prokop/thgtoa
1
0
Fork 0
mirror of https://github.com/Anon-Planet/thgtoa.git synced 2026-02-28 01:56:59 +01:00
Code Issues Packages Projects Releases Wiki Activity

docs(sign): Sign recent changes

Browse Source 
Signed-off-by: nopeitsnothing <no@anonymousplanet.org>
This commit is contained in:
nopeitsnothing
2023-06-17 13:30:37 -04:00
parent 76ceebf1eb
commit 506c941261
181 changed files with 571 additions and 557 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
export/guide.html
View File

@@ -18,7 +18,7 @@
</header>
<h1 id="the-hitchhikers-guide-to-online-anonymity">The Hitchhikers Guide to Online Anonymity</h1>
<p>(Or “How I learned to start worrying and love <del>privacy</del> anonymity”)</p>
<p>Version 1.1.7, June 2023 by Anonymous Planet</p>
<p>Version v1.1.8-pre.1, July 2023 by Anonymous Planet</p>
<h4 id="important-recommendation-for-ukrainians.-важлива-рекомендація-для-українців"><strong>IMPORTANT RECOMMENDATION FOR UKRAINIANS. ВАЖЛИВА РЕКОМЕНДАЦІЯ ДЛЯ УКРАЇНЦІВ</strong></h4>
<p>Це послання до народу України. Ми настійно рекомендуємо вам використовувати Briar для спілкування. Ви можете знайти його тут: &lt;https://briarproject.org/ . За допомогою цієї програми ви можете спілкуватися, навіть коли немає Інтернету. Посібник тут: <a href="https://briarproject.org/manual/uk/" class="uri">https://briarproject.org/manual/uk/</a>, Швидкий початок: <a href="https://briarproject.org/quick-start/uk/" class="uri">https://briarproject.org/quick-start/uk/</a></p>
<hr />
@@ -325,7 +325,7 @@
</ul></li>
<li><a href="#appendix-b-windows-additional-privacy-settings">Appendix B: Windows Additional Privacy Settings</a></li>
<li><a href="#appendix-c-windows-installation-media-creation">Appendix C: Windows Installation Media Creation</a></li>
<li><a href="#appendix-d-using-system-rescue-to-securely-wipe-an-ssd-drive.">Appendix D: Using System Rescue to securely wipe an SSD drive.</a></li>
<li><a href="#appendix-d-using-system-rescue-to-securely-wipe-an-ssd-drive">Appendix D: Using System Rescue to securely wipe an SSD drive</a></li>
<li><a href="#appendix-e-clonezilla">Appendix E: Clonezilla</a></li>
<li><a href="#appendix-f-diskpart">Appendix F: Diskpart</a></li>
<li><a href="#appendix-g-safe-browser-on-the-host-os">Appendix G: Safe Browser on the Host OS</a>
@@ -1171,9 +1171,14 @@
<ul>
<li><p>Hashes:</p>
<ul>
<li><p>Prefer: SHA-3 or BLAKE2<a href="#fn273" class="footnote-ref" id="fnref273"><sup>273</sup></a></p></li>
<li><p>Still relatively ok to use: SHA-2 (such as the widely used SHA-256 or SHA-512)</p></li>
<li><p>Avoid: SHA-1, MD5 (unfortunately still widely used), CRC, MD6 (rarely used)</p></li>
<li><p>Prefer: SHA3-224, SHA-384 or BLAKE2<a href="#fn273" class="footnote-ref" id="fnref273"><sup>273</sup></a> (these are considered very Quantum Resistant based on an instance of the KECCAK algorithm), SHAKE128 and SHAKE256 (referred to as <a href="https://csrc.nist.gov/publications/detail/fips/202/final">extendable-output functions</a> (XOFs) via FIPS 202);</p>
<ul>
<li><p><strong>Most digital signature algorithms are quantum-broken</strong>;</p></li>
<li><p><strong>Highly suspicious RBGs such as MS_DRBG still exist in standards such as ISO 18031</strong>;</p></li>
<li><p><strong>The AES and SHA2 based DRBGs in current NIST standards are fine</strong></p></li>
</ul></li>
<li><p>Still relatively safe to use: SHA-2 (e.g., SHA-256 or SHA-512, which are still considered mostly quantum-safe)</p></li>
<li><p>Avoid: SHA-0, SHA-1, MD5 (unfortunately still widely used), CRC, MD6 (rarely used); i.e., anything with known collisions, and/or a history of extensive, not one-off, cryptographic failures</p></li>
</ul></li>
<li><p>File/Disk Encryption:</p>
<ul>
@@ -1191,15 +1196,15 @@
</ul></li>
<li><p>Password Storage:</p>
<ul>
