blog post: document privacy features of f-droid.org fronter setup
A quick blog post to describe the current setup. The Hetzner/Greenhost work should be in a separate post.
Here are a couple points to include:
- letting clients work without SNI is a privacy feature
- ECH is coming soon; in the meantime, our webserver config works without SNI
- Make the f-droid.org hosting setup look like a generic CDN-style setup.
- The f-droid.org webserver supports connecting via any domain name.
- Use separate certbot certs per-domain to avoid probing.
Some text from the proposal that might be useful:
The f-droid.org webserver setup already gives us a lot of flexibility in how it is configured and run. We will set up f-droid.org to support key privacy improvements like connecting with a blank SNI field. Additionally, we will configure it to look like a generic CDN setup to make it stand out less. We will test various configurations for improved access.
We explored allowing connections using only the IP address without giving the domain name, but that would conflict with the blank SNI setup, so we dropped this idea.