Merge pull request #177 from DaShoe/master

Update README.md
This commit is contained in:
Alicia Sykes 2022-04-22 13:38:20 +01:00 committed by GitHub
commit b1b858ee7c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -166,7 +166,7 @@ The big companies providing "free" email service, don't have a good reputation f
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Only Use Fully End-to-End Encrypted Messengers** | Recommended | [End-to-end encryption](https://en.wikipedia.org/wiki/End-to-end_encryption) is a system of communication where messages are encrypted on your device and not decrypted until they reach the intend recipient. This ensures that any actor who intercepts traffic cannot read the message contents, nor can the anybody with access to the central servers where data is stored. Note that if an app is not completely open source, the extent to which the encryption is implemented cannot be verified, and it should not be trusted.
**Use only Open Source Messaging Platforms** | Recommended | If code is open source then it can be independently examined and audited by anyone qualified to do so, to ensure that there are no backdoors, vulnerabilities, or other security issues. Therefore propriety applications should not be trusted for communicating sensitive information. In open source echosystems, bugs are raised transparently and are usually fixed quickly, and version histories can show who added what, and when. When downloading a pre-built package, you can verify that it has not been tampered with by [doing a hash check](https://proprivacy.com/guides/how-why-and-when-you-should-hash-check) and comparing the digital signatures. It's important to note that, no piece of software that it totally bug free, and hence never truly secure or private- being open source, is in no way a guarantee that something is safe
**Use only Open Source Messaging Platforms** | Recommended | If code is open source then it can be independently examined and audited by anyone qualified to do so, to ensure that there are no backdoors, vulnerabilities, or other security issues. Therefore propriety applications should not be trusted for communicating sensitive information. In open source echosystems, bugs are raised transparently and are usually fixed quickly, and version histories can show who added what, and when. When downloading a pre-built package, you can verify that it has not been tampered with by [doing a hash check](https://proprivacy.com/guides/how-why-and-when-you-should-hash-check) and comparing the digital signatures. It's important to note that, no piece of software is totally bug free, and hence never truly secure or private- being open source, is in no way a guarantee that something is safe
**Use a "Trustworthy" Messaging Platform** | Recommended | When selecting an encrypted messaging app, ensure it's fully open source. It should be stable and actively maintained. Ideally it should be backed by reputable developers or at least be fully clear where funding originates from and/ or what their revenue model is. It should have undergone an independent code audit, with results publicly published
**Check Security Settings** | Recommended | Enable security settings, including contact verification, security notifications and encryption. Disable optional non-security features such as read receipt, last online and typing notification. If the app supports cloud sync either for backup or for access through a desktop or web app companion, this increases the attack surface and so should be disabled
**Ensure your Recipients Environment is Secure** | Recommended | Your conversation can only be as secure as the weakest link. Often the easiest way to infiltrate a communications channel, is to target the individual or node with the least protection. They may not even be aware that their environment has been compromised, leading to sensitive information being captured by an adversary. The best solution to this is to educate and inform the participants in your conversation, about good security practices. Focus on secure authentication, device encryption, network security and malware prevention
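Review bot: the changed row still carries two spelling errors that this typo-fix commit could have picked up at the same time: "propriety applications" should read "proprietary applications" and "open source echosystems" should read "open source ecosystems". The same sentence would also read more cleanly as "It's important to note that no piece of software is totally bug free, and hence never truly secure or private; being open source is in no way a guarantee that something is safe" (drop the comma after "that" and replace the dangling "private-"). One substantive point on the same row: "doing a hash check and comparing the digital signatures" conflates two different checks; a hash only proves the download matches the hash the publisher lists, which is only meaningful if that hash was fetched over a trusted channel, whereas a signature check verifies the package against the maintainer's signing key. Consider splitting the sentence so the reader knows which of the two actually protects against a tampered download site.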