Page History
...
HTTPS (HTTP Secure) is an extension of HTTP, the foundation of data communication on the Internet. A properly configured HTTPS application insures ensures that communication between you and the website is encrypted end-to-end encrypted, making it impossible for third parties to view/read what you send to websites (through forms, file uploads, etc.).
...
Never submit sensitive data to a website that's not secured!
On most modern browsers, a secured website will have a green lock and the address will show "https:", modern browsers also give you a clear warning that requires multiple clicks to bypass and to use an insecure site. But if you're using an older browser or one that doesn't have these safeguarding features, always look for a closed lock icon and "https" in the urladdress bar.
Secure website Insecure website 
Always make sure to type out "https://" to ensure complete end-to-end encryption
Info title Important! This is critically important if you're on a public/untrusted network (e.g. public WiFi). This also applies at the Internet Service Provider level, if you have reason to believe your ISP or its government are intercepting your data, always make sure to type out "https://"
Unfortunately, the internet was designed without any privacy and security features in mind, and these features were only added on later. But because these added measures required a time and monetary investment from website operators, adoption has been a very slow process. As a result, the internet effectively operates in two discrete modes, the new secure protocol (https) and the old insecure protocol (http), with http being the default.
Because the two modes are discrete, most websites support both protocols to allow users to simply type "example.com" instead of "https://example.com". "example.com" translates to the default protocol ("http://example.com") and then the website may redirect you to the https protocol.
An attacker can take advantage of this redirect with a technique known as "Man In The Middle", in which the attacker intercepts your insecure requests and sends them to the website through the secure protocol, it then receives the response from the website and sends them back to you after reading its content.Info title Techno-babel For a better understanding, here's an illustration of your communication with example.com when properly secured using https:
Notice how your communication with the website is encrypted end-to-end, and no outside party can view what you send and receive.
When browsing to example.com without typing "https", assuming the site implements a redirect, the initial communication with the website is insecure, the website then instructs your browser to communicate over the secure protocol insuring all future communication is secured and private.
An attacker (e.g. a malicious WiFi hotspot, ISP, etc) can take advantage of this by not sending the initial request to the website over the insecure protocol, instead but by sending your data to the website over the secure protocol after reading/manipulating the content instead, only to return it to you over the insecure protocol after again reading/manipulating the response.
Notice that example.com is communicating securely with the malicious network, it's acting as a Man In The Middle.
...
Virtual Private Networks (VPNs), employ end-to-end encryption technologies to creates a safe and encrypted connection over a less secure network, such as the Internet. For our purposes, VPNs are used to insure ensure our online activities cannot be snooped on by unauthorized parties.
Without a VPN, we rely on HTTPs and other forms of encryption to hide the contents of our interactions with a website, but that doesn't hide the fact that we communicated with the website. Think of HTTPS as using a special code language to communicate with each other in public, extending this analogy, VPN is the equivalent of going into a private meeting room from the front door, and through one door while your partner enters through he back door which is well hiddenthrough another door on the other side of the building. The observer knows that you entered the room, but we they don't know what you said or to whomwho else has entered the room.
As an example, let's say you are making a purchase of a product from example.com for $100, here is what an eavesdropper can observe:
| example.com | https://example.com | https://example.com over VPN |
|---|---|---|
|
|
That's all an observer is able to see, since even web requests are encrypted ; since all network traffic is end-to-end encrypted over VPN, the observer can't see any websites you attempt to access , or make any assumptions about what you did on said websites. |
...
It's important to recognize that while a VPN hides your activity from the public network you're on (or your ISP), your VPN provider VPN can see your activity clearly. It's very important to use a VPN from a trusted provider. The most important factors to look out for when choosing a VPN provider are:
- Do they keep access logs?
- Using a VPN to protect your privacy is pointless if everything you do is stored into in neat logs. The VPN providers we trust do not keep any logs.
- Do they use a modern and secure tunneling protocol?
- Avoid VPN services that only support PPTP.
- Where are they based?
- Are they based where the government of your place of residence has jurisdiction?
- Are they based in the "Five Eyes"? (Australia, Canada, New Zealand, and the United States of America). These countries are bound by the multilateral UKUSA Agreement, a treaty for joint cooperation in signals intelligence.
- Are they based in the "Nine Eyes", consisting of the Five Eyes plus Denmark, France, the Netherlands, and Norway?
- Are they based in the "Fourteen Eyes", consisting of the same countries as the Nine Eyes plus Germany, Belgium, Italy, Spain, and Sweden?
- Other considerations:
- How many servers do they have? Do they have servers physically near you? The closer you are physically to the server, the faster your connections will be.
- Do they have bandwidth limits? Do they throttle speeds for any reason?
- How many concurrent connections can you make? Can you secure all your devices?
...
- NordVPN (https://nordvpn.com/)
- They don't keep logs
- Based in Panama, can't be compelled to produce any logs
- OpenVPN protocol, most modern
- Modern and secure.
- Kill-switch. When setupset up, if the VPN connection were to fail for any reason, the kill switch prevents your computer from quietly falling back onto the insecure connection.
- Plus
- Fast, reliable
- Works with Netflix
- Affordable
- Double VPN feature - Just a gimmick In my opinion, but not a bad thing
- They don't keep logs
- Mozilla VPN (https://www.expressvpn.commozilla.org/en-US/products/vpn/)
- They don't keep logs
- Based in British Virgin Islands, can't be compelled to produce any logs
- WireGuard protocol
- Modern, secure, and audited. Faster than OpenVPN.
- Kill-switch. When setupset up, if the VPN connection were to fail for any reason, the kill switch prevents your computer from quietly falling back onto the insecure connection.
- Provided by the Mozilla foundation.
- Can they be trusted? It's complicated, but we trust them.
- Mozilla Foundation is based in the United States (Five Eyes) which normally would be a big red flag, but the Mozilla Foundation is a well-established leader and has a proven track record of protecting and advocating for user privacy.
- Mozilla VPN is actually offered through a partnership with Mullvad VPN, based in Sweden (Fourteen Eyes). This should be noted, but we trust Mozilla to fully vet who they partner with.
- They don't keep logs
- ExpressVPN (https://www.expressvpn.com/)
- They don't keep logs
- Based in the British Virgin Islands, can't be compelled to produce any logs
- OpenVPN
- Modern and secure
- Kill-switch. When set up, if the VPN connection were to fail for any reason, the kill switch prevents your computer from quietly falling back onto the insecure connection.
- Plus
- Fastest tested, reliable
- Works with Netflix
- More expensive than NordVPN, though consistently faster.
- They don't keep logs
...
- PersonalVPN by Witopia (https://www.personalvpn.com/) <- Overall not recommended!
- Overall, PersonalVPN is a solid VPN service that's relatively easy to use, fast, and reliable. However, at the time of testing, it has a serious privacy issue. Furthermore, it is slow to offer modern features , and still lacks behind the competition in several areas. My recommendation is to switch to NordVPN or ExpressVPN.
- They don't keep logs, but they are based in the Five Eyes, so be careful.
- Very fast
- Leaks your DNS! This is a major flaw, potentially gives away your real IP address. Beware!
- No kill-switch. Risky.
- On the expensive side.
...
With more and more online services requiring account creation, and our growing dependence on online services, it can be difficult to keep track of and remember all the passwords for all the different accounts. For passwords to accounts and services aimed at insuring ensuring privacy, remember those by heart; for everything else (Netflix, Facebook, etc), use a password manager. A text document or a spreadsheet is not a secure way to store your passwords!
Password managers come in two flavors, local storage, and cloud storage. Password managers can be used for a lot more than passwords, secure notes, credit card numbers, private encryption keys, and other sensitive information can be securely and safely stored in secure password management software.
...
We recommend KeePass for offline password management (https://keepass.info). It uses proven encryption technologies and has a proven track record of properly implementing them, it's open-source, and it's portable (meaning you can run it off a USB drive, without installing any software to your computer.
...
