From 441c4b64eb0ecffb78ed6429e9a78db7b92880e1 Mon Sep 17 00:00:00 2001 From: Sergey Matveev Date: Tue, 1 Nov 2022 16:06:37 +0300 Subject: [PATCH] My opinion on privacyguides.org >I discovered new website called privacyguides.org and they seem support >privacy and security for censorship and cyberbullies. According to the >their website the best secure OSes are Fedora, Arch Linux and Qubes >(Whonix). Could you please check their claims? Initially when I saw their website, then I liked it, because at least it is just an up-to-date aggregator of various modern privacy-preserving software. However then looked at it narrowly, I discovered some very harmful and dangerous recommendations. Of course in my humble opinion. All people have varying criteria. I wanted to criticise several of their points, but let's walk over all of their recommendations. * Introduction to passwords: https://www.privacyguides.org/basics/passwords-overview/ Use unique passwords for every service, rotate only when you think of compromise -- good advices indeed. Use either randomly generated and securely stored password with password manager, or use diceware passphrases -- also very good advices, perfect ones. * Multi-Factor Authentication: https://www.privacyguides.org/basics/multi-factor-authentication/ In general there are no mistakes in that part of recommendations, but it totally lacks more simple and easier to remember fact, that authentication can be performed either by something you "know", or by something you "have", or by something you "are". Passwords is something you "know". Asymmetric cryptography keys are something you "have". Biometric information is something you "are". SMS, push notification, OTPs are something you also have. That page is silent about the fact, that private asymmetric cryptography key encrypted by your passphrase is already a two-factor authentication. So ordinary OpenSSH with encrypted private keys can be treated like 2-factor authentication from cryptography point of view. Unfortunately remote side can not prove are you using your keys securely, and most people won't use any strong passphrases with them (if any at all), so they tend to force people using often weaker (from cryptography point of view), but somehow forced hardware security tokens or SMS/push notifications. It is better for most people, who just do not understand importance of the strong authentication, but that does not mean that it will increase security of (for example) OpenSSH model with passphrase and encrypted private key, assuming that your hardware is not compromised of course. * Email security: https://www.privacyguides.org/basics/email-security/ They are right about insecure nature by default and inability to secure the metadata (message headers). They mention OpenPGP and S/MIME. And the fact, that there is no forward secrecy for those security measures (you have to use online protocols for forward secrecy and possible deniability). Everything is right here. * VPN: https://www.privacyguides.org/basics/vpn-overview/ They are right that VPN is *just* a shifting of point of trust from your ISP to someone else. I disagree with their strong "Yes" answer on "should I use VPN?" question. Everything depends on where you move you point of trust, who *will* monitor your traffic now. For example if I will use some widely spread service like NordVPN (I just searched for VPN and saw its name in first results), then my private data will be collected by that huge (12M+ of users, as they claim) provider, instead of my local one in my small town with several thousands of users. My private data for local ISP is probably so invaluable, that it won't even collect it for possible further usage. My NordVPN/whatever big ones will definitely collect it, because... why not, 12M+ of users is valuable source of data. But yes -- it will hide your IP address from the end-entity website/service you are using. Or maybe it can be used to bypass some censorship/firewall restrictions. It is questionable is it useful and favorable from ethical point of view. * Android: https://www.privacyguides.org/os/android-overview/ They are right that stock Android is full of closed non-free software with definitely possible backdoors and huge number of privacy related misfeatures. But they are silent about the fact, that majority of those devices have communication chip connected to the same bus/memory as Android OS itself. And you have no control over that chip, that is always on and connected to the cellular network and can execute remote commands transparently from Android OS itself. Nothing prevents it from reading your memory with ephemeral private keys used for E2EE. Moreover, I highly doubt that "problem could be solved by using a custom Android distribution". That year I tried (just out of curiosity) to build LineageOS, that claims to be fully "open source" and so on -- there are HUGE number of binary prebuilt packages involved in the build process. I do not want to say that it is not possible to build everything from the source code, but LineageOS definitely does not provide that automation at all. Maybe Replicant is more serious about that? I did not check, but the whole Android ecosystem is some kind of strongly biased towards active use of prebuilt binaries of many components and build tools. In general, I can not even imagine bearable security regarding any kind of modern smartphones. The whole ecosystem is built upon control over the user and his abilities. * I am glad that there is no information about iOS, where user is definitely under sole