Online Safety Tool and Procedure Kit
January 24, 2020 8:02 AM

All the tools you need to improve your online safety. An easy to read, one-stop checklist of tools and procedures to keep yourself safe online. A nice feature is you can sort them by cost and effort. e.g. start with "quick and easy" for the low-hanging fruit. Security Planner is a project of the Citizen Lab, an interdisciplinary group based at the Munk School of Global Affairs at the University of Toronto. Their recommendations are made by a committee of experts in digital security and have gone through a rigorous peer review evaluation.
posted by storybored (47 comments total) 88 users marked this as a favorite
 
I've long wondered about built-in Windows AV versus third-party AV. Programmers all seem to think the built-in AV is good, but whenever I talk to someone who is in charge of IT infrastructure for an organization, they insist that third-party AV is a must. So it's interesting to see this come down in favor of built-in AV.
posted by a snickering nuthatch at 8:07 AM on January 24, 2020


Third-party AV is a waste of time on Windows machines, an ongoing source of breakage, performance problems, privacy violations and security holes. If you rely on Windows, you really don’t want anything except Win10 current with Windows Defender turned on.
posted by mhoye at 8:43 AM on January 24, 2020 [16 favorites]


Actual text directly from the linked page:
Improve your safety with tools for your needs.
[...]
JavaScript is disabled
This guide uses JavaScript. Please enable it in your browser settings to continue.
That could be packaged and sold in stores as "Irony Helper".
posted by sourcequench at 8:44 AM on January 24, 2020 [34 favorites]


I'm an IT admin and I like built-in AV paired with rational user actions and browser plugins. The third party AVs are just so horribly overbearing that they're not worth it.
posted by msbutah at 8:59 AM on January 24, 2020 [5 favorites]


I'm an IT admin and I like built-in AV paired with rational user actions and browser plugins. The third party AVs are just so horribly overbearing that they're not worth it.

I really appreciate hearing this; I tend to use 3rd party AV and it does drive me crazy with the constant pop-ups and scans and horrible interfaces that make it hard to manage. I like to think I'm a rational user, and I will also be looking at using some of the plugins being recommended.
posted by nubs at 9:04 AM on January 24, 2020 [1 favorite]


Conventional wisdom is that the 3rd-parties are better, so you cannot be faulted when something goes wrong. (It's not right, just conventional.)

And some of the push for IT professionals is that the 3rd-party AV tools have Enterprise management tools that let you monitor, enforce, and collect data from across the entire enterprise and integrate in with the 3rd-party firewall, patching system, etc from a single dashboard (like McAfee ePO). Microsoft is just getting to that point with the Azure integrations, but it's not quite there yet.

I don't like it but I do understand.
posted by jmauro at 9:21 AM on January 24, 2020 [4 favorites]


Programmers all seem to think the built-in AV is good, but whenever I talk to someone who is in charge of IT infrastructure for an organization, they insist that third-party AV is a must.

As an ex-programmer who spent some years in charge of IT infrastructure for an organization, I used to insist that third-party AV was a must on Windows boxes and pointless elsewhere. But there's OK third-party AV and shitty third-party AV, and the Big Three - Norton/Symantec, McAfee and Trend - have been exceedingly shitty for decades. Panda Free was the one I had fewest issues with.

However, unlike earlier versions, Windows 10 comes with an adequately competent anti-malware suite built in, and replacing it or running another one alongside it causes many more problems than it fixes. So don't do that. If your PC came bundled with a third party antivirus suite, uninstall it without a second thought. If you've already been inveigled into paying out good money for a third party suite's antivirus "protection" before reading this advice, I'm sorry; they saw you coming.

The single most effective anti-malware tool it is possible to install on any computing device is not an anti-virus suite but an advertising blocker. uBlock Origin is my current favourite ad-blocking web browser add-on. Running a Pi-Hole on your home network is a good idea as well.

Advertising has long been by far the most common vector for malware ingress. Turning it off entirely leaves Windows Defender with almost no work to do and makes web browsing faster and smoother at the same time.
posted by flabdablet at 9:22 AM on January 24, 2020 [14 favorites]


The third party AVs are just so horribly overbearing that they're not worth it.

Try Bitdefender's managed AV solution (I think it's called GravityZone). If you're an IT admin you may need to audit AV installation and usage. I would guess that you might be able to do that with Windows Defender if your organisation has an all-Microsoft IT infrastructure, and the expertise to manage and roll out Windows policies etc. But if your infrastructure isn't much more than a router, a Diskstation and a printer, having something like Bitdefender, which allows you to centrally manage AV and other security policies can be a real help. Plus it's just as unobtrusive as Defender.
posted by pipeski at 9:27 AM on January 24, 2020


Text and Call Privately with Signal ... When you use Signal your messages and phone calls are end-to-end encrypted, meaning no one can read or listen to the content of your conversations.

Only if all people involved in the call/conversation are also using Signal! That they don't mention that fairly fundamental requirement makes me question some of the rest of their advice.

In fact, WhatsApp uses the same encryption as Signal.

Maybe not the best comparison to make?
posted by Greg_Ace at 9:46 AM on January 24, 2020 [2 favorites]


I've installed and used Sophos, McAfee, CA, Norton and Trend Micro for the Enterprise, and I have my preferences. Truth is, all of the AV products out there rely on knowledge sharing and are reactive. Used to be that one was better than the other when an outbreak occurred, but they figured out that all of them would go out of business if they kept that up, so they formed an alliance to share knowledge.

Antivirus alone isn't going to protect you. You also need perimeter security. Most firewalls today include threat detection and scanning. But having a firewall and an antivirus package aren't enough. You also need spyware/malware protection, because AV is very specific about what it protects you from. But having AV, firewalls, threat detection and antispyware isn't enough, because you need all of your networked computers and peripherals to be patched against the latest bugs and vulnerabilities (this includes networking gear, servers, workstations - yes, even Macs - and printers...basically anything that plugs into or connects to the LAN). But having patched systems and updated firmware isn't enough, because you also need to have a way to update software, which itself has a series of vulnerabilities (and it really depends on the software provider to provide such a service)...if your software lives in the Cloud, then you don't have to worry about this internally, but you ARE beholden to the cloud software provider to do it for you.

None of it matters if your users, including executives, refuse to follow strict password safety protocols. Or are duped by phishing attempts in email. Or bring in their own devices and plug into your network. Or browse the Internet and don't care about suspicious web sites. Or download illegal software because your IT department can't convince management to remove Admin privileges on the workstations...

Sites like this are great, because frankly, every one of those things I talked about just now are beyond most people, including the new kids who literally grew up on the Internet. It's like getting the flu vaccine...doesn't really protect you from getting sick. Good to do anyway, but if you want to really protect yourself, you need to do more than get a shot every year.
posted by Chuffy at 9:52 AM on January 24, 2020 [8 favorites]


Signal also pledges, I believe, to not store messages on their end and that, combined with end to end encryption and Signal's ability to set an automatic deletion timer for messages, makes it pretty great in my book for leaving as minimal a paper trail as possible for messaging folks. Sure the other party could screenshot your message but that's not what Signal is trying to protect from so, yea, it's great.

We also call it the dementia app when used in this regard since it can make you a bit loopy when you try to remember if you told someone something but can't verify/check because the messages all delete 10 mins after being viewed.
posted by RolandOfEld at 9:55 AM on January 24, 2020


Greg_Ace: Maybe not the best comparison to make?

If your adversary is the US government (or the Russian government, or any other government with a well funded security service) then this advice is not for you.

Using Tor paints a massive sign on the side of your Internet traffic that says "please hack me". Using secure messaging is not much of a defence, because your adversary can suborn both the company that delivers apps to your phone and can and will use hacks that nobody else knows about to take over your phone (or other device).

If your adversary is some other entity, then all this is (mostly) good advice. They have separate advice for people who believe they might be the target of well funded security services.

(I say mostly, because VPNs are not only not worth it, in fact they are most likely actively harmful to your personal security. It’s impossible to tell whether they’re selling your connection data to third parties, whatever they might claim in public & concentrating all your data through a random third party makes them a juicy target for compromise themselves. US consumers are in a cleft stick here, because their ISP is almost certainly selling all their connection data already - I don’t have any good answers to this conundrum, but it’s probably a good idea to be aware that just using a VPN probably doesn’t change the fact that your internet connections are being sold on - just who exactly it is making a profit out of it.)
posted by pharm at 10:04 AM on January 24, 2020 [3 favorites]


If your adversary is the … government … then this advice is not for you.

It even says as much on the bottom of the page:
Important information for high-risk users

Security Planner provides research-based recommendations that are beneficial for a general population of users, most of the time. It is not a security manual for those facing targeted physical and digital threats who need additional support and more specialized advice. Moreover, if you are aware of a targeted effort to compromise your security, or if your security has already been compromised, you should seek additional help.

For a list of useful resources see the Connect with Specialists section on this page.
Citizen Lab have been around a long time. I remember volunteering for one of their online democracy projects back in 2002. They had a nice little storefront on a mews just north of Robarts Library.
posted by scruss at 10:22 AM on January 24, 2020 [1 favorite]


Going to come back to this post later with a specific list of nits, but I've got to say -- suggesting Tor as a blanket solution for the average user is a terrible idea.
posted by bfranklin at 10:22 AM on January 24, 2020 [6 favorites]


> Programmers all seem to think the built-in AV is good

Detection-based malware protection doesn't really work and hasn't for over a decade, whether it's Defender or one of the third-party products.

We say “use Defender” because:
  • at least it's lighter-weight and less buggy than most of the third party products (not to mention free)
  • because “don't use any AV” is a hard sell after years of security propaganda
  • because Microsoft are making it increasingly difficult to turn off Defender even if you wanted to
posted by BobInce at 10:32 AM on January 24, 2020 [1 favorite]


Oh wow, just what I was drawing on Potato's whiteboard on Wednesday night.
posted by Mrs Potato at 11:02 AM on January 24, 2020


Greg_Ace: Maybe not the best comparison to make?

If your adversary is the US government (or the Russian government, or any other government with a well funded security service) then this advice is not for you.


Who your adversary is doesn't matter in the context of the points I was making about incorrect or at least incomplete information being provided, i.e. the following claims:

- Signal encrypts your text messages, without also mentioning that doing so requires your recipient to be using Signal.

- The implication that WhatsApp is comparable to Signal in terms of security.
posted by Greg_Ace at 11:02 AM on January 24, 2020


From what little I know about Tor, I think the following might be accurate, but I'd love to read differing opinions here:


Tor browser by itself = bad.
Tor browser over VPN = not as bad.
posted by Chuffy at 11:04 AM on January 24, 2020


Has no one heard of AVG?
posted by Mrs Potato at 11:08 AM on January 24, 2020


Alright, let's get down to brass tacks on this. First things first -- "All the tools"? I know clickbait headlines are de rigueur. I think accurate titles are important and ethical when dealing with people at a knowledge deficit to experts. So let's try this as "Tools to help improve the safety of your online experience."

Things that I believe are great recommendations for the average person:
  • HTTPS Everywhere
  • Chrome and/or Firefox
  • Privacy Badger
  • Bitlocker/Mac Encryption/Phone Encryption/Any Drive Encryption
  • Automatic Updates, Windows or otherwise (I hate the reboots/restarts/reopening tabs as much as you. Do it)
  • Windows Defender (Defender would be competitive in the market if it wasn't free. It's not top tier, but it's very good and you can't beat the price. On the question regarding 3rd party AV in the enterprise -- we don't buy it anymore. Endpoint Detection and Response products (EDR) give us a ton of telemetry about what's happening and will do behavioral detection for attacks. If your enterprise isn't running one, it's below average in endpoint protection)
  • Backups. Seriously. Back your shit up.
  • MFA/2FA
  • Password Managers
  • Subscribing to a password breach notification service like Have I Been Pwned
  • Security Keys
  • Firewalls
  • Find my device tools
  • Installing apps from official stores only
So awesome, I agree with most of the recommendations! On the other hand, I take issue with a few:
  • Check website names -- this is onerous. A better option is to use openDNS or a proxy filtering service like Bluecoat's K9 to block browsing to known-bad. You should be vigilant about what you click on, but if you have to be as good as an infosec pro at sussing these things out, your security solutions are failing you.
  • Spot suspicious emails -- same thing. Use an email service that does a good job of filtering spam and attacks. Have a filtering service in case you click on something bad. Have Defender turned on and be patched in case you click on the wrong attachment. NEVER, EVER TURN ON THE DOCUMENT MACROS. Turning on document macros is akin to premarital sex in a horror movie.
The final two are a risk/reward thing:
  • Use a VPN or anonymizing service -- Not a bad idea, but there are two types of services. Proxies and VPN tunnels. The latter is going to be better than the former, and you still need to use things like HTTPS Everywhere to ensure your VPN provider isn't a problem. We've recently seen Nord VPN hacked. These are high value targets, so you need to think about layering security. Also, know WHY you're using a VPN. If it's anonymity, make sure you're pairing it with defenses against tracking technologies. If it's not being attacked while on public wifi, only use it on public wifi.
  • Using Tor -- I think this is a great idea if someone might kill you for your speech. This is a terrible idea if you're a citizen in a democratic country. Tor breaks a lot of the assumptions that underlie SSL. The simplest explanation is that with Tor, you have to 100% trust the exit node not to tamper. The Tor Project tries to maintain a list of these nodes because it's something that actually happens - not theoretical. There is no way I would browse to anything that I need to send a password to via Tor.
I also think that we're missing some recommendations for DNS security on this page. Transparent DNS tampering is a thing that a LOT of ISPs do for tracking purposes.

Regarding WhatsApp and Signal -- I know what they do, but I don't use them and haven't read enough about them to offer comment.
posted by bfranklin at 11:28 AM on January 24, 2020 [11 favorites]


Also, if it's not clear, I really don't think this is an exhaustive list of security practices. You are not safe if you do everything I think is a good idea. I can think of 4 or 5 other things I've dealt with in the past month that are security issues people should be careful about.

The list is a good start of the heavy hitters, though. From a Pareto perspective, the list will get you to very good quickly.
posted by bfranklin at 11:34 AM on January 24, 2020 [2 favorites]


Not to belabor the point (I know, too late), but to back up my comments above:

Messages to and from non-Signal contacts are sent using regular SMS text messaging and are not secure. When sending an insecure text message you are warned that it is insecure and are encouraged to invite your contact to use Signal.

I'm not saying Signal is bad, just that leaving the above (probably overwhelmingly typical) use case out of the article is misleading.
posted by Greg_Ace at 12:07 PM on January 24, 2020


Check website names -- this is onerous.

Do you not glance up at the browser bar with the website's URL sitting right there anymore? Like this, see:

https://www.metafilter.com/185288/Online-Safety-Tool-and-Procedure-Kit#7864409

The website's name is Metafilter.
posted by Mrs Potato at 12:35 PM on January 24, 2020 [2 favorites]


*looks down to see if one leg is longer than another*
posted by Mrs Potato at 12:38 PM on January 24, 2020 [2 favorites]


Do you not glance up at the browser bar with the website's URL sitting right there anymore?

Here's the thing -- by the time it's in the address bar, we're already under attack. I initiate incident response on the basis of a user successfully accessing a malicious site. We need to be checking website names before we go to them -- hovering in emails, hovering on links. And we've got to be 100% accurate every time if we're relying on manually checking for the bad ones.
posted by bfranklin at 12:43 PM on January 24, 2020 [8 favorites]


welp, I do all that because I can't afford any better. I junk a suspicious email first and then open it.
posted by Mrs Potato at 1:06 PM on January 24, 2020 [1 favorite]


I do all that because I can't afford any better.

OpenDNS Home is free if you give up your email address and your DNS requests (your ISP is already selling those, fwiw), and with some quick configuration lets you block phishing and malware sites.

I junk a suspicious email first and then open it.

Junking it isn't going to provide any security against attacks. Note, though, you're generally not going to be "hacked" by just opening an email message. Attachments and links are generally where the risk is. OpenDNS protects you from the links. If you're unsure on attachments, VirusTotal is a good way to check. Just be aware that anything you upload to virustotal can be seen and downloaded by licensed security researchers. A PDF you're not expecting that claims to be an invoice from a utility? Probably fine to send there. A PDF you're not expecting that claims to be your paystub? Maybe call your employer to check if the source email address is correct rather than uploading to VirusTotal.
posted by bfranklin at 1:17 PM on January 24, 2020 [3 favorites]


Microsoft's motivation in providing anti-virus software is to keep Windows users safe and feeling safe.

The business model for third-party anti-virus is to keep users terrified and resubscribing. Letting users get suckered from time to time may actually be good for their business.
posted by Western Infidels at 1:20 PM on January 24, 2020 [6 favorites]


Tor browser by itself = bad.
Tor browser over VPN = not as bad.


TB is a special Firefox configured to use the Tor network for everything.
I don't see any benefit in using TB with a VPN because the Tor network by design is much more private than a VPN. No individual relay in a given Tor circuit can simultaneously know who you are and what you're doing, while your VPN always knows both.

If you don't care about the privacy properties of Tor and a VPN is enough, just use your normal browser with it.


Tor breaks a lot of the assumptions that underlie SSL.

If you don't trust the browser's CA then there's not much to be done other than inspecting the certificates manually, Tor connection or not.
If you do trust the browser, then it will loudly complain if an exit node is misbehaving.

* uses Tor for DNS resolution and all web browsing with few exceptions, never had any issues other than developing a healthy and justified hatred of CloudFlare, Google and reCaptcha *
posted by Bangaioh at 2:30 PM on January 24, 2020 [1 favorite]


If you do trust the browser, then it will loudly complain if an exit node is misbehaving.

For a subset of misbehaving. Any SSL/TLS downgrade attack will work. If the end site allows negotiation of a NULL SSL cipher, for example, that wouldn't throw an error and you can't detect it. Any exit node that can spoof or attack a certificate can also inject said certificate -- the recent curveball vulnerability is an example of where this could be exploited. SHA1 certs are another good example.

If you don't trust the browser's CA then there's not much to be done other than inspecting the certificates manually, Tor connection or not.

Well, not really. I can insist on TLS 1.2, I can restrict the supported list of ciphers. Someone has to compromise the route to inject bad things into my session, rather than inviting unknown systems into my route via Tor. I just don't see it as a worthwhile tradeoff for privacy. YMMV.
posted by bfranklin at 2:46 PM on January 24, 2020 [1 favorite]
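
The client-side settings mentioned in this exchange (a TLS 1.2 floor and a restricted cipher list), as an added example that is not part of any comment in the thread. It uses Python's standard `ssl` module; the cipher string, the weak-token list and the sample suite names are illustrative choices made for this example.

```python
import socket
import ssl

# Tokens in cipher-suite names that mark suites a client should never
# negotiate. Illustrative list chosen for this example, not exhaustive.
WEAK_TOKENS = {"NULL", "RC4", "MD5", "DES", "3DES", "EXP", "ADH", "AECDH"}

# Cipher string for TLS 1.2: forward-secret key exchange with AEAD only, and
# explicitly no unauthenticated (aNULL) or unencrypted (eNULL) suites.
# TLS 1.3 suites are configured separately by OpenSSL and are AEAD-only.
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"

# Constructed sample of suite names, as a scanner or packet capture might list
# them. Not taken from any real server.
SAMPLE_OFFER = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "NULL-SHA256",
    "RC4-MD5",
    "TLS_AES_256_GCM_SHA384",
    "DES-CBC3-SHA",
]


def strict_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 or outside STRICT_CIPHERS."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRICT_CIPHERS)
    return ctx


def offered_suites(ctx: ssl.SSLContext) -> list:
    """Names of the suites this context will offer in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(cipher_names) -> list:
    """Return the names that contain a weak token, keeping input order."""
    weak = []
    for name in cipher_names:
        tokens = set(name.upper().replace("_", "-").split("-"))
        if tokens & WEAK_TOKENS:
            weak.append(name)
    return weak


def describe_connection(host: str, port: int = 443, timeout: float = 5.0):
    """Connect with the strict context and report (protocol, cipher).

    Needs network access. The handshake raises ssl.SSLError when the peer,
    or anything on the path, can only complete it below the configured floor.
    """
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    ctx = strict_client_context()
    print("minimum version:", ctx.minimum_version.name)
    print("weak suites offered:", weak_suites(offered_suites(ctx)))
    print("weak suites in sample:", weak_suites(SAMPLE_OFFER))
```
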


I can insist on TLS 1.2, I can restrict the supported list of ciphers

Aren't those browser configurable and thus orthogonal to using Tor or not?

Though as of right now, I think both regular Firefox and TB allow downgrading all the way to TLS 1.0 by default and it's not something I'd expect a regular user to override, so point taken.
posted by Bangaioh at 3:05 PM on January 24, 2020


Yeah, you're correct. I really should have broken the comment about Tor inviting a mitm in out to its own paragraph to make the point clearer.

I see Tor increasing the probability piece of the risk equation. I don't think the average person can readily educate themselves to make an informed decision. Hence, blanket Tor recommendation is dangerous.
posted by bfranklin at 4:51 PM on January 24, 2020 [1 favorite]


Has no one heard of AVG?

When AVG was first released it was pretty good. The freebie version was plenty good enough for individual Windows boxes and for a few years there I was also using their managed version on the school fleet; also pretty good, and far more reasonably priced than its competition.

But as versions rolled by, AVG bloated up, slowed down and got ever more in-your-face with warnings and gratuitous self-promotion. Once it had got to the point where it was making formerly completely adequate school workstations frustratingly slow to start up and log in and out of and just generally use, I switched the school to Panda's freebie instead.

This cost me AVG's central AV monitoring features, and it also required me to roll my own deployment and update process, but it worked so much better for my end users as to be worth it.

Before cutting over to Panda I had also investigated Microsoft Security Essentials, later to be rolled into Windows Defender. MSE was attractive because it was free and it used the existing Windows Update mechanism for its own updates, eliminating all the extra failure modes inherent in third-party updaters. But I found that it caused some very weird behaviour in some unpredictable and inconsistent subset of workstations, decided that working out why was going to be more work than implementing central deployment and update for Panda (also free for use in non-profits, which the school definitely was) and went with that instead.

This was all on XP and 7. I never used anything third-party on Windows 10.

Messages to and from non-Signal contacts are sent using regular SMS text messaging and are not secure. When sending an insecure text message you are warned that it is insecure and are encouraged to invite your contact to use Signal.

Every Signal message compose window has a little lock icon that tells you whether or not the message will be sent securely, which is nice. The fact that it can take over from the standard Android text messaging client is a convenience, and like every convenience feature it does involve a tradeoff with security. You don't have to make Signal the default text messaging client, and if you don't, it will only talk to other Signal endpoints and do so securely; in fact I'm not sure that on iOS you even can make it handle SMS.

The other good end-to-end encrypted platform I've been completely happy with is Keybase. If you haven't played with it, do. As well as end-to-end encrypted messaging with optional auto-expiry it also offers 100GB of end-to-end encrypted online storage exposed as a local filesystem, an integrated Stellar cryptocurrency wallet, an integrated encrypted GitHub repository, well-organized teams/groups, device-linked rather than password-reliant authentication, the ability to create robust paper keys for account recovery in case all your linked devices go up in smoke, and stronger guarantees than Signal about who you're talking to always being who you think they are. Very tidy, very easy to live with.
posted by flabdablet at 9:19 PM on January 24, 2020 [2 favorites]


I appreciate all the comment on antivirus, which definitely bolsters my choice to drop third-party antivirus on my new build. Does anyone have any experience with Winston as an adblocker / privacy solution? It looks attractive for a non-IT professional, but there’s a subscription model.
posted by Otherwise at 5:04 AM on January 25, 2020


Signal encrypts your text messages, without also mentioning that doing so requires your recipient to be using Signal.

Man this confused me because I had no idea until right this second that Signal could even communicate with people who don't also use Signal. Opening the app right now (on iOS) it's not obvious how I would use it to send regular SMS - the contacts are filtered for Signal users - which is good, I guess.
posted by atoxyl at 9:22 PM on January 25, 2020


I don't think Tor over VPN really gets you much that Tor doesn't, except making you look like a guy who is using a VPN instead of a guy who is using Tor?
posted by atoxyl at 9:37 PM on January 25, 2020


Opening the app right now (on iOS) it's not obvious how I would use it to send regular SMS

My current understanding is that this is simply not something that the iOS version of Signal can do because iOS does not allow it to. Arbitrary replacement of the system default SMS handler by third party apps is an Android convenience.
posted by flabdablet at 10:19 PM on January 25, 2020 [1 favorite]


I've used eset's NOD 32 antivirus for about a decade, and it seems to do the job. It warns me about dangerous pages and lets me scan downloads for malware (I now see Windows Defender will do that, too). It gets top marks from the security services linked to in the Antivirus section at SecurityPlanner. Can it really be useless?
posted by bryon at 10:32 PM on January 26, 2020


>Someone has to compromise the route to inject bad things into my session, rather than inviting unknown systems into my route via Tor. I just don't see it as a worthwhile tradeoff for privacy. YMMV.

My threat model says the data goes over unknown systems whether TCP, TLS-piped TCP, a VPN or Onion-routed. Can you explain more about what you mean?
posted by k3ninho at 11:46 PM on January 26, 2020


I am also confused by that claim. Because although Tor nodes can certainly be run by Internet randos as well as by reputable service providers, it seems to me that relying on the good intentions of every machine operator along the routing path is completely unsound as a strategy for preventing injection of bad things. One has to start from the assumption that every intermediate hop between the two endpoints is compromised.

In any case, injection of bad things is not the threat that Tor was designed to mitigate. Tor's job is to make it more difficult for somebody harvesting source and destination IP addresses from traffic in and out of your machine to work out what endpoint you're actually communicating with.

Tor does a better job of this than a VPN because Tor traffic emerges onto the wider Internet from multiple exit points. With a plain VPN, packet size and timing analysis of traffic between your machine and your VPN provider and traffic from that VPN provider to the wider Internet, can give the game away even if you're using one of the many providers that keeps no logs. Applying the same kind of method to Tor would require it to be done at a substantial fraction of Tor exit nodes.

Tor breaks a lot of the assumptions that underlie SSL. The simplest explanation is that with Tor, you have to 100% trust the exit node not to tamper.

I disagree that Tor breaks SSL's underlying assumptions. Badly implemented elliptic curve libraries certainly will, but that's not Tor's fault. Without Tor, the degree of trust you're talking about extending to Tor exit nodes needs to be extended to every single router between your machine and whatever other endpoint it's talking to; and it seems to me that in any case, extending any degree of trust greater than zero is Doing It Wrong.
posted by flabdablet at 5:54 AM on January 27, 2020 [1 favorite]


Alas, Avast/AVG. This is perhaps a symptom of the hardening economics of 3rd party antivirus market.
posted by storybored at 7:21 AM on January 30, 2020 [1 favorite]


My threat model says the data goes over unknown systems whether TCP, TLS-piped TCP, a VPN or Onion-routed. Can you explain more about what you mean?

I am also confused by that claim. Because although Tor nodes can certainly be run by Internet randos as well as by reputable service providers, it seems to me that relying on the good intentions of every machine operator along the routing path is completely unsound as a strategy for preventing injection of bad things. One has to start from the assumption that every intermediate hop between the two endpoints is compromised.

Without Tor, the degree of trust you're talking about extending to Tor exit nodes needs to be extended to every single router between your machine and whatever other endpoint it's talking to; and it seems to me that in any case, extending any degree of trust greater than zero is Doing It Wrong.

If routers on the internet backbone or deployed by your ISP, both having economic incentives to abide by independently audited security standards, are equivalent to routers run by I-don't-know-who in your threat model... Well, we have very different threat models.

I think there's a conversation to be had about probability vs. possibility.
posted by bfranklin at 9:22 AM on January 30, 2020


Again, I come back to the point that attempting to make message interception and corruption impossible via properly implemented end-to-end encryption is the Right Thing, while trying to weigh up the message interception and corruption probabilities for various possible MITM attack points is almost laughably insufficient.

If you're running properly implemented end-to-end encryption, that deals with MITM attacks against your messaging. It just does. The only relevant intermediary-quality considerations then become those around the likelihood of straight-up denial of service.

But end-to-end encryption won't deal with MITM attacks against your metadata. If you care about protecting the privacy of who you're communicating with as much as that of what you're communicating, you can achieve that with Tor or (probably eventually better) I2P.

If you're not running one of these protocols, it's just a fact that both your ISP and any government security service that cares to look for it have access to your communication history and also, if you're not running properly implemented end-to-end encryption as well, read/write access to your communication content. Independently audited security standards can't change that. And although that might not be a threat you care about, it's sure as hell one that many many people have good and sufficient reason to take seriously.

If you have reason to be confident in the implementation of the cryptographic software running on your own equipment and you understand the provable guarantees it offers, you don't need to evaluate the probability of MITM attacks mounted at intermediate waypoints because all those ever become capable of doing, even in the unlikely worst case of massive conspiracy, is slowing your traffic down (possibly to the point of interrupting it entirely).
posted by flabdablet at 10:39 AM on January 30, 2020 [1 favorite]


Also, just because it doesn't appear to have had a mention here yet: if what you want is a desktop computing environment and what you care about is security then you'd be well advised to choose an ecosystem built on free software such as BSD or a desktop Linux distro, preferably a community-maintained one like Debian, in preference to that around any proprietary operating system and particularly in preference to Windows.

Windows has long been the market leader in desktop operating systems, making it the one with by far the biggest bang for the attacker's buck. It's also completely closed-source, which means the only folks capable of fixing its flaws work for its proprietor.

The free software developer community is much larger and pretty red-hot on rapid fixes for security flaws. If you're all about minimizing the number of attacks you get exposed to and the length of time your equipment remains vulnerable to them, run free software. Likewise if being endlessly and increasingly advertised at by your proprietary environment of choice has started to give you the shits.

There is a tradeoff inherent in choosing a free software desktop environment: the increased security and decreased hard-sell comes at the expense of incompatibility with many of the specific software packages you might be accustomed to using to get specific tasks done. But in many cases there are adequately functional alternatives available, and if your main concern is security then investigating those will certainly be worth your time.

If you're not ready to dump your proprietary environment because of concerns about application software compatibility, you might care to investigate free software alternatives to the application suites you're currently relying on to see if you can make the free alternatives work for you instead. Lots of free software is also cross-platform, the Firefox web browser being the most notable example. If you get to a point where all you're running on Windows is cross-platform free stuff, making the jump to a free underlying OS becomes very easy indeed.
posted by flabdablet at 11:05 AM on January 30, 2020 [2 favorites]


Also also: beware spurious conveniences. If you've always got along perfectly fine without a voice recognizing digital home assistant or lightbulbs that need a phone app to turn them off and on, don't talk yourself into needing them just because they're offered to you.

Neo-Luddism is a perfectly respectable position, and I say that as one whose house was paid for by working in IT.
posted by flabdablet at 11:07 AM on January 30, 2020 [2 favorites]


That's a big wall o' text.

attempting to make message interception and corruption impossible via properly implemented end-to-end encryption is the Right Thing

100% agree. Let's be clear though, you're defining end-to-end as providing 100% guaranteed confidentiality and integrity. Modern cryptographic solutions ONLY come close to providing this with preloaded strong keys, symmetric or otherwise. Trust chains as with SSL do not provide that guarantee in practice. This is why we have key injection facilities for hardware PIN pads that provide end-to-end encryption.

I mean, let's be honest, certificate transparency is a thing for a reason. Certificate pinning for mobile apps is a thing for a reason.

while trying to weigh up the message interception and corruption probabilities for various possible MITM attack points is almost laughably insufficient.

One doesn't need a precise calculation to distinguish order of magnitude differences. We can argue about the estimations, but you're confusing accuracy and precision.

And although that might not be a threat you care about, it's sure as hell one that many many people have good and sufficient reason to take seriously.

I said earlier that if you're going to be killed for what you say, Tor is a great idea. For the average person in a democratically run country it's probably (for my calculation of probable) not worth the risk of a compromised exit node. Empirically, exit nodes tamper in a malicious fashion at a far greater rate than backbone routers.

So yes, if you care about privacy, and you've got the chops to detect and defend against MITM, have at. Your average user, in practice, is going to click right through that browser certificate warning and not think twice. Over the backbone, there's at least going to be a network security analyst noticing some bogus BGP and taking action.

Perfect security doesn't exist. The GRC-checkbox-tickers have one thing right -- you need to define what you're most concerned about, and spend your efforts protecting against that because everything is a tradeoff.

Honestly, I think the certitude with which you're arguing about absolute guarantees from implemented, real world security is somewhat terrifying.

If you're running properly implemented end-to-end encryption, that deals with MITM attacks against your messaging. It just does.

If.
posted by bfranklin at 7:25 PM on January 30, 2020


Your average user, in practice, is going to click right through that browser certificate warning and not think twice.

This does indeed appear to be another piece missing from the Online Safety Tool and Procedure Kit, and it probably belongs on the Check Website Names page:

If you encounter a browser security warning telling you that a site you're attempting to visit has configured a security certificate improperly, don't visit it.

Firefox will generate more of these warnings than other browsers because it manages security certificates internally rather than relying on facilities provided by the OS to do so. That means that "security" products such as AVG Web Shield, which inject their own root certificates into the Windows trusted store on installation in order to enable man-in-the-middle attacks hosted on your own machine against all your SSL-encrypted traffic for content filtering purposes, may cause Firefox to block sites that other browsers allow you to visit. Firefox is not just being obstreperous in this case: it's telling you that something is trying to break your end-to-end encryption, which it is.

Bear in mind at all times that security is not a thing you can buy, it's an attitude you can learn. You could spend thousands of dollars on fitting your house with the strongest possible front door and the toughest possible lock, but if you always leave it open because it's more convenient that way then you've done your dough for nothing.
posted by flabdablet at 9:28 PM on January 30, 2020
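
The certificate pinning mentioned upthread and the locally installed root certificate described in the comment above can be looked at with one check: a fingerprint recorded out of band still catches a re-issued certificate when the machine's trust store has been extended to accept it. This is an added example, not code from the thread or from any product named in it. The CA names, byte strings and function names are constructed for illustration, and it pins the whole leaf certificate rather than its public key.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def issuer_field(cert: dict, field: str = "organizationName") -> str:
    """Pull one issuer attribute out of an ssl.getpeercert() style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return ""

def evaluate(der: bytes, cert: dict, pins: set) -> dict:
    """Compare the presented leaf certificate with the pinned fingerprints."""
    seen = fingerprint(der)
    ok = any(hmac.compare_digest(seen, p) for p in pins)
    return {"pinned": ok, "fingerprint": seen, "issuer": issuer_field(cert)}

def probe(host: str, pins: set, port: int = 443) -> dict:
    """Live check: normal chain validation first, then the pin on top of it."""
    ctx = ssl.create_default_context()  # validates against the default trust store
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return evaluate(der, tls.getpeercert(), pins)

# Constructed stand-ins for two DER blobs and their parsed issuer fields:
# the certificate the site really serves, and one re-issued by a local
# filtering proxy whose root was added to the trusted store.
GENUINE_DER = b"constructed stand-in: leaf issued by the site's public CA"
PROXY_DER = b"constructed stand-in: leaf re-issued by a local filtering proxy"
GENUINE_INFO = {"issuer": ((("organizationName", "Example Public CA"),),)}
PROXY_INFO = {"issuer": ((("organizationName", "Example Local Web Filter"),),)}
PINS = {fingerprint(GENUINE_DER)}  # recorded out of band, on a clean network

def demo():
    """Return the verdicts for the genuine and the re-issued certificate."""
    return (evaluate(GENUINE_DER, GENUINE_INFO, PINS),
            evaluate(PROXY_DER, PROXY_INFO, PINS))

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A pinned leaf fingerprint also changes on every legitimate certificate renewal, so a failed pin means "check the issuer", not automatically "intercepted".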




This thread has been archived and is closed to new comments