It's the attack path.

How did you know f-droid's certificate was about to expire? Do you keep track?

It's not 'about to' it's expired. Did you not get a warning?

In Firefox it's easy to see the details of the HTTPS certificate by clicking on the small padlock in the navigation bar.

"Autoruns" is the sysinternals tool you're talking about ;)

Ah yeah, that's the one.

I don't know what the current situation is, but the amount of crapware back in the day was just staggering; every installer offered to "helpfully" install an extra toolbar or virus scanner or whatnot, which is how people ended up with 3 virus scanners and 8 toolbars in IE.

An AP or wlan router that supports vlan to ssid mapping.

At least GrapheneOS devs are transparant about it, as it should:

https://grapheneos.org/faq#default-connections

Would you be willing to share your full list?

Not in its entirety, but these are some of the more helpful "global" non-default rules I employ on some of my "more restrictive" / "less advertising" / "less tracking" PiHoles DNS resolvers:

[BLACKLIST]:

(\.|^)google-analytics\.com$

(\.|^)googlesyndication\.com$

(\.|^)googletagservices\.com$

(\.|^)google\.com$

(\.|^)douclick\.net$

(\.|^)doubleclick\.net$

(\.|^)facebook\.com$

(\.|^)fb\.com$

(\.|^)fbcdn\.net$

(\.|^)googleapis\.com$

(\.|^)disqus\.com$

(\.|^)gstatic\.com$

(\.|^)apple-dns\.net$

(\.|^)salesforceliveagent\.com$

(\.|^)salesforce\.com$

(\.|^)force\.com$

(\.|^)apple\.news$

getpocket.com

reddit.com

[WHITELIST]:

youtube-ui.l.google.com

maps.googleapis.com

maps.gstatic.com

streetviewpixels-pa.googleapis.com

Ah yes...the beauty of Android.

Facebook: https://f-droid.org/packages/com.pitchedapps.frost/

Instagram: https://f-droid.org/packages/me.austinhuang.instagrabber/

Third party UI does not a FB alternative make.

Those only live because they're so marginal that Meta doesn't bother with blocking them.

So you mean an alternative such as Mastodon?

Easy-rsa to the rescue. Been using it for a while, works great and makes life easier :)

Link: https://github.com/OpenVPN/easy-rsa

Summary from that page:

easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms, this means to create a root certificate authority, and request and sign certificates, including intermediate CAs and certificate revocation lists (CRL).

It's funny how I go from "YEAH! CA's SHOULD be a quick one-liner!" to "Should laymen be generating Root CAs?" inside of like 10 seconds of scrolling.

Do you use this approach?

If so, are you willing to share an example robots.txt file? What bots would be allowed? Google, Bing, ...? Those?

robots.txt is a standard and has been for many years. It seems that https://www.robotstxt.org is the main repository for its definition.

Any robots.txt I might suggest wouldn't necessarily be appropriate for anyone else. It's a policy that site stakeholders need to decide for themselves I'd say.

I just checked and cannot reach RT from Germany, using the ISP provided DNS server. I think that is key.

I tried using german isp dns, rt.com is blocked.

That's shocking.