• Disclaimers
  • Personal usage, not necessarily business usage
  • Defensive measures only
  • Opinions are personal
  • No affiliations to any products and services mentioned
  • YMMV
• Who do I want to protect from? (Adversaries)
• How likely do I need to protect? (Risk)
• What happens if I fail? (Consequences)
• How much trouble am I willing to go to prevent consequences?
• There is no such thing as perfect security
• No silver bullets
• You always end up having to trust something/someone
• Human factor
• Evolving landscape – what may be secure today may not be secure tomorrow
• What you know (passwords)
• What you have (soft/hard token)
• What you are (biometrics)
• Soft / hard tokens
  • SMS – basic; can be intercepted or may not always work. Phone can be stolen.
  • Google Authenticator / Authy – better, but vulnerable to malware or a stolen phone. Backups?
  • Yubikey / Nitrokey – great; less vulnerable to malware, less likely to be stolen. Backups?
  • Backup codes – keep them safe!
basket a.k.a. Account Segregation
• Bad: one account for EVERYTHING
• Good: one account for non-important stuff, one for important stuff (or more accounts, depending on importance granularity)
• Best: one account per service
  • Hard to achieve, but isolates breaches from affecting other services
  • Email providers that provide DNS aliases help (e.g. Fastmail, ProtonMail)
• Tune privacy settings
  • Limit sharing (location, activity, search, status)
  • Check them periodically, as software updates sometimes reset settings
• Keep account recovery settings updated
access to filesystem and network resources
• Prevents stealing of documents
• Sandboxie (Windows)
• Use a virtual machine (cross-platform)
  • VirtualBox
Linux > macOS > Windows
• Browser: Firefox, Chromium (i.e. Chrome de-Googled), Brave?
• Mobile: Firefox Focus, Firefox
• Search engines: StartPage, DuckDuckGo
• VPN services: e.g. ProtonVPN, PIA, WireGuard, AlgoVPN
  • Additional encryption for data in transit
  • More privacy, but not necessarily anonymity
  • Increased surveillance – lots of shady services out there
  • Roll your own VPN >>> using a service
  • Bonus: combine with Pi-hole
• Tor: more anonymity, but not necessarily more secure
  • Additional encryption for data in transit
  • Increased surveillance – potentially compromised endpoints
a way to separate accounts within the same browser session
• More lightweight than separate profiles
• Built in since Firefox 57
• DEMO
• Separated per container:
  • Cookies
  • localStorage
  • indexedDB
  • Cache
• Shared across containers:
  • History
  • Bookmarks
  • Passwords
  • Searches
  • HSTS, OCSP, TLS exceptions
  • Permissions
  • Add-ons
that harden Firefox’s profile even more, for example:
– Disable WebRTC, Service Workers
– Show punycode
– Force HSTS, OCSP stapling
– Disable weak ciphers
• DEMO
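As an added example (not part of the original slides), this script parses a Firefox user.js and reports which of the hardening preferences listed above are set, missing, or left at a weaker value. The pref names are real about:config keys; the sample user.js content is constructed for the demonstration.

```python
import re

# Hardening prefs from the slide (real about:config keys, hardened values)
HARDENED_PREFS = {
    "media.peerconnection.enabled": False,       # disable WebRTC (local IP leak)
    "dom.serviceWorkers.enabled": False,         # disable Service Workers
    "network.IDN_show_punycode": True,           # show punycode, not homograph glyphs
    "security.ssl.enable_ocsp_stapling": True,   # OCSP stapling
    "security.OCSP.require": True,               # fail closed if OCSP is unreachable
    "security.ssl3.rsa_des_ede3_sha": False,     # weak cipher suite (3DES, no FS)
}

# Matches a single  user_pref("name", value);  line; value is bool, int or string
_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\);')


def parse_user_js(text):
    """Return {pref_name: value} for every user_pref() line, ignoring comments."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comment, blank line or something that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def audit_user_js(text):
    """Return 'ok', 'weak' or 'missing' for each hardening pref in HARDENED_PREFS."""
    found = parse_user_js(text)
    report = {}
    for name, wanted in HARDENED_PREFS.items():
        if name not in found:
            report[name] = "missing"
        else:
            report[name] = "ok" if found[name] == wanted else "weak"
    return report


# Constructed sample user.js (not a real profile): WebRTC off, Service Workers on
SAMPLE_USER_JS = """\
user_pref("media.peerconnection.enabled", false);
user_pref("dom.serviceWorkers.enabled", true);
user_pref("network.IDN_show_punycode", true);
user_pref("security.OCSP.require", true);
"""
```

Run `audit_user_js(open("user.js").read())` against a real profile to see which of the slide's hardening prefs still need setting.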