How to use Maximum Encryption Settings on pfSense for Private Internet Access VPNdo

Comment

How to use Maximum Encryption Settings on pfSense for Private Internet Access VPNdo

Introduction

For many, running a VPN on their phone or laptop is sufficient. However, if you are a bit more technically inclined, you might enjoy the benefits to running your Private Internet Access (PIA) VPN client on your custom pfSense router instead! Here are some of those benefits:

  • Increased mobile device battery life - PIA on my Xperia Z5 android phone consumed 30% of my phones battery power on average (max encryption settings).
  • Increased VPN speeds on devices that do not have the processing power to encrypt and decrypt data at peak throughput - my Xperia Z5's internet speeds were bottlenecked to 15 Mbps download with VPN versus 93 Mbps download without VPN. Whereas, my laptop could sustain 93 Mbps without VPN and 90 Mbps with VPN (max encryption settings).
  • iOS devices on PIA are capped at default encryption settings.
  • Many devices don't support VPN's at all, such as AppleTV.
  • Taking full advantage of your probably overpowered pfSense router and Private Internet Access subscription.

Sadly, Private Internet Access's guides are all for running PIA on pfSense with mediocre encryption settings: AES-128 bit Data Encryption, SHA1 (160 bit) Data Authentication and RSA-2048 Handshake. Further, all guides were before the massive pfSense 2.3 UI refresh! This to me has always seemed a little questionable, considering most pfSense routers are overpowered and are not limited by battery constraints like our mobile devices.

This guide is for those who want to setup PIA VPN on their pfSense routers from scratch using maximum encryption settings: RSA 4096, SHA256, AES-256.

Step 1. Prevent DNS Leaks

Before we begin, I recommend making a backup of your configuration just in case something goes wrong. Go to Diagnostics/Backup & Restore to make a backup of your current configuration.

In this step, we will be setting custom DNS servers that the pfSense router will will be using instead of your ISP's DNS servers.

Go to System/General Setup

Set the DNS servers to Private Internet Access's "logless" DNS servers:
209.222.18.222 & 209.222.18.218

Next, disable "DNS Server Override." This prevents any connected modem that sits between the pfSense router and your connection to your WAN from changing your DNS servers.

Lastly, disable "DNS Forwarder." This isn't strictly necessary for PIA to work on pfSense, but DNS forwarder has been replaced by DNS resolver, and checking this box to disable DNS Forwarder cannot hurt.

System/General Setup

Step 2. Certificate Authority (CA) Setup

Under System/Cert Manager/CAs, click "add."

Set a description name. I set mine to "PIA-STRONG."

In the Certificate Data textbox, paste the following:

-----BEGIN CERTIFICATE-----
MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzQw
MzNaFw0zNDA0MTIxNzQwMzNaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
bmV0YWNjZXNzLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVk
hjumaqBbL8aSgj6xbX1QPTfTd1qHsAZd2B97m8Vw31c/2yQgZNf5qZY0+jOIHULN
De4R9TIvyBEbvnAg/OkPw8n/+ScgYOeH876VUXzjLDBnDb8DLr/+w9oVsuDeFJ9K
V2UFM1OYX0SnkHnrYAN2QLF98ESK4NCSU01h5zkcgmQ+qKSfA9Ny0/UpsKPBFqsQ
25NvjDWFhCpeqCHKUJ4Be27CDbSl7lAkBuHMPHJs8f8xPgAbHRXZOxVCpayZ2SND
fCwsnGWpWFoMGvdMbygngCn6jA/W1VSFOlRlfLuuGe7QFfDwA0jaLCxuWt/BgZyl
p7tAzYKR8lnWmtUCPm4+BtjyVDYtDCiGBD9Z4P13RFWvJHw5aapx/5W/CuvVyI7p
Kwvc2IT+KPxCUhH1XI8ca5RN3C9NoPJJf6qpg4g0rJH3aaWkoMRrYvQ+5PXXYUzj
tRHImghRGd/ydERYoAZXuGSbPkm9Y/p2X8unLcW+F0xpJD98+ZI+tzSsI99Zs5wi
jSUGYr9/j18KHFTMQ8n+1jauc5bCCegN27dPeKXNSZ5riXFL2XX6BkY68y58UaNz
meGMiUL9BOV1iV+PMb7B7PYs7oFLjAhh0EdyvfHkrh/ZV9BEhtFa7yXp8XR0J6vz
1YV9R6DYJmLjOEbhU8N0gc3tZm4Qz39lIIG6w3FDAgMBAAGjggFUMIIBUDAdBgNV
HQ4EFgQUrsRtyWJftjpdRM0+925Y6Cl08SUwggEfBgNVHSMEggEWMIIBEoAUrsRt
yWJftjpdRM0+925Y6Cl08SWhge6kgeswgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
aW50ZXJuZXRhY2Nlc3MuY29tggkAnS7684Nkme0wDAYDVR0TBAUwAwEB/zANBgkq
hkiG9w0BAQ0FAAOCAgEAJsfhsPk3r8kLXLxY+v+vHzbr4ufNtqnL9/1Uuf8NrsCt
pXAoyZ0YqfbkWx3NHTZ7OE9ZRhdMP/RqHQE1p4N4Sa1nZKhTKasV6KhHDqSCt/dv
Em89xWm2MVA7nyzQxVlHa9AkcBaemcXEiyT19XdpiXOP4Vhs+J1R5m8zQOxZlV1G
tF9vsXmJqWZpOVPmZ8f35BCsYPvv4yMewnrtAC8PFEK/bOPeYcKN50bol22QYaZu
LfpkHfNiFTnfMh8sl/ablPyNY7DUNiP5DRcMdIwmfGQxR5WEQoHL3yPJ42LkB5zs
6jIm26DGNXfwura/mi105+ENH1CaROtRYwkiHb08U6qLXXJz80mWJkT90nr8Asj3
5xN2cUppg74nG3YVav/38P48T56hG1NHbYF5uOCske19F6wi9maUoto/3vEr0rnX
JUp2KODmKdvBI7co245lHBABWikk8VfejQSlCtDBXn644ZMtAdoxKNfR2WTFVEwJ
iyd1Fzx0yujuiXDROLhISLQDRjVVAvawrAtLZWYK31bY7KlezPlQnl/D9Asxe85l
8jO5+0LdJ6VyOs/Hd4w52alDW/MFySDZSfQHMTIc30hLBJ8OnCEIvluVQQ2UQvoW
+no177N9L2Y+M9TcTA62ZyMXShHQGeh20rb4kK8f+iFX8NxtdHVSkxMEFSfDDyQ=
-----END CERTIFICATE-----

Click "Save."

System/Certificate Manager/CAs/Edit

Under System/Certificate Manager/CAs, click "Add" again. 

Under "Method," select "Create an internal Certificate Authority" from the dropdown.

Set a "Description name." I use "PIA-internal-CA."

Country Code, State or Province, City, Organization, Email Address can all be fake data. Just add anything (see screenshot bellow). Key length (bits), Digest Algorithm and Lifetime (days) should be left as default.

Set Common Name to "internal-ca."

Click "Save."

System/Certificate Manager/CAs/Edit

Step 3. Certificate Setup

Under System/Cert Manager/Certificates, click "Add."

Under the "Method," dropdown, select "Create an internal Certificate."

Set a "Descriptive name." I set mine to "PIA-Certificate."

Set "Certificate Authority" to "PIA-internal-CA" or whatever you named your internal certificate authority in the last step.

Country Code, State or Province, City, Organization, Email Address can all be fake data. Just add anything (see screenshot bellow). Key length (bits), Digest Algorithm and Lifetime (days) should be left as default.

Click "Save."

System/Certificate Manager/Certificates/Edit

Step 4. OpenVPN Setup

Here, we will be storing our Private Internet Access username and password in a .txt file on the pfSense hard disk for the OpenVPN client to access later.

Go to Diagnostics/Command Prompt.

Now you will need your Private Internet Access Username and Password. In the Execute Shell Command textbox, type:

echo "p1234567" > /etc/openvpn-passwd.txt; echo "BabyBaby123" >> /etc/openvpn-passwd.txt

Replace p1234567 with your username and BabyBaby123 with your password as can be seen bellow.

Press "Excecute."

Diagnostics/Dommand Prompt

Now, go to VPN/OpenVPN/Clients. Click "Add."

Change the settings to as follows:

  • Disabled = unchecked
  • Server Mode = Peer To Peer (SSL/TLS)
  • Protocol = UDP
  • Device Mode = tun
  • Interface = WAN
  • Local Port= (leave blank)
  • Server host or address = us-newyorkcity.privateinternetaccess.com (or any server you choose that PIA offers - click here for list of Server Addresses for all PIA servers)
  • Server Port = 1197
  • Proxy host or address = (leave blank)
  • Proxy port = (leave blank)
  • Proxy authentication extra options = none
  • Server host name resolution = checked, Infinitely resolve server
  • Description = PIA OpenVPN (or whatever you desire)
  • TLS Authentication = unchecked, Enable authentication of TLS packets
  • Peer Certificate Authority = PIA-STRONG
  • Client Certificate = webConfigurator default *In use
  • Encryption algorithm = AES-256-CBC (256-bit)
  • Auth Digest Algorithm = SHA256 (256-bit)
  • Hardware Crypto = No Hardware Crypto Acceleration
  • IPv4 Tunnel Network = (leave blank)
  • IPv6 Tunnel Network = (leave blank)
  • IPv4 Remote Network/s = (leave blank)
  • IPv6 Remote Network/s = (leave blank)
  • Limit outgoing bandwidth = (leave blank)
  • Compression = checked, Compress tunnel packets using the LZO algorithm
  • Type-of-Service = unchecked
  • Disable IPv6 = checked
  • Advanced  Configuration = (enter the following into the text field, one item per line with a semi-colon separating each)
    auth-user-pass /etc/openvpn-password.txt;
    verb 5;
    remote-cert-tls server

NOTE: If your pfSense box has an Intel or AMD processor, you should check if it has AES-NI or AMD Geode LX Security Block encryption hardware acceleration respectively. Google your processor name and look in the specifications. In the bellow screenshot, I Googled Intel i3-3220, and scrolled to the bottom of the page to find out if the processor supported AES-NI.