- You need an active internet connection to be able to access your passwords
- You don't have to worry about backing up your own database file
- On the flip side, there is a risk of the provider losing the data
We recommend LastPass BitWarden for cloud password management (https://lastpassbitwarden.com/).
- Use a strong password
Your password, a short memorable phrase, is all that stops unauthorized access to all your data. Be sure to choose a strong and secure password. General tips:
...
Birthdays, anniversary dates, pet or loved ones' names are all terrible ideas for passwordpasswords. So are favorite quotes, famous names, or any piece of information that can be easily guessed by knowing you or talking to you.
...
Consider the following two passwords: "yM&Lqg4?S" and "atone long pod wordy calve", we've been led to believe that the first one is the more secure password, in fact, the second password would fail most "password strength" tests for not containing numbers or special characters, but in reality, the first password is more difficult for us to memorize, and far easier for the a computer to guess.
Choose a password that's easy to remember, sufficiently long, and optionally introduce easy-to-remember typos or letter substitutions to make it more difficult for a computer to guess.
| Info | ||
|---|---|---|
| ||
There are two types of "guessing" attacks to break into a password-protected system by attempting to guess the password, brute-force and dictionary; these attacks are effectively useless against online systems, even if not secured properly, the latency alone makes them impractical. However, these attacks are very effective against local encrypted files (like your password database, or any other file you encrypt for privacy). Let's compare the two attacks against our two passwords. Let's assume the attacker is using an array of modern processors that is capable of going through Brute Force This technique relies on trying every possible combination of characters until the correct one is guessed, hence the name brute force. If we consider a typical brute force algorithm that attempts to guess the password with the 26 characters of the English alphabet in both upper and lower case, 10 numerical digits, and 33 special characters easily found on a qwerty keyboard, we find:
Dictionary Attack: A dictionary attack aims to address the slowness of a brute force attack by taking advantage of people's tendency to use simple words as their passwords, this relies on the password consisting of a word or two, or it becomes a brute force attack. The English language is rather rich, we'll consider a medium-sized "dictionary" of 450,000 words for this attack (note that the bigger the dictionary, the more likely it is to produce a successful guess, and the slower it is, the most popular password cracking dictionary at the time of this writing contains 1,493,677,782 words).
|
...
The basic concept of most two-factor authentication systems is to use something you know (your password) as well as something you have (fingerprint, access to a cell phone, or a secure token). Even if someone gets a hold ahold of your password, they won't be able to access your files/accounts without also having access to your second authentication factor.
It is recommended to always use two-factor authentication when available, in today's world where attackers have more and more ways to intercept passwords, a second factor of authentication is often the only way to stop unauthorized access.
When setting up two-factor authentication, you're given the option to generate permanent recovery codes, these are to be used if you lose access to your second factor (your phone, for example). Write these codes down and store them in a secure location. If you lose access to your second factor, and you don't have a recovery code, you may not be able to regain access to your accounts.
For software-based token authentication, we recommend using BitWarden's built-in authenticator functionality. We also recommend LastPass Authenticator (https://lastpass.com/auth/). If used in conjunction with LastPass password manager, it allows you to securely and easily backup your authentication codes in your LastPass vault, making it easy to recover access to all your accounts in case your phone gets lost or damaged.
Antivirus
...
Modern operating systems are designed with security in mind, and modern web browsers are very good at telling us when a website seems risky, but at the end of the day the computer will do what we tell it , and if we accidentally tell it to trust an infected file, antivirus can act as a last resort to stop the spread of the infection. The key takeaway here is that we want antivirus to be a the last resort, just in case, we shouldn't solely rely on it for safety and security.
- All Operating Systems are vulnerable to some degree
Don't believe the common myth that a specific OS is impenetrable, malware can affect all kinds of consumer operating systems.
However, all modern operating systems have built-in features that protect against the most common types of malware, and they may never get infected as long as we are careful when using them. Again I stress that antivirus should be a last resort, you want your antivirus to be there if you make a mistake, but our goal is to never need to use it. Do use an antivirus program, but also finish reading this section.
