add a "control default connections" screen in setup wizard to allow users to turn off all kinds of connections including that to GrapheneOS services
I hope GrapheneOS can be closer to my dream OS:
Just like a newly installed Arch Linux, everything is the simplest and best. Even if it is connected to the Internet, it will not automatically connect to any server. Before I open an app with Internet access, I don't need to worry about any unconscious network connection—even to GrapheneOS servers.
I know keeping the system up to date is critical to keeping the device secure. So these connections could be left enabled by default, just like the device location permissions are currently on the initial setup screen. I hope all default passive network connections will be listed there too, so that users can selectively turn them off. Once the user turns off all those options, he can fully trust that GrapheneOS will not automatically connect to any server and will not consume a single KB of traffic, even if he turns on the cellular network or connects to Wi-Fi. No network connection can be established without the user's active operation.
Privacy and security are sometimes at odds. But we should give users choices, not help them make choices that might not be the best. Sometimes, users trust that GrapheneOS is private by default so much that they feel betrayed when they find that there is an unwanted network connection in some cases: even though I turned on the always-on VPN with an offline configuration before connecting my phone to the Internet for the first time, the operator still knew that I was using GrapheneOS! (https://github.com/GrapheneOS/os-issue-tracker/issues/5544)
The title of this screen can be "Control default connections," and on this screen, list all connections mentioned in https://grapheneos.org/faq#default-connections as items, each followed by a toggle, allowing users to turn them off before they use GrapheneOS.
Warn the user about the disadvantages of doing this when the user disables system updates.
I think there should be a grayed-out toggle for connections that can't be disabled currently, for the sake of being transparent to the user (that is, using the UI as a form of "documentation", not just for letting the user control stuff). Ideally, these would be at the bottom of the list.
I think the connections should ideally be listed by listing the features making them, rather than e.g. a list of domain names (but it could be nice having the domain names in parentheses).
It might be worthwhile to add the "Let apps refresh data automatically" toggle (from the Settings app > Passwords, passkeys & accounts) here as well. Despite no account being added to the system in the default installation, any user-installed app could add an account to the system, and it could be nice having it respect (out of the box) a user's privacy choice rather than respecting the toggle's hardcoded default.
I think a better title might be "External services & connections". The word control is redundant because the user would be presented with controls; the word default is also redundant because the defaults are implied in the initial state of the toggles in this screen.
> I think there should be a grayed-out toggle for connections that can't be disabled currently, for the sake of being transparent to the user (that is, using the UI as a form of "documentation", not just for letting the user control stuff). Ideally, these would be at the bottom of the list.
Which connection do you think can't be disabled?
> Which connection do you think can't be disabled?
It was more of a general idea: features could always be added in the future for which you might not find an easy way to implement a toggle in this screen.
Maybe an example is the System Updater, which doesn't currently support turning off automatic updates other than disabling the app. You could still make a toggle that'd disable this system app though.
> Which connection do you think can't be disabled?
Are the connections for "attestation key provisioning" and "Widevine provisioning" possible to disable? I have wanted to disable the latter, and possibly the former if I understood the impact of that
There's https://github.com/GrapheneOS/os-issue-tracker/issues/740
I would log traffic and see DNS connections to one while there seemed to be no reason for it.
You can disable Network for the RemoteProvisioner app doing both attestation key provisioning and widevine key provisioning. This will break support for attestation including for Auditor once current keys provisioned for the app(s) using it expire. For Auditor, it can still continue working for existing pairings via the attestation signing keys it already created but can't create new ones without new attestation keys provisioned once the old per-app ones expire.
Thank you! I might do that in the future. But even with that in mind, it seems like some form of "proper" support for disabling them, especially independently of each other, and introducing a toggle for this in the setup screen would be in line with what the author of the feature request desires to see.
> I think there should be a grayed-out toggle for connections that can't be disabled currently, for the sake of being transparent to the user (that is, using the UI as a form of "documentation", not just for letting the user control stuff). Ideally, these would be at the bottom of the list.
> Which connection do you think can't be disabled?
Is it possible to disable the connection to the GrapheneOS server for syncing the system clock?
> You can disable Network for the RemoteProvisioner app doing both attestation key provisioning and widevine key provisioning. This will break support for attestation including for Auditor once current keys provisioned for the app(s) using it expire. For Auditor, it can still continue working for existing pairings via the attestation signing keys it already created but can't create new ones without new attestation keys provisioned once the old per-app ones expire.
This doesn't make sense to me. Are you saying Auditor won't work without internet access? That's at odds with my experience, and at odds with the FAQ: https://grapheneos.org/faq#bundled-apps
> For example, it's useful to have the Auditor app available before connecting to the internet [...]
I must be misunderstanding something here
> Is it possible to disable the connection to the GrapheneOS server for syncing the system clock?
Yes, by turning off network time sync.
> Are you saying Auditor won't work without internet access?
It depends on how the particular device is set up. It will generally be able to work with pre-provisioned keys without initial internet access but after obtaining internet access will likely expect to get it again occasionally for making new pairings. Existing pairings do not need newly provisioned keys.
Got it. Thank you for the explanation.
Once it gets internet access, it starts rotating the attestation keys. It also obtains per-app attestation signing keys for when apps first use the feature. Those are currently only per-app, not per-pairing, and likely last a few weeks before expiry. Our Auditor app generates an attestation signing key with attestation enabled for itself and then uses that for the same pairing for each verification. It will work indefinitely without needing new attestation keys since the attestation signing for a pairing is with a key we generated, not the keys provisioned to the devices chaining up to the attestation roots. It would be possible for Auditor to support using attestation signing keys WITHOUT chaining them up to the attestation root to make it able to work fully offline with zero dependence on a service, but we haven't bothered to do this and it would solely be based on pinning with no initial verification.
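The two verification paths described in the last few comments (a new pairing needs the app key to chain through a still-valid provisioned attestation key up to the root; an existing pairing only needs a signature from the app's own pinned key) can be modelled in a small Go program. This is an added example and is not GrapheneOS, Auditor or RemoteProvisioner code: the root, the "provisioned attestation key", the app key and the 21-day provisioning lifetime are all constructed stand-ins for the real hardware-backed hierarchy, using only the Go standard library's X.509 and ECDSA packages.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// provisioningLifetime is a constructed stand-in for the "few weeks" the thread mentions.
const provisioningLifetime = 21 * 24 * time.Hour

// Device models the hierarchy described in the thread (constructed, not real attestation data):
// long-lived root -> short-lived provisioned attestation key -> app-generated signing key.
type Device struct {
	ProvisionedAt time.Time
	RootCert      *x509.Certificate
	ProvCert      *x509.Certificate // certificate for the key provisioned to the device
	AppKey        *ecdsa.PrivateKey // key the app generated "with attestation enabled"
	AppCert       *x509.Certificate // app key certified by the provisioned key (the attestation)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func template(cn string, serial int64, notBefore, notAfter time.Time, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: ca,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// NewDevice builds the chain as of `now`: a root, a freshly provisioned attestation key valid
// for provisioningLifetime, and an app key certified by that provisioned key.
func NewDevice(now time.Time) *Device {
	rootKey := newKey()
	rootTmpl := template("attestation root (constructed)", 1, now.Add(-time.Hour), now.AddDate(20, 0, 0), true)
	rootCert := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	provKey := newKey()
	provTmpl := template("provisioned attestation key (constructed)", 2, now.Add(-time.Hour), now.Add(provisioningLifetime), true)
	provCert := issue(provTmpl, rootCert, &provKey.PublicKey, rootKey)

	appKey := newKey()
	appTmpl := template("app attestation signing key (constructed)", 3, now.Add(-time.Hour), now.AddDate(10, 0, 0), false)
	appCert := issue(appTmpl, provCert, &appKey.PublicKey, provKey)

	return &Device{ProvisionedAt: now, RootCert: rootCert, ProvCert: provCert, AppKey: appKey, AppCert: appCert}
}

// VerifyChain is what a NEW pairing needs: the app certificate must chain to the root through
// a provisioned key that is still valid at verification time. Once that key has expired and
// no fresh one was provisioned, this fails.
func VerifyChain(d *Device, at time.Time) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(d.RootCert)
	inter.AddCert(d.ProvCert)
	_, err := d.AppCert.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// SignChallenge and VerifyPairing model an EXISTING pairing: the verifier pinned the app's
// public key when the pairing was made and afterwards only checks a signature over its own
// challenge, so the provisioned key's expiry is irrelevant to it.
func SignChallenge(d *Device, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	return must(ecdsa.SignASN1(rand.Reader, d.AppKey, h[:]))
}

func VerifyPairing(pinned *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pinned, h[:], sig)
}

func main() {
	d := NewDevice(time.Now())
	fmt.Println("new pairing one day after provisioning:", VerifyChain(d, d.ProvisionedAt.Add(24*time.Hour)))
	fmt.Println("new pairing after the provisioned key expired:", VerifyChain(d, d.ProvisionedAt.Add(provisioningLifetime+24*time.Hour)))
	challenge := []byte("constructed challenge from the verifying side")
	fmt.Println("existing pairing still verifies:", VerifyPairing(&d.AppKey.PublicKey, challenge, SignChallenge(d, challenge)))
}
```

The first call succeeds and the second fails with an expiry error, while the pinned-key check keeps succeeding at any time: that is the difference between "Auditor can't create new pairings once the per-app keys expire" and "existing pairings keep working" in the comments above. The fully offline mode mentioned at the end would correspond to skipping VerifyChain entirely and trusting the pinned key alone.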