mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-07-23 23:01:04 -04:00
simplex install instructions and VPN quote
parent
03cb8ced90
commit
4fbd4e150e
4 changed files with 85 additions and 20 deletions
|
@ -26,8 +26,8 @@ For a more in-depth look at these various considerations, we recommend [The Guid
|
|||
|
||||
Anonymous public-facing projects have additional needs for encrypted communication, because they will be interacting with unknown (and untrusted) contacts:
|
||||
* Anyone can contact the project without requiring a separate channel
|
||||
* Resiliency to [correlation attacks](/glossary/#correlation-attack) from untrusted contacts
|
||||
* Resiliency to [exploits](/glossary/#exploit) from untrusted contacts
|
||||
* Resiliency to [correlation attacks](/glossary/#correlation-attack)
|
||||
* Resiliency to [exploits](/glossary/#exploit)
|
||||
* Multiple project members can access the same messages
|
||||
|
||||
The following options for encrypted messaging are listed from most metadata protection to least.
|
||||
|
@ -78,13 +78,13 @@ You can learn more about how to use Cwtch with the [Cwtch Handbook](https://docs
|
|||
|
||||
Anyone can connect to a public Cwtch account when it is online. In the future, Cwtch bots that are semi-trusted (which are hosted on a Cwtch server) will enable first contact when the public Cwtch account is offline.
|
||||
|
||||
**Resiliency to correlation attacks from untrusted contacts**
|
||||
**Resiliency to correlation attacks**
|
||||
|
||||
Real-time messaging applications are particularly susceptible to end-to-end correlation attacks because of the ability of an adversary, once they know their target's ID on the messaging platform, to trigger incoming network traffic on the target's side by sending them messages on the platform (when the target is online). "Appear Offline Mode" in Cwtch allows a user to selectively connect to trusted contacts and groups, while appearing offline to everyone else. An [issue](https://git.openprivacy.ca/cwtch.im/cwtch-ui/issues/712) is open to further address this.
|
||||
|
||||
[Content padding exists](https://docs.cwtch.im/security/components/tapir/packet_format) to frustrate correlation attacks via message size.
|
||||
|
||||
**Resiliency to exploits from untrusted contacts**
|
||||
**Resiliency to exploits**
|
||||
|
||||
A vulnerability in any application can be targeted with exploits - a severe vulnerability can allow an adversary to hack your system, such as by permitting [Remote Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution). Cwtch does [fuzz testing](https://openprivacy.ca/discreet-log/07-fuzzbot/) to find bugs. For public-facing project accounts, we recommend that you do not enable the "file sharing experiment" or the "image previews and profile pictures experiment" in the settings.
|
||||
|
||||
|
@ -106,7 +106,7 @@ If a project has multiple members, all of them should be able to access the same
|
|||
</summary>
|
||||
<br>
|
||||
|
||||
If you have decided to use a smartphone despite our [recommendation not to use phones](/posts/nophones/), Cwtch is available for Android. Install Cwtch as you would any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid).
|
||||
Install Cwtch as you would any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid).
|
||||
|
||||
<br>
|
||||
</details>
|
||||
|
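Review bot: The replacement line for the Cwtch install step drops both the statement that Cwtch is available for Android and the link to /posts/nophones/, so this block no longer says which platform the step applies to or that phone use is discouraged. If the enclosing summary already names GrapheneOS, the platform is covered, but consider keeping a short pointer to /posts/nophones/ here, since the same caveat is also removed from the Signal install block later in this commit.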
@ -154,6 +154,8 @@ Cwtch on Whonix currently has an [issue](https://git.openprivacy.ca/cwtch.im/cwt
|
|||
<br>
|
||||
</details>
|
||||
|
||||
<br>
|
||||
|
||||
# SimpleX Chat
|
||||
|
||||

|
||||
|
@ -180,13 +182,13 @@ You can learn more about how to use SimpleX Chat with their [guide](https://simp
|
|||
|
||||
Unlike the one-time invitation links that are normally used by SimpleX Chat and shared through a separate channel, you also have a [long term address](https://simplex.chat/docs/guide/app-settings.html#your-profile-settings) that can be published online so that anyone can connect to you. We recommend not enabling "Auto-accept".
|
||||
|
||||
**Resiliency to correlation attacks from untrusted contacts**
|
||||
**Resiliency to correlation attacks**
|
||||
|
||||
Real-time messaging applications are particularly susceptible to end-to-end correlation attacks because of the ability of an adversary, once they know their target's ID on the messaging platform, to trigger incoming network traffic on the target's side by sending them messages on the platform (when the target is online). An [issue](https://github.com/simplex-chat/simplex-chat/issues/3197) is open to address this. Message "mixing" is also [planned](https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations).
|
||||
|
||||
[Content padding exists](https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations) to frustrate correlation attacks via message size.
|
||||
|
||||
**Resiliency to exploits from untrusted contacts**
|
||||
**Resiliency to exploits**
|
||||
|
||||
A vulnerability in any application can be targeted with exploits - a severe vulnerability can allow an adversary to hack your system, such as by permitting [Remote Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution). For public-facing project accounts, we recommend that you set SimpleX Chat preferences to only allow text (prohibiting voice messages and attachments).
|
||||
|
||||
|
@ -194,6 +196,64 @@ A vulnerability in any application can be targeted with exploits - a severe vuln
|
|||
|
||||
If a project has multiple members, all of them should be able to access the same messages independently. Currently, this is not possible with SimpleX Chat.
|
||||
|
||||
<details>
|
||||
<summary>
|
||||
|
||||
**SimpleX Chat Installation on GrapheneOS**
|
||||
|
||||
</summary>
|
||||
<br>
|
||||
|
||||
Install SimpleX Chat as you would any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid).
|
||||
|
||||
<br>
|
||||
</details>
|
||||
|
||||
<details>
|
||||
<summary>
|
||||
|
||||
**SimpleX Chat Installation on Tails**
|
||||
|
||||
</summary>
|
||||
<br>
|
||||
|
||||
* Start Tails with an Adminstration Password.
|
||||
* Download the [AppImage](https://simplex.chat/downloads/#desktop-app) with Tor Browser
|
||||
* According to our [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch), personal data should be stored on a second LUKS USB and Persistent Storage should not be enabled. Copy the .AppImage file to such a personal data LUKS USB.
|
||||
* Make the AppImage executable
|
||||
* In the File Manager, browse to the directory with the file. Right click in the File Manager and select "Open a Terminal Here"
|
||||
* Run `chmod +x simplex-desktop-x86_64.AppImage` and enter the Administration Password when prompted.
|
||||
* To launch, in the Terminal, run:
|
||||
* `./simplex-desktop-x86_64.AppImage`
|
||||
* With Persistent Storage disabled, configuration and profile data must be restored from backup every session. Backup `/home/amnesia/.local/share/simplex` to the personal data LUKS USB, and copy it back to `/home/amnesia/.local/share` in your next session.
|
||||
|
||||
<br>
|
||||
</details>
|
||||
|
||||
|
||||
<details>
|
||||
<summary>
|
||||
|
||||
**SimpleX Chat Installation on Qubes-Whonix**
|
||||
|
||||
</summary>
|
||||
<br>
|
||||
|
||||
SimpleX Chat on Whonix is not guaranteed to have Tor [Stream Isolation](/posts/qubes/#whonix-and-tor) from other applications in the same qube, so we will install it in a dedicated qube. SimpleX Chat is installed in an App qube, not a Template (because it is an AppImage).
|
||||
|
||||
* Download the [AppImage](https://simplex.chat/downloads/#desktop-app) using Tor Browser in a disposable Whonix qube.
|
||||
* [Create an App qube](/posts/qubes/#how-to-organize-your-qubes) with the Template `whonix-ws-16` and networking `sys-whonix`.
|
||||
* Copy the file to your new App qube
|
||||
* Make the AppImage executable
|
||||
* In the File Manager, browse to the directory with the file. Right click in the File Manager and select "Open a Terminal Here"
|
||||
* Run `chmod +x simplex-desktop-x86_64.AppImage`
|
||||
* Reboot the App qube for SimpleX Chat to show up in the **Settings > Applications** tab
|
||||
|
||||
<br>
|
||||
</details>
|
||||
|
||||
<br>
|
||||
|
||||
# Signal
|
||||
|
||||

|
||||
|
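Review bot: Neither the Tails nor the Qubes-Whonix steps verify the downloaded AppImage before `chmod +x` and first launch; add a step that checks the file against whatever signature or checksum the project publishes, since this binary then runs in the session that holds the project's messages. In the Tails steps, "Adminstration" is misspelled, and `chmod +x simplex-desktop-x86_64.AppImage` is shown without sudo, so no Administration Password prompt will appear: either drop "enter the Administration Password when prompted" together with the first bullet, or state which step needs root. In the last Tails bullet, "Backup" used as a verb should be "Back up".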
@ -208,7 +268,7 @@ The Signal Protocol has a moderate amount of metadata protection; [sealed sender
|
|||
|
||||
Signal is not peer-to-peer; it uses centralized servers that we must trust. Signal will work with Tor if used on an operating system that forces it to, such as Whonix or Tails.
|
||||
|
||||
Signing up for a Signal account is difficult to do anonymously. The account is tied to a phone number that the user must still control - due to [changes in "registration lock"](https://blog.privacyguides.org/2022/11/10/signal-number-registration-update/), it is no longer sufficient to register with a disposable phone number. An anonymous phone number can be obtained [on a burner phone or online](https://anonymousplanet.org/guide.html#getting-an-anonymous-phone-number) and must be maintained - most people will not do this. There have been unfounded rumors that Signal plans to remove the need for a phone number after the release of a username feature - however, [registration will still require a phone number](https://mastodon.world/@Mer__edith/110895045552696836).
|
||||
Signing up for a Signal account is difficult to do anonymously. The account is tied to a phone number that the user must still control - due to [changes in "registration lock"](https://blog.privacyguides.org/2022/11/10/signal-number-registration-update/), it is no longer sufficient to register with a disposable phone number. An anonymous phone number can be obtained [on a burner phone or online](https://anonymousplanet.org/guide.html#getting-an-anonymous-phone-number) and must be maintained - most people will not do this.
|
||||
|
||||
Another barrier to anonymous registration is that Signal Desktop will only work if Signal is first registered from a smartphone. For users familiar with the [command line](/glossary/#command-line-interface-cli), it is possible to register an account from a computer using [Signal-cli](http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/about.privacy/messengers-on-tails-os/-/wikis/HowTo#signal). The [VoIP](/glossary#voip-voice-over-internet-protocol) account used for registration would have to be obtained anonymously.
|
||||
|
||||
|
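Review bot: The removed sentence was the only place in this paragraph that says the username feature will not remove the phone-number requirement, and the following section goes on to recommend the username feature. Dropping the "unfounded rumors" framing is fine, but keep a short clause with the existing link, for example "registration will still require a phone number", so readers do not conclude that usernames allow anonymous sign-up.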
@ -216,7 +276,7 @@ These barriers to anonymous registration mean that Signal is rarely used anonymo
|
|||
|
||||
In a recent [repressive operation in France against a riotous demonstration](https://www.notrace.how/resources/read/lafarge-case-the-investigation-methods-used.html#header-access-to-phone-contents-during-and-after-police-custody), the police did exactly that. The phones of suspects were accessed through physically seizing them during arrests and house raids, as well as through spyware, and then Signal contacts and group members were identified. These identities were added to the list of suspects who were subsequently investigated.
|
||||
|
||||
A compromised device contributing to network mapping is partly mitigated by the [username feature](https://community.signalusers.org/t/public-username-testing-staging-environment/56866) - use it to prevent a Signal contact from being able to learn your phone number. In **Settings → Privacy → Phone Number**, set both **Who can see my number** and **Who can find me by number** to **Nobody**. For voice and video calls, Signal reveals the IP address of both parties by default, which could also be used to identify Signal contacts. In **Settings → Privacy → Advanced**, enable **Always relay calls** to prevent this.
|
||||
A compromised device contributing to network mapping is partly mitigated by the [username feature](https://community.signalusers.org/t/public-username-testing-staging-environment/56866) - use it to prevent a Signal contact from being able to learn your phone number. In **Settings → Privacy → Phone Number**, set both **Who can see my number** and **Who can find me by number** to **Nobody**. For voice and video calls, Signal reveals the IP address of both parties by default, which could also be used to identify Signal contacts. If you aren't using Signal from behind a VPN or Tor as [we recommend](/posts/grapheneos/#how-to-install-software), then in **Settings → Privacy → Advanced**, enable **Always relay calls** to prevent this.
|
||||
|
||||
A company that sells spyware to governments has a product called JASMINE that is [marketed to deanonymize Signal users](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products), based on the analysis of metadata.
|
||||
|
||||
|
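Review bot: Making "Always relay calls" conditional on not using a VPN or Tor weakens the advice in the last sentence of the changed paragraph: the setting still protects when the VPN is dropped or not yet connected, so recommend enabling it in all cases, or state what is lost by enabling it behind a VPN. Also, the "we recommend" link points to /posts/grapheneos/#how-to-install-software, an anchor about installing software; link to the section that actually makes the VPN or Tor recommendation.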
@ -236,7 +296,7 @@ Signal was designed to bring encrypted communication to the masses, not for an a
|
|||
</summary>
|
||||
<br>
|
||||
|
||||
If you have decided to use a smartphone [despite our recommendation not to use phones](/posts/nophones/), we recommend the [Signal Configuration and Hardening Guide](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/). As noted above, unless you are familiar with the [Command Line Interface](/glossary/#command-line-interface-cli), Signal needs to be registered on a smartphone before it can be connected to a computer. Install Signal as you would any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid).
|
||||
We recommend the [Signal Configuration and Hardening Guide](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/). As noted above, unless you are familiar with the [Command Line Interface](/glossary/#command-line-interface-cli), Signal needs to be registered on a smartphone before it can be connected to a computer. Install Signal as you would any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid).
|
||||
|
||||
[Molly-FOSS](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/#molly-android) is a fork of Signal with hardening and anti-forensic features available on Android - we recommend it over Signal for anarchists, and extending trust to the Molly team is made easier by its [reproducible builds](https://github.com/mollyim/mollyim-android/tree/main/reproducible-builds). Follow the instructions for [installing software that isn't available in the Play Store](/posts/grapheneos/#software-that-isn-t-on-the-play-store). You can [migrate from an existing Signal account](https://github.com/mollyim/mollyim-android#compatibility-with-signal). Turn on database encryption.
|
||||
|
||||
|
@ -273,7 +333,7 @@ Some of the [Signal Configuration and Hardening Guide](https://blog.privacyguide
|
|||
|
||||
* Go to **Applications menu → Qubes Tools → Qube Manager**
|
||||
* Clone whonix-ws-16 and name it something like whonix-ws-16-signal.
|
||||
* We do this so as not to add attack surface to the base Whonix Workstation template. If you also install other messaging applications like Element Desktop, they could share a cloned template with a name like whonix-ws-16-e2ee
|
||||
* We do this so as not to add attack surface to the base Whonix Workstation template. If you also install other messaging applications like SimpleX Chat, they could share a cloned template with a name like whonix-ws-16-e2ee
|
||||
* Open a Terminal in the new Template: **Applications menu → Template: whonix-ws-16-signal: Xfce Terminal**
|
||||
* Run the commands in the [Signal installation guide](https://www.signal.org/download/linux/) to install Signal Desktop in the Template.
|
||||
* Note that the layout of the Signal installation guide is a bit confusing for users unfamiliar with the command line; `wget` and `cat` are separate commands, but `echo` in #2 is a command so long that it takes two lines (which is why the second line is indented).
|
||||
|
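Review bot: Naming SimpleX Chat as an application that could share the cloned Template conflicts with the Qubes-Whonix instructions added in this same commit, which say SimpleX Chat "is installed in an App qube, not a Template (because it is an AppImage)" and that it should get a dedicated qube. Use an example that is actually installed into a Template, or drop the example from this bullet.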
@ -294,7 +354,6 @@ https_proxy = 127.0.0.1:8082
|
|||
<br>
|
||||
</details>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
# PGP Email
|
||||
|
@ -317,17 +376,17 @@ PGP (Pretty Good Privacy) is not so much a messaging platform as it is a way to
|
|||
|
||||
Anyone can send a message to a public email account regardless of whether the recipient is online or offline.
|
||||
|
||||
**Resiliency to correlation attacks from untrusted contacts**
|
||||
**Resiliency to correlation attacks**
|
||||
|
||||
Email is not a real-time messaging application - this means that it is not particularly susceptible to end-to-end correlation attacks via time.
|
||||
|
||||
No content padding exists to frustrate correlation attacks via message size in email protocols, but if you access the mail servers through Tor then the traffic is padded.
|
||||
|
||||
**Resiliency to exploits from untrusted contacts**
|
||||
**Resiliency to exploits**
|
||||
|
||||
A vulnerability in any application can be targeted with exploits - a severe vulnerability can allow an adversary to hack your system, such as by permitting [Remote Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution). Email can be accessed through webmail (via Tor Browser) or through a client like Thunderbird - these have different attack surfaces. For example, a Cwtch developer found an exploit to [turn Thunderbird into a decryption oracle](https://pseudorandom.resistant.tech/disclosing-security-and-privacy-issues-in-thunderbird.html) when it displays messages with HTML.
|
||||
|
||||
We recommend using Thunderbird, using the setting to display email as "Plain Text" rather than as HTML: View → Message Body As → Plain Text. Most webmail will not function with Tor Browser in "Safest" mode.
|
||||
We recommend using Thunderbird (which is available in Tails and Qubes-Whonix by default) with the setting to display email as "Plain Text" rather than as HTML: View → Message Body As → Plain Text. Most webmail will not function with Tor Browser in "Safest" mode.
|
||||
|
||||
**Multiple project members can access the same messages**
|
||||
|
||||
|
@ -337,9 +396,11 @@ If a project has multiple members, all of them should be able to access the same
|
|||
>
|
||||
>PGP is used for another purpose outside of communication: verifying the integrity and authenticity of files. For this use case, see our [explanation](/posts/tails-best/#appendix-3-gpg-explanation).
|
||||
|
||||
<br>
|
||||
|
||||
# Warnings
|
||||
|
||||
We recommend to not use:
|
||||
We do *not* recommend:
|
||||
* **Telegram**: Telegram has no end-to-end encryption for group chats, and it is opt-in for one-on-one chats. The encryption doesn't use established protocols, and has had cryptographers describe it as ["the most backdoor-looking bug I’ve ever seen"](https://words.filippo.io/dispatches/telegram-ecdh/).
|
||||
* **Matrix/Element**: Matrix has a problem that is inherent in federated networks - terrible [metadata leakage](https://anarc.at/blog/2022-06-17-matrix-notes/#metadata-handling) and [data ownership](https://anarc.at/blog/2022-06-17-matrix-notes/#data-retention-defaults). It has no forward secrecy, the Element client has a large attack surface, and there is a [long list of other issues](https://telegra.ph/why-not-matrix-08-07). What's more, the developers are very friendly with various [national police agencies](https://element.io/blog/bundesmessenger-is-a-milestone-in-germanys-ground-breaking-vision/).
|
||||
* **XMPP Clients**: Regardless of the client, an XMPP server will [always be able to see your contact list](https://coy.im/documentation/security-threat-model/). Additionally, server-side parties (e.g., administrators, attackers, law enforcement) can [inject arbitrary messages, modify address books, log passwords in cleartext](https://web.archive.org/web/20211215132539/https://infosec-handbook.eu/articles/xmpp-aitm/) and [act as a man-in-the-middle](https://notes.valdikss.org.ru/jabber.ru-mitm/).
|
||||
|
|