[О блоге]
[наверх]
[пред]
[2022-11-01 16:06:37+03:00]
[441c4b64eb0ecffb78ed6429e9a78db7b92880e1]
My opinion on privacyguides.org
>I discovered new website called privacyguides.org and they seem support
>privacy and security for censorship and cyberbullies. According to the
>their website the best secure OSes are Fedora, Arch Linux and Qubes
>(Whonix). Could you please check their claims?
Initially when I saw their website, then I liked it, because at least it
is just an up-to-date aggregator of various modern privacy-preserving
software. However then looked at it narrowly, I discovered some very
harmful and dangerous recommendations. Of course in my humble opinion.
All people have varying criteria.
I wanted to criticise several of their points, but let's walk over all
of their recommendations.
* Introduction to passwords: https://www.privacyguides.org/basics/passwords-overview/
Use unique passwords for every service, rotate only when you think of
compromise -- good advices indeed. Use either randomly generated and
securely stored password with password manager, or use diceware
passphrases -- also very good advices, perfect ones.
* Multi-Factor Authentication: https://www.privacyguides.org/basics/multi-factor-authentication/
In general there are no mistakes in that part of recommendations, but
it totally lacks more simple and easier to remember fact, that
authentication can be performed either by something you "know", or by
something you "have", or by something you "are". Passwords is
something you "know". Asymmetric cryptography keys are something you
"have". Biometric information is something you "are". SMS, push
notification, OTPs are something you also have. That page is silent
about the fact, that private asymmetric cryptography key encrypted by
your passphrase is already a two-factor authentication. So ordinary
OpenSSH with encrypted private keys can be treated like 2-factor
authentication from cryptography point of view. Unfortunately remote
side can not prove are you using your keys securely, and most people
won't use any strong passphrases with them (if any at all), so they
tend to force people using often weaker (from cryptography point of
view), but somehow forced hardware security tokens or SMS/push
notifications. It is better for most people, who just do not
understand importance of the strong authentication, but that does not
mean that it will increase security of (for example) OpenSSH model
with passphrase and encrypted private key, assuming that your hardware
is not compromised of course.
* Email security: https://www.privacyguides.org/basics/email-security/
They are right about insecure nature by default and inability to
secure the metadata (message headers). They mention OpenPGP and
S/MIME. And the fact, that there is no forward secrecy for those
security measures (you have to use online protocols for forward
secrecy and possible deniability). Everything is right here.
* VPN: https://www.privacyguides.org/basics/vpn-overview/
They are right that VPN is *just* a shifting of point of trust from
your ISP to someone else. I disagree with their strong "Yes" answer on
"should I use VPN?" question. Everything depends on where you move you
point of trust, who *will* monitor your traffic now. For example if I
will use some widely spread service like NordVPN (I just searched for
VPN and saw its name in first results), then my private data will be
collected by that huge (12M+ of users, as they claim) provider,
instead of my local one in my small town with several thousands of
users. My private data for local ISP is probably so invaluable, that
it won't even collect it for possible further usage. My NordVPN/whatever
big ones will definitely collect it, because... why not, 12M+ of users
is valuable source of data. But yes -- it will hide your IP address
from the end-entity website/service you are using. Or maybe it can be
used to bypass some censorship/firewall restrictions. It is
questionable is it useful and favorable from ethical point of view.
* Android: https://www.privacyguides.org/os/android-overview/
They are right that stock Android is full of closed non-free software
with definitely possible backdoors and huge number of privacy related
misfeatures. But they are silent about the fact, that majority of
those devices have communication chip connected to the same bus/memory
as Android OS itself. And you have no control over that chip, that is
always on and connected to the cellular network and can execute remote
commands transparently from Android OS itself. Nothing prevents it
from reading your memory with ephemeral private keys used for E2EE.
Moreover, I highly doubt that "problem could be solved by using a
custom Android distribution". That year I tried (just out of
curiosity) to build LineageOS, that claims to be fully "open source"
and so on -- there are HUGE number of binary prebuilt packages
involved in the build process. I do not want to say that it is not
possible to build everything from the source code, but LineageOS
definitely does not provide that automation at all. Maybe Replicant is
more serious about that? I did not check, but the whole Android
ecosystem is some kind of strongly biased towards active use of
prebuilt binaries of many components and build tools. In general, I
can not even imagine bearable security regarding any kind of modern
smartphones. The whole ecosystem is built upon control over the user
and his abilities.
