i had drifted away from sabrina over the years but she just cut me off and slid back into my lane

i am the only person you know who’s seen her live. any ‘you’ 😛

it’s perhaps interesting to see what existing apps ZipoApps has on the Android Play Store.

no idea. impossible to rule out. there’s no good answer to ‘why’ that i’ve seen

Prerequisites

• Internet-facing web server with reverse proxy and domain name (preferably SSL of course)
• Server behind the reverse proxy with Rust environment

Installation

• Don’t bother downloading the source code to your server; installing it that way gives you a big debug executable
• Instead just cargo install mollysocket
• Move the mollysocket executable if desired
• Run mollysocket once so that it will emit the default config

Configuration

• Fish the config file out of .config/mollysocket/default-config.toml and copy it somewhere.

config.toml

• In the new file, replace the allowed_endpoints line with allowed_endpoints = ['*']. The default 0.0.0.0 config appears to be a bug; this setting controls access to endpoints within the app, not IPs from outside. Leaving the original value causes mollysocket to reject everything.
• Put a proper path in the db = './mollysocket.db' line rather than just having it land wherever you’re sitting.
• Delete the mollysocket.db that was created on first run (even if it’s already where you’re intending to put it). This is just to make sure the web server creates it and has the correct permissions.

Run script

• The environment variable ROCKET_PORT must be set or the server will sit and do nothing. It’s best to create all of the environment variables mentioned in the README, whether that is in a user profile script or in a shell script that wraps startup. You can change any of these values, but they must exist.

• export ROCKET_PORT=8020
  export RUST_LOG=info
  export MOLLY_CONF=/path/to/your/config.toml
  

Proxy server

• You’ll need to proxy everything from / to your mollysocket server and ROCKET_PORT.
• Exclude anything that you may need served from your web server, such as .well-known.

Things to know

• I get this warning on startup: “Forced shutdown is disabled. Runtime settings may be suboptimal.”
• I also can’t stop my server with any sane signal; only SIGKILL brings it down.
• Some discussion here: https://github.com/SergioBenitez/Rocket/discussions/1880

deleted by creator

you probably already found this, but for others who might be curious:

https://molly.im/

https://github.com/mollyim/mollyim-android

in the settings if you change notification method from websocket to unified push, the UP settings come up, including a server address (which is what they intend to be used) or some air gap mode that i can’t find documented

if your threat model were ‘encrypt everything at rest’, invitations to people outside your own service would be tricky as they have to be machine-readable text in a specific format. i’m sure it’s possible but you’d have to be specific in looking for that as a feature.

my needs are more modest - don’t store email in GAFAM or particular regimes - and i use runbox, which is bog-standard except for being stored somewhere else, being paid, and having slightly more homely webapps. using ‘evolution’ on linux, a bog-standard email program that’s also a bit more homely than alternatives, invitations go out to whomever i choose and look normal. i make recurring events for myself all the time and remove individual occurrences. i’ve added on ical subscriptions for things like country holidays, which are the first thing you’ll notice missing when you leave outlook.

the mail’s just imap and the calendar’s just caldav. when you get into providers that don’t provide imap or caldav for (valid) security reasons, that’s when you’re more likely to get integration issues with regular people.

i’m shopping for mp3 players for precisely this reason - a friend has an ipod touch that abruptly stopped scrobbling. the last.fm app is stuck in a loop sucking battery. and she needs bluetooth anyway. she has always kept music and phone separate but now we have to ask the five whys on that before getting her a new unfamiliar gadget.

again not foss so won’t dwell at length — but i use fund manager from beiley software. commercial, but works double-entry and handles more investment complexity than a human could ever need. windows app, i run it under wine on linux and crossover on mac. (i don’t own a windows box — that’s how irreplaceable it was for me.)

summary (not sure why it didn’t get included here): jmp.chat pilots another way to detect unauthorized certificates

We’ve been hard at work on a different tool that can also help with defense-in-depth for this kind of situation. Ultimately, a MITM will use a different public key from the one the server uses, even if it is wrapped in a signed certificate declared as valid by a trustworthy authority (like Let’s Encrypt). If we know what key is seen when trying to connect, and we know what key the server administrator expects us to see, we can detect an ongoing MITM of this variety even when the certificate presented is valid. The tool we have developed is in early testing now. We call it CertWatch.

