Notices by Lenny (f09fa681@digitalcourage.social)

@rysiek According to https://www.cloudflare.com/network/ there are 330 data centers, so that may make it less accurate in the general case.

The quality of data-mined locations associated to IP addresses can however result in similarly accurate or inaccurate locations (also depending on the privacy hygiene of the ISP, the user and other devices using the IP). Another anecdotal evidence: I'm sometimes supposed to be in Lausanne according to IP-based geolocation lookup which is ~180km away from me (and some websites switch to French, yay).

I'll agree it's not the same thing on a technical level, sure, but would need more data to assess whether the location quality is several orders of magnitudes worse as you claim. In the end, it's similarly bad that it leaks.

@rysiek I would question the IP address providing more precise information **in general**.

Looking up my IP from both of my ISPs (mobile and landline) I'm getting a similarly accurate geolocation, one ~30km and one ~40km away from me. The Cloudflare airport code gives me ~30km accurate position. That's an anecdotal report for sure but possibly transferable to the general situation in Switzerland.

So what am I missing here that makes one an apple and the other an orange?

@rysiek Whether it's 10km or 100km doesn't matter much to me. The fact that the location is leaking at all is the concerning factor IMO. Signal and Cloudflare simply brushing that away is quite concerning.

But I want to emphasize that I don't recommend jumping ship from Signal to less secure or similarly affected alternatives either and do support your effort in that respect.

@rysiek You all remember the WebRTC "IP leak" fiasco from back then, right? Where people could be called on some messengers and before even accepting the call, your own IP would leak to the caller? (And also Natalie Silvanovich showed everyone why it's a bad idea to start the WebRTC state machine prior to accepting a call to everyone because it's a huge attack surface - https://googleprojectzero.blogspot.com/2020/08/exploiting-android-messengers-part-1.html) Pretty much everyone jumped ship back then and agreed it to be a big no no.

This attack here is pretty much the same thing without the need to even make a call. It is way more subtle and therefore even more severe IMO.

@rysiek This is downplaying it way too much for my taste. Let me explain:

The rough location information is usually only available to servers. Now, even though I prefer zero trust, I would argue that trusting a messenger's server to not give away my rough location is way more reasonable than trusting the person that uploaded the data I'm downloading from the server.

**But in this case, the person that uploaded the data can extract the location I'm downloading it from.** This is big. It takes metadata to a whole different level.

I also want to quickly respond to the arguments:

That very rough radius could actually a pretty big deal in less populated areas.

The second argument is whataboutism. (And there are definitely apps that are not affected.)

Kinda agree with the third one though.

---

If I were #Signal, I would turn off the caching mechanism for now and urge #Cloudflare to rethink their statement. The privacy protection mechanisms are clearly lacking. Cloudflares position is simply not acceptable.

@ascentale @pete @forteller A3: Obviously "Die Prinzen - Mein Fahrrad"
https://youtu.be/Dg5y6Q2crXw?si=EwrT-c9YfW0sdFS9

Some say it's a great and rewarding way to learn German.

#bikenite

@fluepke If that doesn't make you an expert, what does? Have you tried?

Can't speak for the DID people because I dealt with another WG but I can tell you, they weren't exactly known to be very open either but I still got invited. Sometimes it's nice to be surprised. Not all people who work in such WGs are mindless sycophants which close themselves off towards critics, even if they work for a company or towards a goal with questionable ethics.

@fluepke @LiberalArtist @eloquence We can totally criticise the W3C in many, many areas but let's clarify a few important things:

- A ton of WG/CG mailing lists are open: https://lists.w3.org/Archives/Public/ It is also possible to participate there.
- Many WG/CGs use public GH repos and one can make "substantial contributions" by becoming an Invited Expert. This system is far from perfect, obviously, but it does exist.
- Many of the W3C CGs are open and everyone can join.

With that out of the way, can you reference the WG or CG you're talking about which denied public access to the mailing list and severely restricted individual contributions?

Edit: You're probably referring to https://www.w3.org/2019/did-wg Their mailing list is publicly available here: https://lists.w3.org/Archives/Public/public-did-wg/ Spec repo is here: https://github.com/w3c/did-core and creating issues is allowed (this is how I got invited to another group btw).

@puniko @threemaapp @KBreker Ich bezweifle, dass deine Antwort verstanden werden wird. 😂 Ohne das Schweizerdeutsche regelmässig gehört zu haben, keine Chance das zu decrypten.