* I am glad that there is no information about iOS, where user is
definitely under sole control of Apple, so forget about privacy.
* "Linux" (actually Android is also "Linux", but they also mention
GNU/Linux operating system to clarify that term):
https://www.privacyguides.org/os/linux-overview/
They are right that "open source" will not magically make your
software more secure, invulnerable to attacks, or privacy respecting.
But free software is necessity for the possibility to create that kind
of software. "FOSS" != "secure", but FOSS is *ability* to create it.
They note that GNU/Linux system currently do not have so strong
measures for "verified boot chain" and strong sandboxing. Maybe that
is true, when compared to widespread non-free system. But "verified"
boot chain is actually used for DRM (digital restrictions management)
on them, for preventing user's abilities to make modification to his
own device (yeah, yeah, because company thinks about user's security,
as we heard many times before). And sandboxing is required on those
systems because they are aimed to run non-free closed software, mainly
with malicious misfeatures harming the privacy.
Do I need strong sandboxing on my completely free software system? If
it is fully free, then I expect it not to have something I wanted to
avoid. At least I have got a possibility to do that in many cases. If
I run trusted software, then it won't try to harm my computer, won't
try to spy on me, won't do anything I will regret. So no need in
sandboxing in that ideal world. But software contain bugs and can be
attacked. So we need at least some exploit mitigations, that is true.
That is why I can not treat "verified boot chain" and "sandboxing" as
something highly required and necessary. They are made mainly to
control user's abilities and aimed to run malicious proprietary
software, that sane security/privacy-aware user do not want to run at all.
They are right about "security-focused" distributions, that they are
aimed for offence/attack, not defence.
I strongly disagree with almost every other point they wrote:
* They recommend "bleeding edge" distributions, saying that they will
quickly apply security fixes to the packages. Strongly disagree with
that, because every update in one of hundred/thousand packages you
have is a risk of bringing yet another bug to it. Every update is a
risk that something will misbehave or will stop working, because of
slightly changed library's workflow. Every day you upgrade your
bleeding edge system, you *will* expect something will be broken,
something will be changed (maybe in backwards incompatible way).
Some people will like that, some will want that. But the fact that
you have constantly changing software, constantly having software
that was not definitely by proven by time -- no way it can gain your
security or privacy.
Moreover, let's be honest: how many times any of your packages,
libraries and software are affected by some *security* issue? I run
my desktop system without any major upgrade for more than five
years, following security announcements. And probably once or twice
per year I really need to upgrade/patch anything. And non-bleeding
edge distributions, like Debian, will anyway release
serious/critical updates to their stable long-term versions. 99.99%
of all software updates are about anything, but security issues. And
only part of those issues will affect you and your system. For
example if there is some vulnerability in kernel's PPP-module
solely, then how it will affect people who used it last time more
than twenty years ago?
"Bleeding edge vs stable" versions is mainly a question of
priorities and preferences. But stability is crucial for security.
Real vulnerabilities are relatively seldom thing and they are fixed
even in long-term stable distributions.
* They strongly recommend against Linux-libre kernel, because they
tend to treat constantly updating CPUs microcode as a security
measure. Well, what can I say? I strongly recommend against using of
kernel, that contains non-free software blobs, that downloads and
changes your hardware ('s microcode), because noone knows what that
yet another microcode update brings to you. Possibly yet another
additional backdoor? Non-free software is completely unacceptable
thing for anything related to security or privacy. Additional
non-free software/blob/microcode/whatever -- decreased security.
Automatically updated non-free software -- automatically decreased
security and your computer is just remotely controlled. Their
website literally recommends you to use *more* non-free closed
software. Unacceptable thing and their site can be just silently
closed and be forgotten.
Moreover, are those CPU security vulnerabilities are applicable to
the user who runs trusted free software? Nope, in general. So why
bothering? But if users runs non-free software, understanding all
negative consequences and his system breakage, then why he continues
worrying about his privacy? If you have to run something untrusted,
then use isolated separate computer for that task. At least only it
will be affected by broken security countermeasures. Of course it is
more expensive solution, but it is the only acceptable one I see.
* They recommend Wayland, because X11 protocol allows screen recording
and so on. Again -- why bothering, if you run trusted and controlled
by *you* software? And if you run untrusted non-free software, then
why bother about privacy at all? Why would you run non-free software?
I am not against Wayland, but it is stupid advice concerning security.
Question is simple: who controls your PC? If it is not you (you run
non-free software), then exactly that is the main problem you have
to solve, not the X11/Wayland-protocol security.
