Any rebuttal to Simplified Privacy's article "PrivacyGuides Loves Spyware"?

I have learned a lot through Privacy Guides, and it is one of my favorite go-to sites for privacy recommendations, so when I saw an article accusing this site of loving spyware it got my attention. No idea who the author of the article is, but although they seem to have a lot of respect for Jonah and Privacy Guides as a whole, in the article the author takes issue with Privacy Guides' use of Cloudflare, which he claims can break SSL and see private encryption keys, resulting in the ability to see passwords, etc. I’m a noob when it comes to this stuff, so I really don’t know if the concerns about Cloudflare or anything else mentioned in the article are legit, and I was hoping Jonah or someone else here at Privacy Guides could offer a response: PrivacyGuides Loves Spyware – Simplified Privacy

You know that the website you linked just mass-produces low-quality articles to boost their website and services? I would recommend staying away from such websites.

6 Likes
1 Like

Going to approve this post just because it mentions us. They’ve clearly run out of content; that particular site is an SEO farm for the owner’s “Linux Tech Support” company.

The “privacy advice” is really quite poor at times, as it considers no specific threat model other than “the gubbermint” is going to “get you”.

Most articles are just a tirade against any product or company that is considered BiG TeCh, without actually considering what needs those products might meet that alternatives do not. It’s also worth mentioning that products produced by small companies might be less mature, because of fewer resources and less funding for formal validation testing (i.e. audits).

appears to just be concerned with low level evasion

This comment is simply trying to appeal to the reader that they are offering a more qualified voice. While there may be readers of that site, I would be curious to know how many of those readers actually live by the advice that it provides with no exceptions.

Most people are not trying to evade sustained interest of the state they reside in. Two main reasons for this:

  1. Generally they’re not interesting enough, and if they are, it is very difficult to do for a sustained period of time.
  2. The Simplified Privacy author simply does not understand that specific products aren’t enough to protect against sustained targeted surveillance from a state actor. They have all the resources to find out who you are (and it only takes one slip up).

The advice we provide is individual: you pick the things that apply to your threat model. It is not expected that you do absolutely everything mentioned on privacyguides.org or use every product which we suggest. We do direct your thinking to some areas, however:

PrivacyGuides.net is on Cloudflare, their other forum Lemmy.one is on Cloudflare, and even his personal site JonahAragon.com is Cloudflared along with its email

Yeah, so what? If you want privacy, just use a VPN. We won’t know who you are, nor will Cloudflare. We’re not offering any public email services, and all of the team members have PGP or are available on Matrix (which has E2EE); some of us are available on Signal (also E2EE). If Cloudflare was the threat model, there would still be ways to contact us privately.

And even just for text and avatar icons with their staff bios, they use Microsoft Github. You can’t afford to host 5 tiny jpegs?

It’s not about cost; it’s perhaps that it can be managed in one centralized place. Again, none of these things really relate to privacy but to some kind of badness enumeration against BiG TeCh, which can be simply solved with a VPN or Tor.

I do not think his current recommendations have enough adversarial thinking in mind. For example, it’s only when Skiff email was recently bought by Notion, did PrivacyGuides remove it. They never mentioned that Cloudflare can break SSL and see the private encryption keys served to you when you first sign-up.

Clearly they never bothered to read the Skiff whitepaper - otherwise they would have noticed this sentence:

“Ensure sensitive information - such as Alice’s password and private keys - are never sent beyond her browser window”. (emphasis added)

It further describes the flow and culminates with:

Bob’s password_derived_secret and password are also never sent over any network, even as encrypted data.

Besides that, the use of Cloudflare is DDoS protection. I guess it’s okay for Simplified Privacy because nobody actually reads the site except for people who stumble across it in a search engine. Sadly, today popular services are the target of DDoS attacks, and it will involve a provider like that at some point.

We’ve always suggested at the top of the email page that email is not particularly secure anyway. The reason for this is that every SMTP server will transmit clear-text versions of the email to the remote server (only protected with opportunistic TLS - meaning providers see everything). If you’re on Proton, for example, or Tutanota and you send an email to a Gmail user, then it probably won’t be encrypted unless the Gmail user has an email client capable of PGP.

That is the reality, and in the case of email, you’re not always going to be able to control what the other user uses, or if they use webmail.

But not owning your identity, how are readers of PrivacyGuides even supposed to know if Jonah is the one writing on the forums, or if it’s really the government?

The “gubbermint” is not in our threat model. We don’t do anything which is going to come at odds with US law. If that is in your threat model, you want an anonymous identity you’re not holding on to for very long. If you are actually a target then you’re not going to want to be waiting around for them to discover who you are. Even then, if you’re actually inside the US that would be incredibly risky in the short term, let alone long term.

In this situation it really wouldn’t matter anyway what cryptography you use. In Jonah’s case, he lives in the US and if they wanted him to use his special keys to do a thing, they would simply compel him to do so. Maybe using an NSL or hold him in custody until he does.

There are no tools which will keep a state you live in at bay, when your identity is known and they don’t like what you’re doing.

Nostr is truly an amazing place and I urge him to try it again. His website says “decentralization” but I was shocked to see he does not even mention XMPP

Decentralization doesn’t necessarily mean privacy. In the case of XMPP there’s plenty of unencrypted metadata. The XMPP: Admin-in-the-middle article still holds true even today.

Sadly with XMPP there are not universally “good” reference clients. We like conversations.im but this is only available for one platform.

The other reason we don’t recommend XMPP is there are a multitude of XEPs (standards) that some clients implement, whilst others do not. There is no reference client, and thus no certainty in what is actually encrypted and what is not. Users have to be very careful to know what underlying features their chosen client supports.

The rest of the article isn’t worth reading and isn’t at all factual.

15 Likes

Yeah, nowadays 1/3 of the internet is through Cloudflare. You either trust them or do not use the internet then?

1 Like

@dngray Really appreciate you taking the time to thoroughly address the issues in the article. You make many good points, including the fact that there is no clarity as to what exact threat model is being addressed. It seems the author has a one-size-fits-all approach and only wants to utilize products and services which are anonymous, open source, and decentralized. Perhaps a nice ideal, but practically impossible to achieve, and for most of us simply impractical and unnecessary overkill which will lead to burnout.

1 Like

Idk, I still feel like there are alternatives to using Cloudflare, or at least having one mirror that doesn’t go through their CDN.

1 Like

I think giving a response will just increase traffic to their shitty website, which they cannot achieve through their website with its poor information. So, don’t engage or answer; otherwise, they see that this method works and continue their nonsense.

Edit: A reminder that PG is a non-profit, whereas Simplified Privacy is a business, which needs to sell consulting or products.

2 Likes

But not owning your identity, how are readers of PrivacyGuides even supposed to know if Jonah is the one writing on the forums, or if it’s really the government?

The comedy of the article writes itself. It reads like an unreviewed op-ed. They themselves don’t reveal their identity, so the same boogeyman question applies to them: for all we know, they are state actors acting against privacy lol.

To summarize, the article has no real substance other than “Cloudflare bad, GitHub bad, XMPP isn’t listed, Matrix uses Google Captcha, therefore Privacy Guides promotes spyware”. His only sources are Privacy Guides forums, whereas the rest of his writing has no other sources (lazy except for the bashing).

2 Likes

Jonah, I’m not attacking you. I’m trying to make you realize that they are attacking us. And instead of being at each other’s throats, we can empower our readers to take control of their digital lives.

I didn’t know we were at each other’s throats :eyes:

In addition to what @dngray said, I want to make two important notes that address the main points, in case they are not clear (just because @dngray is not as familiar with our technical setup as I):

  1. This Privacy Guides forum does not use Cloudflare’s Content Delivery Network. Cloudflare has no ability to MITM this forum, because they do not control the TLS certificates for this forum. We would not enable Cloudflare CDN on a Privacy Guides site which requires users to send credentials to log in, like this forum, because that is a bit problematic.
  2. We do not serve avatars or other content on our site from GitHub or any other third-party service. The assets on our website are served directly from our webserver without third-party requests. This is actually enforced by our CSP to avoid a third-party request being done mistakenly, so I don’t know what this is in reference to.

As far as criticism with our content, @dngray covered everything there already :+1:

If the author is confused about anything else we do, I’d encourage them to just ask us here on our forum beforehand, since we respond to virtually every post.

8 Likes

You are using Cloudflare DNS. Idk why the author made that assumption, did you guys use it before until recently?

1 Like

We do use Cloudflare DNS, and our domains are registered with Cloudflare.

This is inconsistent with the claim above that “Cloudflare has no ability to MITM this forum, because they do not control the TLS certificates for this forum”. In fact, Cloudflare can MiTM this forum just fine (whether they do it without their client’s knowledge, or if the client has set up the CDN to do it is secondary).

Perhaps I don’t understand, but at some point you have to pick some DNS provider. If they chose dns provider X, would you say X can MitM?

Cloudflare CDN <> Cloudflare DNS

2 Likes

No. If I understand correctly, it’s because said DNS provider doesn’t control the certificates.

@ignoramous I suppose I should say surreptitiously. There’s a difference between a DNS provider and a service which sits in between the user and the final server and holds the decryption keys at that point.

The domain being seized by Cloudflare on the other hand isn’t something we are worried about.

3 Likes

I don’t see the contradiction you seem to see in @jonah’s statements. It is not clear to me what specific risk you are concerned about here, and what potential alternative could mitigate that risk.

What are the specific concerns with using Cloudflare (for domain registration, and for DNS) and are there alternatives that would eliminate those concerns in your eyes, or is it simply a matter of choosing to trust entity A or entity B?

Yeah, unfortunately I do not (yet) own my own domain registrar and ARIN IP address space, so this is not a problem which is possible to solve :slight_smile:

6 Likes

Yes, any one who can read/write to DNS zones can issue certs (by default).

I am afraid you understand wrong. Check out the ACME dns-01 challenge.
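The dns-01 challenge referred to here, worked through offline as an added example (this is not code from the thread, nor from any ACME client or CA). It shows why zone write access is what matters: the TXT value a CA checks is derived only from the CA's token and the requester's own account key, so nothing the domain owner holds is involved. The JWK, token and zone below are constructed.

```python
"""ACME dns-01 (RFC 8555 section 8.4) and the JWK thumbprint it relies on.

Constructed values throughout: the account key is not a real key and the
token is not from any real CA."""
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order,
    no whitespace, then SHA-256. Extra members such as "alg" are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value the CA expects at _acme-challenge.<domain>:
    base64url(SHA-256(token "." thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())

def ca_validates(zone: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """What the CA does: fetch the TXT RRset and look for the expected value.
    zone maps owner name -> set of TXT strings (constructed, no real DNS)."""
    name = f"_acme-challenge.{domain}"
    return dns01_txt_value(token, account_jwk) in zone.get(name, set())

# Constructed ACME account key (any requester's key, not the domain owner's).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
TOKEN = "constructed-token-from-the-ca"

def demo() -> tuple:
    """Validation result before and after whoever can write the zone
    publishes the record; the domain owner's keys never enter the picture."""
    zone = {}  # constructed zone with no challenge record yet
    before = ca_validates(zone, "forum.example", TOKEN, ACCOUNT_JWK)
    zone["_acme-challenge.forum.example"] = {dns01_txt_value(TOKEN, ACCOUNT_JWK)}
    after = ca_validates(zone, "forum.example", TOKEN, ACCOUNT_JWK)
    return before, after  # (False, True)
```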

Only the registrar or the owner of the TLD (top-level domain) can seize a domain afaik. Nameservers can’t. Though, in privacyguides.org’s case, the nameserver and the registrar are one and the same entity (Cloudflare). Personally, I prefer my registrars and nameservers separate and limit TLDs to the popular ones.

How about a wildcard certificate *.privacyguides.org that Cloudflare issues and controls without your specific input? That’s the reality here.

Some precautions:

  • Subscribe to Certificate Transparency Logs to get notified whenever PKIX certs are issued for the domains one owns.
  • Add CAA records to limit issuance of certs to trusted intermediaries (but in this case, since Cloudflare has read/write access to the zone (domain), they also control the CAA record).
  • Host domains on their own nameservers (this is, of course, an extreme step for hobbyists).
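The CAA precaution above, and its caveat, as an added example (not code from the thread or from any CA): a CA evaluates the closest CAA record set walking up from the requested name, "issuewild" governs wildcard names such as the one discussed earlier, and whoever can write the zone can also rewrite that record set. The zone, domain names and CA identifiers are all constructed.

```python
"""CAA (RFC 8659) issuance check over a constructed zone.

zone maps owner name -> list of (flags, tag, value) CAA records.
Nothing here is Privacy Guides' real zone."""

def relevant_caa_set(zone: dict, name: str) -> list:
    """RFC 8659 section 3: the first non-empty CAA RRset on the path from
    `name` toward the root. Empty list means no CAA anywhere applies."""
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def issuance_permitted(zone: dict, name: str, ca: str) -> bool:
    """Would a CA identified by the domain `ca` be allowed to issue for `name`?"""
    wildcard = name.startswith("*.")
    rrset = relevant_caa_set(zone, name[2:] if wildcard else name)
    # An unknown property carrying the critical bit (128) forbids issuance.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # no property of this kind: any CA may issue
    # The issuer domain is the part before ';'; an empty one means "no CA".
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca.lower() in allowed

# Constructed zone: the apex permits one CA and forbids all wildcard
# certificates; a lab subdomain carries its own, different restriction.
ZONE = {
    "forum.example": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "lab.forum.example": [(0, "issue", "digicert.com")],
}

def caveat_zone_writer(ca: str = "other-ca.example") -> tuple:
    """The caveat from the post: the same wildcard query before and after
    someone with write access to the zone replaces the apex CAA set."""
    zone = {k: list(v) for k, v in ZONE.items()}
    before = issuance_permitted(zone, "*.forum.example", ca)
    zone["forum.example"] = [(0, "issue", ca), (0, "issuewild", ca)]
    after = issuance_permitted(zone, "*.forum.example", ca)
    return before, after  # (False, True)
```

Monitoring Certificate Transparency logs (the first precaution) is the complementary control, since it catches issuance that a rewritten CAA set would otherwise permit silently.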

You’re asking a question which is not at all the point of my original comment; the point was the claim that “Cloudflare cannot MiTM because <reason>”… is unfounded.

One can host their own nameserver or purchase slices of IPs / register ASNs or limit ACME challenge types or pin certificates with HPKP or TACK (if it works) or pin issuers or…