privacyguides/privacytools.io
Archived
1
0
Fork 0
Code Issues 304 Pull Requests 47 Activity

Rearrange some sections and correct grammatical errors (#1548)

Browse Source 
Co-Authored-By: djoate <56777051+djoate@users.noreply.github.com>
This commit is contained in:
Jonah Aragon
2019-12-01 14:36:48 -06:00
committed by GitHub
parent 685d1077e2
commit 7791da0d19
28 changed files with 289 additions and 299 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
pages/os.html
View File

@ -7,6 +7,41 @@ description: "Even your own computer could be compromising your privacy. Discove
{% include sections/operating-systems.html %}
<h3>Warning</h3>
<ul>
<li><a href="#win10"><i class="fas fa-link"></i> Don't use Windows 10 - It's a privacy nightmare</a></li>
</ul>
<h4 id="cpuvulns">Remember to check CPU vulnerability mitigations</h4>
<p><em><a href="https://support.microsoft.com/en-us/help/4073757/protect-windows-devices-from-speculative-execution-side-channel-attack">This also affects Windows 10</a>, but it doesn't expose this information or mitigation instructions as easily. MacOS users check <a href="https://support.apple.com/en-us/HT210108">How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities on Apple Support</a>.</em></p>
<p>When running a recent enough Linux kernel, you can check the CPU vulnerabilities it detects by <code>tail -n +1 /sys/devices/system/cpu/vulnerabilities/*</code>. By using <code>tail -n +1</code> instead of <code>cat</code>, the file names are also visible.</p>
<p>
In case you have an Intel CPU, you may notice "SMT vulnerable" display after running the <code>tail</code> command. To mitigate this, disable <a href="https://en.wikipedia.org/wiki/Hyper-threading">hyper-threading</a> from the UEFI/BIOS. You can also take the following mitigation steps below if your system/distribution uses GRUB and supports <code>/etc/default/grub.d/</code>:
</p>
<ol>
<li><code>sudo mkdir /etc/default/grub.d/</code> to create a directory for additional grub configuration</li>
<li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force" | sudo tee /etc/default/grub.d/mitigations.cfg</code> to create a new grub config file source with the echoed content</li>
<li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including these new kernel boot flags</li>
<li><code>sudo reboot</code> to reboot</li>
<li>after the reboot, check <code>tail -n +1 /sys/devices/system/cpu/vulnerabilities/*</code> again to see that everything referring to SMT now says "SMT disabled."</li>
</ol>
<h5>Further reading</h5>
<ul>
<li><a href="https://cpu.fail/">CPU.fail</a></li>
<li><a href="https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/">Hardware vulnerabilities index on The Linux kernel user's and administrator's guide</a></li>
<li><a href="https://www.cyberciti.biz/faq/install-update-intel-microcode-firmware-linux/">How to install/update CPU microcode firmware on Linux</a> - Regardless of your CPU manufacturer, you should always install the latest microcode packages available to be protected from CPU vulnerabilities, especially if the command above reports <strong>no microcode</strong> in its output.</li>
<li><a href="https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html">MDS - Microarchitectural Data Sampling on The Linux kernel user's and administrator's guide</a></li>
<li><a href="https://mdsattacks.com/">RIDL and Fallout: MDS attacks on mdsattacks.com</a></li>
<li><a href="https://en.wikipedia.org/wiki/Simultaneous_multithreading">Simultaneous multithreading on Wikipedia</a></li>
</ul>
{% include sections/live-operating-systems.html %}
{% include sections/mobile-operating-systems.html %}

