Basics of security on the Internet
Par Cubytus le mercredi 28 août 2013, 23:37 - Lien permanent
This closely relates to the former post about privacy, hence my using of the same keywords. According to the Webster dictionary, security is a state where one is free from danger or threat, and has to be considered from a technical standpoint. Another great and lengthy definition was written down long ago on the highly reputable w3.org. This post will try to balance ease-of-use with security habits to keep and act upon, not some crypto-nerd phantasm. It will further assume that you set up a reasonably difficult password on your local computer when you installed it, and that you are starting fresh.
By definition, Web browsing offers no security features. Everything can easily be eavesdropped, which is not big deal when you are reading a Wikipedia page on a non-controversial topic, for example. But if you want to access highly controversial or sought-after information, Wikileaks, for example, then you want to make sure you are actually dealing with the real server. Simplifying things here, this takes place over an encrypted connection, such as SSL, itself guaranteed to be authentic through the use of public key certificates.
Securing the computer
Turn on the Firewall as shown. It is a no-brainer, and any application requiring network access will explicitly ask you to allow it. As you can see, I haven't enabled stealth mode, because some software rely on it for proper operation.
We never stop repeating to "do your backups". In fact I think to make a new meme to launch in the wild, DYFB whenever one complains about an imminent HDD failure.
So let's keep that short:
- Enable Time Machine
- Subscribe to a privacy-abiding online backup provider. You don't want to lose both your backup disk and computer in a worst-case scenario, right? Usually I would have recommended SpiderOak, but with their ongoing performance issues, I currently cannot recommend any good service. And no, Dropbox is NOT a proper, remote backup.
- OPTIONAL: have a bootable clone of your machine. I historically preferred Carbon Copy Cloner because it was previously free, but even now, in its current, paid-for edition, it is definitely a worthwhile purchase from a small developer.
Choosing the right web browser
Much as a car, security start from the web browser one chooses. The good news is that modern web browsers are much more secure, and whatever your choice is between Firefox, Chrome or Safari, you're pretty much safe as long as you keep it up to date. We all should know that "zero risk" doesn't exist, but those are the basics for safe browsing.
What can compromise a browser though are the multiple add-ons you can install, and we know there are tons of them available on Firefox! Discernment must be exercised when making a choice. Stay clear of Adobe Flash Player as much as you can. I can personally confirm that a computer without Flash can be perfectly liveable. Of course you will lose video playing ability on many websites, but most of them are so low in technical and intrinsic quality, ask yourself, will it change the way you browse the internet? Maybe for the better. If you don't wish to compromise on video playing ability, then at least make sure you install ClickToPlugin so as tu manually approve loading of Flash content. You're still on your own to judge whether or not to allow a given content to load. Beware though, as malicious software sometimes hides as a legitimate-looking Flash player update. Only update using the small application from Adobe, in your Applications folder.
Adobe Acrobat Reader is completely unnecessary on Mac OS X as well as many GNU/Linux distributions, as they feature a built-in PDF reader.
In a Web browser
This method is called HTTPS, for HTTP over SSL/TLS. The website will show your browser a certificate signed by an external entity, attesting the website is actually who it claims to be, and many times without requiring any user intervention. Many websites do issue a self-signed certificate, meaning, the actual, authentic server signs for itself, most often requiring explicit user acceptance of the certificate. It doesn't necessarily mean they're less secure, and in fact, if you got here, then you probably accepted my hosting provider's shared certificate for all websites residing on the same machine.
As a rule of thumb, you should never trust any transactional website that doesn't provide you with an HTTPS connection. Of course exceptions do apply, as some websites feature a plain HTTP connection while the forms you may fill will be sent through HTTPS, so you will have to use your judgement to evaluate if you should trust a certificate or an HTTPS connection.
To make it easier to keep good browsing habits, you can actually install a Firefox extension to automatically look for the secure version of servers you're connecting to. As far as I know, this doesn't exist yet in Safari.
Through the command line
SSL connection is also featured at the command line level. If you want to access a server through SSH (Secure SHell), the first connection will as if you want to accept the «fingerprint» returned by the distant server, used much the same way as certificates are used during web browsing. If a fingerprint doesn't match the saved fingerprint for a given server, connection will fail. The workaround is to delete the saved fingerprint and retry connection, but only if you are really sure of the identity of the remote computer you want to access. Such legitimate situation include when you changed your router's firmware for a different version, for example. You can actually verify the authenticity of a given fingerprint following this method; although written fro Ubuntu, it will work in Mac OS X.
Web-based emails are almost a non-issue nowadays as most of them will provide you with an HTTPS interface to connect. However, email clients are a different beast, and by default, you will have to specify the secured server address (can be different from the regular address), or tell it to use an SSL/TLS connection. In case of a self-signed certificate being issued, it will ask you to explicitly allow it.
Maybe you noticed that I haven't covered viruses, the reason being, at the date of this post, there are virtually no viruses in the wild attacking Mac OS X, even less GNU/Linux.
Repeating pays! I still wonder how so many people can fall victim to phishing attempts and malware transported through emails. How hard is it NOT to open any unrequested attached file from unknown senders? Phishing attempts may be a bit more difficult to spot, as scammers became masters at imitation, and only a close look will reveal a non-authentic email. In doubt, DON'T ACT.
Your computer itself
Somewhere between passive and active ways to stay secure on the Internet, you should remember to never, ever trust your computer. Understand first that no computer is immune to being compromised, and the least you can do is not trusting the machine with any kind of personal information, striking a balance between performance and security. Forget about your machine being immune to NSA, they have ways to make you talk anyway or enough horsepower to brute-force data.
When you first install or turn on a brand new Mac (and other OSes as well), you will see a window similar to this one:
Next, if you followed the previous post about privacy, what pops into your head right away would be "do I need to provide all this information to be using the computer?"
Some people may argue that it is helpful for example when you want to retrieve the computer should it be stolen. It is not. Apple currently has a non-interventionist policy when dealing, say, at the Genius Bar with a machine that they can still see was stolen. And we already know police doesn't do anything against petty crime. In any case, not registering doesn't prevent you from using, for example, Find My iPhone (despite its name, it also includes your Lion and more recent versions of OS X, if you're not too concerned about a US company holding your data), or writing down your machine's serial number.
So short answer is no, your machine doesn't need to know that information, and even if Mac OS X insists on trying to know, you can perfectly bypass this assistant.
Files are a different beast, and while you should never trust your machine with personal information, one can't reasonably be expected to deal with private information solely on paper. So as soon as you are over working on, say, an immigration or financial form, it is good practice to place it in a secured container. I chose TrueCrypt as it works on multiple platforms, then you can't be stuck if your OS goes south, as long as one can retrieve the container. While it is technically possible to compromise TC in a variety of ways (off the top of my head, liquid-nitrogen cooling of RAM chips, gaining access to the machine having an opened encrypted container, infection by a trojan installing a keylogger, you name it), with good habits you can reduce the likelihood of a "casual" hacker to gain access to your personal data.
You could also enable FileVault, but in my experience encrypting the whole disk takes a considerable toll on overall performance and, by extension, battery life. Is is a bit less secure in absolute terms than TC, but has the major advantage of being completely transparent.
Of course, keep your OS and software as up-to-date as possible!
Of course this post is not intended for the chronically paranoid as I haven't addressed the problem of unencrypted Time Machine backups, for example. Wait… If you followed here, having your really sensitive data hosted in TrueCrypt containers won't reveal any valuable information should the machine or its external backup be stolen. But overall, it seems impossible to have a truly locked-down computer that would remain truly flexible and powerful.