* Why there is no mention of BSD operating systems? I am convinced and
sure that they are undoubtedly more secure and privacy respecting out
of box. Each year I consider how less control you have other modern
popular GNU/Linux distributions. Many (and page about "Linux" also
notes that) distributions tend to automatically generate some unique
identifier and use it during enabled-by-default software updates, that
is completely incompatible with the privacy. Moreover widespread BSD
systems are much more lightweight, minimalistic and easier to deal
with, because there are just fewer number of unnecessary complex
components involved. BSD systems as a rule are complete operating
systems, done by the same developers throughout the whole components.
That is why their quality and user experience tend to be much higher.
Most security features appeared in GNU/Linux ecosystem were invented
in BSD OSes. BSDs are often ahead of GNU/Linux world by many features
and technologies, of proven quality and stability.
* DNS: https://www.privacyguides.org/advanced/dns-overview/
Mostly everything is written correctly. However they claim that
"unencrypted DNS always uses UDP" -- that is just not true, because
big queries may initiate TCP connection too. I will nag that you do
not need *encryption* to make your data unmodifiable. DNSSEC
records are not encrypted, but they can not be modified without
revealing that fact
* Tor: https://www.privacyguides.org/advanced/tor-overview/
They write that Tor is decentralized network. This is lie. It is
distributed, yes, but centralized -- they have got centralized
closed-source database servers keeping the state of all nodes and
censoring who can participate in the network (that already happened
several times). They claim that it is designed "with as much privacy
as possible" -- can not agree there too, because technically they
contain *very* primitive technologies, especially comparing to I2P
project as an example. Powerful adversary, like government, can
deanonymize Tor participants by monitoring network activities in Tor.
I2P really tries to hide timing information by using "garlic" packet
assembling and two unidirectional channels with independent network paths.
And although I was high-bandwidth Tor exit-node for years, having
multiple accidents and interrogations with local police forces, I
changed my mind about that network and strongly against supporting
that network. As with BitTorrent, I am convinced that it is unfair to
use it without participating back (by starting up relay node), without
sharing your resources too. And I am united in solidarity with
https://withblue.ink/2020/11/12/maybe-we-shouldnt-want-a-fully-decentralized-web.html
article, where you have to think about ethical questions, about the
responsibility. For me, Tor is a censorship-bypassing technology
mainly for spreading the propaganda.
* Page about centralized, federated and peer-to-peer network topologies
is pretty good indeed: https://www.privacyguides.org/advanced/communication-network-types/
And I like that they do not bias the reader to any type. Each of them
has their pros and cons. Even centralized Signal could be the best
choice for many people. Personally I am fan of federated networks.
* "Linux" choices: https://www.privacyguides.org/linux-desktop/
They recommend Fedora, openSUSE... but are not this website is solely
about privacy protection? I assume that they treat any GNU/Linux
distribution as already much better choice than either Microsoft
Windows, or Apple macOS. But that is not true and looks like just
harmful advice. Fedora, Ubuntu and similar widespread distributions
are not differ much from any of non-free OSes: by default they tend to
automatically and transparently deanonymize you (of course for your
better user experience), to leak your search queries, to leak mistyped
commands, to easily run non-free software (Flatpack, Snappy
technologies) out-of-box. Every time I have installed and run any of
those distributions (to check some of my software buildability and
workability under them) -- each damn time I find many bugs and awful
overall quality and stability. Latest Fedora is so damn slow and
bloated, that it can hardly even boot from not so fast USB flash
drive, leading to timeouts and programs to exit.
How any of those distributions can be secure, when they contain a
biggest pile of crap (yes, I intentionally emphasize my worst attitude
to that terrible anti-Unix mess of bugs and inflexibilities) called
systemd? Its authors once decided even to hard-code Google's public
nameservers -- no privacy-aware person can allow that step possibility.
https://suckless.org/sucks/systemd/
I really treat systemd-driven distributions no better than any of
Microsoft/Apple proprietary creations. The same experience, same
insecurity, same snake-oil with beautiful (meaningless in practice)
words about the importance of user's privacy.
However mention of NixOS is a good one. That distribution has very
interesting and attractive package system with reproducible builds.
* Router distributions: https://www.privacyguides.org/router/
Can not comment anything here, because I have never used any
specialized router software. I have always had just an ordinary OS
installed for that task on separate computer. However I dealt with
m0n0wall, that is base for pfSense, that is base for OPNsense and can
not say anything against it. If it is more convenient to you, then why not?
* DNS recommendation: https://www.privacyguides.org/dns/
Awful and pretty harmful recommendation is using some huge network
like Cloudflare. Instead of your ISP collecting the DNS data, you
move that collection to the huge world-wide company, just helping
privacy-hating corporations to spy on you more easily. It is the same
as to use Facebook solely for all actions. For example I completely
(once again) distrusted Firefox, when they enabled DoH feature by
default, leading millions of users to leak their DNS queries to one of
the biggest companies in the world. Completely unacceptable and insane.
Another option they misses: just setting up your own DNS recursive
resolver on VPS (that are very cheap nowadays) and setting ordinary
IPsec/WireGuard tunnel to secure requests/responses to it, without
using specialized unnecessary higher level protocols for that task.
* Email provider recommendation: https://www.privacyguides.org/email/
Actually that is the most hated page by me. Considering ProtonMail
completely depreciates any value of the whole website, because it is
total snake-oil.
First of all, what does email provider intended to do? It is just
always available server that temporary stores some outgoing
correspondence from you, until destination server is available and
receives it. And it stores incoming correspondence probably long-term,
until you receive it with you mail user agent (MUA). Email ecosystem
does not require connections between email providers to be encrypted
and authenticated. In practice many of them does not support that at
all. And noone can force TLS usage, because there just can not exist
common trust anchor for their authentication (geopolitics and so on).
So you can never be sure that your email correspondence is passed over
encrypted/authenticated transports solely. That is why you can only do
end-to-end encryption for assuring correspondence confidentiality.
Who can be responsible for encryption and authentication while you
communicate with other people? I assume that this is obvious that only
*you* can be that responsible person, because only you (and whom you
talk to) is interested in that. And of course technically encryption
and authentication can be done in a trusted way only on the computer
controlled by you. If computer is not under your control -- no privacy
and security can be expected. If third-party does encryption/authentication
instead of you -- the same applies.
So again, what could you expect from email provider? Actually just a
reliable work with enough storage. You can neither force, nor expect
it to use encrypted transport. And your encryption/authentication,
that is done on you computer, does not require any support from the
provider. So there is practically no difference between any of email
providers from security point of view if you REALLY do end-to-end
secure communications. Some of email providers require you to give
real world identities, some of them require cellphone number binding.
But in general they are just temporary buffers in the network, nothing
more.
I heard that ProtonMail did not provide ability to use SMTP/POP3/IMAP4
on free accounts. That means that you can not use ordinary MUA on the
computer under your control. So their free account just can not be
used for secure communications. They offer (offered?) only web-based
access, that requires you to run some automatically downloaded
software from their server (JavaScript code inside the browser).
The most awful thing is that they provide OpenPGP functionality based
on that JavaScript code. That means that your computer runs *their*
software (that can be changed anytime without you notice that fact).
Complete understanding of some data channel insecurity -- is ok. But
false sense of security (when you believe about security, but that can
be false assumption) is much worse: you can not make adequate risk
management. And ProtonMail just gives exactly the fail sense of
security. Even if your private key is kept in encrypted form on their
server and is decrypted only inside your browser, nothing prevents
them to slightly modify the code *you* run in your browser to make
your key/message/whatever leaked.
EVERYTHING that relies on code running inside your browser, that is
downloaded from remote server not under your control -- can not be
trusted and you literally has no control over your computer.
I did not read/check about other email providers, because either it is
the same snake-oil, or just irrelevant from security point of view.
I can not comment anything about self-hosting email section, because
it relies on assumption that you would use webmail solution, that is
just can not be (securely) compatible with OpenPGP in a sane way.
Email has to be used through MUA.
* Disk encryption: https://www.privacyguides.org/encryption/
It is pure insanity to recommend BitLocker. Ok, that is already
insanity to use Windows and expect any kind of security from it, but
BitLocker is known (https://media.ccc.de/v/35c3-9671-self-encrypting_deception)
just to silently bypass encryption and rely on built-in SSD methods,
that are known often to be complete snake-oil.
There are much information about various software. There are many
proprietary closed-source non-free ones, so, again, shame on that
resource -- non-free software never can be a choice regarding security
or privacy. Of course there are good software mentioned too, like
Syncthing, Mutt, GnuPG and similar things. But considering non-free or
JavaScript-driven solutions brings a false sense of security, that is
much worse than adequate understanding of lack of security.
[оставить комментарий]