Checking Intel i3-3220 processor for AES-NI Encryption Hardware Acceleration

If your processor supports encryption hardware acceleration, change Hardware Crypto = No Hardware Crypto Acceleration to = BSD cryptodev engine.

Then, go to System/Advanced/Miscellaneous and enable your hardware acceleration type under "Cryptographic Hardware." AES-Ni if you have an Intel processor, or AMD Geode LX Security Block if you have an AMD processor.

System/Advanced/Miscellaneous

Step 5. Setup OpenVPN Network Interface

Go to Interfaces/(assign)

Under the "Available network ports:" dropdown, select "ovpnc1(PIA OpenVPN)" and then click "Add."

Click on OPT1 to edit the interface:

Configure as follows...
    - "Enabled" = [check]
    - "Description" = "PIA-Interface"
    - "IPv4 Configuration Type" = none
    - "IPv6 Configuration Type" = none
    - "MAC address" = (leave blank)
    - "MTU" = (leave blank)
    - "MSS" = (leave blank)
    - "Block private networks" = [unchecked]
    - "Block bogon networks" = [unchecked]


Now click "Save"
Now click "Apply changes"

Step 6. NAT Settings

Go to Firewall/NAT/Outbound.

Under "Mode," check the checkbox for "Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT)."

Press "Save."

The next step is to duplicate each of these rules...
    - but change the NAT Interface from "WAN" to "PIA-Interface."
    - Start with the first rule by clicking the icon that is between the pencil icon and trash can icon under the "Actions" column. Hovering your cursor over the icon should say "add a new NAT based on this one"

A new page will open configure as follows...
    - "Disabled" = (do not change) [unchecked]
    - "Do not NAT" = (do not change) [unchecked]
    - "Interface" = PIA-Interface
    - "Protocol" = (do not change)
    - "Source" = (do not change)
    - "Destination" = (do not change)
    - "Translation" = (do not change)
    - "No XMLRPC Sync" = (do not change)
    - "Description" = Auto created rule for ISAKMP - LAN to PIA-Interface
Now click "Save"

IMPORTANT!  Repeat this process for each of the other rules. 
    - When completed, it should resemble the screenshot bellow.
Now click "Apply changes" at the top of the page

Firewall/NAT/Outbound

Step 7. Verify the OpenVPN Service

Under Status/OpenVPN/Clients, click the restart button.

Private Internet Access should now be up and running. To verify, visit http://whatismyipaddress.com/ and check if your IP address is originating from the server you specified.

Conclusion

That's it! It's painful, so I'd recommend making a backup of your new pfSense configuration by going to Diagnostics/Backup & Restore. Happily, you will not not need to configure any devices within your network to use PIA VPN. If you have any corrections, concerns or suggestions, please leave them in the comments section.

I have been debating writing a guide on how to exclude users from using the VPN by letting some IP addresses use the WAN and other IP addresses use the PIA interface. Using this method, users can manually assign a IP using DHCP to switch between VPN and WAN interfaces. Another guide I have in mind is implementing Parental Controls in the means of blocking certain users by MAC address and Static IP during certain hours of the day. Most of the guides on this topic have been rather outdated, so let me know if you are interested in more.

Comment

What is Encryption & How is it Useful? Basics of Public Key Encryption

Comment

What is Encryption & How is it Useful? Basics of Public Key Encryption

Encryption is the act of encoding data into an unintelligible "ciphertext" until decrypted by a key.

A great example of this is PGP encryption. The text "I like rainbow waffles" when encrypted using PGP looks like this:

-----BEGIN PGP MESSAGE----- Comment: GPGTools - https://gpgtools.org

hQIMA1H82UVEZMDOARAAljhLee60mhmiISQ8X9y7/u9ZOgXrCJk0nLaCIezmY3sb lRz/ZgoyJerc/XLqT7BjbinJN3QE32Csn/VNl89ZUnQIYF2Fi4HkP0FlZtV5sl9t MZEmz/hzTfXg6Al69kXVzokNmP2+sr2lsh/F20FWw+Sn+t13Jd682F3p6O3EgTJV 8dZxvGFLpC5SiOajoYGZpa3100QaC438tyLP7g4tVZ7mVxsKtSOlXmnEc6Ge1xmM pxTcYeqdXQgUbCb1iLOFHctFEh6xrT6RoMawV7YmSzJaGJ+r3Hc205rSWUua202t aG+r/FMDIgBPz5Py9lKf9qcqhK8LGqPTVIN5uVbE53YeyEpWZOkpx+uSVFStziqJ iB7UIQB7UwllWPLmCo96j0YCB/O5ITSDkdEf9pGAAYw/HW1dm9w4+VcHCfwH+/2d 5+2f1iQX25EQvdj93H2Rw1qxYnDSt7s+5RfnEzPX9H+9b/KyCqGeh4/VGwpaO2n/ 1Su0B9wEUj4mbFfZQ54fwpUSZZHURmXsiTVE8UMQ+QjOxtKPreVDKSCMdhEbS8rs h26vr3qf51NT3ASNGHUbDC0GJR6MarwyUlgU0grX/g17oeLeh+9YhJG1POuPQ6jM 1Kn1LW261HHg/vYT9u7aPlXCfAUjZOH1DgOmS/puXmFkRXnPpuU9QHYWAqTn6BiM LgQDAwIXnfl85S/9puT5Y8rB+1W52kZpebaSCSre51W9fTtx93a3dI8gfaD4zHnS 6QFDeRz/pRyOduJVsA4BxmtvAmkUCjfcOruC1/t3jJ6NPwjdvmw8aWNzs/0Ey056 kPucintT1fuPwSO5+Gwa+7CG81YBnNJOQSoQQlLbpbvyAFYHV2QNkqyISqwuXqAN qYGs4Ch99od7O+5kqs1B5a70A/RHsXV2jaEUoqKUM24t+t75mgx71RYQTv0t4+Jp gG66psXiER6NP4ROXUm7bj8EpqdimM4B9EifY/gC9VnGJpmk+eZlbZwEGjd6j29F MOADJLHrsNDGBZGLNRywnA55y4DJ+EbAF1tPzYQHhqKyWlHsHx0xE/sWK0jJ5TgJ Tto7DmTJRMb4GKDUl1EqhfQZpD7eSXHKAnPkWsg1S92YFdZlhDi7SACAYXnBzELB /VeFyuXdjDDZz7B9tSoHaa7BIZuxq2Ae4n662SwkHuI4hvCBb+F4sUa5cGBMMDB9 ekdjUmostA/cUo4ZJzl+OApm/xKNH1Vzb1RLOTF7EHX8NgzWr7HMZ2e5WGDoD8KZ V4IrBhww2s4aunU6ODyaSJQkZuIzhfoUvGcRYhuWILqZUP4UtdKuk+eI2sZ9Ylqi pVW/CTlT9FoMaxEOpJzb4Y6SrMlY8IRdxJcDHQSU5FZnZHCfHKylZkPbn1L99yWs 1Olakan9vqSK5kbWss61X49xbm+LgaxcE5wHS6TntCnydp/c7t/rvsDI4myeaEht PaDz5yYHEtGxHz5S6x15lIoaHqYNZko6pzwu95/aIa1/myBd5ClZ6tye313a8QsX igsMY4bpLOl0aXvf4agR+wU3Ab4P/iHC80mQcihvcgNkdDgFlsHoxqLznGF4BzjQ A/t9HSCEgUo= =Vjd2 -----END PGP MESSAGE-----

This is obviously completely useless to someone who intercepts the message, but it is also useless to us. That is unless, you have the key. The key is usually although not always, passcode locked. Once authenticated, the key is used to decrypt the message back into its original form. Do note that encryption doesn't stop messages from being intercepted, but from being read.

Now that we have discussed encryption in the context of messaging, how does encryption work on hard disks? On a computer, phone or external hard drive etc, encrypting the device's storage turns the data on the device into a similar mess as seen above. Once booted, the device will only decrypt the data when a correct passcode is entered. Once authenticated, the key is then used to decrypt the devices storage. Once decrypted, the device works as normal. When the device is powered down, the storage is encrypted once again.

Public Key Encryption

Public Key Cryptography is the basis for most encryption used today. If you have seen a padlock in your browser or sent an email using Gmail or Outlook, Public Key Encryption was protecting the contents of your browsing, email or data. The following video discusses the basics of Public Key encryption.

When a person generates keys using dedicated software, a public and private key is generated for that one individual. When person A wants to send person B and email, person B must first provide person A his/her public key. Then, this public key is used by person A to encrypt the message so ONLY person B can decrypt it. That's the magic of public key encryption. When key pairs are generated, the private key is the one correct solution out of the 2^128 total possible wrong solutions to unlocking messages encrypted using the public key. Put simply, without a private key, it is impossibly difficult to break public key encryption by brute forcing it.

So the key takeaways are for a service using public key encryption to work, you must have the public key of your intended recipient. If you do not have it, you must have it sent to you. You can exchange public keys unencrypted out in the open, as a public key cannot be used to decrypt messages. Facebook even allows you to put your public key on your profile when using PGP email encryption.

Person A's private key are used to decrypt emails that were encrypted using person A's public key. Never, EVER share your private keys. Many public key encryption software managers do not easily allow exporting of public keys, to prevent a person from accidentally sharing their private key with anyone. I only keep a backup off my private key offline on encrypted hard drives. If someone were to attain your private key, they would be able to decrypt all your messages you have ever received using that key.

Note the fact the encryption and decryption occurs at person A's and person B's devices only, and no external server ever decrypts the contents of ones message. This is known as End-to-End encryption. Further discussions about End-to-End encryption and link encryption can be found here: How to Send Secure Encrypted Instant Messages & Calls.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content:

Comment

How to Send Secure Encrypted Instant Messages & Calls

Comment

How to Send Secure Encrypted Instant Messages & Calls

These days, it would be pretty much essential for your information to be encrypted in some way. Some encryption is stronger than others however. The most common form of encryption (Link Encryption), used by Gmail, the HTTPS version of Facebook, Outlook etc does not protect the contents of messages once the message has reached Gmail, Facebook, Outlook etc's servers. The two most important types of encryption are End-to-End and Link Encryption. We will discuss the differences, between the two, identify messaging/calling services that use the best form of encryption and how to use them.

End-to-End Encryption vs Link Encryption

In Link Encryption, there are two devices and a central server. When a message is sent, the server must decrypt the message, in order to send it in the right direction, and encrypt it again. The weakness here is that the service can see your messages, not to mention, your messages will probably be stored in the services server. Additionally, the server(s) may bounce the message unencrypted between servers, before finally dispatching the message to the intended recipient.

End-to-End Encryption takes this central server out of the equation (mostly). Instead of the server decrypting the entire message, it only encrypts the message enough to know where to send the message to. The encryption and decryption of the contents of the message occurs on the devices involved in the messaging conversation. The central server cannot see the message contents. nor can anyone running the network. Only the people that are actually in the conversation can see the contents of messages. Even if a government was to ask the service for the contents of the message, if the service used E2EE, they would not be able to divulge the content of the message. Just note that E2EE protects the contents, not the traffic pattern of your messaging. Additionally, it is possible to implement E2EE and Link Encryption at the same time to protect both the contents and destination information. Though, this is uncommon as of publication.

E2EE is also far harder to hack, as the key to encrypt messages is known between individuals. If the individuals check if each others public keys are valid, they can be sure their messages are going to the intended recipients. Link Encryption does not inherently allow for such verification, as the server manages the public and private keys on your behalf. More on this and Man in The Middle Attacks later.

Traditionally, E2EE has been used in email encryption such as PGP or X.509. Unfortunately, PGP has earned itself a reputation for being hard to setup and difficult to understand, albeit probably the most secure way to send an email. Happily however, E2EE apps are now becoming increasingly popular, and do not require a basic knowledge of public key encryption to operate. Its usually as simple as having both people using the same application (inherent with E2EE).

Examples of Link Encrypted Services

  • Gmail
  • Outlook
  • HTTPS websites (padlock in the browser indicates a website is encrypted using HTTPS)

Examples of End-to-End Encrypted Services

  • PGP (email)
  • X.509 (email)
  • Signal
  • Whatsapp
  • iMessage

With that out of the way, lets discuss what messaging services using E2EE I can recommend and how to use them effectively.

Signal

I recommend the Signal app from Open Whisper Systems for iOS and Android. Signal replaces Androids default messaging app, and has a standalone app for iOS (due to Apple's OS limitations on apps in it's app store). On top of that, Signal supports audio and video calling, group conversation and file exchange. Best of all, it's free! Signal can only send encrypted messages to other Signal users. Thus, on Android, if you send a message to someone who is not using Signal, the message will be sent as a standard unencrypted SMS/MMS. For Android way you can tell if Signal will use E2EE for data exchange between your particular contact is the phone icon will have a lock placed next to it:

In both screenshots, note the call icon on the top right. If there is a padlock, the contact is using Signal and therefore, the messages and calls are all using E2EE. If there is no padlock as shown in the right most picture, the recipient is not using Signal, and the message will send as an unencrypted SMS/MMS. Additionally, the padlock shown inmessages boxes indicate the message was sent encrypted.  As Apple users can only message Signal users via the iOS Signal app, you don't have to worry about this. All your messages and calls will use E2EE.

Whatsapp

As of the 5th of April 2016, Open Whisper Systems has collaborated with Whatsapp to implement E2EE. With over a billion users worldwide and E2EE enabled by default , Whatsapp is another great service to securely message on. It is worth noting however that many Whatsapp users have not updated their apps since April 5th. To check if your messages will be sent using E2EE, open their contact and note the padlock:

If you see the open padlock, E2EE will not be used, and the contact must update their app before E2EE can be used.

Man in The Middle Attacks (E2EE)

To understand Man in the Middle Attacks, we must understand the basics of encryption. In particular, public key encryption. Read more about this at my article: What is Encryption & How is it Useful? Please note that knowing the basics of Public key encryption as discussed in the article are not mandatory to run E2EE messaging apps. However, it does provide a more comprehensive understanding of encryption and how to protect yourself from certain threats. To recap, a public key encrypts messages, a private key decrypts messages.

In the context of E2EE, a Man In The Middle Attack (MITMA) is the act of an attacker exchanging your public key for his own public key during the key exchange process in E2EE apps. Effectively, the hacker would then receive your messages instead of your intended recipient and decrypt them using the keys exchanged. To avoid detection, the attacker would then send off the message using his own private key to your intended recipient. The way we secure ourselves against MITMA's is by verifying our recipient's public keys and vice versa. Using Whatsapp as an example, click the lock (pictured above) and a QR code and a string of random digits will display (pictured bellow).

How to verify your recipients public key.

Enable This Setting to Detect MITMA's after you have verified public keys with that particular recipient.

To verify your contacts public key, you will have to exchange this QR code or string of numbers to your recipient, ideally on another messaging service, or by stating the code during a phone call. Verifying public keys using a different service than the one you are using is known as Out-of-Band verification. If you go the phone call route, be sure to state every single digit, as the attacker may change only one number in your recipients public key. This single digit could be the difference between your messages going to your intended recipient and an attacker. You will only have to do this once, as Whatsapp has another setting that warns you when a persons public key suddenly changes. To enable this go to settings -> accounts -> security and enable "Show Security Notifications."

Signal's main way to exchange public keys is to call the user using Signal (make sure to the padlock is on the phone icon if your using Android). Your screen should look like this if your using Android, but the Apple version is fundamentally the same:

Call Screenshot from Android

Note where it says "classroom pedigree." At the beginning of your call, verify if this text matches your recipients. If it does, your calling him directly. If the text is different between you and your recipient, you are falling victim to a man in the middle attack.

iMessage for Apple also supports E2EE. Albeit without protection from man in the middle attacks and cross-brand compatibility.

Although key verification may seem irritating, it is good to practice good security practices. However, if it is just too much, it is still far safer to use E2EE messaging apps that using Link Encrypted Messaging apps (i.e. Gmail) or unencrypted messaging services like Facebook. Note that Facebook messaging can use SSL/TLS encryption (Link Encryption) when browsing on the HTTPS version of Facebook (not HTTP). Install HTTPS Everywhere on Firefox or Chrome to enable this by default. This is most useful on unsecured wireless networks, where hackers can sniff the contents of all unencrypted traffic without the need to break any encryption or passwords.

 

Signal also can be accessed using Google Chrome on Desktop by downloading the extension.

Whatsapp vs Signal vs iMessage

iMessage does not allow for any form of key verification nor support for calling and can only be used between Apple devices.

Whatsapp can be used securely, but be sure to turn of iCloud/Android backups. Otherwise, your Whatsapp messages will be stored unencrypted in Apple/Google's servers. Be sure your contacts do the same. Similarly, taking screenshots of conversations usually results in the image being uploaded to the cloud. Whether it is via iCloud, Dropbox, Google Photos, Onedrive, etc. Sadly, none of these services encrypt data stored in their cloud storage servers. Currently, governments don't even need a warrant to access a persons cloud storage data, so I'd advise against this. Signal has a setting enabled by default that prevents screenshots from being taken from within the app. Additionally, Signal, unlike Whatsapp, does not automatically upload its messages to the cloud when cloud backups are enabled on your phone's operating system. You can also have the app delete your messages automatically after a specified number of messages.

For this reason, I recommend Signal, but I also use Whatsapp. Just know the precautions you must take in order to secure your data fully, and encrypt your phone with a strong passphrase. Lastly, its great that you may be taking steps to protect your data. However, if your recipient doesn't do the same, your efforts may be futile.

Conclusion

The result of these E2EE messaging services is that Signal, Apple, Whatsapp and others who use E2EE do not store any data regarding the content of your conversations and voice calls. This also effectively subverts government surveillance and hackers, as although the data is intercepted, the data is safely encrypted. Additionally, governments can't attain the information from Signal or Whatsapp, as all the information is stored only on the users hopefully encrypted phones. Put simply, only you and the person you are messaging can read the conversation, nobody else. The obvious downside to E2EE services is that you are going to have to convince people to use the app with you. Though, once you have your friends using the app, you can have your own private community of private messengers, immune to all ease droppers.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content:

Comment

Pretty Good Privacy (PGP) Email Encryption Guide - GPGTools (MacOS)

Comment

Pretty Good Privacy (PGP) Email Encryption Guide - GPGTools (MacOS)

Many will be shocked to become cognizant that emails, even when using traditional means of encryption, are not encrypted once the email reaches the email providers servers. Since emails often travel across the world before they reach their final destination, your unencrypted emails will have likely been intercepted and stored in a government database.

The aptly named Pretty Good Privacy (PGP) encryption standard is one of the most (if not the most) secure ways to encrypt a email, End-to-End. Ever since whistle blower Edward Snowden used PGP to email Glenn Greenwald about the revelations about NSA spying in 2013, many journalists now put their public key in plain view on social media. Presumably, hoping that they will be the ones to leak classified information from their source. It's not only journalists that use PGP. Anyone who wants to encrypt emails End-to-End rather than by conventional (and inferior) Link Encryption methods such as SSL and TLS, will have found what they are looking for in PGP. For more information on End-to-End Encryption and how it compares to traditional Link Encryption, see my article: How to Send Secure Encrypted Instant Messages & Calls.

PGP works on the basics of Public Key Cryptography. To understand how to use PGP and why it functions as it does, you'll definitely need a basic knowledge of the topic. Learn about the basics at my article: What is Encryption & How is it Useful? Basics of Public Key Encryption. Consider this a prerequisite.

With the basics out of the way, lets discuss how we can use PGP to secure our email communications.

How to Setup PGP

In order to use PGP, you'll need a compatible mail client like Mozilla Thunderbird and a software package that incorporates PGP into your respective mail client. In this case, we will be incorporating MacOS's built in Mail client with GPGTools. Follow the link and install the package. Once you run GPGTools you should find yourself finding yourself needing to generate your very own key pair (your private and public key):

Generate Key Pairs in GPGTools for Mac

Type your name and your email address. The first consider you may want to make is, do you want to put your real name in the name field? After all, you are using PGP to encrypt traffic, using a fake name may ensure you additional anonymity. You will probably want to Upload your public key to the key servers so others can find,  verify and sign your key later. You can upload your key at anytime. However, you can't delete your key off the key servers. You ca only revoke the key. More on this later.