control of Apple, so forget about privacy. * "Linux" (actually Android is also "Linux", but they also mention GNU/Linux operating system to clarify that term): https://www.privacyguides.org/os/linux-overview/ They are right that "open source" will not magically make your software more secure, invulnerable to attacks, or privacy respecting. But free software is necessity for the possibility to create that kind of software. "FOSS" != "secure", but FOSS is *ability* to create it. They note that GNU/Linux system currently do not have so strong measures for "verified boot chain" and strong sandboxing. Maybe that is true, when compared to widespread non-free system. But "verified" boot chain is actually used for DRM (digital restrictions management) on them, for preventing user's abilities to make modification to his own device (yeah, yeah, because company thinks about user's security, as we heard many times before). And sandboxing is required on those systems because they are aimed to run non-free closed software, mainly with malicious misfeatures harming the privacy. Do I need strong sandboxing on my completely free software system? If it is fully free, then I expect it not to have something I wanted to avoid. At least I have got a possibility to do that in many cases. If I run trusted software, then it won't try to harm my computer, won't try to spy on me, won't do anything I will regret. So no need in sandboxing in that ideal world. But software contain bugs and can be attacked. So we need at least some exploit mitigations, that is true. That is why I can not treat "verified boot chain" and "sandboxing" as something highly required and necessary. They are made mainly to control user's abilities and aimed to run malicious proprietary software, that sane security/privacy-aware user do not want to run at all. They are right about "security-focused" distributions, that they are aimed for offence/attack, not defence. I strongly disagree with almost every other point they wrote: * They recommend "bleeding edge" distributions, saying that they will quickly apply security fixes to the packages. Strongly disagree with that, because every update in one of hundred/thousand packages you have is a risk of bringing yet another bug to it. Every update is a risk that something will misbehave or will stop working, because of slightly changed library's workflow. Every day you upgrade your bleeding edge system, you *will* expect something will be broken, something will be changed (maybe in backwards incompatible way). Some people will like that, some will want that. But the fact that you have constantly changing software, constantly having software that was not definitely by proven by time -- no way it can gain your security or privacy. Moreover, let's be honest: how many times any of your packages, libraries and software are affected by some *security* issue? I run my desktop system without any major upgrade for more than five years, following security announcements. And probably once or twice per year I really need to upgrade/patch anything. And non-bleeding edge distributions, like Debian, will anyway release serious/critical updates to their stable long-term versions. 99.99% of all software updates are about anything, but security issues. And only part of those issues will affect you and your system. For example if there is some vulnerability in kernel's PPP-module solely, then how it will affect people who used it last time more than twenty years ago? "Bleeding edge vs stable" versions is mainly a question of priorities and preferences. But stability is crucial for security. Real vulnerabilities are relatively seldom thing and they are fixed even in long-term stable distributions. * They strongly recommend against Linux-libre kernel, because they tend to treat constantly updating CPUs microcode as a security measure. Well, what can I say? I strongly recommend against using of kernel, that contains non-free software blobs, that downloads and changes your hardware ('s microcode), because noone knows what that yet another microcode update brings to you. Possibly yet another additional backdoor? Non-free software is completely unacceptable thing for anything related to security or privacy. Additional non-free software/blob/microcode/whatever -- decreased security. Automatically updated non-free software -- automatically decreased security and your computer is just remotely controlled. Their website literally recommends you to use *more* non-free closed software. Unacceptable thing and their site can be just silently closed and be forgotten. Moreover, are those CPU security vulnerabilities are applicable to the user who runs trusted free software? Nope, in general. So why bothering? But if users runs non-free software, understanding all negative consequences and his system breakage, then why he continues worrying about his privacy? If you have to run something untrusted, then use isolated separate computer for that task. At least only it will be affected by broken security countermeasures. Of course it is more expensive solution, but it is the only acceptable one I see. * They recommend Wayland, because X11 protocol allows screen recording and so on. Again -- why bothering, if you run trusted and controlled by *you* software? And if you run untrusted non-free software, then why bother about privacy at all? Why would you run non-free software? I am not against Wayland, but it is stupid advice concerning security. Question is simple: who controls your PC? If it is not you (you run non-free software), then