This is a simplified guide to encryption, security, and digital privacy. The programs and tools recommended here are tested and trusted by Reliant, but they are not the only suitable option. The goal of this write-up is to guide you towards the best level of privacy without adding unnecessary complications, to strike a balance between a solution that's "good enough" and easy to use. 

Online Security

HTTPS

---

HTTPS (HTTP Secure) is an extension of HTTP, the foundation of data communication on the Internet. A properly configured HTTPS application ensures that communication between you and the website is end-to-end encrypted, making it impossible for third parties to view/read what you send to websites (through forms, file uploads, etc.). 

Always make sure to pay attention to the following:

• Never submit sensitive data to a website that's not secured!

  On most modern browsers, a secured website will have a green lock and the address will show "https:", modern browsers also give you a clear warning that requires multiple clicks to bypass to use an insecure site. But if you're using an older browser or one that doesn't have these safeguarding features, always look for a closed lock icon and "https" in the address bar. 

  Secure website	Insecure website

• Always make sure to type out "https://" to ensure complete end-to-end encryption

  Important!

  This is critically important if you're on a public/untrusted network (e.g. public WiFi). This also applies at the Internet Service Provider level, if you have reason to believe your ISP or its government are intercepting your data, always make sure to type out "https://" 

  Unfortunately, the internet was designed without any privacy and security features in mind, and these features were only added on later. But because these added measures required a time and monetary investment from website operators, adoption has been a very slow process. As a result, the internet effectively operates in two discrete modes, the new secure protocol (https) and the old insecure protocol (http), with http being the default. 

  Because the two modes are discrete, most websites support both protocols to allow users to simply type "example.com" instead of "https://example.com". "example.com" translates to the default protocol ("http://example.com") and then the website may redirect you to the https protocol. 
  An attacker can take advantage of this redirect with a technique known as "Man In The Middle", in which the attacker intercepts your insecure requests and sends them to the website through the secure protocol, it then receives the response from the website and sends them back to you after reading its content.

  Techno-babel

  For a better understanding, here's an illustration of your communication with example.com when properly secured using https:
  Notice how your communication with the website is encrypted end-to-end, and no outside party can view what you send and receive. 

  
  
  

  When browsing to example.com without typing "https", assuming the site implements a redirect, the initial communication with the website is insecure, the website then instructs your browser to communicate over the secure protocol insuring all future communication is secured and private.

  An attacker (e.g. a malicious WiFi hotspot, ISP, etc) can take advantage of this by not sending the initial request to the website over the insecure protocol, but by sending your data to the website over the secure protocol after reading/manipulating the content instead, only to return it to you over the insecure protocol after again reading/manipulating the response.
  Notice that example.com is communicating securely with the malicious network, it's acting as a Man In The Middle.
  

VPN

---

Virtual Private Networks (VPNs), employ end-to-end encryption technologies to creates a safe and encrypted connection over a less secure network, such as the Internet. For our purposes, VPNs are used to ensure our online activities cannot be snooped on by unauthorized parties. 

Without a VPN, we rely on HTTPs and other forms of encryption to hide the contents of our interactions with a website, but that doesn't hide the fact that we communicated with the website. Think of HTTPS as using a special code language to communicate with each other in public, extending this analogy, VPN is the equivalent of going into a private meeting room through one door while your partner enters through another door on the other side of the building. The observer knows that you entered the room, but they don't know who else has entered the room. 

As an example, let's say you are making a purchase of a product from example.com for $100, here is what an eavesdropper can observe:  

It's important to recognize that while a VPN hides your activity from the public network you're on (or your ISP), your VPN provider can see your activity clearly. It's very important to use a VPN from a trusted provider. The most important factors to look out for when choosing a VPN provider are:

• Do they keep access logs? 
  • Using a VPN to protect your privacy is pointless if everything you do is stored in neat logs. The VPN providers we trust do not keep any logs.
• Do they use a modern and secure tunneling protocol? 
  • Avoid VPN services that only support PPTP.
• Where are they based? 
  • Are they based where the government of your place of residence has jurisdiction? 
  • Are they based in the "Five Eyes"? (Australia, Canada, New Zealand, and the United States of America). These countries are bound by the multilateral UKUSA Agreement, a treaty for joint cooperation in signals intelligence.
    • Are they based in the "Nine Eyes", consisting of the Five Eyes plus Denmark, France, the Netherlands, and Norway?
    • Are they based in the "Fourteen Eyes", consisting of the same countries as the Nine Eyes plus Germany, Belgium, Italy, Spain, and Sweden?
• Other considerations:
  • How many servers do they have? Do they have servers physically near you? The closer you are physically to the server, the faster your connections will be.
  • Do they have bandwidth limits? Do they throttle speeds for any reason?
  • How many concurrent connections can you make? Can you secure all your devices?

VPN services we recommend:

• NordVPN (https://nordvpn.com/)
  • They don't keep logs
    • Based in Panama, can't be compelled to produce any logs
  • OpenVPN protocol
    • Modern and secure.
  • Kill-switch. When set up, if the VPN connection were to fail for any reason, the kill switch prevents your computer from quietly falling back onto the insecure connection.
  • Plus
    • Fast, reliable
    • Works with Netflix
    • Affordable
    • Double VPN feature
• Mozilla VPN (https://www.mozilla.org/en-US/products/vpn/)
  • They don't keep logs
  • WireGuard protocol
    • Modern, secure, and audited. Faster than OpenVPN.
  • Kill-switch. When set up, if the VPN connection were to fail for any reason, the kill switch prevents your computer from quietly falling back onto the insecure connection.
  • Provided by the Mozilla foundation.
  • Can they be trusted? It's complicated, but we trust them.
    • Mozilla Foundation is based in the United States (Five Eyes) which normally would be a big red flag, but the Mozilla Foundation is a well-established leader and has a proven track record of protecting and advocating for user privacy.
    • Mozilla VPN is actually offered through a partnership with Mullvad VPN, based in Sweden (Fourteen Eyes). This should be noted, but we trust Mozilla to fully vet who they partner with. 
• ExpressVPN (https://www.expressvpn.com/)
  • They don't keep logs
    • Based in the British Virgin Islands, can't be compelled to produce any logs
  • OpenVPN
    • Modern and secure
  • Kill-switch. When set up, if the VPN connection were to fail for any reason, the kill switch prevents your computer from quietly falling back onto the insecure connection.
  • Plus
    • Fastest tested, reliable
    • Works with Netflix
    • More expensive than NordVPN, though consistently faster. 

Additional reviewed VPN services:

• PersonalVPN by Witopia (https://www.personalvpn.com/) <- Overall not recommended!
  • Overall, PersonalVPN is a solid VPN service that's relatively easy to use, fast, and reliable. However, at the time of testing, it has a serious privacy issue. Furthermore, it is slow to offer modern features and still lacks behind the competition in several areas. My recommendation is to switch to NordVPN or ExpressVPN.
  • They don't keep logs, but they are based in the Five Eyes, so be careful. 
  • Very fast
  • Leaks your DNS! This is a major flaw, potentially gives away your real IP address. Beware!
  • No kill-switch. Risky.
  • On the expensive side. 
    
    

If you're curious about another VPN service, get in touch with us and we'll try to assess it.

Passwords

---

Your emails or encrypted files may be secure, but it doesn't matter if an attacker can get hold of your password.

• Never reuse passwords!

The most common way an attacker gains access to an important online account (gmail, banking, etc) is not by defeating the security of the high profile services, but by trying the same password that was used on a less secure service. It's important to use unique passwords for all the accounts that matter.

It's vital that the difference between passwords be ambiguous. Do not use the same password differing only by including the service name, for example.

• Use a password manager

With more and more online services requiring account creation, and our growing dependence on online services, it can be difficult to keep track of and remember all the passwords for all the different accounts. For passwords to accounts and services aimed at ensuring privacy, remember those by heart; for everything else (Netflix, Facebook, etc), use a password manager. A text document or a spreadsheet is not a secure way to store your passwords!

