mirror of
https://github.com/privacyguides/privacyguides.org.git
synced 2024-12-21 21:55:26 -05:00
Reduce reliance on external web resources (#1093)
Signed-off-by: Daniel Gray <dng@disroot.org>
This commit is contained in:
parent
33dc6b1211
commit
b88beee846
@ -53,7 +53,7 @@ Currently, CalyxOS only supports [Pixel phones](https://calyxos.org/docs/guide/d
|
|||||||
|
|
||||||
![DivestOS logo](assets/img/android/divestos.svg){ align=right }
|
![DivestOS logo](assets/img/android/divestos.svg){ align=right }
|
||||||
|
|
||||||
**DivestOS** is a [soft-fork](https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software) of [LineageOS](https://lineageos.org/).
|
**DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/).
|
||||||
DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.
|
DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.
|
||||||
|
|
||||||
[Visit divestos.org](https://divestos.org){ .md-button .md-button--primary } [Privacy Policy](https://divestos.org/index.php?page=privacy_policy){ .md-button }
|
[Visit divestos.org](https://divestos.org){ .md-button .md-button--primary } [Privacy Policy](https://divestos.org/index.php?page=privacy_policy){ .md-button }
|
||||||
@ -103,7 +103,7 @@ The installation of GrapheneOS on a Pixel phone is easy with their [web installe
|
|||||||
A few more tips for purchasing a Google Pixel:
|
A few more tips for purchasing a Google Pixel:
|
||||||
|
|
||||||
- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock.
|
- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock.
|
||||||
- Consider price beating options and specials offered at [brick and mortar](https://en.wikipedia.org/wiki/Brick_and_mortar) stores.
|
- Consider price beating options and specials offered at brick and mortar stores.
|
||||||
- Look at online community bargain sites in your country. These can alert you to good sales.
|
- Look at online community bargain sites in your country. These can alert you to good sales.
|
||||||
- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EoL Date }-\text{ Current Date}$, meaning that the longer use of the device the lower cost per day.
|
- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EoL Date }-\text{ Current Date}$, meaning that the longer use of the device the lower cost per day.
|
||||||
|
|
||||||
@ -300,7 +300,9 @@ The Google Play Store requires a Google account to login which is not great for
|
|||||||
|
|
||||||
### F-Droid
|
### F-Droid
|
||||||
|
|
||||||
F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third party repositories and not be confined to Google's [walled garden](https://en.wikipedia.org/wiki/Closed_platform) has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications, and is dedicated to free and open source software. However, there are problems with the official F-Droid client, their quality control, and how they build, sign and deliver packages, outlined in this [post](https://wonderfall.dev/fdroid-issues/).
|
F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications, and is dedicated to free and open source software. However, there are problems with the official F-Droid client, their quality control, and how they build, sign and deliver packages, outlined in this [post](https://wonderfall.dev/fdroid-issues/).
|
||||||
|
|
||||||
|
*[walled garden]: A walled garden (or closed platform) is one in which the service provider has control over applications, content, and/or media, and restricts convenient access to non-approved applicants or content.
|
||||||
|
|
||||||
Sometimes the official F-Droid repository may fall behind on updates. F-Droid maintainers reuse package IDs while signing apps with their own keys, which is not ideal as it does give the F-Droid team ultimate trust. The Google Play version of some apps may contain unwanted telemetry or lack features that are available in the F-Droid version.
|
Sometimes the official F-Droid repository may fall behind on updates. F-Droid maintainers reuse package IDs while signing apps with their own keys, which is not ideal as it does give the F-Droid team ultimate trust. The Google Play version of some apps may contain unwanted telemetry or lack features that are available in the F-Droid version.
|
||||||
|
|
||||||
|
@ -108,7 +108,7 @@ On iOS, any app that can browse the web is [restricted](https://developer.apple.
|
|||||||
|
|
||||||
![Bromite logo](assets/img/browsers/bromite.svg){ align=right }
|
![Bromite logo](assets/img/browsers/bromite.svg){ align=right }
|
||||||
|
|
||||||
**Bromite** is a [Chromium](https://en.wikipedia.org/wiki/Chromium_(web_browser))-based browser with privacy and security enhancements, built-in ad blocking, and some fingerprinting randomization.
|
**Bromite** is a Chromium-based browser with privacy and security enhancements, built-in ad blocking, and some fingerprinting randomization.
|
||||||
|
|
||||||
[Visit bromite.org](https://www.bromite.org){ .md-button .md-button--primary } [Privacy Policy](https://www.bromite.org/privacy){ .md-button }
|
[Visit bromite.org](https://www.bromite.org){ .md-button .md-button--primary } [Privacy Policy](https://www.bromite.org/privacy){ .md-button }
|
||||||
|
|
||||||
|
@ -5,8 +5,7 @@ icon: material/email-open
|
|||||||
Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](multi-factor-authentication) and prevent account theft.
