This is a quick guide to staying secure on the internet.
Hashes and Signatures
Hashes and signatures are your primary tool for verifying data and detecting any form of tampering. You need to understand how hashes work and why they are important. Know how to generate hashes and checksums:
$ echo Hello1 > test.txt
$ cat test.txt
Hello1
$ sha256sum test.txt
e616a6e0657eb277d4acad697f19d066aaa62cdde2862d0be591f3de8357de4b  test.txt
$ echo Hello2 > test.txt
$ cat test.txt
Hello2
$ sha256sum test.txt
f660df71283ecaf2c469cde588dd19e498c61eb1b5f1bcc664b8d9f338c67331  test.txt
Changing a single character in the file produced a completely different hash. Hashes act like fingerprints: for practical purposes each is unique to a particular file, and with a strong hash such as SHA-256 it is computationally infeasible to craft a different file with the same hash.
Know how to verify hashes:
$ cat test.txt
Hello2
$ sha256sum test.txt > hashes.sha256sum
$ cat hashes.sha256sum
f660df71283ecaf2c469cde588dd19e498c61eb1b5f1bcc664b8d9f338c67331  test.txt
$ sha256sum -c hashes.sha256sum
test.txt: OK
$ echo Hello1 > test.txt
$ sha256sum -c hashes.sha256sum
test.txt: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
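The check above only covers files that the checksum list names, so a file with no entry is never tested. The following is an added example, not part of the original guide: a hypothetical helper `verify_listed` that fails closed in that case, assuming GNU coreutils `sha256sum` and file names without whitespace.

```sh
#!/bin/sh
# Added example: fail-closed SHA-256 check of one file against a checksum list.
# Assumes GNU coreutils sha256sum and file names without whitespace.

# verify_listed FILE SUMS
# Returns 0 on match, 1 on mismatch, 2 on missing input, 3 if FILE has no
# single well-formed entry in SUMS (plain "sha256sum -c" would not flag that).
verify_listed() {
    file=$1
    sums=$2
    [ -f "$file" ] && [ -f "$sums" ] || { echo "missing input" >&2; return 2; }
    name=$(basename -- "$file")
    # Take the hash only if exactly one line names this file ("name" or "*name").
    expected=$(awk -v n="$name" '
        $2 == n || $2 == ("*" n) { h = tolower($1); c++ }
        END { if (c == 1 && h ~ /^[0-9a-f]+$/ && length(h) == 64) print h }
    ' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: no single valid entry in $sums" >&2
        return 3
    fi
    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
    else
        echo "$name: FAILED" >&2
        return 1
    fi
}

# Constructed sample data: the test.txt from the guide plus an unlisted file.
demo() {
    dir=$(mktemp -d) || return 1
    echo Hello2 > "$dir/test.txt"
    echo other > "$dir/extra.txt"
    (cd "$dir" && sha256sum test.txt > hashes.sha256sum)
    verify_listed "$dir/test.txt" "$dir/hashes.sha256sum"; echo "rc=$?"
    echo Hello1 > "$dir/test.txt"
    verify_listed "$dir/test.txt" "$dir/hashes.sha256sum"; echo "rc=$?"
    verify_listed "$dir/extra.txt" "$dir/hashes.sha256sum"; echo "rc=$?"
    rm -rf "$dir"
}
demo
```

A matching hash only shows the file agrees with the list; the list itself still has to come from a source you trust, for example by carrying a signature you have verified.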
Become familiar with GPG. Know how to verify signatures:
$ ls
test.txt test.txt.sig
$ cat test.txt
Hello1
$ gpg --verify test.txt.sig
gpg: assuming signed data in `test.txt'
gpg: Signature made Sun 29 Mar 2015 11:56:47 AM EDT using RSA key ID C37AF029
gpg: Good signature from "Joseph Ruether <firstname.lastname@example.org>"
$ echo Hello2 > test.txt
$ gpg --verify test.txt.sig
gpg: assuming signed data in `test.txt'
gpg: Signature made Sun 29 Mar 2015 11:56:47 AM EDT using RSA key ID C37AF029
gpg: BAD signature from "Joseph Ruether <email@example.com>"
Passwords and Encryption
With passwords, the longer the better. Complexity does not beat length.
Use Diceware to generate a 4 or 5 word passphrase and memorize it.
You can also generate random data from the command line:
dd if=/dev/urandom bs=1 count=64 | sha256sum
Use the mnemonic.py script from this post to generate a string of words from the hex.
Get a Yubikey Neo.
Use its static password mode to store your passphrase.
Follow these instructions to load your GPG encryption and signing keys.
Use its NFC capabilities with the YubiClip and OpenKeychain Android apps to access your static password and GPG keys from the Yubikey on your smartphone.
Use a password manager like KeepassX. It is open source and cross platform.
Use a keyfile along with your master password.
Use KeepassX to generate long random passwords for all other needs.
Use Truecrypt. It is open source and cross platform.
Use a keyfile along with a strong password generated by KeepassX.
Treat the keyfiles as access tokens.
Do not let them touch the network. Do not upload them to any online service.
Instead, manually load them onto your various devices using USB.
Back them up by printing them to paper in Base64 format, and keep the backups in a safe place.
dd if=/dev/urandom bs=1 count=64 | base64 > keyfile.base64
By keeping a strong password on a hardware token you possess, coupled with a software token that only exists on the devices of your choosing, you have achieved two-factor authentication without any third party.
Both pieces are needed to unlock either your password database or your Truecrypt container.
This means you can use a 3rd party synchronization service without being required to trust them; they couldn’t access your passwords or data even if they wanted to.
Bittorrent Sync or Dropbox both work well to keep your passwords and data synced between your devices.
Always use HTTPS, and be aware of the certificate being used.
Learn how to check the certificate fingerprints:
- Chrome: Lock icon –> Connection tab –> Certificate information
- Firefox: Lock icon –> More information –> View Certificate
The truly paranoid will want to verify these fingerprints against another channel.
This site is a great way to verify the fingerprints.
GRC’s fingerprint is 01:56:D3:AC:CF:5A:3F:B8:8F:0F:B4:30:88:2D:F6:72:4E:8C:F2:E0; write it down somewhere.
Use Duck Duck Go instead of Google.
Use Firefox instead of Chrome.
Consider the following extensions:
- Adblock Plus
- HTTP Nowhere
- HTTPS Everywhere
- Privacy Badger
For your smartphone, use Android and CyanogenMod if possible.
Android also supports full disk encryption with LUKS.
Debian can also be installed to a USB drive and act as a “cold boot” system.
Cold boot means that it is never allowed to touch the network; all data transfer to the cold boot system is done with a second USB drive.
This practice is good for storing GPG private keys and Bitcoin wallets securely.
I highly recommend you read the following pages for more information: