Roadmap
Last updated: 2026-01-09
This is our honest, low-commitment public direction, not a promise.
We publish this page mainly to:
- be transparent about our values and long-term vision
- show people what we care about
- get feedback from the community
Some things to consider:
- Dates are estimates at best. Many items depend on external ecosystems (software releases, global adoption)
- Order and priority can (and will) change based on security issues, community needs, funding/hardware reality
Highlights of 2026
January
- Switched from Cloudflare nameservers to SERVFAIL, an indie DNS service that respects your privacy
- Switched from Nginx to Angie, a modern, feature-rich fork of the Nginx stable branch
- Fixed Cryptgeon not working on Yggdrasil due to lack of HTTPS
What's coming next?
- Moving our services to on-prem servers (Paused)
- Expanding our darknet infrastructure (In progress)
- Adding ECH support (Not started)
- Adding DANE support (Not started)
- Dropping IPv4 support (For distant future)
Moving to on-prem
Status: Paused
ETA: No ETA yet
Cloud infrastructure is not very cheap. It's also not the most secure or private as it puts the renter at the mercy of the hosting provider, trusting that the hosting provider or another malicious party with access doesn't tamper with the systems or deplatform the renter.
We therefore want to move our important infrastructure to physical servers we own and control. It would cut down the costs in the long run as we don't have to pay recurring fees for cloud hosting, it lets us create and host far bigger and more ambitious projects that we wouldn't have been able to before, and it cuts out one more company from the supply chain for better security and greater sovereignty.
While it does cut down the costs in the long run, the initial costs for hardware will be high. We believe it is worth it.
Expanding the darknet infrastructure
Status: In progress
As the clearnet becomes more hostile and less habitable for self-hosters every day, we have been working on expanding our services on alternative networks like Tor and Yggdrasil.
While plenty of our services are available on darknets/alternative networks, there are still a couple of services that are not. More specifically, the following services have not been fully covered yet:
| Service | Tor | Yggdrasil | Notes |
|---|---|---|---|
| Telepath XMPP | No | No | Tor support in Prosody requires a special module; XMPP-over-Yggdrasil is mostly uncharted territory |
| Telepath IRC | No | Yes | — |
While we do want to make as many of our services as possible available over both the Yggdrasil and Tor networks, it is not feasible for some services (e.g. Mumble requires UDP, which Tor doesn't support, so Telepath Mumble is available only over clearnet and Yggdrasil).
We might also consider expanding to other alternative networks/darknets (e.g. I2P, Lokinet) in the future.
ECH support
Status: Not started
ETA: No ETA yet, starts in April 2026. See why below.
Encrypted Client Hello (ECH) is a TLS extension that encrypts the entire initial handshake, preventing network observers from seeing metadata like the Server Name Indication (SNI). This closes one of the last privacy gaps in HTTPS, ensuring that ISPs can see the destination IP address, but not the specific domain name being requested.
We are planning on adding support for ECH for our services to enhance privacy, but it will take a while for this to happen for the following reasons:
- Currently, Caddy is the only web server with good out-of-the-box support for ECH
  - Caddy handles ECH automatically (generating keys, setting DNS records), so the DNS provider has to be configured in Caddy for it to publish the needed DNS records
- Nginx has only had initial ECH support since mainline version 1.29.4
  - As of writing this, ECH has not reached the stable branch yet (the next stable release is coming in April 2026)
  - Angie doesn't support it yet, as it's based on the stable branch
  - Requires a custom build of OpenSSL; built-in ECH support is coming in OpenSSL 4.0 (coming April 2026)
- Outside of HTTP(S) servers, most other applications that rely on SNI don't support ECH yet
DANE support
Status: Not started
ETA: No ETA yet
DNS-based Authentication of Named Entities (DANE) allows using the DNS system secured with DNSSEC to vouch for TLS certificates, as an alternative to the fragile certificate authority system.
In late 2023, it was revealed that Jabber.ru, one of the world's oldest and largest XMPP services, had been the victim of a massive, sophisticated Man-in-the-Middle (MITM) attack. The attackers had access to the network infrastructure upstream from the servers and intercepted encrypted traffic without triggering security warnings by issuing valid TLS certificates from Let's Encrypt.
One of the ways to mitigate this is by using the TLSA DNS record type, which is used to associate a TLS server certificate or public key with the domain name where the record is found. Using DNSSEC (which we already implement), the record is cryptographically signed to prevent tampering.
However, DANE is not too useful for HTTPS services as most browsers refuse to implement it. It mainly shines with e-mail and XMPP. We plan to implement DANE for Telepath XMPP.
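To make the TLSA check concrete, here is an added example (not FSKY's own code) of the RFC 6698 matching step a DANE-aware client performs, comparing a key pin ("3 1 1") with a full-certificate pin ("3 0 1"). The helper names are hypothetical, and the certificates are constructed, unsigned stand-ins that only follow the X.509 field layout.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)   # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)        # tbsCertificate SEQUENCE
    pos = 0
    if tbs[0] == 0xA0:                        # optional [0] version field
        _, _, pos = read_tlv(tbs, 0)
    for _field in range(5):                   # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)
    return tbs[pos:end]

def tlsa_matches(selector, mtype, assoc_hex, cert_der):
    """RFC 6698 match. selector: 0=full cert, 1=SPKI. mtype: 0=exact, 1=SHA-256, 2=SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 1:
        data = hashlib.sha256(data).digest()
    elif mtype == 2:
        data = hashlib.sha512(data).digest()
    return data == bytes.fromhex(assoc_hex)

def der(tag, *parts):
    body = b"".join(parts)  # sample stays under 128 bytes, so short-form lengths suffice
    return bytes([tag, len(body)]) + body

def sample_cert(key, serial):
    """Constructed stand-in with the X.509 field layout (unsigned, empty names)."""
    spki = der(0x30, der(0x30, der(0x06, b"\x2b\x65\x70")), der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial])),
              der(0x30), der(0x30), der(0x30), der(0x30), spki)
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00"))

OPERATOR = sample_cert(b"\x11" * 32, 1)   # certificate for the operator's own key
RENEWED = sample_cert(b"\x11" * 32, 2)    # renewal that reuses the same key
ROGUE = sample_cert(b"\x22" * 32, 3)      # CA-issued cert for the same name, other key
PIN_SPKI = hashlib.sha256(spki_from_cert(OPERATOR)).hexdigest()  # "3 1 1" record data
PIN_CERT = hashlib.sha256(OPERATOR).hexdigest()                  # "3 0 1" record data

for name, cert in (("operator", OPERATOR), ("renewed", RENEWED), ("rogue", ROGUE)):
    print(name, "3 1 1:", tlsa_matches(1, 1, PIN_SPKI, cert),
          "3 0 1:", tlsa_matches(0, 1, PIN_CERT, cert))
```

A "3 1 1" pin keeps matching across renewals that reuse the key, while a "3 0 1" pin has to be republished with every new certificate; both reject a certificate issued for a different key, whichever CA signed it.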
Dropping IPv4
Status: For distant future
ETA: Once global IPv6 adoption reaches ~80%
Currently, FSKY is entirely dual-stack (supporting both IPv4 and IPv6). In the distant future, we plan on dropping IPv4 support from our services entirely in favor of the new and superior IPv6. Only around half of the Internet supports IPv6 in 2026, so we will only drop IPv4 support once the IPv6 adoption rate is high enough.
If you want to track the IPv6 adoption progress, you can check out the following resources: