Security notes - security for the everyday person: Difference between revisions
(14 intermediate revisions by the same user not shown) | |||
Line 61: | Line 61: | ||
--> | --> | ||
==Is it important to encrypt my | ==Is it important to encrypt my laptop or phone?== | ||
<!-- | <!-- | ||
tl;dr: | |||
* if you think you'll lose it, and want to ensure that the next reboot people will have a ''hard'' time getting in, yes. | |||
* do not assume encrypted devices do much against law enforcement, | |||
:: in that in a lot of places, you are more or less ''required'' to give them access somehow, and your refusal will have implications | |||
What makes more-mobile devices special compared to most others | |||
is that they physically are ''usually'' in environments you can't trust | |||
{{comment|(and unlike most other kinds of devices, not taking them there ''defeats their point'' so people just ''will do that'')}}. | |||
Data-at-rest encryption is arguably largely about "what happens when the people steal the storage and/or device that contains it?" | |||
After it's stolen and it's still on, this encryption does not yet play a role. | After it's stolen and it's still on, this encryption does not yet play a role. | ||
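Review bot: In the tl;dr lines, "want to ensure that the next reboot people will have a ''hard'' time getting in" is missing a preposition, and "what happens when the people steal the storage" has a stray "the"; suggest "after the next reboot" and "when people steal". The first bullet could also state what the context line below it already says, that this encryption plays no role while the device is still on.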
Line 143: | Line 133: | ||
Also, [https://xkcd.com/538/ [[File:security.png]] ] | Also, [https://xkcd.com/538/ [[File:security.png]] ] | ||
--> | |||
==Is it important to encrypt my PC?== | |||
<!-- | |||
tl;dr: | |||
: if you think it'll get stolen for the data on it, yes. | |||
: if you like the related peace of mind, yes | |||
: yet practically | |||
:: people don't generally take their PCs anywhere - LAN parties happen... less than since the nineties | |||
:: even theft by non-interested people is not too much threat. Yes, they could poke around, but chances are that they or the next owner will just reinstall the thing. | |||
: again, keep in mind that encrypted devices does not do much against law enforcement, | |||
:: in that in a lot of places, you are more or less ''required'' to give them access somehow, and your refusal will have implications. | |||
Footnotes: | |||
* "encrypt my PC" is usually variably used to mean | |||
:: "encrypt the system drive | |||
:: "encrypt user data" | |||
:: ...or other things | |||
* added disks would have to be separately encrypted | |||
--> | |||
==Is it important to encrypt my external drive?== | |||
<!-- | |||
If it's portable and you care about what happens when it gets stolen, yes. | |||
That said, | |||
* some of the solutions used by external disk are less secure than they could be | |||
* some of the solutions used by external disk are bad. | |||
* some of the implementations have been very flawed | |||
Also, there is a gliding scale of convenience, and threat modeling. | |||
Most are still good against casual theft, but if you are a person of interest, maybe double check. | |||
This isn't about how many bits the encryption has, it's where | |||
* the key is kept when it's off | |||
* where it's kept when it's on | |||
* the steps you need to do to have it become readable | |||
:: and its compatibility | |||
Say, if something is transparently encrypted -- it says it is but you never have to put in anything -- | |||
that often means that the drive is good within a specific computer - basically, it being in that computer | |||
means you get in automatically, and if people steal just the drive, chances are they will never get in. | |||
The thing is if that is a laptop, it's easier to steal the entire thing in the first place. | |||
--> | |||
==Is it important to use two-factor authentication?== | |||
<!-- | |||
For anything that really matters to you, it is likely worth it, because: | |||
* changes are higher that you will know about bad attempts | |||
* changes are lower than someone will get in at all | |||
There ''are'' footnotes to that. | |||
The idea that you have to provide | |||
* something you ''have'' (varies, but for convenience is now often "something done on your phone") plus something | |||
'''AND''' | |||
* something you ''know'' (like a password) | |||
...means that | |||
* even if ''one'' of those is taken, or just poorly chosen, | |||
* a system that is set up for 2FA is also more likely to ''tell'' you about attempts that failed on using just one of them | |||
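Review bot: In the two-factor section, "changes are higher that you will know" and "changes are lower than someone will get in" look like typos for "chances are higher that" and "chances are lower that". The list under "...means that" never finishes its thought: "even if ''one'' of those is taken, or just poorly chosen," ends on a comma with no consequence stated, and "plus something" at the end of the ''have'' bullet is left dangling before '''AND'''. In the external drive section, the bullets "less secure than they could be" and "are bad" say nearly the same thing; consider merging them and writing "external disks".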
Line 257: | Line 338: | ||
Depends. | |||
In security, you do [[threat modeling]], a.k.a. figuring out '''what problem you are trying to solve''', | |||
because it's easy to solve a problem you didn't really have, or focuses on a smaller but forgets a larger issue. | |||
In which case we bought into [[fear, uncertainty, and doubt]], and/or a sales pitch, and are not more secure. | |||
Which can even have net-negative effect, when nothing changed, | |||
when you only ''think'' you are safer, and act more careless. | |||
If you want to hide your browsing behaviour from your ISP (or free wifi spot), it helps. | |||
: | : browser traffic mostly isn't snoopable, but looking up the site name is. | ||
: this can be overstated, because in many countries such snooping is illegal -- but that doesn't mean they don't | |||
:: Redundant in that: the network can't snoop on the contents of HTTPS website traffic, which is now common on everything (and always was on important sites like banks and such) | |||
:: Redundant in that: other WiFi clients already can't snoop on you (because of how WiFi works), except with some specialist hardware | |||
:: useful in that: the network behind it ''can'' listen to plain HTTP, site name lookups (DNS requests, and/or HTTP [[SNI]] headers) and potentially block based on each | |||
:: sometimes that's a thing -- e.g. even if they can't see any data exchange with porn.org, they can see the fact that you looked up the name just now so are ''probably'' visiting it. | |||
If you want to not get localized in the world | |||
: because as far as a remote side is concerned, you come from that VPN company's servers, not from your own ISP's | |||
: say, livestreamers may worry about doxxing. While your hope IP ''usually'' doesn't give people anything closer than "this city or two", this is still a very reasonable defense (assuming it is not your only one) | |||
If you want to get around country restrictions, or even just sites that overzealously switch languages while traveling, it helps | |||
: which is purely about practical use, unrelated to privacy or security. Just the [[proxy]] part. | : which is purely about practical use, unrelated to privacy or security. Just the [[proxy]] part. | ||
: note that this may be against the ToS you agreed with on the site. | : note that this may be against the ToS you agreed with on the site. | ||
:: How much the site actually cares, and how much it does against it, depends on what kind of site it is, whether it cuts into profits. But in the case of e.g. netflix, it's because ''they'' say no - the law doesn't. | :: How much the site actually cares, and how much it does against it, depends on what kind of site it is, whether it cuts into profits. But in the case of e.g. netflix, it's because ''they'' say no - the law doesn't. | ||
If you want to encrypt your browser traffic against snooping -- it mostly was already. | |||
:: | |||
:: | |||
:: | If you want nother people on WiFi to not snoop on you -- they already can't really. | ||
If you want to be anonymous to the sites you visit, you should ''assume'' it does not work. | |||
: in particular when you tell it who you are, by logging in | |||
: but also, assume that VPN barely affects [[browser fingerprinting]] | |||
It solves some network-level privacy issues, but solves ''zero'' browser-level privacy issues | |||
: and do you ''really'' know which is which? | |||
More technically: | |||
The main point of a VPN is often proxying: | |||
that all your traffic goes to your VPN company's servers first (encrypted), | |||
and only ''then'' to the rest of the internet (unencrypted). | |||
: The first part of that path also cannot be snooped on. | |||
:: As far as the ISP is converned, it's just another secure connection - the contents are unknown | |||
::: They can find out ''that'' it's a VPN connection, but nothing about the contents | |||
Also, they add encryption, but as those parentheses suggest, only for part of the path. | |||
: whether that has any added value depends on who you (dis)trust more | |||
Upsides | |||
* avoiding warnings from your own ISP (or others) for using P2P | * avoiding warnings from your own ISP (or others) for using P2P | ||
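Review bot: "HTTP [[SNI]] headers" mislabels SNI, which is a field in the TLS handshake and not an HTTP header; suggest "DNS requests, and/or the TLS [[SNI]] field". The line "other WiFi clients already can't snoop on you (because of how WiFi works)" does not say which kind of network it means and does not hold on an open network with no WiFi encryption, so it needs that qualifier. In "only ''then'' to the rest of the internet (unencrypted)", say that only the VPN's own layer of encryption ends at the VPN server, since the same section states that HTTPS contents stay unreadable to the network. Typos in this hunk: "hope IP" (home IP), "nother people", "converned".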
Line 316: | Line 416: | ||
Arguables: | Arguables: | ||
* useful if you assume your ISP is malicious | * useful if you assume your ISP is malicious | ||
Line 339: | Line 437: | ||
* may give a false sense of security | * may give a false sense of security | ||
:: most people don't realize what it ''doesn't'' protect. Basically, see all of the 'Neither' section below | :: most people don't realize what it ''doesn't'' protect. Basically, see all of the 'Neither' section below | ||
What you may think it does, but doesn't: | What you may think it does, but doesn't: | ||
* defeating ''some'' of the trackability of people who are specifically interested in you | |||
: Certainly not all. Not even close. And 'some; is not enough. | |||
* "VPN makes your internet connection faster" | * "VPN makes your internet connection faster" | ||
:: No. Also, that's vague. See the next two points. | :: No. Also, that's vague. See the next two points. | ||
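Review bot: The bullet "defeating ''some'' of the trackability of people who are specifically interested in you" sits under "What you may think it does, but doesn't:", yet its follow-up line concedes that it does defeat some. Either move it to the arguable items or reword it as the overclaim being rebutted, the way the quoted "VPN makes your internet connection faster" bullet is. The follow-up line also has a mismatched quote in "'some; is not enough".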
Line 348: | Line 450: | ||
* "VPN makes your latency lower" | * "VPN makes your latency lower" | ||
:: It can't. The very nature of what it does is an extra step in routing (via the VPN servers) and encryption (which isn't free) | :: It can't. The very nature of what it does is an extra step in routing (via the VPN servers) and encryption (which isn't free) | ||
:: it may | :: it may add very little, but it cannot subtract. | ||
:: if a test somehow shows lower latency, that test is extremely forced in a way we must get technical about. | :: if a test somehow shows lower latency, chances are that test is extremely forced in a way we must get technical about. | ||
:: they only way it can be better is ''if'' something (probably your ISP) is actively doing content-specific throttling. | |||
::: in which case a VPN may make the latency more stable, but still not lower | |||
* "VPNs make for faster download speeds" | * "VPNs make for faster download speeds" | ||
:: Generally not. | :: Generally not. | ||
:: may have slight negative effect | :: again, may have slight negative effect, but that is often negligible | ||
:: the only reason it would be positive is that someone is specifically slowing that download, and now cannot | :: the only reason it would be positive is that someone is specifically slowing that download, and now cannot | ||
::: if so, yeah, a VPN would be a good stopgap - while you take | ::: if so, yeah, a VPN would be a good stopgap - while you take legal action to what is probably illegal for your ISP to do, or if not, that you ''want'' to make a big fuss about making illegal. | ||
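Review bot: "they only way it can be better" should read "the only way", and the sentence would be clearer if it said what "better" means here, since the next line limits it to "more stable, but still not lower". The last line of the hunk is hard to parse: "take legal action to what is probably illegal for your ISP to do, or if not, that you ''want'' to make a big fuss about making illegal" needs "against" instead of "to" and would read better split into two sentences.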
Line 389: | Line 495: | ||
Specifics: | Specifics: | ||
* Defeating net non-neutrality | * Defeating net non-neutrality | ||
:: In most other places, net neutrality is still the norm - with some exceptions, like government forcing ISPs to ban specific sites (happens in a few places, mostly for P2P, and fairly ineffective). | |||
:: In most other places | :: but it's a thing in the US now that they're actively dismantling net neutrality[https://en.wikipedia.org/wiki/Net_neutrality_in_the_United_States#Net_neutrality_and_the_Trump_administration_(2017)] | ||
* "VPN masks your identity", "evades tracking", "you leave no trail" (anonimizing) | * "VPN masks your identity", "evades tracking", "you leave no trail" (anonimizing) | ||
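Review bot: Under "Defeating net non-neutrality", the line "In most other places, net neutrality is still the norm" now comes before the line that names the US, so "other" has nothing to refer to; swap the two lines or name the US first. The Wikipedia link is a bare bracketed URL with no label, which renders as a numbered footnote marker; give it link text. "anonimizing" in the context line below is a typo for "anonymizing".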
Line 404: | Line 510: | ||
::: If you're talking P2P, know that there are companies that do purpose-built tracking - because there's so much of it and lessening (scaring and/or sueing you makes sense) makes it cheaper to run the network. | ::: If you're talking P2P, know that there are companies that do purpose-built tracking - because there's so much of it and lessening (scaring and/or sueing you makes sense) makes it cheaper to run the network. | ||
:: Note that a generic VPN is wider, Tor is a nicer option for some cases (and since it's redundant with VPN, choose which you prefer) | :: Note that a generic VPN is wider, Tor is a nicer option for some cases (and since it's redundant with VPN, choose which you prefer) | ||
Line 428: | Line 528: | ||
And yes, some of that is technical, but a lot of it looks technical but ends up being a very practical thing | And yes, some of that is technical, but a lot of it looks technical but ends up being a very practical thing. | ||
There is a very real question that -- again -- comes down to [[threat modeling]]. | |||
: Is it that you are political and want to not get into shit? | : Is it that you are political and want to not get into shit? | ||
: Is it that actually want it to never be read? | : Is it that actually want it to never be read? |
Revision as of 11:01, 15 April 2024