Password managers come in two flavors, local storage, and cloud storage. Password managers can be used for a lot more than passwords, secure notes, credit card numbers, private encryption keys, and other sensitive information can be securely and safely stored in secure password management software. 

• • Local Password Manager

Local password managers store your passwords in an encrypted file that is saved locally on your device, giving you complete control over the data.

• • You can save the encrypted password database file onto a USB drive for portability and ease of access to your passwords and other sensitive data when Internet access is unreliable or unavailable
  • You don't have to worry about the password management service provider losing the data, or rely on them to properly back it up
  • On the flip side, you have to make sure you properly back up your file.

We recommend KeePass for offline password management (https://keepass.info). It uses proven encryption technologies and has a proven track record of properly implementing them, it's open-source, and it's portable (meaning you can run it off a USB drive, without installing any software to your computer. 

• • Cloud Password manager

Cloud password managers store your passwords in an encrypted file that is stored on the provider's servers

• • You need an active internet connection to be able to access your passwords
  • You don't have to worry about backing up your own database file
  • On the flip side, there is a risk of the provider losing the data

We recommend BitWarden for cloud password management (https://bitwarden.com/).

• Use a strong password

Your password, a short memorable phrase, is all that stops unauthorized access to all your data. Be sure to choose a strong and secure password. General tips:

• • Don't use personally identifiable information

Birthdays, anniversary dates, pet or loved ones' names are all terrible ideas for passwords. So are favorite quotes, famous names, or any piece of information that can be easily guessed by knowing you or talking to you. 

Your password should be chosen randomly, it should not reflect your thoughts or feelings. 

• • Entropy matters!

Forget conventional wisdom and outdated practices, random letters and numbers do not make the best passwords unless they are very long, which makes them next to impossible to remember. Your passwords (unless seldom used and stored in a password manager) should be nearly impossible to guess, but very easy to remember. 

Consider the following two passwords: "yM&Lqg4?S" and "atone long pod wordy calve", we've been led to believe that the first one is the more secure password, in fact, the second password would fail most "password strength" tests for not containing numbers or special characters, but in reality, the first password is more difficult for us to memorize, and far easier for a computer to guess. 

Choose a password that's easy to remember, sufficiently long, and optionally introduce easy-to-remember typos or letter substitutions to make it more difficult for a computer to guess. 

Two Factor Authentication

---

Two-factor authentication is a method of confirming a user's identity with two pieces of identification (factors), to add an extra layer of security. Your password may be very well crafted, but it's only secure as long as no one else can see it. If your password becomes known to a third party, a second factor of authentication can keep your information secure. 

The basic concept of most two-factor authentication systems is to use something you know (your password) as well as something you have (fingerprint, access to a cell phone, or a secure token). Even if someone gets ahold of your password, they won't be able to access your files/accounts without also having access to your second authentication factor. 

It is recommended to always use two-factor authentication when available, in today's world where attackers have more and more ways to intercept passwords, a second factor of authentication is often the only way to stop unauthorized access. 

When setting up two-factor authentication, you're given the option to generate permanent recovery codes, these are to be used if you lose access to your second factor (your phone, for example). Write these codes down and store them in a secure location. If you lose access to your second factor, and you don't have a recovery code, you may not be able to regain access to your accounts. 

For software-based token authentication, we recommend using BitWarden's built-in authenticator functionality. We also recommend LastPass Authenticator (https://lastpass.com/auth/). 

Antivirus

---

Modern operating systems are designed with security in mind, and modern web browsers are very good at telling us when a website seems risky, but at the end of the day the computer will do what we tell it and if we accidentally tell it to trust an infected file, antivirus can act as a last resort to stop the spread of the infection. The key takeaway here is that we want antivirus to be the last resort, just in case, we shouldn't solely rely on it for safety and security. 