Although email addresses are usually not case sensitive, it is in GPGTools. So if your contact lists you as having uppercase letters, you'll want to type with uppercase letters here. Do keep in mind your contacts will also need to type in your email address with the correct upper/lowercase letters in order to send you an email. You'll be able to add more email addresses to your private key later, including the same email address using uppercase and lowercase letters. The advanced options can be left as is. You may want to disable the "Key expires" checkbox (you can also change this later if you so wish). Lastly, enter a secure passphrase. Information on passphrases at my article: Passphrases, Password Managers & Multi Factor Authentication. This passphrase will be your last line of defense if your private key is acquired by a hacker. Click "Generate Key."

 

Add Email Addresses to Your Private Key

You will only be able to send encrypted emails if your using an email address that has been entered under the "User IDs" of GPGTools. Once again, you must type your email case sensitive for this to work. If your having problems, add the same email addresses with uppercase letters if commonly used.

Double click your key in the GPG Keychain menu to access this window:

Add Email Addresses to GPGTools

Press the "+" icon to add an email address:

What Happens if I Want to Delete My Private Key?

If someone has acquired your private key or you delete your last copy of your private key, you'll want to revoke it from the key servers. You cannot delete a key from the key servers. Hence, PGP public keys are still out there from the 1990s readily accessible from the key servers. Click "Key" and then "Revoke:"

This will show other users

Backup Yours Keys

If you somehow loose your private key, you will no longer be able to decrypt messages. On top of that, you'll have to generate a new key, and revoke your key from the key server. It is therefore imperative that you keep an offline and preferably offsite backup of your private and public keys as well as the aforementioned Revoke Certificate. Be sure if you backup the keys that you encrypt the disk with a strong password. Do note, USB flash drives have a terrible shelf life for archiving.

Sending Encrypted Emails

You'll notice a OpenPGP button on the top right. To encrypt the email, click the padlock. If you want to sign, click the tick. Usually, you'll want to do both. More on signing keys and key verification in the next section.

Sending mail Using GPGTools in MacOS

These options will be greyed out unless you satisfy two conditions. First, your email address you are sending from must have been added to GPGTools. Second, you must have added your recipients public key to GPGTools. Usually, you will attain your recipients public key in the form of a ".asc" file. Open the file using GPGTools by clicking the import button on the top left.

Why Sign an Email? Key Verification

Signing an email may not encrypt the email, but it sends a copy of your private key in the form of an ".asc" file. This allows others to encrypt emails to you in future. In addition, a recipient will be able to verify the email was sent using your private key (assuming they already have your public key). Presumably, confirming the email was sent by you. If they suddenly notice your public key changes, that may be a sign of a man in the middle attack. More information on key verification at my article: How to Send Secure Encrypted Instant Messages & Calls. Keep in mind you can verify an email even if the email is encrypted.

What Does PGP Encrypt?

GPG encrypts email contents. This includes text in the body, subject line and attachments. This does not include your email address or recipient of the email. Email encryption also doesn't hide your metadata such as your IP address and hence, your location unless you are using a proxy/Tor/VPN/Tails OS etc.

Signing Friends Keys

PGP has a ingenious way of building reputations of the legitimacy of a persons public key. As you may have noticed, GPGTools has a column on the far right called "Validity." You can boost a persons public key's "Validity" by signing it with your own. Click their public key, then click "Key" on the top toolbar and then "Sign."

You'll be greeted with a brief synopsis of what your doing. Choose your private/secret key that you will be using to sign (likely, you will only have one private key). Then, choose how certain you are the person's public key you are signing actually belongs to whomever it states it does.

Facebook PGP Email Encryption

To begin with, you may have very little use for PGP. However, Facebook can encrypt all emails to you using PGP. So as a bonus to this guide, lets discuss how we can setup Facebook to send all emails to you encrypted using PGP. Do note, this includes account recovery emails, and if you loose your private key, you will not be able to decrypt these emails. This can both be an advantage or a disadvantage, as even if a hacker gains access to your emails, they won't be able to decrypt the password recovery emails anyway.

First, go to your Facebook Security Settings:

Facebook Settings Screen

Download Facebook's public key and place your public key in the textbox. Generate your public key by exporting your key using GPGTools and then opening the the file in TextEdit (Mac).

Public Key for Facebook PGP

Email Sent by Facebook Confirming You Can Decrypt Their Message

Conclusion

In conclusion, PGP may seem irritating to setup, but it really gives you a comprehensive understanding of Public Key Cryptography. If you truly value the contents of your emails, PGP may be one of the best methods of ensuring the contents of your emails are only read by the intended recipient.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content:

Comment

Top Privacy & Security Browser Extensions - Firefox, Chrome, Opera, Safari

Comment

Top Privacy & Security Browser Extensions - Firefox, Chrome, Opera, Safari

Your data is valuable, more than you know it. Cookies or data loaded into your browser that track you across websites are now pretty much ubiquitous. To protect ourselves online, here are some privacy and security related browser extensions for Chrome, Firefox, Safari and Opera. I'm focusing on extensions that require little/no attention from the user after the preliminary install, as many extensions will disable many websites functionality. These extensions should increase your security and privacy simply by running them in the background.

Extensions/Addons

Essentials

1. HTTPS Everywhere

HTTPS is the green padlock in the URL bar you'll see on Facebook, Youtube and most checkouts in online stores. It signifies that your connection to the web server is encrypted, and cannot be read by third parties (i.e. hacker, internet service provider, government surveillance). HTTPS Everywhere forces all webpages loaded to use HTTPS encryption whenever possible. This is extremely important on public wireless networks, where all web traffic (i.e. passwords, emails, instant messages etc) is sent over the network completely unencrypted, allowing anyone with free software to see exactly what your doing. I would describe this extension as common sense, as if encryption is available, there is no reason not to use it! Available for Safari, Chrome, Firefox, Firefox on Android & Opera.

2. Disconnect

Disconnect 'Private Browsing' is an open source, anti-cookie and anti-tracking extension that boasts a database of cookies/trackers. All of these cookies/trackers are categorised for easy blocking of all social media cookies for example, or all advertising cookies. You can unblock any type of tracker on the fly, and if the tracker is necessary for a website to work properly, you trust add entire websites to a white list. Usually though, this is a install and forget type of extension. Available on Firefox, Chrome, Safari and Opera.

3. uBlock Origin

A simple general purpose blocker of third party cookies, scripts etc that runs in the background with little/no setup or attention needed from the user. It's amazing to see the counter of blocked items, whilst sustaining website functionality. Available for Chrome, SafariFirefox and Opera.

4. AdNausium

Unlike your traditional ad blocker, AdNausium (a clever play on words) not only blocks ads, but clicks them as well. This gives content creators money from ad revenue, but comes with all the usual benefits of a traditional ad blocker. Your pages will load faster, you won't see tens of malevolent download button ads on download websites and you'll save a little on bandwidth too. From a privacy standpoint, advertisers won't be able to profile your interests, because you have clicked on literally everything. Available for Chrome, Firefox and Opera.

5. Privacy Badger

Privacy Badger blocks any cross website trackers. Once you leave a website and Privacy Badger notices trackers are still logging your movements long after you've left that website, the extension will disallow any connection to the trackers source. It also brags to protect against browser fingerprinting, a technology where advertisers use the uniqueness of your browser to identify and track you on the internet. This becomes especially important if you choose to use several extensions, as that makes your browser incredibly unique. Available on Chrome and Firefox.

6. TrackMeNot

TrackMeNot is a Chrome and Firefox extension that creates random search queries in the background, that obfuscates your genuine searches amongst it's fake searches. Much like Adnausium's approach to privacy (they are the same developer), search engines and advertisers cannot profile you accurately, as they cannot distinguish which searches are actually legitimate.

6. TrackMeNot

Good to Haves

7. Random Agent Spoofer

Random Agent Spoofer (Firefox) and Random (Hide) User-Agent (Chrome) changes the information that identifies your browser to a different, randomly selected browser. This web browser spoofing can be made to change on every website request and at random time intervals. This is particularly effective against browser fingerprinting as discussed earlier.

8. Terms of Service Didn't Read

Terms of Service Didn't Read summarises any alarming items in popular End User License Agreements (EULA). The extension gives every EULA a grade mark between A to F, and then states why. Although very different from the other extensions discussed, it does put into perspective how much privacy we are expected to give up to use certain services such as Google and YouTube. Available for Chrome, Safari, Firefox and Opera.

9. Lastpass

Lastpass is my favourite password manager. They have a great security and transparency record, have great browser extensions and phone apps, and are a great value. See my guide: Passphrases, Password Managers & Multi Factor Authentication for more details. Full disclosure, Lastpass are not a sponsor, and I have absolutely no affiliation with Lastpass. I just like and recommend their product.

Firefox Only

10. BetterPrivacy

Better Privacy automatically deletes Locally Shared Objects or LSOs. These so called "Super Cookies" are Adobe flash cookies that cannot be easily removed. They contain up to 100kb of data, as a pose to a normal cookies 4kb. Further, they work across all your browsers, as all browsers store flash cookies in the same directory. BetterPrivacy deletes them on browser exit, hence to avoid losses in website functionality.

12. Privacy Settings

Thanks to Firefox's customisable back frame in the form of about:config, users can alter specific privacy settings that simply cannot tweaked in Chrome based browsers. A list of these about:config configurations can be found here, but Privacy Settings (Firefox only Addon) allows 36 of these settings to be changed on the fly, by selecting from privacy and security presets. I personally like the "Privacy (compatible) and Security" preset. However, if you choose another more secure preset and it disables a website, you can, at the click of a button return to a more compatible preset.

12. Test Pilot

This is by no means a privacy or security extension, but it is definitely noteworthy, and I feel it deserves more attention that it has garnered over the past few months. Test Pilot is an official Mozilla addon for Firefox that allows users to install experimental features, not yet included in Firefox. Although Mozilla is pretty good in respecting users privacy, do read the privacy policies of each of the experimental features you will be installing. Some features have very few privacy implications such as Tab Centre and to an extent Activity Stream. However, Universal Search for example does contact third parties other than Mozilla with information such as your IP address.

Screenshot of Firefox Beta with Test Pilot Addon

Final Tip

  • If you are having trouble installing an addon, try disabling antivirus software.
  • Don't install Adblock. Having multiple adblockers is a waste of processing power. If you already have an adblocker, uninstall it and stick to Adnausium.

Conclusion

It somewhat baffles me why web browsers don't come with many of these extensions by default. In the meantime however, I encourage anyone seeking more privacy and security online to install these extensions. Additionally, give Firefox and Opera a try. Both are open source, meaning their code is open for public security auditing. Google does not exactly have a great reputation for protecting users privacy. For more, check out my guide, How to Live Without Google.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content:

Comment

How to Live Without Google?

Comment

How to Live Without Google?

Google has become so ubiquitous, something inspired me to write this guide. Someone saw me use a search engine they had ever seen before, and they seemed shocked! "Yes, I don't use Google," I said. It was at that moment that I became cognizant that Google knew more about me than my best friends. So, lets discuss why you may want to try alternatives to Google search and how to survive without Google services in general, all with the motivation of privacy.

Privacy Checkup

Google allows probably the most options to secure your private data then any large conglomerate. Under your Google Account, look for Privacy Checkup:

Google Accounts Homepage

Click get started and follow the prompts. Points 5 and 6 are most important.

Privacy Checkup Homepage

You'll see a bunch of expandable drop downs which you can switch off. Switching off anything will pause Google from collecting that respective information. For example, turning off Web & App Activity will disable Google from collecting your web/app data from this point forward. However, it does not mean your past web/app data is removed. To remove past web/app activity, press "Manage Activity."

Web & App Activity

You should see a window with all your web history. Click on the three dots on the top right to open additional options. Then, click "Delete Options:"

Delete Web & App Activity for All Time

Click "Advanced" and then from the drop down, select "All time." Press "Delete" to finish. Repeat this process for all other options under section 5 such as Location History,  Device Information etc.

Once you get to section 6, click "Manage Your Ad Settings."

Disable personalized ads

Disable personalized ads

Simply switch this setting off to turn off personalized ads. I like to turn this off, as it scans all Gmail messages etc, and I use Adblock anyway, so having this option on is not advantageous to me.

An option that Google does not include here, is your Google Now voice recordings. Delete your Google Now Recordings.

To summarize, you may not want to turn everything off and that's fine. For most people, leaving Youtube and Location history on is just fine. The one settings I recommend turning off is Web and App Activity, as we'll be looking for a Google Search substitute next.

DuckDuckGo

DuckDuckGo is a third party search engine that does not track you. Simply change your default search engine in your web browser to DuckDuckGo.

DuckDuckGo Homepage

Click on the top right and then click "Advanced Settings" to customize DuckDuckGo to your liking.

Startpage

One severe disadvantage of DuckDuckGo is that it omits Google search results, relying on Yahoo and Bing instead. Startpage is a search engine that includes Google results. It also boasts forward secrecy encryption, meaning all searches use a different encryption key. Put simply, an attacker couldn't just attain one key to decrypt all your searches, as each search has its own unique key. Although generally slower and lacking some of the bells and whistles of DuckDuckGo, Startpage still boasts security features like proxies and Google search results, and is definitely worth a try.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content.

Comment

Virtual Private Networks (VPNs), Proxies & DNS

Comment

Virtual Private Networks (VPNs), Proxies & DNS

To understand what a Virtual Private Network is, first, its best to explain what a Proxy is. In the content of networking, a Proxy server is a server that one can connect to, that acts as an intermediary connection to the internet.

Proxies

Connection Without Proxy to Internet:

User --> ISP --> Internet

Connection With Proxy to Internet:

User --> ISP --> Proxy --> Internet

Note: ISP - Internet Service Provider

When you connect, the proxy assigns you an IP address. Proxy that use "Shared IP Addresses" use a range of IP addresses to connect to the internet. All users connecting to the internet via a proxy have there real IP addresses masked behind the range of IP addresses the proxy uses to connect to the internet. Assuming the proxy does not keep logs, your connection to the internet is anonymized and with little to no trace of your internet activity.

Further, If the proxy server is physically located overseas, you connection to the internet appears to originate from the proxy server. Thus, if you connect to a proxy server in the United States from Australia, you can bypass geolocation restrictions imposed by Netflix (The US has 7 times more titles than Australia on Netflix due to copyright reasons). If you were in China, by connecting to a proxy in Taiwan, you could subvert China's great firewall, and bypass the censorship imposed on all connections originating from China.

VPNs

Finally, what exactly is a VPN? A VPN is a Proxy, but with the addition of End-to-End encryption. When you connect to a VPN server, a tunnel protocol is created, a secure conduit for your data is formed, between you and the server.

Although the internet may not be able to see your real IP address, the proxy/VPN server can see all your internet activity. So it is important to pick a VPN service that keeps no logs of your real IP address and web history. To compare, a VPN could be seen as a log-less Internet Service Provider (ISP). Unlike most VPN services, Internet Service Providers keep logs of your IP, search history and even the type of data you consume. In Australia under the new metadata retention laws, ISP's are now legally required to keep logs of your activity for a minimum of two years. ISP's use what is known as packet sniffing to examine your internet traffic. Using this technology, ISP's have been known to throttle users who connect to high bandwidth services like Netflix. If however you connect to a VPN server, your ISP cannot see what services you are using as all your internet traffic is encrypted, and therefore cannot throttle you.

The last big benefit of a VPN is guarantees you a secure connection to the internet, even when you are using a very insure public Wi-Fi network. Because your data is encrypted through the Wi-Fi router, through the ISP, all the way to the VPN server, hackers who also use packet sniffing techniques connected to the same unsecured Wi-Fi network cannot see anything your doing. Put simply, anyone who intercepts your packets of data, whether its a hacker, a router that allows for packet sniffing for analytical purposes or your ISP, will only see a giant cipher of encrypted text (see my article for an example of encrypted Ciphertext: What is Encryption). VPNs also protect against session hijacking attacks on unsecured wireless networks. Session hijacking works by stealing your login cookie (piece of information stored on your computer to indicate you are logged in). By stealing your login cookie, the user can press a button and then steal your login session, allowing the attacker full access to your account (albeit without your password). Believe it or not, that can be as easy as installing a browser extension.

Although VPN services probably sound like the greatest thing ever at this point, there are some trade offs you make when connecting via a VPN. Apart from the fact the VPN provider can see what your doing, VPN services cost money and due to the encryption that happens between you and the server, your connection will be slowed down. How much so depends on your distance from the server your connecting to, the strength of encryption you select, your device hardware and how good the VPN service providers server is. However, due to ISP's throttling users, many observe higher speeds to popular websites like Netflix and YouTube when connecting via a VPN. Some websites simply do not work over a VPN. This came as a shock to me when I realized the reason I couldn't access Carsales.com is because it doesn't support connections from VPNs. In these rare cases, simply switch the VPN off. This is a regular occurrence for me, as I use Philips Hue LED RGB Wi-Fi light bulbs, which I control with my phone. Sadly, I can't control the lights when connected to my VPN. Further, VPN users have been found to be put under more scrupulous surveillance by government organizations like the NSA. The NSA and it's subsidiaries have been known to store encrypted VPN traffic to be decrypted by supercomputers if the user were to fall under suspicion. This is as a pose to unencrypted traffic, which is stored and then discarded off, as the ISP and government surveillance agency can see the contents of the unencrypted web data without the need of decryption. Finally, in buildings with lackluster wiring, packet loss or loss of information during transit across the internet can look like a connection is compromised, resulting in the VPN server disconnecting to prevent any risk of exposing the users web traffic.

Benefits of a VPN

  • Bypass geolocation restrictions
  • Bypass censorship restrictions
  • Anonymize your connection to the internet and your ISP
  • Secure yourself against many public Wi-Fi risks

Downsides to VPNs

  • Will slow your connection speeds
  • Costs money
  • VPN provider can inherently see your web activity
  • To Hackers and ISPs sniffing your internet traffic, it is obvious you are connecting to a VPN
  • Government agencies like NSA and GCHQ reported to spy on VPN traffic

VPN vs Proxy vs Smart DNS

If your looking purely to get to US Netflix or a blocked website due to geo-restrictions, a Smart DNS service will suffice for the lowest possible cost. Proxies have slightly more anonymity over smart DNS, but most people choose a VPN over a proxy. The great benefits over proxies for the small price penalty is usually considered worthwhile. I personally recommend a VPN service for most people or possibly a Smart DNS service. Proxies are generally more difficult to setup as well.

What VPN Should I Choose?

If you so decide to try a VPN, your in luck. VPN's are cheap and most offer a trail period or a money back guarantee. There are a number of things you should consider when choosing a trailing VPN services.

Logs/Privacy Policy and Locality

An important part of what VPN you choose is their attitudes towards logging and privacy. This is usually advertised by most VPN providers, as most users seeking a VPN do so for the increased privacy and anonymity. Many VPN providers state they do not keep logs of any kind, which is a blatant lie.

Other VPN services may be very anti-piracy, blocking all P2P Torrent traffic altogether through their VPN. As many use a VPN purely to avoid their IP address being easily found while illegally downloading, take this into consideration if this matters to you. Although policies like no torrenting may be hidden on a VPN providers website, be sure to read reviews to find information like this. I personally need a VPN that supports P2P, as I use BitTorrent Sync (a Dropbox competitor). The difference between traditional cloud based options like Dropbox and P2P services like BitTorrent Sync is Sync takes the server out of the equation. Using Sync, files are directly transferred to your devices, rather than first uploading it to Dropbox's server, and then downloading across your other devices. As Sync uses P2P (torrenting) technology to transfer data, it is vital to me to choose a VPN that allows for torrent traffic.