As of June 2018, we recommend these Antivirus programs, for their consistently high catch rate (percentage of threats neutralized) and low false catch rate (false alarms that inconveniently block safe programs), as well as low usage of system resources:- For Windows:
- Bitdefender (https://www.bitdefender.com/)
- ESET(https://www.eset.com/us/)
- For Mac OS
- Bitdefender (https://www.bitdefender.com/)
- Trend Micro (https://www.trendmicro.com/en_us/business.html)
- AV Test Institute (https://www.av-test.org/en)
- AV-Comparatives (https://www.av-comparatives.org)
- Use common sense
- Keep your software up to date, always install security updates when they are available. Update address critical vulnerabilities in your operating system and applications, keeping software up to date is the easiest and most effective method of securing it.
- Know what software you're running!
- Don't grant administrative access to applications you don't trust. Always read dialog boxes that your operating system presents you!
- Pay attention to the permissions an app is requesting on your phone, do they make sense for what the app is supposed to do?
- Avoid risky websites. Look for obvious signs like promising paid content for free, brand name products for sale at prices too good to be true, etc.
- Keep an eye out for popups that warn you that your computer is damaged, if it's not coming from your antivirus software, it's fake.
- Never grant remote access to your computer to unsolicited callers. Microsoft/Apple will never call you about problems with your computer.
- Use a good ad-blocker to minimize your exposure to potential scams. We recommend uBlock Origin for Google Chrome (https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en)
- Don't open any attachments from unknown and unsolicited senders.
- Even if you trust the sender, exercise common sense when opening attachments. Read message boxes carefully, if an application like Microsoft Word, for example, is informing you that it's opening the attachment in "Protected View" and to "be careful", while the attachment itself is telling you to disable protected view, trust your application.
- Never share your personally identifiable information with unsolicited callers/emails.
- Businesses (Apple, your bank, power company, etc) will never ask you to share your password with them.
- If a business you deal with calls you and asks you to verify your personal information, politely inform them that you're going to hang up and call back; this is standard practice and they should be trained to expect that. Call the business on their main line and publically listed phone numberand confirm that they were the ones calling you.
- Be careful when clicking on links in emails, it may not be the real website of the business, but a fake copy of it. Never type your password into a website if you don't recognize the address, even if it looks like the real thing.
- You can use the browser extension Web Of Trust to help you identified trusted websites (https://www.mywot.com/en/download)
- Backup and Recovery
The most common and profitable malware today is known as ransomware, once they convince you to execute the infected file, the virus starts encrypting files on the computer and gives you a specific period of time to pay a ransom to decrypt your files. The attacker often has no motivation, intention, or ability to decrypt your files, even after paying the requested ransom. The best way to recover from this type of attack is to restore from a clean backup; this also holds true for any cause of data-loss.- Backup
Backup any and all files you wouldn't be able to replace: important documents, family photos and videos, or any other irreplaceable data. - Backup often
Backup your files often as they are modified or updated. - Backup smart
Use the 3-2-1 backup strategy to insure the safety of your data. Always keep at least 3 copies of all data you cannot replace, on at least 2 devices, with at least 1 copy stored off-site.
For example, keep your data on your laptop computer, store a copy on a portable hard drive, and upload the rest to a cloud backup service.
For cloud backups, we recommend Backblaze (https://www.backblaze.com), they offer unlimited backups for $5/month, all your files are encrypted locally and they offer the option to provide your own private encryption key (see Encryption section), meaning you control the encryption and they cannot decrypt your data on their end.
- Backup
...
For encrypting personal data for long-term storage and/or secure off-site backup, we recommend using AES. Advanced Encryption Standard (AES) is a symmetric key algorithm ratified as a standard by the National Institute of Standards and Technology of the United States; AES-256 is currently labeled as sufficient to use in the US government for the transmission of TOP SECRET information.
...
The tool we recommend using for encrypting personal files is 7-zip (https://www.7-zip.org/). 7-Zip is a free and open-source compression and packaging program with a strong implementation of AES-256 encryption.
For MacOS X, Keka (https://www.keka.io/en/) is a port of 7-zip that offers the same level of encryption. A guide for using Keka can be found here: https://github.com/aonez/Keka/wiki/Compressing-with-Keka
We recommend 7-zip because it is a very popular archiving tool, and it doesn't scream "I'm encrypting files!", satisfying the Security-through-obscurity principal.
For a more convenient - but less obscure - experience, I we recommend VeraCrypt (https://www.veracrypt.fr/en/Home.html). It allows you to mount a logical drive (think a USB drive plugged into your computer), where everything you save to the drive is encrypted. You can then safely upload the whole volume (or "drive" file).
...
This allows you to share the public key freely, which a sender would use to encrypt their data before sending it to you, and only you can decrypt the data with your private key. In contrast, when you want to send sensitive data to another person, you must use their public key to encrypt it.
...
When sharing sensitive information, such as passwords or private encryption keys, always insure ensure the data is encrypted end-to-end; that is, encrypted on the sender's local device, and decrypted on the receiver's local device.
Services like protonmail.com rely on public-key encryption to insure ensure your emails are encrypted end-to-end, but to make it easy to use, they hold on to your private key and store it securely in their own servers. The private key is itself encrypted on their servers and is only decrypted when you successfully login to your account, it is then decrypted and sent to your browser where it is stored in memory to decrypt the emails. In theory, ProtonMail cannot access your private key, but since we don't know how they encrypt it, we cannot know for sure that it's securely encrypted. Therefore, we rely on them to not access it or allow anyone else to access it. For most communications, ProtonMail is considered highly secure.
It's important to note that emails sent through proton mail are only end-to-end encrypted when sent to a proton mail recipient. This is our unlisted ProtonMail account if you wish to reach us through it: quietwizard@protonmail.com
...
Click on the Advanced Settings button, and make sure you're using RSA 4096 bits, the checkbox for "+RSA" is optional , and can be used for signing, go ahead and check it.
...
Note that we unchecked the "Encrypt for me" option , since we're using the public key of the recipient. We checked the "Encrypt for others" option and chose the imported public key by searching for the name on the key ("XXXXX").
...
The Gpg4Win suite has also installed extensions to allow you to easily encrypt/decrypt emails within Outlook , if you happen to have that installed.
...
You can use the previously discussed encryption methods to securely encrypt and send private information, but they maybe may be too cumbersome to use if you only want to prevent eavesdropping while the data is in transit. If the information doesn't have to remain encrypted once it reaches its target, there's a far better approach: Perfect Forward Secrecy (PFS). PFS is designed for ongoing communication (like your web - browser communicating with a website over a browsing session, or a messaging application), it works in a very similar way to the previously discussed encryption methods, but it differs in that it generates a unique key-pair for every subsequent communication, this insuring thus ensuring that even in the unlikely event that an attacker can guess a key, they can that one message - leaving the rest of the communication session private and secure.
...
We recommend the following messaging applications for secure and private communication:private communication:
- Signal Private Messenger
- Signal Private Messenger (Android: https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms, iOS: https://itunes.apple.com/us/app/signal-private-messenger/id874139669?mt=8)
- WhatsApp (Android: https://play.google.com/store/apps/details?id=comorg.thoughtcrime.whatsappsecuresms, iOS: https://itunes.apple.com/us/app/whatsappsignal-private-messenger/id310633997id874139669?mt=8)
- Google Allo (in incognito mode): (WhatsApp (Android: https://play.google.com/store/apps/details?id=com.google.android.apps.fireball, iOSwhatsapp, iOS: https://itunes.apple.com/us/app/googlewhatsapp-allomessenger/id1096801294id310633997?mt=8)
Keep in mind, that Google Allo only employs the signal protocol during incognito sessions, but this has the added benefit of easily deleting the conversation when it's read, removing the risk of it sitting un-encrypted. - Skype and Facebook Messenger both have a Private Conversation mode, which switches to a session protected by the Signal Protocol, but the default chat mode is not.
...