• All Operating Systems are vulnerable to some degree
  Don't believe the common myth that a specific OS is impenetrable, malware can affect all kinds of consumer operating systems.
  However, all modern operating systems have built-in features that protect against the most common types of malware, and they may never get infected as long as we are careful when using them. Again I stress that antivirus should be a last resort, you want your antivirus to be there if you make a mistake, but our goal is to never need to use it. Do use an antivirus program, but also finish reading this section. 
  As of June 2018, we recommend these Antivirus programs, for their consistently high catch rate (percentage of threats neutralized) and low false catch rate (false alarms that inconveniently block safe programs), as well as low usage of system resources:
  • For Windows:
  1. Bitdefender (https://www.bitdefender.com/)
  2. ESET(https://www.eset.com/us/)
  • For Mac OS
  1. Bitdefender (https://www.bitdefender.com/)
  2. Trend Micro (https://www.trendmicro.com/en_us/business.html)
  For other Operating System recommendations and for up to date test results, these groups do monthly independent tests of the top antivirus suites:
  • AV Test Institute (https://www.av-test.org/en)
  • AV-Comparatives (https://www.av-comparatives.org)

• Use common sense
  • Keep your software up to date, always install security updates when they are available. Update address critical vulnerabilities in your operating system and applications, keeping software up to date is the easiest and most effective method of securing it.
  • Know what software you're running! 
    • Don't grant administrative access to applications you don't trust. Always read dialog boxes that your operating system presents you!
    • Pay attention to the permissions an app is requesting on your phone, do they make sense for what the app is supposed to do?
  • Avoid risky websites. Look for obvious signs like promising paid content for free, brand name products for sale at prices too good to be true, etc. 
  • Keep an eye out for popups that warn you that your computer is damaged, if it's not coming from your antivirus software, it's fake. 
    • Never grant remote access to your computer to unsolicited callers. Microsoft/Apple will never call you about problems with your computer.
    • Use a good ad-blocker to minimize your exposure to potential scams. We recommend uBlock Origin for Google Chrome (https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en)
  • Don't open any attachments from unknown and unsolicited senders. 
    • Even if you trust the sender, exercise common sense when opening attachments. Read message boxes carefully, if an application like Microsoft Word, for example, is informing you that it's opening the attachment in "Protected View" and to "be careful", while the attachment itself is telling you to disable protected view, trust your application. 
  • Never share your personally identifiable information with unsolicited callers/emails. 
    • Businesses (Apple, your bank, power company, etc) will never ask you to share your password with them. 
    • If a business you deal with calls you and asks you to verify your personal information, politely inform them that you're going to hang up and call back; this is standard practice and they should be trained to expect that. Call the business on their publically listed phone numberand confirm that they were the ones calling you. 
    • Be careful when clicking on links in emails, it may not be the real website of the business, but a fake copy of it. Never type your password into a website if you don't recognize the address, even if it looks like the real thing. 
    • You can use the browser extension Web Of Trust to help you identified trusted websites (https://www.mywot.com/en/download)
• Backup and Recovery
  The most common and profitable malware today is known as ransomware, once they convince you to execute the infected file, the virus starts encrypting files on the computer and gives you a specific period of time to pay a ransom to decrypt your files. The attacker often has no motivation, intention, or ability to decrypt your files, even after paying the requested ransom. The best way to recover from this type of attack is to restore from a clean backup; this also holds true for any cause of data-loss. 
  • Backup
    Backup any and all files you wouldn't be able to replace: important documents, family photos and videos, or any other irreplaceable data. 
  • Backup often
    Backup your files often as they are modified or updated.
  • Backup smart
    Use the 3-2-1 backup strategy to insure the safety of your data. Always keep at least 3 copies of all data you cannot replace, on at least 2 devices, with at least 1 copy stored off-site.
    For example, keep your data on your laptop computer, store a copy on a portable hard drive, and upload the rest to a cloud backup service. 
    For cloud backups, we recommend Backblaze (https://www.backblaze.com), they offer unlimited backups for $5/month, all your files are encrypted locally and they offer the option to provide your own private encryption key (see Encryption section), meaning you control the encryption and they cannot decrypt your data on their end. 