Pricing - Free vs. Paid VPN

You might ask, why not just use a free VPN service? Free VPN services always have to make money in order to be sustainable. This usually means no or very little customer support, inferior encryption, slower speeds and unstable connections. Further, some VPNs make you sit through some advertising before you connect. Others restrict the amount of servers you can actually connect to. Free VPNs almost always have low data limits and may sell your bandwidth and information to third parties for advertising purposes. Put simply, if your using a free VPN, your the product! Besides, VPNs are cheap, especially when bought in longer subscriptions. As an example, I use Private Internet Access (PIA). PIA offers a 7 day money back guarantee, and is priced at $6.95 for 1 a month subscription, $35.95 for a 6 months subscription or $39.95 for a annual subscription (US Dollars).

Data Limits

Definitely note if the VPN service your looking at has data limits and if so, how much data you are entitled to. Most paid VPNs allow for unlimited data. Note that if your VPN provider states they keep zero logs but have data limits, scrutinize their logging policy, as it is impossible to implement data limits without logging a users total consumed data.

Does the VPN Service Connect Using Their Own Servers?

Although uncommon, some VPN providers such as Vypr VPN from GoldenFrog only connect to their own servers. Most VPN services rent other servers and don't have direct control over them. Owner operated servers are definitely a plus.

Number of Connected Users

One of the most important things to look for in a VPN service, is the number of simultaneous connections to the VPN server the service allows for. As discussed, VPN services do keep SOME logs. For example, a VPN must keep logs on how many devices you are connecting to the VPN at once. Otherwise, you may be giving your whole family and friend base access to the VPN service via your one subscription. Keep in mind the number of devices you intend to connect at once. For instance, if you have a phone and computer, you will need a minimum of 2 simultaneous connected devices to the VPN.

VPN Protocol - OpenVPN

When looking for a VPN service, make sure it uses OpenVPN as its protocol for connecting to the VPN server. OpenVPN is the standard, and is pretty much ubiquitous. For more information on this topic, see BestVPN.com's article: PPTP vs L2TP vs OpenVPN vs SSTP vs IKEv2. For most though, just make sure your VPN uses the OpenVPN protocol.

DNS Servers

A good VPN will have its own DNS servers. DNS in case you weren't familiar is a phone book of website URLs and IP addresses. When you type in a URL in your browser, a DNS request is issued to a DNS server, that tells your web browser what IP address to connect to. Your web browser cannot connect to a website without knowing the URLs corresponding IP address. By default, your DNS server (usually set on your router in a home environment) is your ISP's DNS servers. To fully hide your traffic from your ISP, you should change DNS servers to a log-less DNS server run by your VPN service. The easiest way to do this is to find out if your VPN provider has their own DNS server and if so, what is the server address. Once you have their DNS servers IP addresses, input your DNS server(s) into your routers settings page (usually located under WAN). This will result in your devices using the DNS services specified when connecting to the wireless router. Alternatively, you can set the DNS server for each individual device to connect to. I often do this for networks I usually connect to such as my university campus wireless network. Many VPNs have guides on how to do this. Note that you can only change a DNS server on a device by device basis per connection. So if you switch to another wireless network (other than your home network), you'll have to set the DNS server again manually.

Some VPN servers only allow DNS requests from connections from their VPN service. So if you disconnect to say browse a website that is blocked on VPN connections, your DNS servers won't work, thus you won't be able to browse that site. So look for a VPN with its own log-less DNS servers that work even when not being accessed using the VPN. Alternatively, you can connect to a third party DNS server like OpenDNS, if your VPN provider doesn't offer its own DNS servers.

Finally, many VPNs allow you to specify an option to prevent DNS leaks. A DNS leak is when a DNS request is sent outside the VPN tunnel, unencrypted and possibly to an ISP's DNS servers if you have not configured your custom DNS servers. This would allow an ISP to see and log what websites you have visited.

Using Private Internet Access VPN, I have my DNS servers set on my router, and avoid DNS leaks set to "on," on my devices. PIA allows for an unlimited number devices using their DNS server, even when you aren't using PIA VPN for that particular device. This is vital, as setting their DNS servers on the router makes ALL devices connecting to that wireless router use those particular DNS servers. Additionally, PIA allows for a maximum of 5 devices using the VPN per subscription, so it is likely that not all your devices will be connected to the VPN at any one time (note above discussion on DNS server needing to be useful even when not connected to VPN). Sadly, the downside I have observed with PIA is it does not allow for OpenDNS and its proprietary technology "DNSCrypt" - a technology that encrypts all DNS traffic, even when a VPN is not used. If your using a VPN however, this really shouldn't matter too much, as DNS traffic is usually tunneled through the VPN (assuming avoid DNS leaks is set to "on").

Router Support

Instead of connecting all your devices to the VPN (note maximum number of simultaneous VPN connections possible for your VPN service), you can connect your router to the VPN. In this configuration, all devices connected to the router will be connected to the VPN by default, despite the VPN provider only logging this as one connection to the VPN. Further, devices like AppleTV's that can't usually connect to a VPN, can be when connecting to a VPN enabled router. Sadly, most routers have comparatively horrid processing hardware (it takes a decent computing processor to be able to encrypt your data at a fast enough rate to keep up with your bandwidth without bottlenecking). Thus, your router will usually bottleneck your internet speeds. Even if you have a top of the line 802.11AC router, I noted a ten times reduction in speeds when connecting to the VPN via the router, instead of connecting from my laptop. Further, you probably won't want to connect your gaming console to a VPN anyway, as it will reduce speeds and introduce lag. Setup is also usually more difficult. PIA offers very little and at times misleading support for setting up their VPN on routers. Many tell you to install a third party router firmware like DDWRT or Tomato, which is often not necessary. ExpressVPN offers far more comprehensive guides with far more flexibility regarding types of encryption etc when connecting via a router. In any case, I cannot recommend connecting to a VPN using a router, due to the reduced speeds. Further, some VPN services don't offer support for connections from routers using the OpenVPN protocol, instead opting for the less secure L2TP protocol (PIA cough cough). If you connect via your computer or mobile device, it almost certainly is using OpenVPN.

Anonymous Payment Method - Bitcoin

Bitcoin as a digital decentralized currency. A decentralized currency works something like this:

Bitcoin: Buyer --> Seller

Mastercard/Visa/Paypal: Buyer --> Mastercard/Visa/Paypal --> Seller

Note: Mastercard/Visa/Paypal etc will keep logs of your purchase.

If you want there to be no log of your purchase of your VPN, consider using Bitcoin and finding a VPN service that accepts payment in Bitcoin. For a full guide on how to pay using Bitcoin anonymously, read Buying Bitcoins to pay for VPN anonymously, a step by step guide Part 1. You'll want to do this if you are worried about government surveillance, or if VPNs are illegal where you are (i.e. China).

Kill Switch

Even the best VPNs will experience disconnections from time to time. If this happens say during public Wi-Fi use, you may suddenly reveal your identity to potential threats. Make sure your VPN has a VPN kill switch, which is more like an internet kill switch, that automatically kills your connection to the internet if the VPN connection is not active.

Further, you may want to implement into your computers Firewall not to let any applications connect to the internet without the VPN service active. The security benefit to this is as your computer starts up, it may begin fetching emails etc before the VPN connection becomes active, allowing your passwords to be seen if you were on an insecure Wi-Fi network. A guide on how to implement this here (recommended for advanced users only): Using Little Snitch to prevent internet access without VPN. Littlesnitch also comes with a free trail.

Support

VPN setup can be complex when not using the default software provided by the VPN. In some cases, you may want to take your VPN service to the next level. Whether its by trying your VPN on your router, or using a different VPN client, or setting up DNS, great support staff is vital. Most VPN's I have tried reply within minutes. Comprehensive guides are also great. ExpressVPN has the best guides I have seen, to the point I never needed to use their support. PIA on the other hand, had to help me on various occasions for seemingly trivial reasons. Seemingly arbitrary things like the VPN software not connecting to the server because my IP assigned to my device from my router was not between a specific range etc. Luckily, I have a basic knowledge of networking, DHCP and IPv4. The support staff basically said they couldn't be bothered to teach me, thinking I had no idea how to change the DHCP range on my router. Although I managed to fix the problem once they pointed out the issue, if you aren't so savvy with networking, make sure the VPN functions without issue before forking out your money at the end of a trail.

Speeds

Obviously, a VPN that yields faster speeds than another is preferable. I recommend also testing on your mobile devices. My phone always gets slower speeds than my laptop when connecting to a VPN. This may be due to my laptops superior processing power. However, altering the encryption settings to require less processing power (and weaker encryption) did not help. Strangely, connecting to other VPN services using the same encryption standards resulted in faster speeds on my phone, but slower speeds on my laptop. So, just be aware that VPN speeds vary across devices and should be taken into consideration. Additionally, as speed is influenced by server location, test on all the servers you might regularly use. For instance, if you plan to be using Netflix, test a VPN server based in the US. You'll notice most likely the speed will be considerably lower than connecting to a local VPN server. If they are too low to stream high definition video on Netflix, try shopping around. On the other hand, your internet connection may be too slow to stream HD video even without a VPN, in which case, you will just have to watch in low resolution if you are to connect to US Netflix via a VPN.

Note, pricing and speed are not linked. I get the fastest speeds (on my computer and not my phone anyway) with Private Internet Access, one of the cheapest VPN services available. I've tried Astrill, Vypr, ExpressVPN and more. All of these services were 50-300% more expensive and were slower, despite similar encryption used and server locations. Not to give PIA too much credit, as there support staff I'd consider very average, but the saying "you get what you pay for" is true, but not for speed (unless you are on a free VPN).

To measure your internet speeds, visit Speedtest.net. On the bottom right is your IP address as detected by Speedtest.net. If you are not using a VPN, this is your real, ISP provided IP. If your connected using a VPN, it should show the IP address of the VPN server. Just be sure that when you connect to a VPN, that your IP address changes to one other than your ISP provided IP. Do note that your ISP does change your IP address periodically. You should also be able to see your location on a map. Once again, this will show your location unless you connect to a VPN server. If that is the case, your VPN servers location should be displayed instead. Press begin test to find your internet speeds. Ping is the latency, or speed at which a connection can be sent to the server. This is important when gaming, as gaming requires a faster connection, but doesn't necessarily require a lot of data. Upload and download bandwidth is the total amount of data per second you can upload or download. Obviously, higher numbers here are better. Download is what you'll care about when streaming Netflix or YouTube.