<li>Prefer: Argon2, scrypt</li>
<li>If these arent options, use bcrypt, or if not possible at least PBKDF2 (only as a last resort)</li>
<li><p>Be skeptical of Argon2d, as its vulnerable to some forms of side-channels. Prefer Argon2i or Argon2id</p></li>
<li><p>Avoid: SHA-3, SHA-2, SHA-1, MD5</p></li>
<li>Prefer: Argon2</li>
<li>If these arent options, use bcrypt, then scrypt (in that order)</li>
<li><p>Be skeptical of Argon2d, as its vulnerable to some forms of side-channels. Prefer Argon2i or Argon2id.</p></li>
<li><p>Avoid: SHA-3, SHA-2, SHA-1, MD5; PBKDF2 due to <a href="https://tails.boum.org/security/argon2id/index.en.html">concerns regarding brute-force</a> <sup><a href="https://web.archive.org/web/20230613161809/https://tails.boum.org/security/argon2id/index.en.html">[Archive.org]</a></sup></p></li>
</ul></li>
<li><p>Browser Security (HTTPS):</p>
<ul>
<li><p>Prefer: TLS 1.3 (ideally TLS 1.3 with ECH/eSNI support) or at least TLS 1.2 (widely used)</p></li>
<li><p>Avoid: Anything Else (TLS =&lt;1.1, SSL =&lt;3)</p></li>
<li><p>Avoid: Anything Else (TLS &lt;=1.1, SSL &lt;=3)</p></li>
</ul></li>
<li><p>Signing messages/files with PGP/GPG:</p>
<ul>
@@ -1211,7 +1216,10 @@
</ul></li>
<li><p>SSH keys:</p>
<ul>
<li><p>ED25519 (preferred) or RSA 4096 Bits*</p></li>
<li><p>ED25519 (preferred) or RSA 4096 Bits*</p>
<ul>
<li>But refer to <a href="https://eprint.iacr.org/2017/1014.pdf">Attacking Deterministic Signature algorithms</a>, which details fault injections “(varying the voltage supply) - mainly a threat to tamper-proof hardware and hardware security modules” such as Rowhammer, or templating attacks, etc.</li>
</ul></li>
<li><p>Avoid: RSA 2048 bits</p></li>
</ul></li>
<li><p><strong>Warning: RSA and ED25519 are unfortunately not seen as “Quantum Resistant”</strong><a href="#fn279" class="footnote-ref" id="fnref279"><sup>279</sup></a> <strong>and while they have not been broken yet, they probably will be broken someday into the future. It is just a matter of when rather than if RSA will ever be broken. So, these are preferred in those contexts due to the lack of a better possibility.</strong></p></li>
@@ -8026,7 +8034,7 @@ PDF-Redact Tools (L)
<h4 id="systeminternal-ssd">System/Internal SSD:</h4>
<ul>
<li><p>Option A: Check if your BIOS/UEFI has a built-in option to do so and if it does, use the correct option (“ATA/NVMe Secure Erase” or “ATA/NVMe Sanitize”). Do not use wipe with passes on an SSD drive.</p></li>
<li><p>Option B: See <a href="#appendix-d-using-system-rescue-to-securely-wipe-an-ssd-drive.">Appendix D: Using System Rescue to securely wipe an SSD drive.</a></p></li>
<li><p>Option B: See <a href="#appendix-d-using-system-rescue-to-securely-wipe-an-ssd-drive">Appendix D: Using System Rescue to securely wipe an SSD drive</a></p></li>
<li><p>Option C: Wipe your disk and re-install Linux with new full disk encryption to overwrite all sectors with new encrypted data. <strong>This method will be terribly slow compared to Option A and B as it will slowly overwrite your whole SSD. Also, note that this might not be the default behavior when using LUKS. You might have to check the option to also encrypt the empty space for this effectively wipe the drive.</strong></p></li>
</ul>
<p><strong>Keep in mind all these options need to be applied on the entire physical drive and not on a specific partition/volume. If you do not, wear-leveling mechanisms might prevent this from working properly.</strong></p>
@@ -8063,7 +8071,7 @@ PDF-Redact Tools (L)
<ul>
<li><p>Option A: Check if your BIOS/UEFI has a built-in option to do so and if it does, use the correct option (“ATA/NVMe Secure Erase” or “ATA/NVMe Sanitize”). Do not use wipe with passes on an SSD drive.</p></li>