The premise is simple. The server administrator knows exactly what public/private keypair they are using (or can easily find out) and publishes this in DNSSEC-signed DNS records for our tool to find. The tool then periodically polls the XMPP server over Tor to see what certificate is presented. If the key in the certificate matches the key in the DNS zone, we know the session is not MITM’d (some caveats below). CertWatch checks the current setup of any domain entered, and if not yet declaring any keys, it displays setup instructions. It will either tell you to enable DNSSEC or it will tell you which DNS records to add. Note that these records are additive, so it is safe to add multiple sets when serving multiple domains from one host through SRV records. Once everything looks good, running a domain through CertWatch will display a success message and instructions for getting notified of any issues. It will then poll the domain periodically, and if any key mismatches are found, those subscribing to notifications will receive an alert.

so per wikipedia and confirmed at MDN, firefox is the only major browser line not to consider certificate transparency at all. and yet it’s the only one that has given me occasional maddening SSL errors that have blocked site access (not always little sites, it’s happened with amazon).

i don’t understand how firefox can be simultaneously the least picky about certificates and the most likely to spuriously decide they’re invalid.

well i feel stupid now for not doing the obvious. but…

Blocked Page

Your organization has blocked access to this page or website.

on the PPA box, this is what it showed me (meanwhile it was attempting to connect to incoming.telemetry.mozilla.org). another symptom of displaying respect for enterprise policies but in fact ignoring them. (as i had mentioned, on this box all of the settings look locked down as they should be, but it’s still attempting to send telemetry.)

thanks, i’ll look again. it’s not that i love the idea of being fingerprinted; i just think that five mylar bags, four tin hats and a partridge in a pear tree won’t save me from that. i need my password manager, and once that’s in, enforcing a generic screen is silly - cow’s out of the barn. but not having the arms race against pocket and telemetry would be a big bonus.

i did try that but the never-dark mode blinded me. i understand the reasoning, but absolute anonymity isn’t my own threat model; i’d like to be able to use themes and resize the window

an interesting oddity: on my non-rooted xperia, signal thinks that i don’t have play services and so it falls back to… polling. every five minutes. killing my battery and my logs.

i had to put signal into the restricted battery group, which means no notifications. i anxiously await the new molly, as i already have a unified push environment. it looks like the migration will be a bit delicate.

neo store refuses to run if you don’t grant it the right to send notifications and bypass battery optimizations. if an app demands a permission and doesn’t have a plausible explanation why it needs it, i don’t keep it :/

imo magic earth is a navigation app, full stop. it does that amazingly well, including live traffic, but i wouldn’t use it for anything else. organic maps is a better general-purpose map but isn’t a patch on magic earth for nav.

It exists, it’s called a robots.txt file that the developers can put into place, and then bots like the webarchive crawler will ignore the content.

the internet archive doesn’t respect robots.txt:

Over time we have observed that the robots.txt files that are geared toward search engine crawlers do not necessarily serve our archival purposes.

the only way to stay out of the internet archive is to follow the process they created and hope they agree to remove you. or firewall them.

https://blog.archive.org/2017/04/17/robots-txt-meant-for-search-engines-dont-work-well-for-web-archives/

i made the same migration from markor (files in a folder) to logseq. there’s a lot to be gained - always-preview alone is a game changer - but on mobile the visibility of the keyboard can be fiddly. once in a while you’ll feel like you’re in vi, it has such a mind of its own. but i’m not planning to go back