Encryption

Encryption is the process of scrambling data through complicated mathematical formulas that make them unrecognizable, we'll discuss three use-cases for encryption, and the types of encryption and tools for each use-case. 

Personal Encryption

---

For encrypting personal data for long-term storage and/or secure off-site backup, we recommend using AES. Advanced Encryption Standard (AES) is a symmetric key algorithm ratified as a standard by the National Institute of Standards and Technology of the United States; AES-256 is currently labeled as sufficient to use in the US government for the transmission of TOP SECRET information.

At present, there is no known practical attack that would allow someone without knowledge of the key to read data encrypted by AES when correctly implemented. As far as we know, intelligence organizations such as the NSA are not able to break it.

A symmetric block cipher uses a single encryption key to encrypt and to decrypt data, making it useful to encrypt personal documents but useless for sharing sensitive information with a third party.

AES is:

• Easy to use
• Does not rely on trusting a third party
• Suitable for encrypting data for secure storage

Once properly encrypted, data can safely be duplicated for off-site backups or removal from local device. 

The tool we recommend using for encrypting personal files is 7-zip (https://www.7-zip.org/). 7-Zip is a free and open-source compression and packaging program with a strong implementation of AES-256 encryption. 
For MacOS X, Keka (https://www.keka.io/en/) is a port of 7-zip that offers the same level of encryption. A guide for using Keka can be found here: https://github.com/aonez/Keka/wiki/Compressing-with-Keka

We recommend 7-zip because it is a very popular archiving tool, and it doesn't scream "I'm encrypting files!".

For a more convenient - but less obscure - experience, we recommend VeraCrypt (https://www.veracrypt.fr/en/Home.html). It allows you to mount a logical drive (think a USB drive plugged into your computer), where everything you save to the drive is encrypted. You can then safely upload the whole volume (or "drive" file).

Encryption for secure data sharing

---

For encrypting data for the purpose of sharing it with others, we recommend using RSA. RSA is a public-key cryptosystem, which uses an asymmetric key algorithm. The most important concept to understand about asymmetric key encryption is that it uses a public-private key pair, the public key is used to encrypt data, and the private key is used to decrypt it.

This allows you to share the public key freely, which a sender would use to encrypt their data before sending it to you, and only you can decrypt the data with your private key. In contrast, when you want to send sensitive data to another person, you must use their public key to encrypt it.

At present, there is no known practical attack that would allow someone without knowledge of the private key to read data encrypted by RSA when correctly implemented. As far as we know, intelligence organizations such as the NSA are not able to break it.

RSA is:

 

• Suitable for sharing private information
• Suitable for encrypting personal data for secure storage
  Depending on implementation:
  Delegated implementation (with services like protonmail.com): 
  
  • Relies on trusting a third party
  • Easy to use
  Manual implementation (as described in this write-up)
  
  • Difficult to learn and tedious to use 
  • Does not rely on trusting a third party with decryption keys

When sharing sensitive information, such as passwords or private encryption keys, always ensure the data is encrypted end-to-end; that is, encrypted on the sender's local device, and decrypted on the receiver's local device. 

Services like protonmail.com rely on public-key encryption to ensure your emails are encrypted end-to-end, but to make it easy to use, they hold on to your private key and store it securely in their own servers. The private key is itself encrypted on their servers and is only decrypted when you successfully login to your account, it is then decrypted and sent to your browser where it is stored in memory to decrypt the emails. In theory, ProtonMail cannot access your private key, but since we don't know how they encrypt it, we cannot know for sure that it's securely encrypted. Therefore, we rely on them to not access it or allow anyone else to access it. For most communications, ProtonMail is considered highly secure. 
It's important to note that emails sent through proton mail are only end-to-end encrypted when sent to a proton mail recipient. This is our unlisted ProtonMail account if you wish to reach us through it: quietwizard@protonmail.com 

For the ultimate security and privacy, we must manually encrypt our data. 

