@james7132
Created October 15, 2021 13:36
Quick Security/Privacy Notes

Personal Security/Privacy Notes

This is a set of notes for personal privacy and security by a non-professional (I'm an ML engineer).

Assumptions

These guidelines are based on the following assumptions:

  • Public services provided by any organization, for-profit or not (looking at you, Mozilla), do not respect your privacy. If you provide them data, assume they store it unencrypted and will not delete it, even if explicitly asked. The only exception is sufficient regulatory pressure (e.g. GDPR/CCPA), and only if the service is actually compliant.
  • Public services can and will have data leaks and breaches. It's not a question of "if" but "when".
  • Any data that is publicly available is not bound by any Terms of Service in practice and will be scraped and stored regardless of what the ToS says.
  • Your internet service provider and government are both public services under these assumptions, and any and all unencrypted traffic leaving your devices can and will be logged.
  • Any federated or decentralized service (e.g. Bitcoin or Mastodon) has no reliable delete option. Data submitted to these is permanently recorded by other nodes and will not be removed.

General

  • Use an open source password database.
    • Avoid cloud-based services like LastPass, Dashlane, 1Password. Their vaults are encrypted client-side, but if the vendor is breached the attacker holds your encrypted vault for offline cracking, and everything then rests on the strength of your master password.
    • Suggested: KeePass
      • File based database. Only requires syncing a file across multiple locations. Can be placed in cloud storage (e.g. Google Drive, OneDrive) because the file is useless without the master key.
      • AES-256 encrypted (the KDBX 4 format also offers ChaCha20 and the Argon2 key derivation function).
      • Protect the database with a second factor beyond the master password: a key file kept off the cloud share, or a hardware key (KeePassXC supports YubiKey challenge-response).
    • Randomly generate all of your passwords.
      • Exception: platforms without copy/paste or app support for the password database (e.g. Nintendo Accounts on the Nintendo Switch). Use a long passphrase you can type there instead.
  • Use MFA (Multi-Factor Authentication) wherever possible.
    • Avoid SMS based authentication; disable it if possible. SIM swapping and SS7 interception defeat it.
    • Suggested: TOTP Codes
      • Not a random number generator: a TOTP code is an HMAC (RFC 6238) of the current 30-second time step, keyed with a secret shared at enrolment. The server and your authenticator compute the same six-digit value independently, and only someone holding the secret can produce it.
      • Easy to integrate into existing KeePass clients (KeePassXC can generate TOTP codes). Caveat: if the TOTP secret lives in the same database as the password, a compromise of that one file yields both factors; keep the secrets in a separate database or a separate authenticator if that matters to you.
      • Do not lose keys. Be sure to save backup codes to avoid lockout.
    • Suggested/Optional: Security Key (e.g. Yubico's YubiKey)
      • Physical key inserted into a USB-A/C slot or tapped via NFC on mobile devices. For website logins it uses FIDO U2F/FIDO2 (WebAuthn) public-key challenge-response, not a TOTP secret: the private key never leaves the device, and the signed response is bound to the site's origin, so a phishing site cannot replay it. (YubiKeys can additionally hold OATH-TOTP secrets via Yubico Authenticator.)
      • Requires a physical touch, which verifies human presence (i.e. not just another bot with your login credentials). Enrol two keys and keep one as a backup.
  • Use a VPN.
    • Do not use a public VPN in the cloud. Especially the "free" ones. These all log your network traffic, even if they claim not to. These do have the benefit that they obfuscate your public internet traffic by mixing it with that of all the other users on the VPN. This, however, also presents a security risk, as other users on the VPN may have direct access to your personal devices or home network depending
    • Self-host a VPN server on a VPS you control. Under the assumptions above the VPS provider is itself a public service that can see your traffic leave its network, so this moves trust rather than removing it.

Personal Internet Based Accounts

  • Email: When signing up for online accounts, set up unique randomized email aliases instead of using your main email account (e.g. use "12evgIAQfA4IIlX0hO6y4mWpEBtx7ckf2e0y3fR7StwpgvyLky@mydomain.com" instead of "xyz@gmail.com"). This can be done with various email aliasing services (e.g. AnonAddy) or a self-hosted mail server. This prevents your main email from being leaked when the service you are signing up for is breached, and a leaked alias tells you exactly which service leaked it. If the aliases live on your own domain, keep the domain registered: losing it loses every login tied to it.
  • Email: Avoid large email hosts like Google, Microsoft, etc.
  • Authentication: Avoid using OAuth based authentication ("social login") where possible. It is convenient in that you only need to maintain one set of login credentials, but it becomes a single point of failure for all linked accounts and gives the OAuth provider undue insight into your other online activities.
  • GDPR/CCPA compliant services must delete your account and data on request: GDPR requires action without undue delay and within one month (extendable by two further months for complex requests), CCPA within 45 days (extendable by another 45). Given this, it's best to delete any accounts that are no longer necessary.
  • If you are unable to delete an account, disable all forms of ad personalization and tracking in the dashboards provided for it.

Web Browsing

  • Use a web-browser that does not report your web browsing history to a public service. Right now, this might only include Firefox. Most other browsers are based on Chromium, and the vendor's build may report browsed URLs to Google (or to the vendor) through telemetry and URL-checking features.
  • Add the following add-ons:
    • uBlock Origin: Filter-list based content blocker. Prevents ad and tracker networks from loading at all, rather than just hiding their elements.
    • NoScript: Disables all JavaScript, except from certain domains which you explicitly allow.
    • Decentraleyes: Locally serves common CDN (Content Delivery Network) sourced content (e.g. jQuery/AngularJS), so the CDN never sees the request.
    • ClearURLs: Removes tracking query parameters from URLs to avoid reporting unnecessarily on your browsing session when navigating from page to page.
    • SmartHTTPS: Forces HTTPS where it can. HTTP-only sites are still navigable, but HTTPS is the default, and does not require a server-side redirect to achieve this. Firefox's built-in HTTPS-Only Mode (Settings > Privacy & Security) does the same without an add-on.

Home Network

  • Use a hardware firewall at your network gateway.
    • Default to dropping all traffic on all ports, inbound and outbound.
    • Allowlist only specific ports:
      • Outgoing TCP 80/443 (HTTP/HTTPS) and UDP 443 (QUIC), plus their return traffic via connection tracking. This is required for normal web traffic.
      • Outgoing UDP 123 and its responses. This is required for NTP.
      • Outgoing TCP to the custom port your remote DNS resolver listens on (e.g. 5353, see the DNS section). Do not allow port 853 (DNS-over-TLS) out, so devices can't silently use an encrypted resolver of their own.
      • Block the IP addresses of common DNS-over-HTTPS resolvers on all ports to avoid use of DoH to bypass your blocking DNS resolver. DoH rides on 443, so it can't be blocked by port alone; keep the address list current.
      • The above will likely break many existing applications in your home network (e.g. network printing and SMB/NFS fileshares). This is OK. Log all connections that the firewall drops, and only open the ports necessary to keep your applications running. Be sure to research the nature of each of these communications to make sure it's 100% necessary.
    • Mirror the same firewall settings on individual devices. Do not rely solely on the network firewall to block traffic properly.
  • DNS (Domain Name System)
    • Used to resolve domain names (e.g. "google.com") to IP addresses.
    • By default, sent over the network unencrypted on port 53. Any middleman, including your ISP and government, can read it to track your traffic or rewrite the answers.
    • Self-host a local DNS server that blocks ads, telemetry, and malicious sites. AdGuard Home is advised here, with Blocky (https://github.com/0xERR0R/blocky) as a runner up, and Pi-hole last. Pi-hole has had quite a few CVEs, mostly involving its PHP based web-frontend, and lacks built-in DNS-over-TLS and DNS-over-HTTPS client support for its upstream.
    • By default, these local blocking DNS servers forward to upstream caching DNS resolvers (e.g. Google's 8.8.8.8, Cloudflare's 1.1.1.1, or even Quad9's 9.9.9.9), which are all public services and thus likely log your IP and everything you look up. Avoid these where possible.
    • Set up a remote VPS (Virtual Private Server) to self-host an unbound recursive DNS resolver.
      • unbound directly contacts authoritative DNS servers for DNS resolution and caches the results instead of relying on
      • Enable QNAME minimisation (qname-minimisation: yes, RFC 7816) on unbound to minimize the information sent to each authoritative name server at every step. Each server in the chain only sees the labels it needs, not the fully qualified domain name (e.g. when querying for "cloud.linode.com" the ".com" server is only sent "linode.com").
      • Disable logging of all forms (log-queries, log-replies, verbosity 0) to minimize what is readable in the case the VPS is broken into.
      • Use only DNS-over-HTTPS or DNS-over-TLS on a non-standard port to communicate between your local blocking DNS server and this VPS-hosted unbound server (unbound serves DoT through tls-port, tls-service-key and tls-service-pem). This prevents your ISP from reading the contents of and/or hijacking the request. Restrict access-control to your home IP so the VPS does not become an open resolver.
      • Do not host this locally. Unbound will make unencrypted requests to the authoritative name servers on port 53, which can and will be read and/or hijacked on your ISP's link. Note that this moves the plaintext leg onto the VPS provider's network rather than eliminating it.
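The firewall bullets above say to log every dropped connection and open only what research shows is necessary. As an added example (not from the gist), here is a small Python triage script for those logs: it parses netfilter-style drop lines, counts flows per protocol and destination port, and attaches a verdict so the obvious cases (a device bypassing your resolver on port 53, a blocked DoT attempt on 853, a hit on a DoH resolver address, LAN printing or SMB) are separated from the unknown flows that still need research. The sample log lines, the port annotations and the DoH address list are constructed or assumed for the example; check each provider's published addresses before copying the list into a ruleset.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of firewall drop logs in the Linux netfilter LOG format
# (iptables `-j LOG --log-prefix` / nftables `log prefix`). Addresses and
# hosts are made up for the example; nothing here came from a real network.
SAMPLE_LOG = """\
kernel: FW-DROP-OUT: IN= OUT=eth0 SRC=192.168.1.20 DST=1.1.1.1 PROTO=UDP SPT=51234 DPT=853 LEN=70
kernel: FW-DROP-OUT: IN= OUT=eth0 SRC=192.168.1.20 DST=1.1.1.1 PROTO=TCP SPT=51235 DPT=853 LEN=60
kernel: FW-DROP-OUT: IN= OUT=eth0 SRC=192.168.1.31 DST=8.8.8.8 PROTO=UDP SPT=40001 DPT=53 LEN=66
kernel: FW-DROP-OUT: IN= OUT=eth0 SRC=192.168.1.31 DST=104.16.248.249 PROTO=TCP SPT=40002 DPT=443 LEN=60
kernel: FW-DROP-OUT: IN= OUT=eth0 SRC=192.168.1.50 DST=192.168.1.9 PROTO=TCP SPT=49152 DPT=445 LEN=60
kernel: FW-DROP-OUT: IN= OUT=eth0 SRC=192.168.1.50 DST=192.168.1.9 PROTO=TCP SPT=49153 DPT=631 LEN=60
kernel: FW-DROP-OUT: IN= OUT=eth0 SRC=192.168.1.77 DST=203.0.113.10 PROTO=TCP SPT=49200 DPT=8443 LEN=60
"""

# Resolver addresses that also serve DNS-over-HTTPS. Assumed/illustrative list:
# verify against each provider's published addresses before using it.
DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9",
           "104.16.248.249", "104.16.249.249"}

# Destination ports whose drops have an obvious meaning in a home network.
KNOWN_PORTS = {
    53: "plain-dns-bypass",   # a device ignoring the local blocking resolver
    853: "dot-blocked",       # DNS-over-TLS, deliberately blocked per the notes
    445: "lan-service",       # SMB file share
    631: "lan-service",       # IPP network printing
}

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+)? DPT=(?P<dport>\d+)"
)


def parse_drops(text: str) -> List[Dict[str, str]]:
    """Extract src/dst/proto/dport from each drop line; lines without a DPT
    field (e.g. ICMP entries) are ignored."""
    return [m.groupdict() for m in (LINE_RE.search(l) for l in text.splitlines()) if m]


def summarize(drops: List[Dict[str, str]]) -> Counter:
    """Drops per (proto, dport): the view used to decide what to allowlist."""
    return Counter((d["proto"], int(d["dport"])) for d in drops)


def classify(drop: Dict[str, str]) -> str:
    """Verdict for one drop. Known ports first (8.8.8.8:53 is plain DNS, not
    DoH); otherwise a hit on a DoH resolver address, which the notes block on
    every port; anything else needs research before being allowed."""
    port = int(drop["dport"])
    if port in KNOWN_PORTS:
        return KNOWN_PORTS[port]
    if drop["dst"] in DOH_IPS:
        return "doh-endpoint"
    return "unknown"


def triage(drops: List[Dict[str, str]]) -> List[Tuple[str, int, str, int, str]]:
    """Group drops by (proto, dport, dst), attach a verdict, noisiest flows first."""
    groups = Counter((d["proto"], int(d["dport"]), d["dst"]) for d in drops)
    verdict = {(d["proto"], int(d["dport"]), d["dst"]): classify(d) for d in drops}
    rows = [(p, port, dst, n, verdict[(p, port, dst)]) for (p, port, dst), n in groups.items()]
    return sorted(rows, key=lambda r: (-r[3], r[0], r[1]))


if __name__ == "__main__":
    for proto, port, dst, count, verdict in triage(parse_drops(SAMPLE_LOG)):
        print(f"{proto:<4} dport={port:<5} dst={dst:<16} drops={count:<3} {verdict}")
```

Only the "unknown" rows should turn into new allow rules, and only after the research step the notes call for; the "lan-service" rows are the breakage the notes say to expect, and the "dot-blocked" and "doh-endpoint" rows are the blocks working as intended.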
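For the VPS-hosted unbound resolver described above, this added example (not from the gist) shows a weak server section beside a hardened one that follows the notes (QNAME minimisation on, logging off, a DoT-only listener on a non-standard port, access restricted to the home IP) and a small auditor that parses the server: section and reports which of those settings are missing. The option names are real unbound options; the certificate paths, port 8853 and the home IP 203.0.113.50 are assumptions. The plaintext recursion from the VPS to the authoritative servers that the last bullet mentions remains, and no configuration option removes it.

```python
from typing import Dict, List

# Two constructed unbound.conf server sections for comparison. Neither comes
# from the gist; option names are unbound's own, paths and addresses are assumed.
WEAK_CONF = """\
server:
    interface: 0.0.0.0
    port: 53
    qname-minimisation: no
    verbosity: 2
    log-queries: yes
    access-control: 0.0.0.0/0 allow
"""

HARDENED_CONF = """\
server:
    # No plain port 53 listener at all; the only listener is the DoT one.
    interface: 0.0.0.0@8853
    tls-port: 8853
    tls-service-key: "/etc/unbound/tls/privkey.pem"
    tls-service-pem: "/etc/unbound/tls/fullchain.pem"
    qname-minimisation: yes
    harden-below-nxdomain: yes
    verbosity: 0
    log-queries: no
    log-replies: no
    access-control: 0.0.0.0/0 refuse
    access-control: 203.0.113.50/32 allow    # the home gateway's public IP (assumed)
"""


def parse_server_section(conf: str) -> Dict[str, List[str]]:
    """Minimal parser for a flat `server:` section: strips comments, keeps
    every value for repeated keys such as access-control, drops quotes."""
    opts: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith(":"):  # blank, comment-only, or the section header
            continue
        key, _, value = line.partition(":")
        opts.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return opts


def audit(conf: str) -> List[str]:
    """Return one finding per setting that contradicts the notes; empty means clean."""
    o = parse_server_section(conf)

    def first(key: str, default: str) -> str:
        return o.get(key, [default])[0]

    findings: List[str] = []
    if first("qname-minimisation", "") != "yes":
        findings.append("qname-minimisation: not explicitly enabled")
    for key in ("log-queries", "log-replies"):
        if first(key, "no") == "yes":
            findings.append(f"{key}: logging enabled")
    if int(first("verbosity", "1")) > 0:  # unbound's default verbosity is 1
        findings.append("verbosity: above 0, operational logging still on")
    tls_port = int(first("tls-port", "853"))
    default_port = int(first("port", "53"))
    # An interface without an explicit @port listens on `port`, i.e. plain DNS.
    listen = {int(i.split("@")[1]) if "@" in i else default_port for i in o.get("interface", [])}
    plain = sorted(listen - {tls_port})
    if plain:
        findings.append(f"plaintext DNS listener on port(s) {plain}")
    if "tls-service-key" not in o or "tls-service-pem" not in o:
        findings.append("no tls-service-key/tls-service-pem: DoT listener not configured")
    elif tls_port == 853:
        findings.append("tls-port: standard 853, the notes suggest a non-standard port")
    if "0.0.0.0/0 allow" in o.get("access-control", []):
        findings.append("access-control: open resolver (0.0.0.0/0 allow)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["clean"])
```

The local blocking resolver at home then points its upstream at the VPS on TCP 8853 with DoT, which is the custom port the firewall section allows out.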