mirror of
https://github.com/privacyguides/privacyguides.org.git
synced 2024-10-01 01:35:57 -04:00
Feedback for encryption page, and other corrections (#847)
parent
325f511234
commit
28d7c1b3c0
@ -4,7 +4,7 @@ icon: material/file-cloud
|
|||||||
---
|
---
|
||||||
If you are currently using a Cloud Storage Service like Dropbox, Google Drive, Microsoft OneDrive or Apple iCloud, you are putting complete trust in your service provider to not look at your files.
|
If you are currently using a Cloud Storage Service like Dropbox, Google Drive, Microsoft OneDrive or Apple iCloud, you are putting complete trust in your service provider to not look at your files.
|
||||||
|
|
||||||
Consider reducing the need to trust your provider, by using an alternative below that supports [end-to-end encryption (E2EE)](https://wikipedia.org/wiki/End-to-end_encryption).
|
Trust your provider by using an alternative below that supports [end-to-end encryption (E2EE)](https://wikipedia.org/wiki/End-to-end_encryption).
|
||||||
|
|
||||||
### Nextcloud
|
### Nextcloud
|
||||||
!!! recommendation
|
!!! recommendation
|
||||||
|
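Review bot: The rewritten second paragraph now reads "Trust your provider by using an alternative below that supports [end-to-end encryption (E2EE)]", which reverses the meaning of the sentence it replaces. The old line asked readers to reduce the need to trust the provider, which is the purpose of E2EE and follows from the preceding sentence about putting complete trust in the provider. Suggest keeping the original sense, for example "Reduce the need to trust your provider by using an alternative below that supports ...".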
@ -4,12 +4,10 @@ icon: material/email-open
|
|||||||
---
|
---
|
||||||
Discover free, open-source, and secure email clients, along with some email alternatives you may not have considered.
|
Discover free, open-source, and secure email clients, along with some email alternatives you may not have considered.
|
||||||
|
|
||||||
??? Attention "Email does provide forward secrecy"
|
??? Attention "Email does not provide forward secrecy"
|
||||||
When using end-to-end encryption (E2EE) technology like [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy), email will still have [some metadata](/email/#email-metadata-overview) that is not encrypted in the header of the email.
|
When using end-to-end encryption (E2EE) technology like [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy), email will still have [some metadata](/email/#email-metadata-overview) that is not encrypted in the header of the email.
|
||||||
|
|
||||||
OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](/email/#email-encryption-overview).
|
OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](/email/#email-encryption-overview). Consider using a medium that forward secrecy:
|
||||||
|
|
||||||
Alternatively, consider using a medium that forward secrecy:
|
|
||||||
|
|
||||||
[Real-time Communication](/real-time-communication){ .md-button .md-button--primary }
|
[Real-time Communication](/real-time-communication){ .md-button .md-button--primary }
|
||||||
|
|
||||||
|
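Review bot: The sentence appended to the forward-secrecy paragraph, "Consider using a medium that forward secrecy:", is missing its verb; the removed "Alternatively, ..." line had the same gap. Suggest "Consider using a medium that provides forward secrecy:". The title change from "does provide" to "does not provide" now agrees with the body text.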
@ -2,7 +2,7 @@
|
|||||||
title: Encryption Software
|
title: Encryption Software
|
||||||
icon: material/file-lock
|
icon: material/file-lock
|
||||||
---
|
---
|
||||||
Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails, or file archives, you should pick an option here.
|
Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails, or files, you should pick an option here.
|
||||||
|
|
||||||
## Multi-platform
|
## Multi-platform
|
||||||
The options listed here are multi-platform and great for creating encrypted backups of your data.
|
The options listed here are multi-platform and great for creating encrypted backups of your data.
|
||||||
@ -15,6 +15,11 @@ The options listed here are multi-platform and great for creating encrypted back
|
|||||||
|
|
||||||
**VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
|
**VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
|
||||||
|
|
||||||
|
Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits) and VeraCrypt has also been [audited seperately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
|
||||||
|
|
||||||
|
!!! attention
|
||||||
|
When encrypting with VeraCrypt, the user has the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest users **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and should stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
|
||||||
|
|
||||||
[Visit veracrypt.fr](https://veracrypt.fr){ .md-button .md-button--primary }
|
[Visit veracrypt.fr](https://veracrypt.fr){ .md-button .md-button--primary }
|
||||||
|
|
||||||
**Downloads**
|
**Downloads**
|
||||||
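Review bot: The added audit sentence spells the project "Truecrypt" while the paragraph above it uses "TrueCrypt", and "seperately" should be "separately". In the new attention block, the advice to select only SHA-512 and AES is given without a reason; a short clause saying why the other hash and cipher choices are discouraged would let readers judge it. The wording "We suggest users **only** select ... and should stick to" would read better as "We suggest users select **only** SHA-512 and stick to the AES block cipher".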
@ -28,7 +33,16 @@ The options listed here are multi-platform and great for creating encrypted back
|
|||||||
|
|
||||||
![GNU Privacy Guard logo](/assets/img/encryption-software/gnupg.svg){ align=right }
|
![GNU Privacy Guard logo](/assets/img/encryption-software/gnupg.svg){ align=right }
|
||||||
|
|
||||||
**GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF standards track specification of OpenPGP. Current versions of PGP (and Veridis' Filecrypt) are interoperable with GnuPG and other OpenPGP-compliant systems. GnuPG is a part of the Free Software Foundation's GNU software project, and has received major funding from the German government.
|
**GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize [PGP's shortcomings](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html). GnuPG is a part of the Free Software Foundation's GNU software project, and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.
|
||||||
|
|
||||||
|
??? tip "Future default"
|
||||||
|
When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [ed25519](https://ed25519.cr.yp.to/).
|
||||||
|
```
|
||||||
|
gpg --quick-gen-key alice@example.com future-default
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! attention
|
||||||
|
When encrypting with GnuPG, the user has the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest users **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and should stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
|
||||||
|
|
||||||
[Visit gnupg.org](https://gnupg.org){ .md-button .md-button--primary } [Privacy Policy](https://gnupg.org/privacy-policy.html){ .md-button }
|
[Visit gnupg.org](https://gnupg.org){ .md-button .md-button--primary } [Privacy Policy](https://gnupg.org/privacy-policy.html){ .md-button }
|
||||||
|
|
||||||
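Review bot: The attention block added for GnuPG links "hash functions" to https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme, which looks copied from the VeraCrypt section and does not describe GnuPG's options; point it at a GnuPG or OpenPGP reference instead. In the "Future default" tip, `future-default` is passed as an argument to `gpg --quick-gen-key` in the example, so calling it a "command" is misleading, and "instruct GnuPG use" is missing "to".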
@ -44,9 +58,9 @@ The options listed here are multi-platform and great for creating encrypted back
|
|||||||
|
|
||||||
![Cryptomator logo](/assets/img/encryption-software/cryptomator.svg){ align=right }
|
![Cryptomator logo](/assets/img/encryption-software/cryptomator.svg){ align=right }
|
||||||
|
|
||||||
**Cryptomator** makes it easy for you to upload files to the cloud in a virtual encrypted filesystem.
|
**Cryptomator** makes it easy for you to upload files to the cloud in a virtual encrypted file system.
|
||||||
|
|
||||||
Some of the libraries have been [audited](https://cryptomator.org/open-source/) by [cure53](https://cryptomator.org/audits/2017-11-27%20crypto%20cure53.pdf).
|
Some of the Cryptomator Crypto Libraries have been [audited](https://cryptomator.org/open-source/) by [Cure53](https://cryptomator.org/audits/2017-11-27%20crypto%20cure53.pdf). The scope of those libraries included [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). It did not include [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift) which is now used on iOS.
|
||||||
|
|
||||||
[Visit cryptomator.org](https://cryptomator.org){ .md-button .md-button--primary } [Privacy Policy](https://cryptomator.org/privacy){ .md-button }
|
[Visit cryptomator.org](https://cryptomator.org){ .md-button .md-button--primary } [Privacy Policy](https://cryptomator.org/privacy){ .md-button }
|
||||||
|
|
||||||
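Review bot: In the expanded audit sentence, "The scope of those libraries included" describes the libraries as having a scope, when the list that follows is what the Cure53 audit covered. Suggest "The audit covered cryptolib, cryptofs, siv-mode and cryptomator-objc-cryptor." The capitals in "Crypto Libraries" are also unnecessary.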
@ -67,8 +81,6 @@ The options listed here are multi-platform and great for creating encrypted back
|
|||||||
|
|
||||||
**Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features.
|
**Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features.
|
||||||
|
|
||||||
We think the best usecase for this is if you need to encrypt some files, or archives.
|
|
||||||
|
|
||||||
[Visit github.com](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
|
[Visit github.com](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
|
||||||
|
|
||||||
**Downloads**
|
**Downloads**
|
||||||
@ -80,22 +92,56 @@ The options listed here are multi-platform and great for creating encrypted back
|
|||||||
## Operating system included Full Disk Encryption (FDE)
|
## Operating system included Full Disk Encryption (FDE)
|
||||||
Modern operating systems include [disk encryption](https://en.wikipedia.org/wiki/Disk_encryption) and will utilize a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
|
Modern operating systems include [disk encryption](https://en.wikipedia.org/wiki/Disk_encryption) and will utilize a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
|
||||||
|
|
||||||
### Bitlocker
|
### BitLocker
|
||||||
!!! recommendation
|
!!! recommendation
|
||||||
|
|
||||||
![Bitlocker logo](/assets/img/encryption-software/bitlocker.png){ align=right }
|
![BitLocker logo](/assets/img/encryption-software/bitlocker.png){ align=right }
|
||||||
|
|
||||||
**Bitlocker** is the default full volume encryption that comes with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [Elcomsoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it: [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-bitlocker-tpm-protection/).
|
**BitLocker** is the default full volume encryption that comes with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise, and Education editions of Windows. It can be enabled on Home editions provided that they meet the prequesites.
|
||||||
|
|
||||||
[Visit microsoft.com](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview){ .md-button .md-button--primary }
|
??? tip "Enabling BitLocker on Windows Home"
|
||||||
|
To enable BitLocker on "Home" editions of Windows, you must partitions formatted with formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) (v1.2, 2.0+) module.
|
||||||
|
|
||||||
### Filevault
|
1. Open Windows [PowerShell](https://en.wikipedia.org/wiki/PowerShell). Start "PowerShell"
|
||||||
|
|
||||||
|
2. Check to see partition table format:
|
||||||
|
```
|
||||||
|
powershell Get-Disk 0 | findstr GPT && echo This is a GPT system disk!
|
||||||
|
```
|
||||||
|
|
||||||
|
3. Check TPM version. The value returned must be "3 True". The spec must be 1.2 or above.
|
||||||
|
```
|
||||||
|
powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm | findstr "IsActivated IsEnabled IsOwned SpecVersion"
|
||||||
|
```
|
||||||
|
|
||||||
|
4. Access Windows 10 "Advanced Startup Options". (Press "reboot" while holding shift button). *Troubleshoot > Advanced Options > Command Prompt*
|
||||||
|
|
||||||
|
5. Login with your account that has admin privileges and type this to start encryption:
|
||||||
|
```
|
||||||
|
manage-bde -on c: -used
|
||||||
|
```
|
||||||
|
|
||||||
|
6. Close the command prompt, and enter into PowerShell:
|
||||||
|
```
|
||||||
|
manage-bde c: -protectors -add -rp -tpm
|
||||||
|
manage-bde -protectors -enable c:
|
||||||
|
manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! warning
|
||||||
|
Backup `BitLocker-Recovery-Key.txt` on a separate storage device. Loss of this recovery code, may result in loss of data.
|
||||||
|
|
||||||
|
[Visit microsoft.com](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .md-button .md-button--primary }
|
||||||
|
|
||||||
|
### FileVault
|
||||||
!!! recommendation
|
!!! recommendation
|
||||||
|
|
||||||
![Filevault logo](/assets/img/encryption-software/filevault.png){ align=right }
|
![FileVault logo](/assets/img/encryption-software/filevault.png){ align=right }
|
||||||
|
|
||||||
**Filevault** is the on-the-fly disk encryption that comes with MacOS. We recommend it because tightly intergrates with the [Apple T2 Security Chip](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/1/web/1).
|
**FileVault** is the on-the-fly disk encryption that comes with macOS. We recommend it because tightly intergrates with the [Apple T2 Security Chip](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/1/web/1).
|
||||||
|
|
||||||
[Visit support.apple.com](https://support.apple.com/en-us/HT204837){ .md-button .md-button--primary }
|
[Visit support.apple.com](https://support.apple.com/en-us/HT204837){ .md-button .md-button--primary }
|
||||||
|
|
||||||
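Review bot: The Bitlocker to BitLocker rename has also been applied inside URL paths: the ElcomSoft link now ends in understanding-BitLocker-tpm-protection/ and the Microsoft button points to .../information-protection/BitLocker/BitLocker-overview, where the removed lines had lowercase "bitlocker". URL paths can be case-sensitive, so restore the original URLs and limit the rename to visible text. In the Home-edition tip, step 1 says to open PowerShell but steps 2, 3 and 6 are written as they would be typed at a cmd prompt (a `powershell` prefix, `&&`, `%UserProfile%`); name the shell each command is meant for. Step 6 writes the recovery key to a plaintext file on the Desktop, so consider writing it directly to the separate storage device the warning asks for. Step 3's expected value "3 True" needs a word on which of the four filtered fields it refers to. Text fixes: "prequesites", "you must partitions formatted with formatted with", the note saying BitLocker is "only supported" on Pro, Enterprise and Education while the next sentence says it can be enabled on Home, and the FileVault line, which still reads "because tightly intergrates".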
@ -106,30 +152,30 @@ Modern operating systems include [disk encryption](https://en.wikipedia.org/wiki
|
|||||||
|
|
||||||
**LUKS** is the default full disk encryption method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
|
**LUKS** is the default full disk encryption method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
|
||||||
|
|
||||||
## Creating encrypted containers
|
??? "Creating and opening encrypted containers"
|
||||||
```
|
```
|
||||||
dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
|
dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
|
||||||
sudo cryptsetup luksFormat /path-to-file
|
sudo cryptsetup luksFormat /path-to-file
|
||||||
```
|
```
|
||||||
|
|
||||||
## Opening encrypted containers
|
#### Opening encrypted containers
|
||||||
We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can now unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
|
We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
|
||||||
```
|
```
|
||||||
udisksctl loop-setup -f /path-to-file
|
udisksctl loop-setup -f /path-to-file
|
||||||
udisksctl unlock -b /dev/loop0
|
udisksctl unlock -b /dev/loop0
|
||||||
```
|
```
|
||||||
|
|
||||||
## Backup of volume headers
|
!!! Warning "Back up volume headers"
|
||||||
We recommend you always [backup your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
|
We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
|
||||||
|
|
||||||
```
|
```
|
||||||
cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
|
cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
|
||||||
```
|
```
|
||||||
|
|
||||||
[Visit gitlab.com](https://gitlab.com/cryptsetup/cryptsetup){ .md-button .md-button--primary }
|
[Visit gitlab.com](https://gitlab.com/cryptsetup/cryptsetup){ .md-button .md-button--primary }
|
||||||
|
|
||||||
## Browser-based
|
## Browser-based
|
||||||
Web based encryption can be useful when you need to encrypt a file, and you cannot install software or apps on your device.
|
Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device.
|
||||||
|
|
||||||
### hat.sh
|
### hat.sh
|
||||||
!!! recommendation
|
!!! recommendation
|
||||||
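Review bot: The new admonition headers are inconsistent with the ones added elsewhere in this commit: `!!! Warning "Back up volume headers"` capitalises the type where the BitLocker hunk uses `!!! warning`, and `??? "Creating and opening encrypted containers"` has no type at all where the GnuPG hunk uses `??? tip`. Pick one form. Also check that "#### Opening encrypted containers" and the command blocks are indented under the collapsible block so they render inside it, since its title promises both creating and opening.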
@ -137,7 +183,7 @@ Web based encryption can be useful when you need to encrypt a file, and you cann
|
|||||||
![hat.sh logo](/assets/img/encryption-software/hat-sh.png#only-light){ align=right }
|
![hat.sh logo](/assets/img/encryption-software/hat-sh.png#only-light){ align=right }
|
||||||
![hat.sh logo](/assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
|
![hat.sh logo](/assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
|
||||||
|
|
||||||
**Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be selfhosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies.
|
**Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies.
|
||||||
|
|
||||||
[Visit hat.sh](https://hat.sh){ .md-button .md-button--primary }
|
[Visit hat.sh](https://hat.sh){ .md-button .md-button--primary }
|
||||||
|
|
||||||
@ -145,7 +191,7 @@ Web based encryption can be useful when you need to encrypt a file, and you cann
|
|||||||
- [:fontawesome-brands-github: Source](https://github.com/sh-dv/hat.sh)
|
- [:fontawesome-brands-github: Source](https://github.com/sh-dv/hat.sh)
|
||||||
|
|
||||||
## Command-line
|
## Command-line
|
||||||
Tools with commandline interfaces are useful for intergrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script).
|
Tools with command-line interfaces are useful for intergrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script).
|
||||||
|
|
||||||
### Kryptor
|
### Kryptor
|
||||||
!!! recommendation
|
!!! recommendation
|
||||||
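Review bot: The replacement line fixes "commandline" but keeps the misspelling "intergrating", and "useful for intergrating [shell scripts]" still lacks a preposition. Suggest "useful for integrating into [shell scripts]".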
@ -154,7 +200,7 @@ Tools with commandline interfaces are useful for intergrating [shell scripts](ht
|
|||||||
|
|
||||||
**Kryptor** is a free and open source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, user friendly alternative to GPG.
|
**Kryptor** is a free and open source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, user friendly alternative to GPG.
|
||||||
|
|
||||||
[Visit kryptor.co.uk](https://www.kryptor.co.uk){ .md-button .md-button--primary }
|
[Visit kryptor.co.uk](https://www.kryptor.co.uk){ .md-button .md-button--primary } [Privacy Policy](https://www.kryptor.co.uk/features#privacy){ .md-button }
|
||||||
|
|
||||||
**Downloads**
|
**Downloads**
|
||||||
- [:fontawesome-brands-windows: Windows](https://www.kryptor.co.uk)
|
- [:fontawesome-brands-windows: Windows](https://www.kryptor.co.uk)
|
||||||
@ -167,7 +213,7 @@ Tools with commandline interfaces are useful for intergrating [shell scripts](ht
|
|||||||
|
|
||||||
![Tomb logo](/assets/img/encryption-software/tomb.png){ align=right }
|
![Tomb logo](/assets/img/encryption-software/tomb.png){ align=right }
|
||||||
|
|
||||||
**Tomb** is an is a commandline shell wrapper around LUKS. It includes uses some [third party tools](https://github.com/dyne/Tomb#how-does-it-work) to provide [steganography](https://en.wikipedia.org/wiki/Steganography).
|
**Tomb** is an is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work).
|
||||||
|
|
||||||
[Visit dyne.org](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
|
[Visit dyne.org](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
|
||||||
|
|
||||||
|
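Review bot: The rewritten Tomb description still opens with the doubled "is an is a"; it should read "**Tomb** is a command-line shell wrapper for LUKS". The change also drops the Wikipedia link on "steganography" that the old line had; keep it if readers are expected to need the definition.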
@ -6,7 +6,7 @@ icon: 'material/two-factor-authentication'
|
|||||||
|
|
||||||
**Two-Factor Authentication** (also known as **2FA**, **Multi-Factor Authentication**, or **MFA**) is a security mechanism that requires additional steps beyond simply your username/email and password. If you've ever had to enter a 6-digit code sent to your phone to log in to a website, that's an example of 2FA.
|
**Two-Factor Authentication** (also known as **2FA**, **Multi-Factor Authentication**, or **MFA**) is a security mechanism that requires additional steps beyond simply your username/email and password. If you've ever had to enter a 6-digit code sent to your phone to log in to a website, that's an example of 2FA.
|
||||||
|
|
||||||
The idea behind 2FA is that even if a hacker is able to figure out your password (something you *know*), they will still need a device you own like your phone (something you *have*) in order to generate the code needed to log in to your account. 2FA methods vary in security based on this premise: The more difficult it is for an attacker to gain access to your 2FA method, the better. Examples of 2FA methods from strongest to weakest are Email or SMS codes, Push Notifications, Software (TOTP) Code-Generating Apps, and Hardware Keys.
|
The idea behind 2FA is that even if a hacker is able to figure out your password (something you *know*), they will still need a device you own like your phone (something you *have*) in order to generate the code needed to log in to your account. 2FA methods vary in security based on this premise: The more difficult it is for an attacker to gain access to your 2FA method, the better. 2FA methods include: Email or SMS codes, Push Notifications,Software (TOTP) Code-Generating Apps, Hardware Keys.
|
||||||
|
|
||||||
## MFA Method Comparison
|
## MFA Method Comparison
|
||||||
==**SMS Codes** or Emailed Codes are better than nothing at all, but only marginally.== Getting a code over SMS or Email takes away from the "something you *have*" idea, because there are a variety of ways a hacker could take over your phone number or gain access to your emails without having physical access to any of your devices at all!
|
==**SMS Codes** or Emailed Codes are better than nothing at all, but only marginally.== Getting a code over SMS or Email takes away from the "something you *have*" idea, because there are a variety of ways a hacker could take over your phone number or gain access to your emails without having physical access to any of your devices at all!
|
||||||
|
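Review bot: The new list "Email or SMS codes, Push Notifications,Software (TOTP) Code-Generating Apps, Hardware Keys" is missing a space after "Push Notifications," and has no "and" before the last item. Dropping "from strongest to weakest" is right, since the list starts with email and SMS codes, which the next section calls only marginally better than nothing; if an ordering is intended, say "from weakest to strongest".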
@ -1,9 +1,7 @@
|
|||||||
---
|
---
|
||||||
icon: material/chat-processing
|
icon: material/chat-processing
|
||||||
---
|
---
|
||||||
|
|
||||||
## Encrypted Instant Messengers
|
## Encrypted Instant Messengers
|
||||||
|
|
||||||
### Signal
|
### Signal
|
||||||
|
|
||||||
!!! recommendation
|
!!! recommendation
|
||||||
@ -33,7 +31,6 @@ Signal requires your phone number as a personal identifier.
|
|||||||
The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
|
The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
|
||||||
|
|
||||||
### Element
|
### Element
|
||||||
|
|
||||||
!!! recommendation
|
!!! recommendation
|
||||||
|
|
||||||
![Element logo](/assets/img/messengers/element.svg){ align=right }
|
![Element logo](/assets/img/messengers/element.svg){ align=right }
|
||||||
@ -62,7 +59,6 @@ When using [element-web](https://github.com/vector-im/element-web), you must tru
|
|||||||
The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
|
The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
|
||||||
|
|
||||||
### Briar
|
### Briar
|
||||||
|
|
||||||
!!! recommendation
|
!!! recommendation
|
||||||
|
|
||||||
![Briar logo](/assets/img/messengers/briar.svg){ align=right }
|
![Briar logo](/assets/img/messengers/briar.svg){ align=right }
|
||||||
@ -85,7 +81,6 @@ Briar has a fully [published specification](https://code.briarproject.org/briar/
|
|||||||
Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol.
|
Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol.
|
||||||
|
|
||||||
### Session
|
### Session
|
||||||
|
|
||||||
!!! recommendation
|
!!! recommendation
|
||||||
|
|
||||||
![Session logo](/assets/img/messengers/session.svg){ align=right }
|
![Session logo](/assets/img/messengers/session.svg){ align=right }
|
||||||
@ -113,7 +108,6 @@ Session was independently audited in 2020. The protocol is described in a whitep
|
|||||||
There are several network architectures commonly used to relay messages between users. These networks can provide different different privacy guarantees, which is why it's worth considering your [threat model](https://en.wikipedia.org/wiki/Threat_model) when making a decision about which app to use.
|
There are several network architectures commonly used to relay messages between users. These networks can provide different different privacy guarantees, which is why it's worth considering your [threat model](https://en.wikipedia.org/wiki/Threat_model) when making a decision about which app to use.
|
||||||
|
|
||||||
### Centralized Networks
|
### Centralized Networks
|
||||||
|
|
||||||
![Centralized networks diagram](/assets/img/layout/network-centralized.svg){ align=left }
|
![Centralized networks diagram](/assets/img/layout/network-centralized.svg){ align=left }
|
||||||
|
|
||||||
Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization.
|
Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization.
|
||||||
@ -137,7 +131,6 @@ Some self-hosted messengers allow you to set up your own server. Self-hosting ca
|
|||||||
|
|
||||||
|
|
||||||
### Federated Networks
|
### Federated Networks
|
||||||
|
|
||||||
![Federated networks diagram](/assets/img/layout/network-decentralized.svg){ align=left }
|
![Federated networks diagram](/assets/img/layout/network-decentralized.svg){ align=left }
|
||||||
|
|
||||||
Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network.
|
Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network.
|
||||||
@ -160,7 +153,6 @@ When self-hosted, users of a federated server can discover and communicate with
|
|||||||
- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with users on those servers.
|
- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with users on those servers.
|
||||||
|
|
||||||
### Peer-to-Peer (P2P) Networks
|
### Peer-to-Peer (P2P) Networks
|
||||||
|
|
||||||
![P2P diagram](/assets/img/layout/network-distributed.svg){ align=left }
|
![P2P diagram](/assets/img/layout/network-distributed.svg){ align=left }
|
||||||
|
|
||||||
[P2P](https://en.wikipedia.org/wiki/Peer-to-peer) messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recepient without a third-party server.
|
[P2P](https://en.wikipedia.org/wiki/Peer-to-peer) messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recepient without a third-party server.
|
||||||
@ -186,7 +178,6 @@ P2P networks do not use servers, as users communicate directly between each othe
|
|||||||
|
|
||||||
|
|
||||||
### Anonymous Routing
|
### Anonymous Routing
|
||||||
|
|
||||||
![Anonymous routing diagram](/assets/img/layout/network-anonymous-routing.svg){ align=left }
|
![Anonymous routing diagram](/assets/img/layout/network-anonymous-routing.svg){ align=left }
|
||||||
|
|
||||||
A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.
|
A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.
|
||||||
|