Privacy question, Lemmy and Let's encrypt

Looking at my Pi-hole logs I see that when loading the Lemmy.ml site, Pi-hole asks DNS for r3.o.lencr.org, which is hosted by Akamai, which has its HQ in the USA. Does this mean that even if Lemmy is hosted in the EU, my visit to Lemmy can be tracked in the USA?

@fruechtchen
4
edit-2
1M

It could be the case that one of the linked Lemmy instances uses that, and Lemmy retrieves its data to show what this linked Lemmy instance has posted.

Dessalines
admin
31M

Do you have the network request?

@ajz
creator
31M

I had a closer look with Termshark on two computers now. It shows a handshake for SSL, and probably asks a Let’s Encrypt OCSP server about the validity of the used SSL certificate. This blog post was useful to read https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ so I understand a bit better why this happens, as well as this: https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns
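
The OCSP responder a browser contacts is not chosen by the website: it is read out of the site certificate's Authority Information Access (AIA) extension, which is why a DNS lookup for r3.o.lencr.org shows up in Pi-hole for any site using a Let's Encrypt R3 certificate. The following is an added example (not code from this thread or from Lemmy) that builds a small AIA value with the standard library only, then parses it back to list the OCSP responder URLs and the hostnames a resolver would be asked for. The caIssuers URL in the sample is a constructed placeholder; only the OCSP URL comes from the thread.

```python
"""Encode and decode an X.509 Authority Information Access (AIA) extension
value to show where the OCSP responder hostname comes from.
Standard library only; the sample AIA below is constructed for illustration."""
from urllib.parse import urlparse

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _base128(n: int) -> bytes:
    """Big-endian base-128 with continuation bits, as used inside OIDs."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1])  # first two arcs share one value
    for arc in arcs[2:]:
        body += _base128(arc)
    return b"\x06" + _der_len(len(body)) + body


def der_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def der_uri(url: str) -> bytes:
    # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String -> tag 0x86
    body = url.encode("ascii")
    return b"\x86" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if byte & 0x80:
            continue
        if not arcs:
            arcs.extend(divmod(value, 40) if value < 80 else (2, value - 80))
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))


def parse_aia(der: bytes):
    """Return [(access-method OID, URI or None)] from an AIA extension value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE of AccessDescription")
    entries, pos = [], 0
    while pos < len(body):
        tag, desc, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("AccessDescription must be a SEQUENCE")
        oid_tag, oid_body, after_oid = _read_tlv(desc, 0)
        name_tag, name_body, _ = _read_tlv(desc, after_oid)
        if oid_tag != 0x06:
            raise ValueError("accessMethod must be an OID")
        uri = name_body.decode("ascii") if name_tag == 0x86 else None
        entries.append((decode_oid(oid_body), uri))
    return entries


def ocsp_responders(der: bytes):
    return [uri for oid, uri in parse_aia(der) if oid == OID_OCSP and uri]


def ocsp_hostnames(der: bytes):
    """Hostnames a client resolves before it can ask about certificate status."""
    return [urlparse(u).hostname for u in ocsp_responders(der)]


# Constructed sample AIA: the OCSP URL is the one seen in the Pi-hole log;
# the caIssuers URL is a placeholder, not a real CA address.
SAMPLE_AIA = der_seq(
    der_seq(der_oid(OID_OCSP), der_uri("http://r3.o.lencr.org")),
    der_seq(der_oid(OID_CA_ISSUERS), der_uri("http://ca-issuers.example.invalid/")),
)

if __name__ == "__main__":
    for oid, uri in parse_aia(SAMPLE_AIA):
        print(oid, uri)
    print("resolver will be asked for:", ocsp_hostnames(SAMPLE_AIA))
```

Because the responder URL is fixed by the certificate issuer, every visitor of every R3-signed site asks the same responder, and the query tells the responder only which certificate (by issuer and serial) is being checked, plus the client IP and the request headers; the page path is never part of the OCSP request. Browsers that honour a stapled OCSP response in the TLS handshake, or that use their own revocation lists, never make the lookup at all, which is what the stapling setting on the server side controls.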

@AgreeableLandscape
admin
2
edit-2
1M

If you opened any images or embedded links on the Lemmy page, that could be why, since that would directly load the image or embed source. It could also be that another instance is hosting their images (which would include the thumbnails for their posts) on a CDN. The Lemmy web client isn’t supposed to load any core assets or send XHRs to anywhere beyond the host by default, unless the instance admin specially configured it that way (which isn’t the case on lemmy.ml).

As for your privacy question, I think at most it would send a referrer that contains the URL of the page that made the request, which can be scrubbed from the request with a browser extension. It would obviously also send your browser’s standard request headers and your IP address, same as any HTTP request. I could be wrong, but I don’t think an XHR or static file load would be able to see, for example, cookies or local storage belonging to the parent site unless the parent site let it?

EDIT: Actually, as I was typing this, I saw your comment about OCSP; that might also be it, but the above was what I immediately thought of. If it is OCSP though, I don’t know if what I said about the privacy implications would apply, but I imagine it would also not give any information about what page you’re on, just the domain.

A reputable and trustworthy VPN would probably mitigate this. Presumably the request isn’t executing a script, so it can’t fingerprint your browser, so assuming your user agent string isn’t too unique, just hiding your IP address should thwart any tracking they might be doing.

@ajz
creator
3
edit-2
1M

Thanks. After I saw those lines in the log files I tried this a few times: start the browser, load lemmy.ml and do nothing else, and then check the Pi-hole logs again. I guess I can test again later some time by blocking XHR and frames via something like uMatrix first.