|
Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](multi-factor-authentication) and prevent account theft.
|
||||||
|
|
||||||
??? Attention "Email does not provide forward secrecy"
|
??? Attention "Email does not provide forward secrecy"
|
||||||
|
When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
|
||||||
When using end-to-end encryption (E2EE) technology like [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy), email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
|
|
||||||
|
|
||||||
OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](email.md#email-encryption-overview). Consider using a medium that provides forward secrecy:
|
OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](email.md#email-encryption-overview). Consider using a medium that provides forward secrecy:
|
||||||
|
|
||||||
@ -145,7 +144,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
|
|||||||
|
|
||||||
Canary Mail only recently released a Windows and Android client, we don't believe they are as stable as their iOS and Mac counterparts.
|
Canary Mail only recently released a Windows and Android client, we don't believe they are as stable as their iOS and Mac counterparts.
|
||||||
|
|
||||||
Canary Mail is closed source. We recommend it, due to the few choices there are for email clients on iOS that support [Pretty Good Privacy (PGP)](https://en.wikipedia.org/wiki/Pretty_Good_Privacy) E2EE.
|
Canary Mail is closed source. We recommend it, due to the few choices there are for email clients on iOS that support PGP E2EE.
|
||||||
|
|
||||||
### NeoMutt
|
### NeoMutt
|
||||||
|
|
||||||
|
@ -326,7 +326,7 @@ We regard these features as important in order to provide a safe and optimal ser
|
|||||||
- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
|
- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
|
||||||
- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
|
- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
|
||||||
- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
|
- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
|
||||||
- [Catch all](https://en.wikipedia.org/wiki/Email_filtering) or [aliases](https://en.wikipedia.org/wiki/Email_alias) for users who own their own domains.
|
- Catch-all or alias functionality for users who own their own domains.
|
||||||
- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
|
- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
|
||||||
|
|
||||||
### Privacy
|
### Privacy
|
||||||
@ -421,7 +421,7 @@ E2EE is a way of encrypting email contents so that nobody but the recipient(s) c
|
|||||||
|
|
||||||
### How can I encrypt my email?
|
### How can I encrypt my email?
|
||||||
|
|
||||||
The standard way to do email E2EE and have it work between different email providers is with [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP). There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
|
The standard way to do email E2EE and have it work between different email providers is with OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
|
||||||
|
|
||||||
There is another standard that was popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
|
There is another standard that was popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
|
||||||
|
|
||||||
|
@ -90,7 +90,7 @@ BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-o
|
|||||||
|
|
||||||
??? example "Enabling BitLocker on Windows Home"
|
??? example "Enabling BitLocker on Windows Home"
|
||||||
|
|
||||||
To enable BitLocker on "Home" editions of Windows, you must partitions formatted with formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) (v1.2, 2.0+) module.
|
To enable BitLocker on "Home" editions of Windows, you must partitions formatted with formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module.
|
||||||
|
|
||||||
1. Open Windows [PowerShell](https://en.wikipedia.org/wiki/PowerShell). Start "PowerShell"
|
1. Open Windows [PowerShell](https://en.wikipedia.org/wiki/PowerShell). Start "PowerShell"
|
||||||
|
|
||||||
@ -221,7 +221,7 @@ Tools with command-line interfaces are useful for intergrating [shell scripts](h
|
|||||||
|
|
||||||
## OpenPGP
|
## OpenPGP
|
||||||
|
|
||||||
[OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP) is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
|
OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
|
||||||
|
|
||||||
When encrypting with PGP, the user has the option to configure different options in their `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
|
When encrypting with PGP, the user has the option to configure different options in their `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
|
||||||
|
|
||||||
|
@ -20,7 +20,7 @@ If you don't already use Linux, below are some distributions we suggest trying o
|
|||||||
|
|
||||||
[Visit getfedora.org](https://getfedora.org/){ .md-button .md-button--primary }
|
[Visit getfedora.org](https://getfedora.org/){ .md-button .md-button--primary }
|
||||||
|
|
||||||
Fedora has a semi-[rolling release](https://en.wikipedia.org/wiki/Rolling_release) cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
|
Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
|
||||||
|
|
||||||
### openSUSE Tumbleweed
|
### openSUSE Tumbleweed
|
||||||
|
|
||||||
@ -28,7 +28,7 @@ Fedora has a semi-[rolling release](https://en.wikipedia.org/wiki/Rolling_releas
|
|||||||
|
|
||||||
![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
|
![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
|
||||||
|
|
||||||
**openSUSE Tumbleweed** is a stable [rolling release](https://en.wikipedia.org/wiki/Rolling_release) distribution.
|
**openSUSE Tumbleweed** is a stable rolling release distribution.
|
||||||
|
|
||||||
openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
|
openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
|
||||||
|
|
||||||
@ -130,15 +130,15 @@ By design, Tails is meant to completely reset itself after each reboot. Encrypte
|
|||||||
|
|
||||||
### Drive Encryption
|
### Drive Encryption
|
||||||
|
|
||||||
Most Linux distributions have an installer option for enabling [LUKS](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) FDE upon installation.
