I think it might be reasonable to put a pause on suggesting AdGuard services, including the Safari extension, AdGuard Home, and the DNS servers, until more clarification is presented by the AdGuard team about their continued operations in Russia (head office, number of developers, accepting Russian local payment system, partnership with Serveroid, nature of the employment of the COO of AdGuard with Serveroid).
The only Adguard products that PG lists in their recommendations are:
AdGuard Home, which is an open-source and self-hosted DNS blocker. How does anything you mentioned warrant its removal? If you think they are doing something suspicious here then you'd need to point to those suspicious code parts first. I don't know if their binaries are reproducible, but you can build it from source and then compare your binary with what they provide to see if they inject anything funny.
iOS content blocker is also open-source but it's impossible to audit what exactly you download from App Store. Fortunately, the way content blocking works on iOS makes it impossible for them to do anything funny because of how restrictive the API is (saying as someone who shipped a content blocker to App Store myself). The app is also not asking for any additional permissions itself, so what exactly are you worried about?
If you're using their DNS resolver then the only thing they can do is to log your IP and what domains you're trying to resolve. That would contradict their privacy policy and that'll have quite a few legal implications in the EU as they are registered as a Cyprus company. They'd also lose their user base over it which is honestly quite a bad business move. Assuming they are an evil Russian spying company just because they have engineers in Russia is just a conspiracy.
So I'm not sure what exactly warrants removing the first two products. Although it'd be understandable if PG would want to stop recommending their DNS resolver just to be on the safe side.
I mean, you're welcome to? Their sources are on GitHub.
They could also potentially resolve your domain to a malicious IP, but that would be very noticeable thanks to TLS. So in the end, you're giving them the same amount of information as to your ISP unless you have encrypted SNI.
Although I probably wouldn't use their resolver if I were a Russian citizen just to be safe.
There at least needs to be a disclaimer about the potential ties to the Russian government. (Head office in Moscow, ties with Serveroid, accepting local payment system despite breaking the local law, etc)
Some people will probably choose to pick other options if they know about this. Although AdGuard services are open source, there may be some risks about a malicious update to their apps, and that's why we need to be more diligent about a project's current and future trajectory and potential risks, government ties, funding, investors, etc.
I think PrivacyGuides should consider this issue while considering some important contextual questions.
First, would PG recommend software if it had offices in another country like China? No? Then why Russia?
Second, Russia has been very anti privacy and is engaged in massive cyber espionage.
Third, Russia has not been above using their own companies to do their dirty work. See Kaspersky.
Honestly I didn't know they had head offices in Russia and that disappoints me. Unfortunately, that would imply that using their DNS services is probably a bad idea. Even if they have no bad intentions right now, the Russian gov could easily take over and use their service as a one-time shot to do a large DNS poisoning attack. Sure, people would catch on, but damage is done.
If Adguard is recommended on PG, I would like to hear the reasoning why it is continued to be recommended
On what grounds? Are you surprised that a company founded in Russia used Russian VPS (apparently founded by the same person?) to provide its services? Sorry, I still can't connect the dots. As far as I know there are no laws requiring hosting providers to inject backdoors in every VM people spin up.
Should we also add a disclaimer to the Tor page about its potential ties to the US government? If no then why? Your current arguments can be applied to almost every service listed on PG.
Some people will probably choose to pick other options if they know about this. Although AdGuard services are open source, there may be some risks about a malicious update to their apps, and that's why we need to be more diligent about a project's current and future trajectory and potential risks, government ties, funding, investors, etc.
Again, this is not a good argument as it can be applied to literally any service provider. I don't know why you decided to pick on AdGuard here, but it feels like you just don't like them or are scared of "Evil Russians".
I think these concerns are definitely warranted, this is coming from someone who is using AdGuard and has even paid for their subscriptions. Whilst all governments do extremely shady things which are hard to quantify and compare, I would encourage you all to read about some of the "stuff" (*cough* countless atrocities) that have happened in Russia, and the stupid amount of power the government has, specifically in regards to: if you go against them they will do very bad stuff to you, regardless of your position in the world.
Exactly my point. Instead of virtue signalling and stating any government is as bad as any other, let's appreciate the differences in a democratic country with a strong judicial system and medium/strong privacy laws (Western countries) with countries in which the government doesn't even need a court order for you to hand them all your data, and let them take over.
And again, no, this is from someone coming from such a country as Russia. And yes, Chinese government is also as bad as Russia's government and projects operating as businesses in China shouldn't be recommended imo, and they haven't as far as I know.
Saying one is worse than the other is hard to quantify or measure, the US are also responsible for countless atrocities, including ongoing ones. It's a kind of a fence sitting thing. But they say AG has moved outside of Russia, so I suppose that is good. But we should be wary cause if they are pressured it will happen regardless of their geographical position in the world.
It's understandable that PG should remove a recommendation that has the ability to log your IP and DNS queries, even though there isn't any evidence of that being the case.
But it wouldn't be understandable to remove an extension recommendation that can compromise anything that happens on the browser and the software that can compromise the whole system or a router.
Yes and I'm not sure if I agree with the suggestion.
Unless one builds these things from the public source code, it wouldn't be so easy to notice, even if someone did, it would probably be too late.
AdGuard has been building their reputation for 12 years, their HQ is in Cyprus, a lot of their team members are either there too or are moving there, etc. I think they're trustworthy.
I agree with your logic Jonah, but as Lucas has pointed out, it wouldn't be easy to notice the extension/software changes and it would be too late when you notice it. This all comes back to the point of your trust in AdGuard. If you don't trust them, and if they are not able to clarify the community's concern about their ties to Russia, there's no point in recommending ANY of their services.
If we're going by that logic, Intel is secretly relaying everything I'm typing here and TOR is most definitely backdoored and all of the posturing about being secure on the TOR network (in a technical sense, notwithstanding OPSEC mistakes) is complete and utter poppycock. Let's not pretend that western 3-lettered agencies have our best interests at heart; if they had their way with everything this forum wouldn't exist. I am ambivalent on the services which require a backend hosted on Russian infrastructure, but I still do not see a problem with the FOSS work that they have done.
I wish someone had a tool that could diff the cloudflare, OpenDNS and Adguard DNS databases to periodically check just how much poisoning is happening (and I think we might come up against surprising results).
I mean, you need to assess risks while also considering selling privacy-focused products is their core business.
What's the risk of them sneaking a backdoor into AdGuard Home? I'd say it's negligible as it wouldn't be too hard to spot it given its popularity among privacy conscious people.
For example, I just cloned their repo and quickly/lazily skimmed through the sources (except the frontend) to see if they do anything funny but nothing raises a flag. I'm also assuming that the community would spot funny things in the past given the project's popularity.
If we assume they'd sneak in a backdoor same way as xz backdoor happened, we'd find a difference in the pre-built binaries and the one you build yourself. I downloaded their latest release, then checked out to the same commit to build a release binary myself (again, except frontend). Running IDA and BinDiff against those two binaries says there's high confidence they were built from the same code as you can see on the screenshot.
The hash is different as their binaries are not byte-for-byte reproducible as you can also see with vbindiff, for example. I quickly skimmed through the difference, and it's pretty minor as far as I saw (haven't gone through everything but I don't think there's anything funny there either). Hope they'll look into delivering reproducible builds though.
Doing the same with their content blocker is difficult but we can check what capabilities content blocking extensions have: Creating a content blocker | Apple Developer Documentation.
So your extension only provides the rules to the system, and can't do much else. It can't see your history or network requests.
Now if we look at their DNS resolver, we can see that they have the ability to log your DNS traffic due to how DNS works, and we can't verify their claims. But given their privacy policy they can't do that as otherwise they risk losing customers and attracting EU watchdogs which would basically kill their business. It'd also not be a smart thing to do even if they were an evil Russian org as there's literally no point in going through many years of building the trust and then exposing themselves without achieving anything substantial. So there's a risk but it's pretty minimal in my view.
Please note that I'm not suggesting removing their DNS resolver, I'm just writing down my thoughts about the risks that continuing to recommend their services poses.
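An added example, not part of any post above and not AdGuard's tooling: when a self-built binary and a published one hash differently, a positional diff shows whether the differing bytes sit in a few small regions (such as embedded build metadata) or are spread through the file. The two sample blobs and all names here are constructed for illustration; the comparison is only meaningful when both files share the same layout, so a size mismatch is reported separately.

```python
import hashlib
import sys


def diff_ranges(a: bytes, b: bytes, merge_gap: int = 16):
    """Return [(start, end)] ranges (end exclusive) where a and b differ.

    Differing bytes no more than merge_gap apart are merged, so a changed
    build ID shows up as one region instead of one entry per byte.
    """
    ranges, start, last = [], None, None
    common = min(len(a), len(b))
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                start = i
            elif i - last > merge_gap:
                ranges.append((start, last + 1))
                start = i
            last = i
    if start is not None:
        ranges.append((start, last + 1))
    if len(a) != len(b):
        # Everything past the end of the shorter file counts as different.
        ranges.append((common, max(len(a), len(b))))
    return ranges


def summarise(a: bytes, b: bytes) -> dict:
    regions = diff_ranges(a, b)
    in_regions = sum(end - begin for begin, end in regions)
    return {
        "sha256_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "same_size": len(a) == len(b),
        "regions": regions,
        "bytes_in_regions": in_regions,
        "fraction": in_regions / max(len(a), len(b), 1),
    }


def _constructed_build(build_id: bytes, stamp: bytes) -> bytes:
    # Constructed stand-in for a binary: identical "code", different metadata.
    code = bytes(range(256)) * 8
    return b"HDR0" + build_id + code + b"built:" + stamp + code[:512]


OFFICIAL = _constructed_build(b"id-9f3c1a77", b"2024-01-02T03:04:05")
LOCAL = _constructed_build(b"id-52be0d41", b"2024-01-09T11:22:33")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # compare two real files given on the command line
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            OFFICIAL, LOCAL = f1.read(), f2.read()
    print(summarise(OFFICIAL, LOCAL))
```

A handful of short regions still has to be inspected by hand; many regions or a large fraction usually means the builds used different toolchains or flags and a function-level comparison is needed instead.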