Censorship & Geolocation Subversion

If your connecting to a VPN in another country to subvert geolocation or censorship restrictions, not all VPNs will work. In China, VPNs are blocked by default. However, many VPNs still seem to work undetected. For example, Vypr VPN has a proprietary encryption technology called Chameleon that avoids VPN blocking. Sadly, when using Vypr VPNs Chameleon, the internet can see your real IP address and location.

For the Netflix users outside of the US out there, Netflix blocks most VPN and proxies when connecting to its services. However, some VPNs still seem to be unblocked. Research reviews and ask your VPN provider about this issue. Private Internet Access is an example of a VPN that is blacklisted by Netflix. Netflix simply blocks all connections coming from IPs originating from PIA. ExpressVPN at the time of publication does support Netflix. However, it doesn't when using the Netflix mobile app on iPhone (I have not tested on Android). The same is true for PIA. However, when using PIA from a laptop, I was able to connect to US Netflix until an hour later, where Netflix finally detected I was using a VPN/proxy. So make sure you try your VPN on Netflix on all your operating systems you use and for extended periods of time before buying. Additionally, look for reviews and do some searching or even contact the VPN provider directly.

Features & Encryption Types

Many VPN providers will offer many different features to differentiate themselves. Make sure to take these into consideration when choosing between providers. As aforementioned, Vypr has its Chameleon technology and NAT Firewall. Astrill VPN offers Nat Firewall as an extra add-on, as well as additional encryption, authentication and handshake options other than AES, SHA, and RSA respectively. AES, SHA and RSA are all National Institute of Standards and Technology (NIST) standards. If your worried about government surveillance, know that the NSA has a history of introducing backdoors into services like Skype etc and weakening encryption algorithms. Further, the NSA has worked closely with NIST for a number of years, and there has been reason to believe that AES and RSA can be subverted by the NSA as well. For more information regarding the NSA and encryption, visit the following article: Silent Circle moves away from NIST encryption standards. Astrill through their Crypto+ add-on (adds cost) allows Twofish, Threefish, CAST and Carmella encryption standards (all non-NIST). These encryption standards are believed to not be compromised by governments, although we can never be sure, and are extremingly strong. For most people, I recommend AES, SHA and RSA, as it protects well against hackers unlike for example the Blowfish encryption algorithm, that has known security flaws. For more, read the following article: VPN encryption terms explained (AES vs RSA vs SHA etc.). Some providers allow you some options regarding what encryption settings you would like to use, others have a default that cannot be changed. be sure to check with your VPN provider whatstandards they offer regarding encryption, authentication and handshake (and protocol - hopefully OpenVPN as discussed earlier). A final note on Astrill, ask them if you can trail their Crypto+ add-on via their support staff, as it is not enabled by default during the trail. They will hopefully give this add-on to you for free for the trail period, as they did for me.

Conclusion

VPNs are one of the best tools to anonymize your internet activity. Although the basics of VPNs are quite simple, shopping around can be quite a tedious process. The VPN landscape is always progressing, so be sure to comment if I have left anything out, or have any further questions.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content:

Comment

Passphrases, Password Managers & Multi Factor Authentication

Comment

Passphrases, Password Managers & Multi Factor Authentication

We are all aware that 1234, 0000, "iloveyou" and "password" are horrible passwords. Yet, many of us still are either ignorant or can't be bothered to put proper password security practices in place.

Why Are Passwords Important?

Without fear mongering for too long, the consequences of having one of your accounts compromised can be tremendous. A list of possible consequences include but are not limited to:

  • Identity theft
  • Monetary theft
  • Loosing your job
  • Impacted relationships
  • Publication of personal data
  • Having all your accounts deleted, and your mobile devices remotely wiped

Now that we understand why account protection is important, lets discuss what we can do to protect our accounts and devices from unauthorized access.

Tips on Creating a Secure Passphrase

The best way to understand how to make a secure password, is knowing the ways a computer may break a password. There are two primary ways a computer can break a password:

  • Brute Force Attack
  • Dictionary Attack

Brute Force Attacks

A Brute Force Attack (herein refereed to as BFA) simply goes through every single possibility until it finds the password that unlocks the device. This is the reason why pin's are so insecure, as the computer only needs to guess 10 numbers per additional character in the pin, as opposed to the entire key space of upper and lowercase letters, numbers and symbols. This method of attack is considered effective primarily on random, short passwords such as h5%93"; (3 minutes to crack). Ironically, not only are short, complex passwords easily defeated, but they are difficult for humans to remember.

The best way to defend yourself against an attack of this nature is to create long passwords, herein known as passphrases. Passphrases are long passwords, made of multiple words. By adding upper and lower case letters and special symbols, you increase the amount of possibilities the computer must check. By checking the HowSecureisMyPassword.net, we see that the passphrase: "i eat chinese food" would take 454 billion years to crack. Not only is this easier to remember, but its almost 80 quadrillion times harder for a computer to guess! Further, if we add a uppercase letter to "food," it would take a computer 2 quadrillion years to break the code, 4400 times harder to guess than without the capital letter. Add a ":)" to the end of the code, and it would take 388 quintillion years to break the code; 194 thousand times longer than not having the smiley face at all. So to summaries, use a long passphrase that works for you and is easy to remember. Use numbers, upper and lowercase letters and symbols. However, I will caution replacing an S with a $ or a e with a 3, as password cracking software

It should be noted that the website provided is to be used as a guide only, and computational power is always advancing. For instance, government supercomputers can be over 10 thousand times faster at password cracking than standard consumer desktops. Further, quantum computers can be even more powerful. Although, chances are if a government has enough resources to brute force you with a super/quantum computer, they'll be able to hack you through other means. Don't be satisfied until you reach a password that would take millions of years for an average desktop computer to crack. Furthermore, don't let websites give you a false sense of security when it says your password you have entered is strong because you have more than 8 characters, a capital and a number. These are guidelines only, and websites like howsecureismypassword.net are far more reliable. To put it in metaphorical terms, a weak password is a weak lock to your online identity. A kick to the door is all it takes to break a weak password.

Dictionary Attacks

A dictionary attack further complicates things a bit. Dictionary attacks try to replicate human thinking, by trying to guess passwords that are common in password dictionaries or contain information like your name or birth date etc. For instance, A horrible password for me would be Daniel van Driel (insert birth date here). Sure, it would take 768 sextillion years to brute force, but it can be easily guessed if the attacker knows anything even remotely identifying. Using the door lock analogy again, you wouldn't install a lock to your door, if literally anyone who knows your name and birth date can unlock it. Unfortunately, it seems all to common that people do this.

Usually, password cracking software will first try a dictionary attack. Usually, this entails first running through a database of common passwords. Then, it may attempt to try many commonly used words in conjunction with each other (i.e. "never say never," or "chicken ice crackers"). A more sophisticated password attack would allow the hacker to input user identifying words such as their name and birth date to be used in the dictionary attack. If the dictionary attack fails, the program will proceed to brute force methods.

Remember, you can use the best encryption in the world, but if the key used to decrypt the data can be unlocked by a weak password, you are effectively defeating the purpose of encryption, increasing your data security. Strong encryption and passphrases are essential in order to properly keep your data safe.

Things Not to Do with Your Passwords

  • Do not store your passwords on your computer unless encrypted in a password manager
  • Do not send your passwords to others. If you must, use a secure app such as "Signal", a VPN and voice call instead of sending in plain text.
  • Do not write down your passwords in your home after you memorize them. Store your passwords in an encrypted USB drive. Although, you will still need a strong passphrase to encrypt the drive with that you must remember.
  • Do not use an easy keyboard combination like qwerty, abcd, wasd, qaz. These are well known and are commonly used in dictionary attacks on passwords.
  • Do not use self identifying information like birthdays or names etc in your password.
  • Never reuse passwords.
  • Create passwords without scanning for spyware beforehand and on a secure Wi-Fi network.
  • Be careful with answers security questions. If you loose your phone, you'll need the answers to login. However, don't make it easy for anyone who knows anything about you to guess the answers.

Tips on Password Management

The majority of people have one password and one only. A single keylogging piece of malevolent software (malware) is all it takes for your password to be sent to an attacker and used to unlock all your accounts and devices. Therefore, no matter how secure your password is, one password on all accounts can never be considered safe.

There are two ways to secure yourself against keylogging malware.

Two Factor Authentication

The first, is Multi Factor Authentication (MFA) or Two Step Authentication (2FA). MFA is a form of authentication that requires 2 "factors" that you must provide to the service in order to unlock the account. Here is a list of examples of "factors" that services might accept:

  • Passphrase
  • Facial Recognition
  • Fingerprint
  • Code sent to your email/phone
  • Code generated in MFA apps on your phone such as Google Authenticator/Authy
  • Physical USB "Key"
  • Physical credit/debit card

The most common form of 2FA is a passphrase combined with a pin randomly generated on (or sent to) your phone. The logic being, your phone is assumed to always be on you. Though, any two of these factors can be used in conjunction given if the service allows for it.

The way MFA/2FA protects you against keyloggers and/or brute force passphrase attacks is even if an attacker has acquired your password, they will still need your phone to unlock the account. Go to TwoFactorAuth.org and check which services you use offer two factor authentication and implement 2FA on whatever accounts you feel could be damaging if compromised.

2FA can be set to only require the second factor of authentication on new devices. Therefore, still protecting from external attackers whilst being more convenient. The one place this falls down is when malware tries to brute force attack your passcode from your own device. Since this is rare (although feasible through malware), many turn this setting on. As with everything security, it's a trade off between convenience and protection, and 2FA with "remember this device" setting turned on is still infinitely better than no 2FA at all.

One final tip on 2FA, if your second factor is to receive a code in the form of a message, disable the option to see message contents on your lock screen! Otherwise, an attacker won't even need to unlock your phone to have access to the code to access your online account.