<li><p>Option B: Check <a href="#appendix-j-manufacturer-tools-for-wiping-hdd-and-ssd-drives">Appendix J: Manufacturer tools for Wiping HDD and SSD drives.</a></p></li>
<li><p>Option C: See <a href="#appendix-d-using-system-rescue-to-securely-wipe-an-ssd-drive.">Appendix D: Using System Rescue to securely wipe an SSD drive.</a></p></li>
<li><p>Option C: See <a href="#appendix-d-using-system-rescue-to-securely-wipe-an-ssd-drive">Appendix D: Using System Rescue to securely wipe an SSD drive</a></p></li>
<li><p>Option D: Wipe your disk and re-install Windows before performing new full disk encryption (using Veracrypt or Bitlocker) to overwrite all sectors with new encrypted data. <strong>This method will be slower compared to Option A and B as it will overwrite your whole SSD.</strong></p></li>
</ul>
<p><strong>Keep in mind all these options need to be applied on the entire physical drive and not on a specific partition/volume. If you do not, wear-leveling mechanisms might prevent this from working properly.</strong></p>
@@ -8093,7 +8101,7 @@ PDF-Redact Tools (L)
<h4 id="systeminternal-ssd-2">System/Internal SSD:</h4>
<p>Unfortunately, the macOS Recovery disk utility will not be able to perform a secure erase of your SSD drive as stated in Apple documentation <a href="https://support.apple.com/en-gb/guide/disk-utility/dskutl14079/mac" class="uri">https://support.apple.com/en-gb/guide/disk-utility/dskutl14079/mac</a> <sup><a href="https://web.archive.org/web/https://support.apple.com/en-gb/guide/disk-utility/dskutl14079/mac">[Archive.org]</a></sup>.</p>
<p>In most cases, if your disk was encrypted with Filevault and you just perform a normal erase, it should be “enough” according to them. It is not according to me, so you have no option besides re-installing macOS again and re-encrypt it with Filevault again after re-installing. This should perform a “crypto erase” by overwriting your earlier install and encryption. This method will be quite slow, unfortunately.</p>
<p>If you want to do a faster secure erase (or have no time to perform a re-install and re-encryption), you can try using the method described in <a href="#appendix-d-using-system-rescue-to-securely-wipe-an-ssd-drive.">Appendix D: Using System Rescue to securely wipe an SSD drive</a> <strong>(This will not work on M1 Macs)</strong>. <strong>Be careful tho as this will also erase your recovery partition which is needed to reinstall macOS.</strong></p>
<p>If you want to do a faster secure erase (or have no time to perform a re-install and re-encryption), you can try using the method described in <a href="#appendix-d-using-system-rescue-to-securely-wipe-an-ssd-drive">Appendix D: Using System Rescue to securely wipe an SSD drive</a> <strong>(This will not work on M1 Macs)</strong>. <strong>Be careful tho as this will also erase your recovery partition which is needed to reinstall macOS.</strong></p>
<h4 id="external-ssd-2">External SSD:</h4>
<p>First please see <a href="#appendix-k-considerations-for-using-external-ssd-drives">Appendix K: Considerations for using external SSD drives</a></p>
<p>If your USB controller and USB SSD disk support Trim and ATA secure erase, and if Trim is enabled on the disk by macOS, you can just wipe the whole disk normally and data should not be recoverable on recent disks.</p>
@@ -9149,7 +9157,7 @@ PDF-Redact Tools (L)
<ul>
<li>Go to https://www.microsoft.com/software-download/windows11 and download the ISO.</li>
</ul>
<h1 id="appendix-d-using-system-rescue-to-securely-wipe-an-ssd-drive.">Appendix D: Using System Rescue to securely wipe an SSD drive.</h1>
<h1 id="appendix-d-using-system-rescue-to-securely-wipe-an-ssd-drive">Appendix D: Using System Rescue to securely wipe an SSD drive</h1>
<p>These instructions are valid for all Operating Systems:</p>
<ul>
<li><p>System Rescue:</p>