79
pages/providers/dns.html
View File

@ -6,3 +6,82 @@ description: "Don't let Google see all your DNS traffic. Discover privacy-centri
---
{% include sections/dns.html %}
<h4>Terms</h4>
<ul>
<li>DNS-over-TLS (DoT) - A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls. DoT has two modes:</li>
<ul>
<li>Oppurtunistic mode: the client attempts to form a DNS-over-TLS connection to the server on port 853 without performing certificate validation. If it fails, it will use unencrypted DNS. <span class="badge badge-warning" data-toggle="tooltip" data-original-title="In other words automatic mode leaves your DNS traffic vulnerable to SSL strip and MITM attacks"><i class="fas fa-exclamation-triangle"></i></span></li>
<li>Strict mode: the client connects to a specific hostname and performs certificate validation for it. If it fails, no DNS queries are made until it succeeds.</li>
</ul>
<li>DNS-over-HTTPS (DoH) - Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443. <span class="badge badge-warning" data-toggle="tooltip" data-original-title="DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server."><a href="https://tools.ietf.org/html/rfc8484#section-8.2"><i class="fas fa-exclamation-triangle"></i></a></span></li>
<li>DNSCrypt - An older yet robust method of encrypting DNS.</li>
</ul>
<h4>How to verify DNS is encrypted</h4>
<ul>
<li>DoH / DoT
<ul>
<li>Check <a href="https://www.dnsleaktest.com/">DNSLeakTest.com</a>. <span class="badge badge-warning" data-toggle="tooltip" data-placement="bottom" data-original-title="Your DNS provider may not appear with their own name, so compare the responses to what you know or can find about your DNS provider. Just ensure you don't see your ISP or old unencrypted DNS provider."><i class="fas fa-exclamation-triangle"></i></span></li>
<li>Check the website of your DNS provider. They may have a page for telling "you are using our DNS." Examples include <a href="https://adguard.com/en/adguard-dns/overview.html">AdGuard</a> and <a href="https://1.1.1.1/help">Cloudflare</a>.</li>
<li>If using Firefox's trusted recursive resolver (TRR), navigate to <code>about:networking#dns</code>. If the TRR column says "true" for some fields, you are using DoH. <span class="badge badge-warning" data-toggle="tooltip" data-placement="bottom" data-original-title='Some fields will say "false" depending on the the value of network.trr.mode in about:config'><a href="https://wiki.mozilla.org/Trusted_Recursive_Resolver"><i class="fas fa-exclamation-triangle"></i></a></span></li>
</ul>
</li>
<li>dnscrypt-proxy - Check <a href="https://github.com/jedisct1/dnscrypt-proxy/wiki/Checking">dnscrypt-proxy's wiki on how to verify that your DNS is encrypted</a>.</li>
<li>DNSSEC - Check <a href="https://dnssec.vs.uni-due.de/">DNSSEC Resolver Test by Matthäus Wander</a>.</li>
<li>QNAME Minimization - Run <code>dig +short txt qnamemintest.internet.nl</code> from the command-line (taken from <a href="https://nlnetlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf">this NLnet Labs presentation</a>). If you are on Windows 10, run <code>Resolve-DnsName -Type TXT -Name qnamemintest.internet.nl</code> from the PowerShell. You should see this display: <code>"HOORAY - QNAME minimisation is enabled on your resolver :)!"</code></li>
</ul>
<h3 id="clients">Software suggestions and Additional Information</h3>
<ul>
<li><strong>Encrypted DNS clients for desktop:</strong>
<ul>
<li><em>Firefox</em> comes with built-in DoH support with Cloudflare set as the default resolver, but can be configured to use any DoH resolver. <span class="badge badge-warning" data-toggle="tooltip" data-placement="bottom" data-original-title='"Cloudflare has agreed to collect only a limited amount of data about the DNS requests that are sent to the Cloudflare Resolver for Firefox via the Firefox browser."'><a href="https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/"><i class="fas fa-exclamation-triangle"></i></a></span> Currently Mozilla is <a href="https://blog.mozilla.org/futurereleases/2019/07/31/dns-over-https-doh-update-detecting-managed-networks-and-user-choice/">conducting studies</a> before enabling DoH by default for all US-based Firefox users.</li>
<ul>
