[2022-11-01 16:06:37+03:00]

My opinion on privacyguides.org

>I discovered a new website called privacyguides.org and they seem to
>support privacy and security for censorship and cyberbullies. According
>to their website the best secure OSes are Fedora, Arch Linux and Qubes
>(Whonix). Could you please check their claims?

Initially, when I saw their website, I liked it, because at least it is
an up-to-date aggregator of various modern privacy-preserving software.
However, when I looked at it more closely, I discovered some very
harmful and dangerous recommendations. In my humble opinion, of course.
All people have varying criteria.

I wanted to criticise several of their points, but let's walk over all
of their recommendations.

* Introduction to passwords: https://www.privacyguides.org/basics/passwords-overview/
  Use unique passwords for every service, rotate only when you suspect a
  compromise -- good advice indeed. Use either a randomly generated
  password securely stored in a password manager, or diceware
  passphrases -- also very good advice, perfect.

* Multi-Factor Authentication: https://www.privacyguides.org/basics/multi-factor-authentication/
  In general there are no mistakes in that part of the recommendations,
  but it totally lacks a simpler and easier to remember fact:
  authentication can be performed either by something you "know", or by
  something you "have", or by something you "are". Passwords are
  something you "know". Asymmetric cryptography keys are something you
  "have". Biometric information is something you "are". SMS, push
  notifications and OTPs are also something you have. That page is
  silent about the fact that a private asymmetric cryptography key
  encrypted by your passphrase is already two-factor authentication. So
  ordinary OpenSSH with encrypted private keys can be treated as
  2-factor authentication from the cryptography point of view.
  Unfortunately the remote side can not verify whether you are using
  your keys securely, and most people won't use strong passphrases with
  them (if any at all), so they tend to force people to use often
  weaker (from the cryptography point of view), but somehow enforced,
  hardware security tokens or SMS/push notifications. That is better for
  most people, who just do not understand the importance of strong
  authentication, but it does not mean that it will increase the
  security of (for example) the OpenSSH model with a passphrase and an
  encrypted private key, assuming that your hardware is not compromised
  of course.

* Email security: https://www.privacyguides.org/basics/email-security/
  They are right about email's insecure-by-default nature and the
  inability to secure the metadata (message headers). They mention
  OpenPGP and S/MIME, and the fact that there is no forward secrecy
  with those security measures (you have to use online protocols for
  forward secrecy and possible deniability). Everything is right here.

* VPN: https://www.privacyguides.org/basics/vpn-overview/
  They are right that a VPN is *just* a shift of the point of trust from
  your ISP to someone else. I disagree with their strong "Yes" answer to
  the "should I use VPN?" question. Everything depends on where you move
  your point of trust, on who *will* monitor your traffic now. For
  example, if I use some widespread service like NordVPN (I just
  searched for VPN and saw its name in the first results), then my
  private data will be collected by that huge (12M+ users, as they
  claim) provider, instead of my local one in my small town with several
  thousand users. My private data is probably of so little value to my
  local ISP that it won't even collect it for possible further usage.
  NordVPN or whatever big ones will definitely collect it, because...
  why not, 12M+ users is a valuable source of data. But yes -- it will
  hide your IP address from the end-entity website/service you are
  using. Or maybe it can be used to bypass some censorship/firewall
  restrictions. Whether that is useful and favorable from an ethical
  point of view is questionable.

* Android: https://www.privacyguides.org/os/android-overview/
  They are right that stock Android is full of closed non-free software
  with definitely possible backdoors and a huge number of
  privacy-related misfeatures. But they are silent about the fact that
  the majority of those devices have a communication chip connected to
  the same bus/memory as the Android OS itself. And you have no control
  over that chip, which is always on and connected to the cellular
  network and can execute remote commands transparently to the Android
  OS itself. Nothing prevents it from reading your memory with ephemeral
  private keys used for E2EE. Moreover, I highly doubt that "problem
  could be solved by using a custom Android distribution". That year I
  tried (just out of curiosity) to build LineageOS, which claims to be
  fully "open source" and so on -- there is a HUGE number of prebuilt
  binary packages involved in the build process. I do not want to say
  that it is not possible to build everything from the source code, but
  LineageOS definitely does not provide that automation at all. Maybe
  Replicant is more serious about that? I did not check, but the whole
  Android ecosystem is kind of strongly biased towards active use of
  prebuilt binaries of many components and build tools. In general, I
  can not even imagine bearable security with any kind of modern
  smartphone. The whole ecosystem is built upon control over the user
  and his abilities.

* I am glad that there is no information about iOS, where the user is
  definitely under the sole control of Apple, so forget about privacy.

* "Linux" (actually Android is also "Linux", but they also mention
  GNU/Linux operating system to clarify that term):
  https://www.privacyguides.org/os/linux-overview/
  They are right that "open source" will not magically make your
  software more secure, invulnerable to attacks, or privacy respecting.
  But free software is a necessity for the possibility to create that
  kind of software. "FOSS" != "secure", but FOSS is the *ability* to
  create it.

  They note that GNU/Linux systems currently do not have such strong
  measures for "verified boot chain" and strong sandboxing. Maybe that
  is true, when compared to widespread non-free systems. But "verified"
  boot chain is actually used for DRM (digital restrictions management)
  on them, for preventing the user from making modifications to his own
  device (yeah, yeah, because the company thinks about the user's
  security, as we heard many times before). And sandboxing is required
  on those systems because they are aimed at running non-free closed
  software, mainly with malicious misfeatures harming privacy.

  Do I need strong sandboxing on my completely free software system? If
  it is fully free, then I expect it not to have something I want to
  avoid. At least I have got a possibility to do that in many cases. If
  I run trusted software, then it won't try to harm my computer, won't
  try to spy on me, won't do anything I will regret. So there is no need
  for sandboxing in that ideal world. But software contains bugs and can
  be attacked. So we need at least some exploit mitigations, that is
  true. That is why I can not treat "verified boot chain" and
  "sandboxing" as something highly required and necessary. They are made
  mainly to control the user's abilities and are aimed at running
  malicious proprietary software, which a sane security/privacy-aware
  user does not want to run at all.

  They are right about "security-focused" distributions, that they are
  aimed at offence/attack, not defence.

  I strongly disagree with almost every other point they wrote:

  * They recommend "bleeding edge" distributions, saying that they will
    quickly apply security fixes to the packages. I strongly disagree
    with that, because every update in one of the hundreds/thousands of
    packages you have is a risk of bringing yet another bug to it. Every
    update is a risk that something will misbehave or will stop working,
    because of a slightly changed library's workflow. Every day you
    upgrade your bleeding edge system, you *will* expect that something
    will be broken, something will be changed (maybe in a backwards
    incompatible way). Some people will like that, some will want that.
    But the fact that you have constantly changing software, constantly
    having software that was definitely not proven by time -- no way it
    can improve your security or privacy.

    Moreover, let's be honest: how often are any of your packages,
    libraries and software affected by some *security* issue? I have run
    my desktop system without any major upgrade for more than five
    years, following security announcements. And probably once or twice
    per year I really need to upgrade/patch anything. And non-bleeding
    edge distributions, like Debian, will anyway release
    serious/critical updates to their stable long-term versions. 99.99%
    of all software updates are about anything but security issues. And
    only part of those issues will affect you and your system. For
    example, if there is some vulnerability solely in the kernel's
    PPP-module, then how will it affect people who last used it more
    than twenty years ago?

    "Bleeding edge vs stable" versions is mainly a question of
    priorities and preferences. But stability is crucial for security.
    Real vulnerabilities are relatively rare and they are fixed
    even in long-term stable distributions.

  * They strongly recommend against the Linux-libre kernel, because they
    tend to treat constantly updating the CPU's microcode as a security
    measure. Well, what can I say? I strongly recommend against using a
    kernel that contains non-free software blobs, that downloads and
    changes your hardware('s microcode), because no one knows what yet
    another microcode update brings you. Possibly yet another
    additional backdoor? Non-free software is a completely unacceptable
    thing for anything related to security or privacy. Additional
    non-free software/blob/microcode/whatever -- decreased security.
    Automatically updated non-free software -- automatically decreased
    security and your computer is just remotely controlled. Their
    website literally recommends you to use *more* non-free closed
    software. An unacceptable thing, and their site can be just silently
    closed and forgotten.

    Moreover, are those CPU security vulnerabilities applicable to
    the user who runs trusted free software? Nope, in general. So why
    bother? But if a user runs non-free software, understanding all the
    negative consequences and his system breakage, then why does he
    continue worrying about his privacy? If you have to run something
    untrusted, then use an isolated separate computer for that task. At
    least only it will be affected by broken security countermeasures.
    Of course it is a more expensive solution, but it is the only
    acceptable one I see.

  * They recommend Wayland, because the X11 protocol allows screen
    recording and so on. Again -- why bother, if you run software that
    is trusted and controlled by *you*? And if you run untrusted
    non-free software, then why bother about privacy at all? Why would
    you run non-free software? I am not against Wayland, but it is
    stupid advice concerning security. The question is simple: who
    controls your PC? If it is not you (you run non-free software), then
    exactly that is the main problem you have to solve, not the
    X11/Wayland-protocol security.

* Why is there no mention of BSD operating systems? I am convinced and
  sure that they are undoubtedly more secure and privacy respecting out
  of the box. Each year I consider how much less control you have over
  modern popular GNU/Linux distributions. Many (and the page about
  "Linux" also notes that) distributions tend to automatically generate
  some unique identifier and use it during enabled-by-default software
  updates, which is completely incompatible with privacy. Moreover,
  widespread BSD systems are much more lightweight, minimalistic and
  easier to deal with, because there is just a smaller number of
  unnecessary complex components involved. BSD systems as a rule are
  complete operating systems, done by the same developers throughout all
  the components. That is why their quality and user experience tend to
  be much higher. Most security features that appeared in the GNU/Linux
  ecosystem were invented in BSD OSes. BSDs are often ahead of the
  GNU/Linux world by many features and technologies, of proven quality
  and stability.

* DNS: https://www.privacyguides.org/advanced/dns-overview/
  Mostly everything is written correctly. However they claim that
  "unencrypted DNS always uses UDP" -- that is just not true, because
  big queries may initiate a TCP connection too. I will nag that you do
  not need *encryption* to make your data unmodifiable. DNSSEC
  records are not encrypted, but they can not be modified without
  revealing that fact.

* Tor: https://www.privacyguides.org/advanced/tor-overview/
  They write that Tor is a decentralized network. This is a lie. It is
  distributed, yes, but centralized -- they have got centralized
  closed-source database servers keeping the state of all nodes and
  censoring who can participate in the network (that already happened
  several times). They claim that it is designed "with as much privacy
  as possible" -- I can not agree there either, because technically they
  contain *very* primitive technologies, especially compared to the I2P
  project as an example. A powerful adversary, like a government, can
  deanonymize Tor participants by monitoring network activities in Tor.
  I2P really tries to hide timing information by using "garlic" packet
  assembling and two unidirectional channels with independent network
  paths.

  And although I was a high-bandwidth Tor exit-node operator for years,
  having multiple incidents and interrogations with local police forces,
  I changed my mind about that network and am strongly against
  supporting it. As with BitTorrent, I am convinced that it is unfair to
  use it without participating back (by starting up a relay node),
  without sharing your resources too. And I am united in solidarity with
  the
  https://withblue.ink/2020/11/12/maybe-we-shouldnt-want-a-fully-decentralized-web.html
  article, where you have to think about ethical questions, about the
  responsibility. For me, Tor is a censorship-bypassing technology
  mainly for spreading propaganda.

* Page about centralized, federated and peer-to-peer network topologies
  is pretty good indeed: https://www.privacyguides.org/advanced/communication-network-types/
  And I like that they do not bias the reader towards any type. Each of
  them has its pros and cons. Even centralized Signal could be the best
  choice for many people. Personally I am a fan of federated networks.

* "Linux" choices: https://www.privacyguides.org/linux-desktop/
  They recommend Fedora, openSUSE... but isn't this website solely
  about privacy protection? I assume that they treat any GNU/Linux
  distribution as already a much better choice than either Microsoft
  Windows or Apple macOS. But that is not true and looks like just
  harmful advice. Fedora, Ubuntu and similar widespread distributions
  do not differ much from any of the non-free OSes: by default they tend
  to automatically and transparently deanonymize you (of course for your
  better user experience), to leak your search queries, to leak mistyped
  commands, to easily run non-free software (Flatpak, Snappy
  technologies) out-of-box. Every time I have installed and run any of
  those distributions (to check the buildability and workability of some
  of my software under them) -- each damn time I find many bugs and
  awful overall quality and stability. The latest Fedora is so damn slow
  and bloated, that it can hardly even boot from a not so fast USB flash
  drive, leading to timeouts and programs exiting.

  How can any of those distributions be secure, when they contain the
  biggest pile of crap (yes, I intentionally emphasize my worst attitude
  to that terrible anti-Unix mess of bugs and inflexibilities) called
  systemd? Its authors once decided even to hard-code Google's public
  nameservers -- no privacy-aware person can allow the possibility of
  such a step.
  https://suckless.org/sucks/systemd/

  I really treat systemd-driven distributions as no better than any of
  the Microsoft/Apple proprietary creations. The same experience, same
  insecurity, same snake-oil with beautiful (meaningless in practice)
  words about the importance of the user's privacy.

  However, the mention of NixOS is a good one. That distribution has a
  very interesting and attractive package system with reproducible
  builds.

* Router distributions: https://www.privacyguides.org/router/
  I can not comment on anything here, because I have never used any
  specialized router software. I have always had just an ordinary OS
  installed for that task on a separate computer. However I dealt with
  m0n0wall, which is the base for pfSense, which is the base for
  OPNsense, and can not say anything against it. If it is more
  convenient to you, then why not?

* DNS recommendation: https://www.privacyguides.org/dns/
  Using some huge network like Cloudflare is an awful and pretty harmful
  recommendation. Instead of your ISP collecting the DNS data, you
  move that collection to a huge world-wide company, just helping
  privacy-hating corporations to spy on you more easily. It is the same
  as using Facebook solely for all actions. For example I completely
  (once again) distrusted Firefox, when they enabled the DoH feature by
  default, leading millions of users to leak their DNS queries to one of
  the biggest companies in the world. Completely unacceptable and insane.

  Another option they miss: just setting up your own recursive DNS
  resolver on a VPS (which are very cheap nowadays) and setting up an
  ordinary IPsec/WireGuard tunnel to secure requests/responses to it,
  without using specialized unnecessary higher level protocols for that
  task.

* Email provider recommendation: https://www.privacyguides.org/email/
  Actually that is the page I hate the most. Considering ProtonMail
  completely depreciates any value of the whole website, because it is
  total snake-oil.

  First of all, what is an email provider intended to do? It is just an
  always available server that temporarily stores some outgoing
  correspondence from you, until the destination server is available and
  receives it. And it stores incoming correspondence probably long-term,
  until you receive it with your mail user agent (MUA). The email
  ecosystem does not require connections between email providers to be
  encrypted and authenticated. In practice many of them do not support
  that at all. And no one can force TLS usage, because there just can
  not exist a common trust anchor for their authentication (geopolitics
  and so on). So you can never be sure that your email correspondence is
  passed solely over encrypted/authenticated transports. That is why you
  can only do end-to-end encryption for assuring correspondence
  confidentiality.

  Who can be responsible for encryption and authentication while you
  communicate with other people? I assume it is obvious that only
  *you* can be that responsible person, because only you (and whom you
  talk to) are interested in that. And of course technically encryption
  and authentication can be done in a trusted way only on a computer
  controlled by you. If the computer is not under your control -- no
  privacy and security can be expected. If a third party does
  encryption/authentication instead of you -- the same applies.

  So again, what could you expect from an email provider? Actually just
  reliable work with enough storage. You can neither force, nor expect
  it to use encrypted transport. And your encryption/authentication,
  that is done on your computer, does not require any support from the
  provider. So there is practically no difference between any of the
  email providers from the security point of view if you REALLY do
  end-to-end secure communications. Some email providers require you to
  give real world identities, some of them require cellphone number
  binding. But in general they are just temporary buffers in the
  network, nothing more.

  I heard that ProtonMail did not provide the ability to use
  SMTP/POP3/IMAP4 on free accounts. That means that you can not use an
  ordinary MUA on the computer under your control. So their free account
  just can not be used for secure communications. They offer (offered?)
  only web-based access, which requires you to run some automatically
  downloaded software from their server (JavaScript code inside the
  browser).

  The most awful thing is that they provide OpenPGP functionality based
  on that JavaScript code. That means that your computer runs *their*
  software (that can be changed anytime without you noticing that fact).
  Complete understanding of some data channel's insecurity -- is ok. But
  a false sense of security (when you believe in security, but that can
  be a false assumption) is much worse: you can not make adequate risk
  management. And ProtonMail gives exactly that false sense of
  security. Even if your private key is kept in encrypted form on their
  server and is decrypted only inside your browser, nothing prevents
  them from slightly modifying the code *you* run in your browser to
  make your key/message/whatever leak.

  EVERYTHING that relies on code running inside your browser, that is
  downloaded from a remote server not under your control -- can not be
  trusted and you literally have no control over your computer.

  I did not read/check about other email providers, because either it is
  the same snake-oil, or just irrelevant from security point of view.

  I can not comment on the self-hosting email section, because
  it relies on the assumption that you would use a webmail solution,
  which just can not be (securely) compatible with OpenPGP in a sane way.
  Email has to be used through a MUA.

* Disk encryption: https://www.privacyguides.org/encryption/
  It is pure insanity to recommend BitLocker. Ok, it is already
  insanity to use Windows and expect any kind of security from it, but
  BitLocker is known (https://media.ccc.de/v/35c3-9671-self-encrypting_deception)
  to just silently bypass encryption and rely on built-in SSD methods,
  that are known often to be complete snake-oil.
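
On the DNS overview point above (plain DNS is not UDP-only), an added example that is not part of the original post or of privacyguides.org: a client that repeats its query over TCP when the UDP reply carries the truncation (TC) flag, using TCP's 2-byte length framing. The fake_server transports and the small.example/big.example names are constructed, so nothing is sent over the network.

```python
import struct

QR, TC = 0x8000, 0x0200   # header flags: "response" and "truncated" (RFC 1035)
UDP_LIMIT = 512           # classic maximum DNS payload over UDP without EDNS0

def build_query(name, qtype=16, qid=0x1A2B):
    """Encode a one-question query (qtype 16 = TXT, class 1 = IN, RD set)."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname
            + struct.pack("!HH", qtype, 1))

def header_of(msg):
    """Return (id, flags) from the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    return struct.unpack("!HH", msg[:4])

def tcp_frame(msg):
    """Over TCP every DNS message carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    """Extract the first length-prefixed message from a TCP byte stream."""
    if len(stream) < 2:
        raise ValueError("missing length prefix")
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        raise ValueError("incomplete message")
    return stream[2:2 + n]

def checked(query, reply):
    """Return the reply's flags after matching its ID and QR bit to the query."""
    rid, flags = header_of(reply)
    if rid != header_of(query)[0] or not flags & QR:
        raise ValueError("reply does not match the query")
    return flags

def resolve(query, udp_send, tcp_send):
    """Ask over UDP; if the reply has TC set, repeat the query over TCP."""
    transport, reply = "udp", udp_send(query)
    if checked(query, reply) & TC:
        transport, reply = "tcp", tcp_unframe(tcp_send(tcp_frame(query)))
        if checked(query, reply) & TC:
            raise ValueError("truncated reply over TCP")
    return transport, reply

def fake_server(txt_len):
    """Constructed resolver stand-in answering with txt_len bytes of TXT data."""
    def full_reply(q):
        chunks = [b"x" * min(255, txt_len - i) for i in range(0, txt_len, 255)]
        rdata = b"".join(bytes([len(c)]) + c for c in chunks)
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
        header = struct.pack("!HHHHHH", header_of(q)[0], 0x8180, 1, 1, 0, 0)
        return header + q[12:] + rr

    def udp_send(q):
        reply = full_reply(q)
        if len(reply) <= UDP_LIMIT:
            return reply
        # Too large for UDP: header and question only, with the TC flag set.
        header = struct.pack("!HHHHHH", header_of(q)[0], 0x8180 | TC, 1, 0, 0, 0)
        return header + q[12:]

    def tcp_send(framed):
        return tcp_frame(full_reply(tcp_unframe(framed)))

    return udp_send, tcp_send

if __name__ == "__main__":
    for name, size in (("small.example", 20), ("big.example", 900)):
        transport, reply = resolve(build_query(name), *fake_server(size))
        print(name, transport, len(reply), "bytes")
```

Filtering or logging that only covers UDP port 53 never sees the second exchange.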

There is much information about various software. There are many
proprietary closed-source non-free ones, so, again, shame on that
resource -- non-free software can never be a choice regarding security
or privacy. Of course there is good software mentioned too, like
Syncthing, Mutt, GnuPG and similar things. But considering non-free or
JavaScript-driven solutions brings a false sense of security, which is
much worse than an adequate understanding of the lack of security.