|
Most Linux distributions have an installer option for enabling LUKS FDE upon installation.
|
||||||
|
|
||||||
If this option isn’t set at installation time, the user will have to backup their data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning) but before [file systems](https://en.wikipedia.org/wiki/File_system) are [formatted](https://en.wikipedia.org/wiki/Disk_formatting).
|
If this option isn’t set at installation time, the user will have to backup their data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted.
|
||||||
|
|
||||||
When securely erasing storage devices such as a [Solid-state drive (SSD)](https://en.wikipedia.org/wiki/Solid-state_drive) you should use the [ATA Secure Erase](https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase) command. This command can be issued from your UEFI setup. If the storage device is a regular [hard drive](https://en.wikipedia.org/wiki/Hard_disk_drive), consider using [`nwipe`](https://en.wikipedia.org/wiki/Nwipe).
|
When securely erasing storage devices such as a Solid-state drive (SSD) you should use the [ATA Secure Erase](https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase) command. This command can be issued from your UEFI setup. If the storage device is a regular hard drive (HDD), consider using [`nwipe`](https://en.wikipedia.org/wiki/Nwipe).
|
||||||
|
|
||||||
### Swap
|
### Swap
|
||||||
|
|
||||||
Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM](https://fedoraproject.org/wiki/Changes/SwapOnZRAM) by default.
|
Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).
|
||||||
|
|
||||||
### Wayland
|
### Wayland
|
||||||
|
|
||||||
@ -183,3 +183,5 @@ The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Co
|
|||||||
This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer.
|
This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer.
|
||||||
|
|
||||||
openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file.
|
openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file.
|
||||||
|
|
||||||
|
--8<-- "includes/abbreviations.en.md"
|
||||||
|
@ -89,7 +89,7 @@ One of the problems with Secure Boot particularly on Linux is that only the [cha
|
|||||||
|
|
||||||
- Creating an [EFI Boot Stub](https://docs.kernel.org/admin-guide/efi-stub.html) that contains the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)), [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) and [microcode](https://en.wikipedia.org/wiki/Microcode). This EFI stub can then be signed. If you use [dracut](https://en.wikipedia.org/wiki/Dracut_(software)) this can easily be done with the [`--uefi-stub` switch](https://man7.org/linux/man-pages/man8/dracut.8.html) or the [`uefi_stub` config](https://www.man7.org/linux/man-pages/man5/dracut.conf.5.html) option.
|
- Creating an [EFI Boot Stub](https://docs.kernel.org/admin-guide/efi-stub.html) that contains the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)), [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) and [microcode](https://en.wikipedia.org/wiki/Microcode). This EFI stub can then be signed. If you use [dracut](https://en.wikipedia.org/wiki/Dracut_(software)) this can easily be done with the [`--uefi-stub` switch](https://man7.org/linux/man-pages/man8/dracut.8.html) or the [`uefi_stub` config](https://www.man7.org/linux/man-pages/man5/dracut.conf.5.html) option.
|
||||||
- [Encrypting the boot partition](https://wiki.archlinux.org/title/GRUB#Encrypted_/boot). However, this has its own issues, the first being that [GRUB](https://en.wikipedia.org/wiki/GNU_GRUB) only supports [LUKS1](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) and not the newer default LUKS2 scheme. As the bootloader runs in [protected mode](https://en.wikipedia.org/wiki/Protected_mode) and the encryption module lacks [SSE acceleration](https://en.wikipedia.org/wiki/Streaming_SIMD_Extensions) the boot process will take minutes to complete.
|
- [Encrypting the boot partition](https://wiki.archlinux.org/title/GRUB#Encrypted_/boot). However, this has its own issues, the first being that [GRUB](https://en.wikipedia.org/wiki/GNU_GRUB) only supports [LUKS1](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) and not the newer default LUKS2 scheme. As the bootloader runs in [protected mode](https://en.wikipedia.org/wiki/Protected_mode) and the encryption module lacks [SSE acceleration](https://en.wikipedia.org/wiki/Streaming_SIMD_Extensions) the boot process will take minutes to complete.
|
||||||
- Using [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) to perform a [measured boot](https://www.krose.org/~krose/measured_boot).
|
- Using TPM to perform a [measured boot](https://www.krose.org/~krose/measured_boot).
|
||||||
|
|
||||||
After setting up Secure Boot it is crucial that you set a “firmware password” (also called a “supervisor password, “BIOS password” or “UEFI password”), otherwise an adversary can simply disable Secure Boot.
|
After setting up Secure Boot it is crucial that you set a “firmware password” (also called a “supervisor password, “BIOS password” or “UEFI password”), otherwise an adversary can simply disable Secure Boot.