<li>DNS over HTTPS can be enabled in Menu -> Preferences (<code>about:preferences</code>) -> Network Settings -> Enable DNS over HTTPS. Set "Use Provider" to "Custom", and enter your DoH provider's address.</li>
<li>Advanced users may enable it in <code>about:config</code> by setting <code>network.trr.custom_uri</code> and <code>network.trr.uri</code> as the address you find from the documentation of your DoH provider and <code>network.trr.mode</code> as <code>2</code>. It may also be desirable to set <code>network.security.esni.enabled</code> to <code>True</code> in order to enable encrypted SNI and make sites supporting ESNI a bit more difficult to track.</li>
</ul>
</ul>
</li>
<li><strong>Encrypted DNS clients for mobile:</strong>
<ul>
<li><em>Android 9</em> comes with a DoT client by <a href="https://support.google.com/android/answer/9089903">default</a>. <span class="badge badge-warning" data-toggle="tooltip" data-original-title="...but with some caveats"><a href="https://www.quad9.net/private-dns-quad9-android9/"><i class="fas fa-exclamation-triangle"></i></a></span></li>
<ul>
<li>We recommend selecting <em>Private DNS provider hostname</em> and entering the DoT address from documentation of your DoT provider to enable strict mode (see Terms above). <span class="badge badge-warning" data-toggle="tooltip" data-original-title="If you are on a network blocking access to port 853, Android will error about the network not having internet connectivity."><i class="fas fa-exclamation-triangle"></i></span></li>
</ul>
<li><em><a href="https://apps.apple.com/app/id1452162351">DNSCloak</a></em> - An <a href="https://github.com/s-s/dnscloak">open-source</a> DNSCrypt and DoH client for iOS by <td><a data-toggle="tooltip" data-placement="bottom" data-original-title='"A charitable non-profit host organization for international Free Software projects."' href="https://techcultivation.org/">the Center for the Cultivation of Technology gemeinnuetzige GmbH</a>.</li>
<li><em><a href="https://git.frostnerd.com/PublicAndroidApps/smokescreen/blob/master/README.md">Nebulo</a></em> - An open-source application for Android supporting DoH and DoT. It also supports caching DNS responses and locally logging DNS queries.</li>
</ul>
</li>
<li><strong>Local DNS servers:</strong>
<ul>
<li><em><a href="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby">Stubby</a></em> - An open-source application for Linux, macOS, and Windows that acts as a local DNS Privacy stub resolver using DoT.</li>
<li><em><a href="https://nlnetlabs.nl/projects/unbound/about/">Unbound</a></em> - a validating, recursive, caching DNS resolver. It can also be ran network-wide and has supported DNS-over-TLS since version 1.7.3.</li>
<ul>
<li>See also <a href="https://www.ctrl.blog/entry/unbound-tls-forwarding.html">Actually secure DNS over TLS in Unbound on ctrl.blog</a>.</li>
</ul>
</ul>
</li>
<li><strong>Network wide DNS servers:</strong>
<ul>
<li><em><a href="https://pi-hole.net/">Pi-hole</a></em> - A network-wide DNS server mainly for the Raspberry Pi. Blocks ads, tracking, and malicious domains for all devices on your network.</li>
<li><em><a href="https://gitlab.com/quidsup/notrack">NoTrack</a></em> - A network-wide DNS server like Pi-hole for blocking ads, tracking, and malicious domains.</li>
</ul>
</li>
<li><strong>Further reading:</strong>
<ul>
<li>On Firefox, DoH and ESNI</li>
<ul>
<li><a href="https://wiki.mozilla.org/Trusted_Recursive_Resolver">Trusted Recursive Resolver (DoH) on MozillaWiki</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1500289">Firefox bug report requesting the ability to use ESNI without DoH</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1542754">Firefox bug report requesting the ability to use Android 9+'s Private DNS (DoT) and benefit from encrypted SNI without having to enable DoH</a></li>
<li><a href="https://blog.cloudflare.com/encrypted-sni/">Encrypt it or lose it: how encrypted SNI works on Cloudflare blog</a></li>
</ul>
<li><a href="https://www.isc.org/blogs/qname-minimization-and-privacy/">QNAME Minimization and Your Privacy</a> by the Internet Systems Consortium (ISC)</li>
<li><a href="https://www.isc.org/dnssec/">DNSSEC and BIND 9</a> by the ISC</li>
</ul>
</li>
</ul>

