls to you. Show me the user who both (1) operates under a threat model where absolute anonymity from their ISP is needed under threat of death, and (2) haphazardly connects to untrusted networks without configuring GOS for proper anonymity. Otherwise, configuring GOS defaults to use the more secure GOS endpoints seems reasonable for the masses

A high-profile whistleblower who does not have a computer sciences degree had acquired a very valuable data that X government doing scary Y thing. He searched for secure OS, found Graphene, installed it and went with it to take photo proofs of the documents he had access to in the department. Instead, he faced security services at the exit followed by death penalty after atrocious interrogation in a basement.

gristle-cause Connectivity test can be set to the standard google server, to anonymize & blend in, or disabled altogether. All other connections can be masked behind the VPN tunnel. For users who consider their ISP to be an adversary, VPN and/or Tor is a bare necessity

Default user behavior will be to first connect to the internet, afterwards enable VPN when the leak already happened. He does not know nerdy details about how the updates function and why GOS NTP server is superior
The fact that by just powering up the phone and enabling Wi-Fi to download VPN renders you a red flag for surveillance systems should be explicitly stated at the startup with option to choose the servers before a connection was made
Even I with years of professional experience in infosec field didn't knew that Graphene is glowing like a Christmas tree for an ISP. I honestly thought that there is no compromising traffic whatsoever. I've learned this by accident
I can assure you that security services (especially domestic counter intelligence) in fact do work exactly as I've described. Yes, they do monitor identities that access questionable resources, GOS servers included

de0u

just4frun Even I with years of professional experience in infosec field didn't knew that Graphene is glowing like a Christmas tree for an ISP.

The behavior of the system is pretty clearly documented. I would naively think that infosec professionals consult documentation as part of evaluating a platform... though monitoring behavior with tools would also seem plausible.

Edit: if the suggestion is that GrapheneOS out of the box should not connect to networks at all before asking users to make configuration choices... I guess that could be suggested via an issue filing, but I'm skeptical that it will happen.

gristle-cause

just4frun the core issue: it sounds like you feel GOS should be anonymous out-of-the-box. GOS is not an anonymous OS, it is a security & privacy focused OS. To attain default anonymity would require compromises on security, which the GOS project has shown no intention to pursue

Whonix + Tor is the only setup where one can really attain anonymity, maybe Tails

just4frun

just4frun I can assure you that security services (especially domestic counter intelligence) in fact do work exactly as I've described. Yes, they do monitor identities that access questionable resources, GOS servers included

https://habr.com/ru/articles/798575/, you can use translation from Russian. tldr: Russian LE detected Matrix traffic, knocked at the door with questions. Same goes for Signal, Jabber. Even in democratic countries for a domestic intelligence officer, you're a priori under presumption of guilt, not innocence, and in his world model at least 80% of people using GrapheneOS is either criminals or, to put it lightly, is a matter of interest to the agency

So again, is there ANY good reason NOT TO enable NTP switch and a popup on startup informing of these caveats? That's literally a few lines of code.

just4frun

de0u pretty clearly documented

1) Nobody reads that
2) That's not enough
3) You may as well say Google telemetry is clearly documented. Isn't it?

de0u but I'm skeptical that it will happen

That's the point of the thread, to get GOS team evaluation of the issue. The developer is known for his non-conformant stance in such questions, he may even disagree with you here

raccoondad Exactly, its missing the point of the project

gristle-cause security & privacy focused OS

1) That's essentially interconnected with anonymity. Security comprises both privacy and anonymity
2) Notifying intelligence services that I've just installed Graphene - is a privacy issue
3) I'm not asking to invent a mesh-to-I2P bridge inside Graphene by default lol. I'm talking about a REAL world scenario with even more REAL consequences. I don't understand why there is even an argument, this is in fact an attack vector and it should be evaluated accordingly.

raccoondad

gristle-cause it sounds like you feel GOS should be anonymous out-of-the-box

Exactly, its missing the point of the project

de0u

just4frun That's the point of the thread, to get GOS team evaluation of the issue. The developer is known for his non-conformant stance in such questions, he may even disagree with you here

There's more than one GrapheneOS developer (see commit logs).

For a specific proposal that hasn't yet had an issue filed, filing an issue can be a good way to obtain an "official answer". My hunch is that a proposal to add multiple security/privacy toggles to the initial setup wizard would be viewed as potentially reasonable, but that it is not likely to happen in at least the next year.

de0u

just4frun So again, is there ANY good reason NOT TO enable NTP switch and a popup on startup informing of these caveats?

https://discuss.grapheneos.org/d/2609-ntphtpdate-and-other-servers/17

just4frun

GrapheneOS You have an opportunity to install a VPN from an APK on a USB storage drive before it connects to a network

That requires you to know this way is mandatory in the first place. Most of the users don't have a CS degree in cyber security and don't know all the nuances and caveats. The connection behavior is non-obvious.

GrapheneOS Otherwise, how are you going to receive highly important updates to the OS and apps?

You don't if that's what you choose at the initial setup, you do it offline. Notifications about updates can be sent through CDN providers like Cloudflare that doesn't link the notification server to GOS domain. What if your updates server and signing key are compromised? Currently they're automatic, why GrapheneOS forces user updates? This is another security issue.

GrapheneOS 's very clear that GrapheneOS is going to connect to GrapheneOS services for updates at a bare minimum

What is precluding GrapheneOS to add ECH to their domains to at least mask the SNI?

GrapheneOS If you're not using a VPN, how do you expect to blend in?

VPN serves completely different purpose. I'm talking about standing out in traffic as the result of GOS default behavior opaqueness. Complete blending is user's issue, "notify the surveillance that I've just installed GrapheneOS" - is GOS issue.