An Analysis of GrapheneOS's Server Infrastructure
4 hours ago
- #governance-concerns
- #infrastructure-analysis
- #privacy-contradictions
- GrapheneOS has strong mobile security, making it hard for forensics tools like Cellebrite to extract data, but its server infrastructure reveals inconsistencies with its privacy values.
- The infrastructure is largely managed by one person, Daniel Micay, with his personal setup and funding linked to his GitHub account, raising concerns about governance and bus factor.
- Servers run Arch Linux, a rolling-release distribution, which is unusual for security-focused infrastructure, and they include full toolkits even on minimal services like DNS nodes.
- Despite building a global DNS network for independence, all DNS queries are forwarded to Cloudflare, contradicting the project's goal of avoiding third-party visibility.
- Infrastructure moved from France to the U.S. (Virginia) citing privacy concerns, yet U.S. jurisdiction has extensive surveillance capabilities, creating a jurisdictional contradiction.
- The project's update signing keys and critical infrastructure appear centralized under one individual, lacking public evidence of redundancy or distributed control as previously promised.