10
pages/providers/email.html
View File

@ -15,3 +15,13 @@ description: "Find a secure email provider that will keep your privacy in mind.
</div>
{% include sections/email-providers.html %}
<h3>Related Information</h3>
<ul>
<li><a href="https://www.wired.com/2011/10/ecpa-turns-twenty-five/">Aging 'Privacy' Law Leaves Cloud E-Mail Open to Cops</a> - Data stored in the cloud for longer than 6 months is considered abandoned and may be accessed by intelligence agencies without
a warrant. Learning: Use an external email client like Thunderbird or Enigmail, download your emails and store them locally. Never leave them on the server.</li>
<li><a href="https://www.eff.org/deeplinks/2012/04/may-firstriseup-server-seizure-fbi-overreaches-yet-again">With May First/Riseup Server Seizure, FBI Overreaches Yet Again</a></li>
<li><a href="https://www.autistici.org/ai/crackdown/">Autistici/Inventati server compromised</a> - The cryptographic services offered by the Autistici/Inventati server have been compromised on 15th June 2004. It was discovered on 21st June 2005. One year
later. During an enquiry on a single mailbox, the Postal Police may have tapped for a whole year every user's private communication going through the server autistici.org/inventati.org.</li>
</ul>

15
pages/providers/social-networks.html
View File

@ -6,3 +6,18 @@ description: "Find a social network that doesn't pry into your data or monetize
---
{% include sections/social-networks.html %}
<h3>Related Information</h3>
<ul>
<li><a href="https://addons.mozilla.org/firefox/addon/mastodon-simplified-federation/">Mastodon: Simplified Federation</a> - Firefox Extension to improve usability for remote Mastodon instances.</li>
<li><a href="https://justdeleteme.xyz/">JustDeleteMe</a> - A directory of direct links to delete your account from web services.</li>
<li><a href="https://forget.codl.fr/">Forget</a> - A service that automatically deletes your old posts on Twitter and Mastodon that everyone has forgotten about.</li>
</ul>
<h3>Facebook Related</h3>
<ul>
<li><a href="https://www.facebook.com/help/delete_account">Delete your Facebook account</a> - Direct link to delete your Facebook account without being able to reactivate it again.</li>
<li><a href="https://deletefacebook.com/">How To Permanently Delete A Facebook Account</a> - This guide will take you through a smooth and successful Facebook account deletion.</li>
<li><a href="https://addons.mozilla.org/firefox/addon/facebook-container/">Facebook Container by Mozilla</a> - Prevent Facebook from tracking you around the web.</li>
<li><a href="https://www.stopusingfacebook.co/">Stop using Facebook</a> - A curated list of reasons to stop using Facebook and how to do it.</li>
</ul>

6
pages/software/networks.html
View File

@ -7,3 +7,9 @@ hidedesc: true
---
{% include sections/self-contained-networks.html %}
<h3>Related Information</h3>
<ul>
<li><a href="https://darknetdiaries.com/">darknetdiaries.com</a> - True stories from the dark side of the Internet.</li>
</ul>

6
pages/software/passwords.html
View File

@ -6,3 +6,9 @@ description: "Stay safe and secure online with an encrypted and open-source pass
---
{% include sections/password-managers.html %}
<h3>Related Information</h3>
<ul>
<li><a href="https://peertube.mastodon.host/videos/watch/4cdedd90-a5b4-4022-b93d-828e85ed58cd">Edward Snowden on Passwords on Peertube</a></li>
</ul>

