Differences
This shows you the differences between two versions of the page.
learn:how-tos [2020/07/16 04:34] – old revision restored (2020/06/12 20:48) 127.0.0.1 | learn:how-tos [2022/05/08 11:42] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 95: | Line 95: | ||
==== Firefox Browser ==== | ==== Firefox Browser ==== | ||
- | For browsing that doesn' | + | For browsing that can' |
**Ad block plugins** | **Ad block plugins** | ||
Line 166: | Line 166: | ||
Uninstall Adobe Flash. | Uninstall Adobe Flash. | ||
- | ====== | + | ====== |
The following is for people running their own website. | The following is for people running their own website. | ||
Line 173: | Line 173: | ||
* Make your website available via HTTPS, or even better, redirect unencrypted connection attempts to the encrypted version. First follow these instructions for [[https:// | * Make your website available via HTTPS, or even better, redirect unencrypted connection attempts to the encrypted version. First follow these instructions for [[https:// | ||
- | ===== Closing | + | **Close |
- | + | ||
- | **Check open ports.** | + | |
From the command line, you can see which ports are open on which interface by typing: | From the command line, you can see which ports are open on which interface by typing: | ||
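Review bot: demoting the "===== Closing ..." section heading to a bold "**Close ..." line and dropping the "**Check open ports.**" lead-in takes this topic out of the page's table of contents and leaves "From the command line, you can see which ports are open on which interface by typing:" without its own lead. If the aim is only to tidy the structure, keep at least a ==== level heading here (the page already uses ==== for sub-topics such as "Firefox Browser") so the port check stays findable.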
Line 185: | Line 183: | ||
'' | '' | ||
- | '' | + | '' |
Services can be removed, disabled, or configured to only listen locally. | Services can be removed, disabled, or configured to only listen locally. | ||
+ | |||
+ | |||
+ | ==== Secure communication ==== | ||
+ | |||
+ | **Public key encryption** | ||
+ | |||
+ | Uses who desire secure communication, | ||
+ | |||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
+ | For people who want slightly more detailed look into how Diffie-Hellman and RSA algorithms work, see | ||
+ | |||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
+ | **General principles** | ||
+ | |||
+ | * Symmetric encryption can protect content such as any length message, call, file, or even video stream. | ||
+ | * Symmetric encryption doesn' | ||
+ | * Key delivery of symmetric key is handled by asymmetric ciphers. | ||
+ | * Diffie-Hellman (derive key by combining private and public value) | ||
+ | * RSA (encrypt key with another key) | ||
+ | * Diffie-Hellman is better than RSA for key | ||
+ | |||
+ | **Encryption must be end-to-end** | ||
+ | |||
+ | * Client-server encryption is useful when browsing web, accessing online bank, bying things online: Effectively End-to-end encryption because other end is the server. | ||
+ | * When the other end becomes a buddy we want to talk to, server becomes an untrusted third party. | ||
+ | * Many bad messaging apps like Telegram by default send everything via client-server encryption, meaning server can read, modify, and copy the message content. | ||
+ | * For messaging with buddies we need end-to-end encryption, where messages are encrypted and decrypted only by you and your buddy. | ||
+ | * This is equally important, whether we're talking about email, instant messaging, calls, or video calls. | ||
+ | |||
+ | **End-to-end encryption requires two equally important parts** | ||
+ | |||
+ | * Private key(s) must never leave the user's device without password protection that only the user knows | ||
+ | * Public keys from contact' | ||
+ | |||
+ | |||
+ | ====== Chat ====== | ||
+ | |||
+ | ===== Signal protocol ===== | ||
+ | |||
+ | Signal-protocol is a modernized version of OTR-protocol that is designed to work in asynchronous environments such as on smartphones. This is because on smartphones apps open and close so frequently, OTR-sessions (that need to be established for each time they' | ||
+ | |||
+ | More information | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
+ | Applications that use Signal protocol or similar (so called [[https:// | ||
+ | |||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
+ | |||
+ | ===== OTR ===== | ||
+ | |||
+ | **Warning, the OTRv3 is starting to show its age, e.g. wrt. the key size used (1536-bits). The [[https:// | ||
+ | |||
+ | Off-the-Record (OTR) messaging allows you to have private conversations over instant messaging by providing: | ||
+ | |||
+ | * **End-to-end encryption**: | ||
+ | * **Authentication**: | ||
+ | * **Deniability**: | ||
+ | * **Forward secrecy**: If you lose control of your private keys, no previous conversation is compromised (assuming control of log files was not lost at the same time). | ||
+ | |||
+ | A variety of chat clients are available which use OTR: | ||
+ | |||
+ | Clients that support the [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
+ | Clients with built in support for OTR | ||
+ | |||
+ | * ChatSecure ([[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
+ | === How to use === | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
+ | Advanced: | ||
+ | |||
+ | * [[https:// | ||
+ | |||
+ | |||
+ | ===== IRC ===== | ||
+ | |||
+ | ==== IRC over Tor ==== | ||
+ | |||
+ | Note that if you don't use the Tor Browser Bundle (but just tor) replace 9150 with **9050** | ||
+ | |||
+ | For the **XChat** | ||
+ | |||
+ | * Start Tor. | ||
+ | * In Xchat go to Settings→Options→Network Setup and enter the following: | ||
+ | |||
+ | < | ||
+ | Hostname: 127.0.0.1 | ||
+ | Port: 9150 | ||
+ | Type: Socks5 | ||
+ | Use Proxy for: both | ||
+ | </ | ||
+ | |||
+ | * Save and make sure you don't connect with the nickname you use without tor. | ||
+ | |||
+ | For the **irssi** | ||
+ | |||
+ | For the **mIRC** | ||
+ | |||
+ | * Press Alt+O to open the options dialog | ||
+ | * Go to Connect → Proxy section | ||
+ | * Under Connection select Both | ||
+ | * Under Protocol select Socks | ||
+ | * Under Hostname enter " | ||
+ | * Under Port enter 9150 & press OK. | ||
+ | |||
+ | There are also tor-internal IRC servers to which you can only connect once you set up the above. [[http:// | ||
+ | |||
+ | ==== IRC with I2P ==== | ||
+ | |||
+ | * Set up I2P [[: | ||
+ | * Start it, as well as your IRC-Client (ie mIRC or Xchat) | ||
+ | * Connect to a new server: 127.0.0.1 Port 6668 | ||
+ | * Done. There are also more IRC servers than the default one above. For learning how to join them read the bottom of [[http:// | ||
+ | * // | ||
+ | |||
+ | ===== Pidgin over Tor ===== | ||
+ | |||
+ | * Go to the Accounts, select your Account | ||
+ | * Select Edit Account | ||
+ | * Go to the Advanced Tab | ||
+ | * Under Proxy Options select proxy type SOCKS v5 | ||
+ | * Enter 127.0.0.1 for the host and 9150 for the port | ||
+ | * Leave user/pass blank | ||
+ | |||
+ | See also: [[https:// | ||
+ | |||
+ | ===== Securing pidgin on GNU/Linux ===== | ||
+ | |||
+ | * For information on how to secure pidgin on GNU/Linux [[https:// | ||
+ | * For information on how to properly install Apparmor: [[https:// | ||
+ | |||
+ | ===== Other ===== | ||
+ | |||
+ | * [[http:// | ||
+ | * [[https:// | ||
+ | * [[http:// | ||
+ | * [[https:// | ||
+ | |||
====== Email ====== | ====== Email ====== | ||
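Review bot: the bullet "Diffie-Hellman is better than RSA for key ..." states a preference without giving the reason; add it, namely that an ephemeral Diffie-Hellman exchange provides forward secrecy (a later compromise of a long-term key does not expose past session keys), which encrypting the session key to an RSA public key does not, and this ties in with the "Forward secrecy" property listed under OTR further down. Smaller fixes in the same hunk: "Uses who desire" should be "Users who desire", "slightly more detailed look" should be "a slightly more detailed look", and "bying things online" should be "buying things online". The bullet "Private key(s) must never leave the user's device without password protection that only the user knows" would be stronger as "should not leave the device at all; any backup must be encrypted with a passphrase only the user knows", since an exported key is protected only as well as its passphrase.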
Line 193: | Line 348: | ||
===== Which provider? ===== | ===== Which provider? ===== | ||
- | With email, you // | + | Email, like all secure communication, has two aspects |
- | One good Email provider | + | For email protection, you want any provider |
+ | * Access the email with email client that offers end-to-end encryption (protection for content). | ||
+ | * Register and access the email account anonymously via Tor (protection for metadata). | ||
+ | * Doesn' | ||
- | For more control over your email, you have to either [[:learn: | + | Thus, if e.g. the service requires you to confirm |
- | * Ask a geek/nerd friend | + | Check [[https:// |
- | * Pay for the service (instead of paying with your data) | + | |
- | * Combine the above (actually the very best option) | + | |
- | * Use email from a non-profit organization (and donate money if you can) | + | |
- | * See [[https://we.riseup.net/riseuphelp+en/radical-servers|radical servers]] for some options. | + | |
- | ===== Crypto! (GPG-Encryption) | + | One good Email provider is [[https:// |
+ | |||
+ | ===== PGP end-to-end encryption | ||
+ | |||
+ | As you may know, your email goes through the data traffic like a postcard in snail-mail: Everyone can read it! | ||
+ | |||
+ | So, like snail-mail, it would make sense to put your emails in a closed envelope. The most common envelope is called **PGP**. The terminology around PGP is quite a jungle, so below is a dissection that explains the relation between these terms: | ||
+ | |||
+ | * PGP is an abbreviation of the Pretty Good Privacy, an encryption program originally written by Phil Zimmermann in 1991. | ||
+ | * PGP is a commercial product and is now owned by NortonLifeLock. | ||
+ | * [[https:// | ||
+ | * '' | ||
+ | * [[https:// | ||
+ | * Another OpenPGP client program is called [[https:// | ||
- | As you may know, your email goes through the data traffic like a postcard in snailmail: Everyone can read it! So, like snailmail, it would make sense to put your emails in a closed envelope. One possible envelope is called **GPG**. \\ The Pretty Good Privacy software was originally written by Phil Zimmermann, and is now owned by Symantec. The means of encryption defined by that software are also called PGP - these standarts are now freely available as OpenPGP which derived from the original PGP. \\ The GPG software is an independent implementation of the OpenPGP standards, so you can use it to exchange encrypted messages with people using other OpenPGP implementations (and Symantec' | ||
==== Warning! ==== | ==== Warning! ==== | ||
Line 216: | Line 382: | ||
- **Lack of deniability**: | - **Lack of deniability**: | ||
- | These problems have since been solved in modern end-to-end encrypted messaging | + | These problems have since been solved in modern end-to-end encrypted messaging |
- | ==== Understand ==== | + | |
- | + | ||
- | For your first time, you should get a basic understanding at least of the concept of asymmetric encryption (often called **public key encryption**). Please watch one of those videos before you begin using it: | + | |
- | + | ||
- | * [[http:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
==== Use a Mailclient with GPG support ==== | ==== Use a Mailclient with GPG support ==== | ||
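Review bot: the removed "==== Understand ====" section (get a basic understanding of asymmetric / public key encryption and watch one of the videos before first use) is not replaced here by a pointer to the new "Public key encryption" list under "Secure communication", so a reader who jumps straight to the PGP section loses that introduction; add a short cross-link. Also, "Access the email with email client" should read "with an email client", and "PGP is a commercial product and is now owned by NortonLifeLock" replaces the older "now owned by Symantec"; since this ownership statement has already changed once, date it or cite a source so it can be checked again later.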
Line 389: | Line 546: | ||
* [[https:// | * [[https:// | ||
- | |||
- | ====== Chat ====== | ||
- | |||
- | ===== OTR ===== | ||
- | |||
- | Off-the-Record (OTR) messaging allows you to have private conversations over instant messaging by providing: | ||
- | |||
- | * **End-to-end encryption**: | ||
- | * **Authentication**: | ||
- | * **Deniability**: | ||
- | * **Forward secrecy**: If you lose control of your private keys, no previous conversation is compromised (assuming control of log files was not lost at the same time). | ||
- | |||
- | A variety of chat clients are available which use OTR: | ||
- | |||
- | Clients that support the [[https:// | ||
- | * [[https:// | ||
- | * [[https:// | ||
- | * [[https:// | ||
- | |||
- | Clients with built in support for OTR | ||
- | |||
- | * ChatSecure ([[https:// | ||
- | * [[https:// | ||
- | * [[https:// | ||
- | |||
- | === How to use === | ||
- | * [[https:// | ||
- | * [[https:// | ||
- | * [[https:// | ||
- | |||
- | Advanced: | ||
- | |||
- | * [[https:// | ||
- | |||
- | ===== Signal protocol ===== | ||
- | |||
- | Signal-protocol is a modernized version of OTR-protocol that is designed to work in asynchronous environments such as on smartphones. This is because on smartphones apps open and close so frequently, OTR-sessions (that need to be established for each time they' | ||
- | |||
- | More information | ||
- | * [[https:// | ||
- | * [[https:// | ||
- | |||
- | Applications that use Signal protocol or similar (so called [[https:// | ||
- | |||
- | * [[https:// | ||
- | * [[https:// | ||
- | * [[https:// | ||
- | |||
- | ===== IRC ===== | ||
- | |||
- | ==== IRC over Tor ==== | ||
- | |||
- | Note that if you don't use the Tor Browser Bundle (but just tor) replace 9150 with **9050** | ||
- | |||
- | For the **XChat** | ||
- | |||
- | * Start Tor. | ||
- | * In Xchat go to Settings→Options→Network Setup and enter the following: | ||
- | |||
- | < | ||
- | Hostname: 127.0.0.1 | ||
- | Port: 9150 | ||
- | Type: Socks5 | ||
- | Use Proxy for: both | ||
- | </ | ||
- | |||
- | * Save and make sure you don't connect with the nickname you use without tor. | ||
- | |||
- | For the **irssi** | ||
- | |||
- | For the **mIRC** | ||
- | |||
- | * Press Alt+O to open the options dialog | ||
- | * Go to Connect → Proxy section | ||
- | * Under Connection select Both | ||
- | * Under Protocol select Socks | ||
- | * Under Hostname enter " | ||
- | * Under Port enter 9150 & press OK. | ||
- | |||
- | There are also tor-internal IRC servers to which you can only connect once you set up the above. [[http:// | ||
- | |||
- | ==== IRC with I2P ==== | ||
- | |||
- | * Set up I2P [[: | ||
- | * Start it, as well as your IRC-Client (ie mIRC or Xchat) | ||
- | * Connect to a new server: 127.0.0.1 Port 6668 | ||
- | * Done. There are also more IRC servers than the default one above. For learning how to join them read the bottom of [[http:// | ||
- | * // | ||
- | |||
- | ===== Pidgin over Tor ===== | ||
- | |||
- | * Go to the Accounts, select your Account | ||
- | * Select Edit Account | ||
- | * Go to the Advanced Tab | ||
- | * Under Proxy Options select proxy type SOCKS v5 | ||
- | * Enter 127.0.0.1 for the host and 9150 for the port | ||
- | * Leave user/pass blank | ||
- | |||
- | See also: [[https:// | ||
- | |||
- | ===== Securing pidgin on GNU/Linux ===== | ||
- | |||
- | * For information on how to secure pidgin on GNU/Linux [[https:// | ||
- | * For information on how to properly install Apparmor: [[https:// | ||
- | |||
- | ===== Other ===== | ||
- | |||
- | * [[http:// | ||
- | * [[https:// | ||
- | * [[https:// | ||
- | * [[http:// | ||
- | * [[https:// | ||
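Review bot: this hunk removes the Chat section that now lives above the Email section, but the move is not exact: the old "===== Other =====" list here has five link entries while the relocated list has four, so one link was dropped in transit; confirm that was intended or restore it in the new location.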
Line 518: | Line 563: | ||
A darknet is an internet or private network, where information and content are shared by darknet participants anonymously. More accurately all of them share being //anonymous overlay networks//. | A darknet is an internet or private network, where information and content are shared by darknet participants anonymously. More accurately all of them share being //anonymous overlay networks//. | ||
- | ===== Tor Hidden | + | ===== Tor Onion Services ===== |
- | Tor can also provide anonymity to websites and other servers. Servers configured to receive inbound connections only through Tor are called hidden services. Rather than revealing a server' | + | Tor can also provide anonymity to websites and other servers. Servers configured to receive inbound connections only through Tor are called |
* Follow the [[: | * Follow the [[: | ||
- | * That's it already. [[http:// | + | * That's it already. [[http:// |
===== I2P ===== | ===== I2P ===== |