exactly that is the main problem you have to solve, not the X11/Wayland-protocol security. * Why there is no mention of BSD operating systems? I am convinced and sure that they are undoubtedly more secure and privacy respecting out of box. Each year I consider how less control you have other modern popular GNU/Linux distributions. Many (and page about "Linux" also notes that) distributions tend to automatically generate some unique identifier and use it during enabled-by-default software updates, that is completely incompatible with the privacy. Moreover widespread BSD systems are much more lightweight, minimalistic and easier to deal with, because there are just fewer number of unnecessary complex components involved. BSD systems as a rule are complete operating systems, done by the same developers throughout the whole components. That is why their quality and user experience tend to be much higher. Most security features appeared in GNU/Linux ecosystem were invented in BSD OSes. BSDs are often ahead of GNU/Linux world by many features and technologies, of proven quality and stability. * DNS: https://www.privacyguides.org/advanced/dns-overview/ Mostly everything is written correctly. However they claim that "unencrypted DNS always uses UDP" -- that is just not true, because big queries may initiate TCP connection too. I will nag that you do not need *encryption* to make your data unmodifiable. DNSSEC records are not encrypted, but they can not be modified without revealing that fact * Tor: https://www.privacyguides.org/advanced/tor-overview/ They write that Tor is decentralized network. This is lie. It is distributed, yes, but centralized -- they have got centralized closed-source database servers keeping the state of all nodes and censoring who can participate in the network (that already happened several times). They claim that it is designed "with as much privacy as possible" -- can not agree there too, because technically they contain *very* primitive technologies, especially comparing to I2P project as an example. Powerful adversary, like government, can deanonymize Tor participants by monitoring network activities in Tor. I2P really tries to hide timing information by using "garlic" packet assembling and two unidirectional channels with independent network paths. And although I was high-bandwidth Tor exit-node for years, having multiple accidents and interrogations with local police forces, I changed my mind about that network and strongly against supporting that network. As with BitTorrent, I am convinced that it is unfair to use it without participating back (by starting up relay node), without sharing your resources too. And I am united in solidarity with https://withblue.ink/2020/11/12/maybe-we-shouldnt-want-a-fully-decentralized-web.html article, where you have to think about ethical questions, about the responsibility. For me, Tor is a censorship-bypassing technology mainly for spreading the propaganda. * Page about centralized, federated and peer-to-peer network topologies is pretty good indeed: https://www.privacyguides.org/advanced/communication-network-types/ And I like that they do not bias the reader to any type. Each of them has their pros and cons. Even centralized Signal could be the best choice for many people. Personally I am fan of federated networks. * "Linux" choices: https://www.privacyguides.org/linux-desktop/ They recommend Fedora, openSUSE... but are not this website is solely about privacy protection? I assume that they treat any GNU/Linux distribution as already much better choice than either Microsoft Windows, or Apple macOS. But that is not true and looks like just harmful advice. Fedora, Ubuntu and similar widespread distributions are not differ much from any of non-free OSes: by default they tend to automatically and transparently deanonymize you (of course for your better user experience), to leak your search queries, to leak mistyped commands, to easily run non-free software (Flatpack, Snappy technologies) out-of-box. Every time I have installed and run any of those distributions (to check some of my software buildability and workability under them) -- each damn time I find many bugs and awful overall quality and stability. Latest Fedora is so damn slow and bloated, that it can hardly even boot from not so fast USB flash drive, leading to timeouts and programs to exit. How any of those distributions can be secure, when they contain a biggest pile of crap (yes, I intentionally emphasize my worst attitude to that terrible anti-Unix mess of bugs and inflexibilities) called systemd? Its authors once decided even to hard-code Google's public nameservers -- no privacy-aware person can allow that step possibility. https://suckless.org/sucks/systemd/ I really treat systemd-driven distributions no better than any of Microsoft/Apple proprietary creations. The same experience, same insecurity, same snake-oil with beautiful (meaningless in practice) words about the importance of user's privacy. However mention of NixOS is a good one. That distribution has very interesting and attractive package system with reproducible builds. * Router distributions: https://www.privacyguides.org/router/ Can not comment anything here, because I have never used any specialized router software. I have always had just an ordinary OS installed for that task on separate computer. However I dealt with m0n0wall, that is base for pfSense, that is base for OPNsense and can not say anything against it. If it is more convenient to you, then why not? * DNS recommendation: https://www.privacyguides.org/dns/ Awful and pretty harmful recommendation is using some huge network like Cloudflare. Instead of your ISP collecting the DNS data, you move that collection to the huge world-wide company, just helping privacy-hating corporations to spy on you more easily. It is the same as to use Facebook solely for all actions. For example I completely (once again) distrusted Firefox, when they enabled DoH feature by default, leading millions of users to leak their DNS queries to one of the biggest companies in the world. Completely unacceptable and insane. Another option they misses: just setting up your own DNS recursive resolver on VPS (that are very cheap nowadays) and setting ordinary IPsec/WireGuard tunnel to secure requests/responses to it, without using specialized unnecessary higher level protocols for that task. * Email provider recommendation: https://www.privacyguides.org/email/ Actually that is the most hated page by me. Considering ProtonMail completely depreciates any value of the whole website, because it is total snake-oil. First of all, what does email provider intended to do? It is just always available server that temporary stores some outgoing correspondence from you, until destination server is available and receives it. And it stores incoming correspondence probably long-term, until you receive it with you mail user agent (MUA). Email ecosystem does not require connections between email providers to be encrypted and authenticated. In practice many of them does not support that at all. And noone can force TLS usage, because there just can not exist common trust anchor for their authentication (geopolitics and so on). So you can never be sure that your email correspondence is passed over encrypted/authenticated transports solely. That is why you can only do end-to-end encryption for assuring correspondence confidentiality. Who can be responsible for encryption and authentication while you communicate with other people? I assume that this is obvious that only *you* can be that responsible person, because only you (and whom you talk to) is interested in that. And of course technically encryption and authentication can be done in a trusted way only on the computer controlled by you. If computer is not under your control -- no privacy and security can be expected. If third-party does encryption/authentication instead of you -- the same applies. So again, what could you expect from email provider? Actually just a reliable work with enough storage. You can neither force, nor expect it to use encrypted transport. And your encryption/authentication, that is done on you computer, does not require any support from the provider. So there is practically no difference between any of email providers from security point of view if you REALLY do end-to-end secure communications. Some of email providers require you to give real world identities, some of them require cellphone number binding. But in general they are just temporary buffers in the network, nothing more. I heard that ProtonMail did not provide ability to use SMTP/POP3/IMAP4 on free accounts. That means that you can not use ordinary MUA on the computer under your control. So their free account just can not be used for secure communications. They offer (offered?) only web-based access, that requires you to run some automatically downloaded software from their server (JavaScript code inside the browser). The most awful thing is that they provide OpenPGP functionality based on that JavaScript code. That means that your computer runs *their* software (that can be changed anytime without you notice that fact). Complete understanding of some data channel insecurity -- is ok. But false sense of security (when you believe about security, but that can be false assumption) is much worse: you can not make adequate risk management. And ProtonMail just gives exactly the fail sense of security. Even if your private key is kept in encrypted form on their server and is decrypted only inside your browser, nothing prevents them to slightly modify the code *you* run in your browser to make your key/message/whatever leaked. EVERYTHING that relies on code running inside your browser, that is downloaded from remote server not under your control -- can not be trusted and you literally has no control over your computer. I did not read/check about other email providers, because either it is the same snake-oil, or just irrelevant from security point of view. I can not comment anything about self-hosting email section, because it relies on assumption that you would use webmail solution, that is just can not be (securely) compatible with OpenPGP in a sane way. Email has to be used through MUA. * Disk encryption: https://www.privacyguides.org/encryption/ It is pure insanity to recommend BitLocker. Ok, that is already insanity to use Windows and expect any kind of security from it, but BitLocker is known (https://media.ccc.de/v/35c3-9671-self-encrypting_deception) just to silently bypass encryption and rely on built-in SSD methods, that are known often to be complete snake-oil. There are much information about various software. There are many proprietary closed-source non-free ones, so, again, shame on that resource -- non-free software never can be a choice regarding security or privacy. Of course there are good software mentioned too, like Syncthing, Mutt, GnuPG and similar things. But considering non-free or JavaScript-driven solutions brings a false sense of security, that is much worse than adequate understanding of lack of security. -- 2.50.0