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@ Our website generally uses the term “Linux” to describe desktop GNU/Linux di
|
|||||||
|
|
||||||
## Release cycle
|
## Release cycle
|
||||||
|
|
||||||
We highly recommend that you choose distributions which stay close to the stable upstream software releases. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
|
We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
|
||||||
|
|
||||||
For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such [example](https://www.debian.org/security/faq#handling)) rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
|
For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such [example](https://www.debian.org/security/faq#handling)) rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
|
||||||
|
|
||||||
|
@ -163,7 +163,7 @@ Governments, in particular [China](https://www.zdnet.com/article/china-is-now-bl
|
|||||||
|
|
||||||
### Online Certificate Status Protocol (OCSP)
|
### Online Certificate Status Protocol (OCSP)
|
||||||
|
|
||||||
Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting a [HTTPS](https://en.wikipedia.org/wiki/HTTPS) website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted.
|
Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting a HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted.
|
||||||
|
|
||||||
The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status.
|
The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status.
|
||||||
|
|
||||||
|
@ -170,7 +170,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
|
|||||||
|
|
||||||
If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
|
If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
|
||||||
|
|
||||||
If you're looking for added **security**, you should always ensure you're connecting to websites using [HTTPS](https://en.wikipedia.org/wiki/HTTPS). A VPN is not a replacement for good security practices.
|
If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
|
||||||
|
|
||||||
[Learn more :material-arrow-right:](vpn.md)
|
[Learn more :material-arrow-right:](vpn.md)
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
|
|||||||
|
|
||||||
If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
|
If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
|
||||||
|
|
||||||
If you're looking for added **security**, you should always ensure you're connecting to websites using [HTTPS](https://en.wikipedia.org/wiki/HTTPS). A VPN is not a replacement for good security practices.
|
If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
|
||||||
|
|
||||||
[Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904){ .md-button }
|
[Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904){ .md-button }
|
||||||
|
|
||||||
|
@ -14,6 +14,7 @@
|
|||||||
*[Exif]: Exchangeable image file format
|
*[Exif]: Exchangeable image file format
|
||||||
*[FDE]: Full Disk Encryption
|
*[FDE]: Full Disk Encryption
|
||||||
*[FIDO]: Fast IDentity Online
|
*[FIDO]: Fast IDentity Online
|
||||||
|
*[fork]: In software development, a fork is created when developers take a copy of source code from one software package and start independent development on it, creating a distinct and separate piece of software.
|
||||||
*[GPG]: GNU Privacy Guard (PGP implementation)
|
*[GPG]: GNU Privacy Guard (PGP implementation)
|
||||||
*[GPS]: Global Positioning System
|
*[GPS]: Global Positioning System
|
||||||
*[GUI]: Graphical User Interface
|
*[GUI]: Graphical User Interface
|
||||||
@ -41,6 +42,7 @@
|
|||||||
*[P2P]: Peer-to-Peer
|
*[P2P]: Peer-to-Peer
|
||||||
*[PGP]: Pretty Good Privacy (see OpenPGP)
|
*[PGP]: Pretty Good Privacy (see OpenPGP)
|
||||||
*[QNAME]: Qualified Name
|
*[QNAME]: Qualified Name
|
||||||
|
*[rolling release]: An update release cycle in which updates are released very frequently, instead of at set intervals.
|
||||||
*[RSS]: Really Simple Syndication
|
*[RSS]: Really Simple Syndication
|
||||||
*[SELinux]: Security-Enhanced Linux
|
*[SELinux]: Security-Enhanced Linux
|
||||||
*[SMS]: Short Message Service (standard text messaging)
|
*[SMS]: Short Message Service (standard text messaging)
|
||||||
@ -52,6 +54,7 @@
|
|||||||
*[TEE]: Trusted Execution Environment
|
*[TEE]: Trusted Execution Environment
|
||||||
*[TLS]: Transport Layer Security
|
*[TLS]: Transport Layer Security
|
||||||
*[TOTP]: Time-based One-Time Password
|
*[TOTP]: Time-based One-Time Password
|
||||||
|
*[TPM]: Trusted Platform Module
|
||||||
*[U2F]: Universal 2nd Factor
|
*[U2F]: Universal 2nd Factor
|
||||||
*[UDP]: User Datagram Protocol
|
*[UDP]: User Datagram Protocol
|
||||||
*[VPN]: Virtual Private Network
|
*[VPN]: Virtual Private Network
|
||||||
|
Loading…
Reference in New Issue
Block a user