For Windows:

Creating the private-public keypair

For computers running on the Windows Operating System, we're going to use Gpg4Win (https://www.gpg4win.org/) a free and Open Source suite of tools for email and file encryption.  

After installing the Gpg4Win suite, the first thing we need to do is create the key pair. It consists of a public key used to encrypt data, and a private key used to decrypt data encrypted with the public key. 

To create a key pair, launch Kleopatra and choose "New Key Pair" from the File menu:

 

Choose the "Create a personal OpenPGP key pair option:

Although it says optional for both, the program requires some text to be entered for either the Name or Email fields, feel free to just enter anything in the name field if you don't wish to disclose your name. 

Click on the Advanced Settings button, and make sure you're using RSA 4096 bits, the checkbox for "+RSA" is optional and can be used for signing, go ahead and check it. 

 

The next step is to choose a password, create a unique and secure password for your key pair. 

Once your key is generated, make a backup of your key pair by clicking the appropriate button

When prompted, save the file to a secure storage location. 

 You can now hit finish, and you'll see your certificates listed:

 

From here, you can right click on your certificate to export your private (or secret) key. Be very careful when doing so, remember this key is used to decrypt your data, and it must be stored securely. Make sure you encrypt your exported private key with AES before storing it long-term. 

Now right click on your newly created certificate and click on "Export." Choose a place to save the file and give it a name, and hit save. This is your public key, you share this key freely, people would use this key to encrypt messages sent to you, and only you can decrypt those messages using your private key. Go ahead and send us your public key, we will use it to communicate sensitive information with you. 

This is our public key, if you wish to send us encrypted data, use this key to encrypt the data: https://reliant.org/publickey.txt (save as a local file, and import it into your Kleopatra certificate cache). 

Encrypting data:

The Gpg4Win suite has added new options to your windows context menu (when you right click on a file) 

When you click on "Sign and encrypt" or "Encrypt", you're presented with Kleopatra's encryption dialog:

Signing is optional, and you sign with your key pair if you chose the +RSA option. When encrypting for personal use, you can use your key pair to encrypt, but when encrypting to send to someone, you choose the public-key of the recipient which we imported earlier. 

Note that we unchecked the "Encrypt for me" option since we're using the public key of the recipient. We checked the "Encrypt for others" option and chose the imported public key by searching for the name on the key ("XXXXX"). 

The encrypted file is saved in the same directory as the original file, by default. You can choose another location if you'd like. You can now send the encrypted file knowing that no one can read its contents except the intended recipient (the owner of the public key). 

The Gpg4Win suite has also installed extensions to allow you to easily encrypt/decrypt emails within Outlook if you happen to have that installed. 

Encryption for secure communication

---

 

You can use the previously discussed encryption methods to securely encrypt and send private information, but they may be too cumbersome to use if you only want to prevent eavesdropping while the data is in transit. If the information doesn't have to remain encrypted once it reaches its target, there's a far better approach: Perfect Forward Secrecy (PFS). PFS is designed for ongoing communication (like your web browser communicating with a website over a browsing session, or a messaging application), it works in a very similar way to the previously discussed encryption methods, but it differs in that it generates a unique key-pair for every subsequent communication, thus ensuring that even in the unlikely event that an attacker can guess a key, they can that one message - leaving the rest of the communication session private and secure. 

The Signal messaging protocol employs perfect forward secrecy, and when implemented properly, it is the most secure way to privately send messages. Keep in mind that once the messages are decrypted by the messaging application, they sit on the receiver's device en-encrypted. 

We recommend the following messaging applications for secure and private communication:

• Signal Private Messenger (Android: https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms, iOS: https://itunes.apple.com/us/app/signal-private-messenger/id874139669?mt=8)
• WhatsApp (Android: https://play.google.com/store/apps/details?id=com.whatsapp, iOS: https://itunes.apple.com/us/app/whatsapp-messenger/id310633997?mt=8)
• Skype and Facebook Messenger both have a Private Conversation mode, which switches to a session protected by the Signal Protocol, but the default chat mode is not.