Difference between revisions of "Security notes / Unsorted"

From Helpful
m
m ("Is it important to use a VPN?")
Line 27: Line 27:
 
Mostly not.
 
Mostly not.
  
The VPN (sponsored) ads you've seen lately are leaning heavily on the "overheard in public" kind of fear.
+
The VPN sponsored ads you've seen lately are leaning heavily on the "overheard in public" kind of fear.
 
+
(Also, there may be good, but not-so-easily-put-in-these-ads reasons, like getting around country restrictions, or not getting disconnection warnings from your own ISP for using P2P.)
+
  
  
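Review bot: In the reworded first sentence, dropping the parentheses turns "VPN (sponsored) ads" into "VPN sponsored ads", which reads as ads sponsored by a VPN rather than sponsored ads for VPNs; "sponsored VPN ads" would keep the original meaning. The new parenthetical about country restrictions and ISP warnings for P2P also restates the two list items this same revision adds in the hunk under "Line 35", so it may be enough to keep that point in one place.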
Line 35: Line 33:
 
: public wifi points can't snoop on the unencrypted data  
 
: public wifi points can't snoop on the unencrypted data  
 
:: only necessary for sites that don't encrypt - more and more do
 
:: only necessary for sites that don't encrypt - more and more do
: your ISP can't snoop on DNS lookups, i.e. the names (and ''only'' the names) of the sites you visit
+
 
 +
: getting around country restrictions
 +
: avoiding warnings from your own ISP for using P2P (this and the previous are not in the ads for dubious-legality reasons)
 +
 
 +
: ISP paranoia. Since HTTPS is now almost universal they can't snoop on traffic already -- but they can still snoop on DNS lookups, i.e. the names (and ''only'' the names) of the sites you visit.
 +
 
  
 
Downsites:
 
Downsites:
: slower
+
: slower. How much varies, but always a little.
 +
 
 
: may be a false sense of security
 
: may be a false sense of security
: VPN servers may be logging a ''bit'' more than nothing (to stay legal)
+
:: protecting communication does not necessarily protect your computer, or your data from other threats.
: you've moved the point of possible corruptibility from many ISPs to few VPN servers
+
 
 +
: you've moved the point of possible corruptibility, from many ISPs to fewer VPN servers
 +
 
 +
: the VPN servers you use may be logging a ''bit'' more than nothing (to stay legal)
 +
 
 +
 
  
 
Neither:
 
Neither:
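Review bot: The rewritten ISP bullet ("ISP paranoia. Since HTTPS is now almost universal they can't snoop on traffic already ...") is the only entry in its list that is not phrased as something the VPN does for you, and "can't snoop on traffic already" would read more clearly as "already can't snoop on traffic contents"; consider keeping the shape of the removed line ("your ISP can't snoop on DNS lookups") and moving the HTTPS remark into a sub-item. The unchanged context still says "Downsites:" where "Downsides:" is meant, which could be fixed while this list is being reordered.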
Line 50: Line 59:
 
:: ''All'' sites where security matters (banks etc) use encrypted connections already. This is what that padlock in your browser represents. (it indicates HTTPS (HTTP over SSL/TLS))
 
:: ''All'' sites where security matters (banks etc) use encrypted connections already. This is what that padlock in your browser represents. (it indicates HTTPS (HTTP over SSL/TLS))
 
:: As do most others, and most phone apps. Heck, my toy home-hosted server does, because I was interested.
 
:: As do most others, and most phone apps. Heck, my toy home-hosted server does, because I was interested.
: you've moved the point of possible corruptibility, not removed it
+
 
 +
: you've not removed the point of possible corruptibility, you've just moved it.
  
 
-->
 
-->
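Review bot: The reworded last bullet ("you've not removed the point of possible corruptibility, you've just moved it.") now makes the same point as the "you've moved the point of possible corruptibility, from many ISPs to fewer VPN servers" bullet that this revision keeps in the preceding list, so the section says it twice. Keeping only the earlier one, which carries the ISP-versus-VPN detail, would be enough.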

Revision as of 16:43, 7 July 2020

Security related stuff.

Practical


Theory


Unsorted


This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)


Is it important to use a password manager?

"Is it important to use a VPN?"

Challenge/response

JSON Web Signature, Encryption, Tokens

This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)

JSON Web Signature (JWS)

Signing arbitrary data.


JSON Web Encryption (JWE)

Syntax for the exchange of encrypted data, and sending it in Base64 within JSON.


JSON Web Tokens (JWT)

JWT is aimed at sending verifiable claims, building on JWS or JWE.

Signed using a shared secret, or a public/private key.

Typically used between an identity provider and a service provider, in an SSO-like way.


-->