60
pages/software/real-time-communication.html
View File

@ -7,6 +7,66 @@ description: "Discover secure and private ways to communicate with others online
{% include sections/instant-messenger.html %}
<h3 id="exploiting-centralized-networks" class="anchor">
<a href="#exploiting-centralized-networks">
<i class="fas fa-link anchor-icon"></i>
</a>
Recent news about breaking E2EE on centralized instant messengers
</h3>
<h5>November 2019</h5>
<ul>
<li><a href="https://www.reuters.com/article/us-interpol-encryption-exclusive-idUSKBN1XR0S7">Exclusive: Interpol plans to condemn encryption spread, citing predators, sources say (Reuters)</a></li>
<li><a href="https://arstechnica.com/tech-policy/2019/11/think-of-the-children-fbi-sought-interpol-statement-against-end-to-end-crypto/">Think of the children: FBI sought Interpol statement against end-to-end crypto (ArsTechnica)</a></li>
</ul>
<h5>October 2019</h5>
<ul>
<li><a href="https://www.eff.org/deeplinks/2019/10/open-letter-governments-us-uk-and-australia-facebook-all-out-attack-encryption">The Open Letter from the Governments of US, UK, and Australia to Facebook is An All-Out Attack on Encryption (EFF)</a></li>
<li><a href="https://arstechnica.com/tech-policy/2019/10/the-broken-record-why-barrs-call-against-end-to-end-encryption-is-nuts/">The broken record: Why Barrs call against end-to-end encryption is nuts (ArsTechnica)</a></li>
<li><a href="https://arstechnica.com/information-technology/2019/10/ag-barr-is-pushing-facebook-to-backdoor-whatsapp-and-halt-encryption-plans">US wants Facebook to backdoor WhatsApp and halt encryption plans (ArsTechnica)</a></li>
</ul>
<h5>August 2019</h5>
<ul>
<li><a href="https://arstechnica.com/tech-policy/2019/08/post-snowden-tech-became-more-secure-but-is-govt-really-at-risk-of-going-dark">Post Snowden tech became more secure, but is government really at risk of going dark? (ArsTechnica)</a></li>
</ul>
<h5>July 2019</h5>
<ul>
<li><a href="https://techcrunch.com/2019/07/23/william-barr-consumers-security-risks-backdoors/">US attorney general William Barr says Americans should accept security risks of encryption backdoors (TechCrunch)</a></li>
<li><a href="https://www.theregister.co.uk/2019/07/23/us_encryption_backdoor/">Low Barr: Don't give me that crap about security, just put the backdoors in the encryption, roars US Attorney General (The Register)</a></li>
</ul>
<h5>May 2019</h5>
<ul>
<li><a href="https://www.theguardian.com/uk-news/2019/may/30/apple-and-whatsapp-condemn-gchq-plans-to-eavesdrop-on-encrypted-chats">Apple and WhatsApp condemn GCHQ plans to eavesdrop on encrypted chats (The Guardian)</a></li>
</ul>
<h5>January 2019</h5>
<ul>
<li><a href="https://www.justsecurity.org/62114/give-ghost-backdoor/">Give Up the Ghost: A Backdoor by Another Name (Just Security)</a></li>
</ul>
<h5>December 2018</h5>
<ul>
<li><a href="https://www.zdnet.com/article/whats-actually-in-australias-encryption-laws-everything-you-need-to-know/">What's actually in Australia's encryption laws? Everything you need to know (ZDnet)</a></li>
</ul>
<h3>Complete Comparison</h3>
<ul>
<li><a href="https://securechatguide.org/effguide.html">securechatguide.org</a> - Guide to Choosing a Messenger.</li>
<li><a href="https://www.securemessagingapps.com/">securemessagingapps.com</a> - Secure Messaging Apps Comparison.</li>
</ul>
<h3 id="#rtc-independent-security-audits">Independent security audits</h3>
<ul>
<li><a href="https://eprint.iacr.org/2016/1013.pdf">A Formal Security Analysis of the Signal Messaging Protocol (2019)</a> by Katriel Cohn-Gordon, Cas Cremers, Benjamin Dowling, Luke Garratt and Douglas Stebila</li>
<li><a href="https://keybase.io/docs-assets/blog/NCC_Group_Keybase_KB2018_Public_Report_2019-02-27_v1.3.pdf">Keybase's Protocol Security Review (2019)</a> by <a href="https://www.nccgroup.trust/">NCC Group</a></li>
<li><a href="https://www.nccgroup.trust/us/our-research/matrix-olm-cryptographic-review/">Matrix Olm Cryptographic Review</a></li>
<li><a href="https://briarproject.org/news/2017-beta-released-security-audit">Briar - Darknet Messenger Releases Beta, Passes Security Audit</a></li>
</ul>
<hr/>
{% include sections/voice-video-messenger.html %}