No one ever said that the new model would not be usefull. But Anthropic hyped it up to a 0-Day machine, who finds 0-Days in every project with easy and in places they could not have been found by humans.

I have q xyz Domain as my main Domain. And there are basically no issues here. But in 1 or 2 places i noticed that the domain gets blocked, a couple of free/open wifis or a couple of DNS servers. But nothing major imho.

By default this applications allows when adding a server, that the communication is not encrypted between the app and the server. This should be configured by default to enforce TLS encryption. If someone would want to disable dis behavior and allow unencrypted communication, then this should take extra steps.

As i commented somewhere else, to say that since it is turned off it is secure by default, is like saying: “The SSH server is turned off by default so the configuration that comes with it does not need to be secure when shipped”

Thats like saying:

“The SSH Server configuration does not need to be secure because the SSH Server is turned off by default”

Yes, this is what we’re discussing… Are you a bot?

Obviously no. But you keep dodging the point here. And instead of comming up with an argument against my point, you seem to try to attack me personally.

In security and development there is a statement, called “secure by default”. That means the default settings are secure. This would encapsulate something like enforced Transport encryption.

Does this mean that the config can not be changed to fit the thread model? No.

Not sure why you’ve chosen to be indignant about this particular implementation.

We are talking about a tracking App. Most selfhosted projects do not store such private data. You may can mage the argument for immich but only for ppl who take a picture every 5 min.

If the target server is compromised or taken by LEA the data is gone.

Laying the responsibility into the hands of the user is not ok for such an data aggregating service. Such highly critical, private and intime data should be protected and secure by default.

Not even transport encryption is enforced in the project. At first glance, http is allowed on local connections?!? Generate a self signed SSL cert on start and pin it in the app. Easy.

It is no excuse that other services do not follow these state of the art protection measures.

I absolutely agree with you. Such private data should be End-To-End-Encrypted.