Password Managers

The second way to protect yourself against keyloggers and possibly brute force attacks is by using a password manager. Password managers work by creating a database housing all your passwords. Most password managers create random passwords for you, like "6Sa!90032y8wryv" (created at StrongPasswordGenerator.com). Passwords like this are incredibly difficult to be broken by computers and luckily for us, do not need to be remembered. The password manager locks our passwords away behind a single master password, and usually auto fills in the randomly generated usernames and passwords for specific apps/websites. For this reason, the master password must be extremely strong and 2FA is an absolute must. This leaves us with two passwords to remember, a password to your device, and a password to your online websites and apps (managed by the password manager). Using passphrases that work for you, and combined with the fact many phones allow for fingerprint unlock now, this shouldn't be painful to remember nor difficult in everyday practical use. Now that we have different, strong passphrases for all accounts and 2FA enabled, it should be almost impossible to have your accounts compromised.

You might be asking, why don't I just use my browsers remember password function? Firstly, many of these passwords are not encrypted unless you encrypt your entire disk. Additionally,  an attacker may be able to brute force your login password to your device and have access to everything, without needing to subvert a second passphrase and 2FA. Password managers are more convenient, offering finger print ad face unlock amongst other options. If you have ever tried to copy and paste a password out of a browser, you'll know how tedious it is. Android also allows for screen overlays, which automatically appear when the password manager detects a app or webpage with a recognized password field. Simply tap which password from the already narrowed down list to autofill.

Password managers come in two flavors, cloud and offline. This matter is based on convenience. Cloud based password managers sync passwords between all your devices. However, as they are stored and encrypted on external servers, it does add another point of failure to the system. I personally use and recommend Lastpass. Lastpass is a cloud based solution that allows for finger print unlock, 2FA, syncing across devices and has a great record on transparency and security. Plus, they are cheap, and offer Yubikey as a second factor of authentication. A Yubikey is a physical USB key that you plug into your device or hold to your phone's NFC sensor (if your phone supports NFC). Another service I use is Truekey by Intel. Truekey expands on 2FA options. For instance, I use it to combine face and finger print unlock, making authentication arguably easier than a single factor authentication method such as a traditional password! Sadly, Truekey does not offer Yubikey, traditional text messages to your phone or a regenerating code (like as is used in Google Authenticator/Authy) as a means of a second factor, which is why I prefer Lastpass. Instead, Truekey uses another device on you to verify it is you that is logging in. Or, a verification code sent through email. Further, at the time of publication, Truekey doesn't play nicely with multi person teams, as only one face can be assigned to a Truekey account at a time. Based on your device and factor preferences though, take your pick. Any password manager that has a good safety and transparency record whilst having the features you want is definitely worthwhile. Other password managers include (but are not limited to):

Cloud Based

  • Dashlane
  • 1Password

Offline

  • Keepass
  • RoboForm
  • Password Safe

 

Conclusion

Passwords are flawed, and by themselves cannot be considered secure. Multi Factor Authentication is one of the best ways to secure your online accounts. Password managers also help implement good password practices whilst being extremely easy to use. These layers of security are well worth the preliminary setup. As, after setup, 2FA and password managers require very little attention and in some cases, can actually speed up your login process. I hope this was informative and if you have any questions, be sure to ask them in the comments section bellow.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content:

Comment

The Dangers of "The Cloud" - BitTorrent Sync vs Dropbox vs Spideroak

Comment

The Dangers of "The Cloud" - BitTorrent Sync vs Dropbox vs Spideroak

Sadly, once you upload a file to a cloud storage service, your rights to the data are significantly diminished. Governments can access any data in cloud storage with no oversight or so much as a reason. Further, neither the data in transit, nor the data stored in a cloud storage server is encrypted.

As good as Dropbox, Google Drive, iCloud and OneDrive are as services, they are unfortunately security compromised services. If we are to actually have full ownership over our data, we have to use services that operate under what is known as a Zero Knowledge System. That is, a service that does not have access to our data. Therefore, if a government were to want to access the data, they'd actually have to go to a judge to attain the encryption key from you, rather than just accessing the data directly.

SpiderOak

SpiderOak is a Dropbox competitor, that focuses on data security on privacy. The SypiderOak client is compatible for all major platforms and is similarly priced to Dropbox, with one key advantage: encryption. The SpiderOak client encrypts all data before uploading it to SypiderOak's servers. All encryption keys are handled on our devices, and SpiderOak therefore cannot access your files hosted on their servers.

BitTorrent Sync

BitTorrent Sync is a decentralized file synchronization system. Essentially serving the exact same purpose as SpiderOak, Sync removes the central server from the equation. Instead of uploading a file to the cloud and then downloading the file to all devices, BitTorrent Sync sends the files to the devices directly.

BitTorrent Sync uses peer to peer torrenting technology. This allows Sync to update certain parts of a file, without having to redistribute the entire updated file to all nodes on the network. Additionally, files are encrypted in transit using AES 128, whether it's across a local network, or over the internet. The client allows you to select which folders you'd like to synchronize and to what devices, and whether the device can read only or read and write to the folder.

One disadvantage to Sync is you'll have access to your data as long as one node on the network is online and has the files locally stored. For instance, you can run your own Western Digital or Synology NAS server running BitTorrent Sync and leave all your files on it. Whenever you need your data, find and open the respective file on your computer or mobile device. The file will be transferred from the NAS server to your device using P2P. Another hypothetical would be to be running BitTorrent Sync on a laptop and a phone. If the files were to be locally stored on the phone (i.e. camera backup), the laptop can only access the folders stored locally on the phone if the phone is online.

As with other traditional cloud based services, you can selectively sync that you need to save space on mobile devices, accessing them only when needed, under the proviso that a node containing the files are online.

The important difference between BitTorrent Sync and traditional cloud services, is if you are to actually have a backup of your file, you must have the file locally stored between two or more devices. Setting up an offsite backup may also be difficult comparative to traditional cloud services.

Encrypting Your Devices

It should be noted that although your data may be encrypted on SpiderOak's servers or in transit using BitTorrent Sync, that doesn't mean they are encrypted on your devices! For this system of file synchronization to be truly secure, you absolutely should encrypt all your devices that will have access to your data. Otherwise, a person who seizes your laptop will be able to access all your files without even needing a passcode.

Can I use Dropbox, Google Drive, iCloud and OneDrive Securely?

Yes. You can use a program like Truecrypt to encrypt your files manually before uploading them to Dropbox. However, file sharing cannot be done without your intended recipient having the password to decrypt the data. Additionally, they will need Truecrypt (not to mention a basic knowledge encryption) to be able to make the whole thing work. Put simply, I recommend against this practice, as SpiderOak and BitTorrent Sync will likely be far more adaptable.

Conclusion

SpiderOak is by far the simpler and more traditional file synchronization solution that I recommend to most people. BitTorrent Sync is a revolutionary idea that requires more setup, technical knowledge and upfront cost. However, once you have a network in place, BitTorrent Sync has no monthly fees and no file size limits. Furthre, BitTorrent Sync boasts far quicker speeds when used between devices on the same network, as the file can be transferred over the local network instead of over the internet. I personally use both, the free 2GB that SpiderOak offers and a NAS server configuration with BitTorrent Sync, which is my main file synchronization service. Dropbox, iCloud, Google Drive, OneDrive and others are great services and should not be dismissed if you aren't hosting sensitive information on them. However, just know what privacy and security you give up for using these services.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content:

Comment

How to Securely Erase/Format Your Hard Drive - Mac OS X El Capitan

Comment

How to Securely Erase/Format Your Hard Drive - Mac OS X El Capitan

Apple has made a number of changes to disk utility in OS X El Capitan. One of these changes is you can no longer securely erase your disk. I ran into this problem recently when I was selling my Macbook Pro Retina. Happily, you can still securely erase your hard disk using Terminal commands. This is a guide as to how to sell your Mac and securely erase your hard disk so you know the next owner cannot access your data.

Pro Tip - FireFault

If you would like to make your data harder to recover, I'd enable Firefault under system preferences. This encrypts the data before you'll be erasing, making your data more difficult to recover.

Booting into Recovery

To start, boot your Mac into recovery. To do this, hold the Command + R + Power keys. Next, Press Utilities in the upper toolbar and then click Terminal.

Why Secure Erase?

There is one option you need to know when securely wiping your drive, and that is how many times for the computer to write over the disk with data. When you erase your drive but don't do it securely (for instance by using Disk Utility), you are essentially tearing the table of contents out of a book. All the information is still there, but it cannot easily be found. Any knowledgeable person can recover the data using specialised software, that simply looks at the entire drive for data and bypasses the table of contents. We can fix this by writing over the data, hence the existing data no longer exists and cannot be recovered. This is particularly useful when selling your Mac, as you don't want the next owner of your computer to be able to access your data! Here are the terminal commands you need to know and what they do:

Terminal Code Commands & Explanations

Overwrite disk with 0's:

diskutil secureErase 1 /dev/disk0

Overwrite disk with random 0's and 1's:

diskutil secureErase 2 /dev/disk0

Overwrite disk with random 0's and 1's 7 times:

diskutil secureErase 3 /dev/disk0

Overwrite disk with random 0's and 1's 35 times:

diskutil secureErase 4 /dev/disk0

Overwrite disk with random 0's and 1's 35 times using a different algorithm:

diskutil secureErase 5 /dev/disk0

 

disk0 refers to the disk you are formatting. Most of the time this will be disk0. If you run into issues however, you can go to disk utility from recovery, select your main hard disk and press info. Here, you can find your drives designation (disk#). Note erasing the drive will not erase the recovery partition you are currently accessing. The reason why it overwrites the disk with either zeros or ones is computers operate using binary code (zeros or ones).

The thing that makes these commands different is the numbers listed after "secureErase" (yes, Terminal is case sensitive). The number determines the level of overwriting (the more overwrites, the harder to recover, and the longer it takes to erase). I generally would do 1 or 2, a whole disk overwrite with either random numbers or just zeros. Keep in mind if your Mac has an SSD, writing huge amounts of data to the disk may decrease its lifespan.

Once done, your disk will be "uninitialised." Erase the drive in disk utility, and that will partition the drive to install OS X onto.

Hope this helps you sell your Mac! Don't forget the FireFault encryption tip!

Update: Apple also has taken RAID functionality out of Disk Utility as of OS X El Capitan. Additionally, you can't side load the old, superior version of disk utility from a previous version of OS X. 

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content:

Comment