Internet Security & Privacy
Categories:
[Technology]
Tags:
[security],
[privacy],
[internet]
Passphrases
I'm going to touch on this only briefly since I did a full twenty to twenty five minute podcast on this subject. As mentioned before, make sure to use a password manager such as Bitwarden. Bitwarden does have a free version that has a ton of functionality. I currently pay for the premium version of Bitwarden for the extra features but anyone starting out will be fine with the free option.
Grab some dice and a word list such as the one from the EFF. Roll the dice to get five numbers and write those numbers down. Then replete for as many words as you want your passphrase to be long. I would suggest using at least six, this will make the chances of cracking so low that even if the attacker can guess 1 trillion times per second it will still take them 3,505. Keep this in mind, since using just one less word results in your attacker being able to guess your passphrase in only 165 days!
The passphrase you get from your dice should only be used for Bitwarden. The more places you have it used the better the chance you have of getting fished. This is when someone makes a fake site that looks just like the site you want to go to. They then can steal your password and kick you back to the real site.
Why use dice to pick your passphrase? Something called entropy:
Entropy is a measure of the uncertainty or randomness of a system. The concept is a difficult one to grasp fully and is confusing, even to experts. Strictly speaking, any given passphrase has an entropy of zero because it is already chosen. It is the method you use to randomly select your passphrase that has entropy. Entropy tells how hard it will be to guess the passphrase itself even if an attacker knows the method you used to select your passphrase. A passphrase is more secure if it is selected using a method that has more entropy.Entropy is measured in bits. The outcome of a single coin toss -- "heads or tails" -- has one bit of entropy. - Arnold G. Reinhold
I've been asked before if it's ok to use a site like rempe.us/diceware instead of trying to find dice that you may or may not have. For normal everyday use this should be fine but keep in mind that no computer connected to the internet is 100% safe and you should assume it's been compromised. One thing you can do is to download the site and run it offline in order to ensure no one is snooping. I'd even go as far as creating a bootable USB drive running Linux that is fresh and has never been online to run the downloaded files.
Remember, convenience is the killer of security and privacy.
Useful Extensions
HTTPS Everywhere
HTTPS Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure.
Many sites offer encypted web traffic but they may default to unencrypted HTTP, or have links that go back to the unencrypted version of their site.
HTTPS Everywhere is an open-source extension that fix this problem by rewriting your requests to the encrypted version of the site your visiting.This of course only works if the site offers an encrypted version, but getting a site encrypted is more and more common with each passing year.
By defaulting to an encrypted version of a site you greatly increase your security and privacy on said site. When encrypted sniffing and eavesdropping on your web traffic is much more difficult. So much more that an attacker would have to spend more time to break the encryption than the value they would get from your information.
Privacy Badger
Privacy Badger is a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web. If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser. To the advertiser, it's like you suddenly disappeared.
When you view a webpage, that page will often be made up of content from many different sources.
Privacy Badger keeps track of all of this. If as you browse the web, the same source seems to be tracking your browser across different websites, then Privacy Badger springs into action, telling your browser not to load any more content from that source. And when your browser stops loading content from a source, that source can no longer track you.
Privacy Badger keeps note of the "third party" domains that embed images, scripts and advertising in the pages you visit.
In some cases a third-party domain provides some important aspect of a page's functionality, such as embedded maps, images, or stylesheets. In those cases Privacy Badger will allow connections to the third party but will screen out its tracking cookies and referrers.
If you want a more advanced tool for controling cookies, trackers, and scripts; check out uMatrix and uBlockOrigin. I use these daily and love how much control I have over each domain.
Decentraleyes
Decentraleyes is a local Content Delivery Network (CDN) Emulator.
The aim of this add-on is to cut-out the middleman by providing lightning speed delivery of local (bundled) files to improve online privacy.
a lot of websites make you load vital files through large third-party services
There are a couple of reasons why web developers are tempted to do this. It lowers upkeep costs (as these services do not cost the host any money), and it speeds up the web in the sense that if you store a specific version of a file once, you will only contact that central content delivery service to see if the file your browser already has, is identical to the one that's being served.
Since these companies are now deeply woven into the fabric of the web, cutting them off actually breaks a significant percentage of all websites.
That is where Decentraleyes comes in!
It comes bundled with a fair amount of commonly used files that you would need to get from these 3rd party providers, and serves them locally on your machine.
Whenever a site tries to fetch them from a delivery network this extension grabs the version that you have stored on your computer saving you bandwidth and protecting your privacy.
Decentraleyes complements regular content blockers such as Privacy Badger we previously mentioned.
Use a VPN
A VPN allow you to connect to a another server and encrypt your data from your home to their server. This will stop your ISP from spying on you and collecting data. Keep in mind that the company you use for the VPN can spy on you and collect data. So make sure to do your research and find a good company.
I currently use Mullvad because they do not require you to sign up with an email address, provide your name, or credit card (you can pay with cryptocurrency). This is a big step in limiting the amount of data a VPN provider has on you.
For maximum privacy make sure the VPN you choose does not keep logs, allows you to pay with Bitcoin, only asks for an email address (use a temporary address for added privacy), have openVPN connections, and is not United States corporation.
That all being said, using a VPN will not make you anonymous. But it will give you a better privacy. A VPN is not a tool for illegal activities and don't rely on a "no log" policy because companies can lie.
For more information an VPNS check out the past posts on the subject:
Web Browsers
The Tor Browser gives you the most privacy over every other browser. It does slow down your speeds slightly due to how it works to provide you with said privacy. However, if you really want to cut down on the amount of spying (both corporate or state sponsored) than the Tor browser is your best best.
Firefox is a great second choice browser for privacy and security; its also what I use on a daily basis. Firefox is fast, reliable, open source and respects your privacy. There is a bit of work that needs to be done to make it the most privacy and security buff that it can be but it's worth every second.
Finally there is the Brave browser. Brave is open source and automatically blocks ads and trackers. This browser is based on chromium, the open source version of what Google turns into Chrome.
Proton Mail is a very user friendly and privacy focused email service. They have free and paid versions, accept bitcoin as payment for their paid plans, allows you to use your own domain, and has encryption built in and automatically enabled.
You can send an encrypted email to anyone on the web and they can view it with a key you supply them. If you don't encrypt the email they can see it as with any email. The nice thing about Proton Mail is that every message in your account is automatically encrypted and only you are able to view the messages. The company does not even know what your messages say.
Other email providers include, Disroot and Tutanota. Both of these have free accounts and have encryption built-in.
Privacy Respecting Search Engines
Searx
Searx is an open source search engine that searches other search engines. This site takes your search and aggregates the results if finds from many of the webs search engines. Including Google, Yahoo, Bing, ect. This all happens without storing information on you and what you are looking for. Also there are no ads!
StartPage
StartPage gives you Google search results, with complete privacy protection.
Duck Duck Go
The search engine that doesn't track you. Some of DuckDuckGo's code is free software hosted at GitHub, but the core is proprietary. This is by far the most popular of the security and privacy focused search engines.
Ways to support the blog.
If you are an email kind of nerd you can sign up for mine here.
You can donate to this site from my Liberapay account if you so choose. If you want a more passive way to support this site, use this link when shopping on Amazon; it kicks some of Amazon's profit to me at no extra cost to you.