Wind_Mask

Reflections on Secret (4): Technology (Serial)

The previous section discussed some abstract strategies, and indeed there are some issues that have not been discussed. But I want to put the system issues aside for now and take a look at commonly used tools and technologies.


Various web services, synchronization, privacy

It is difficult to imagine how much data mainstream products in the Internet age collect without careful examination (of course, we also contribute to this). For example, if you have Google services on your phone, use Chrome and Google search on your computer, not to mention Gmail, your Google account will contain a large amount of data, from search history and browsing history to app launches and location tracking, which can be stored for years. (Although I don't really mind, in fact, I intentionally do it to some extent).

I recently saw photos from years ago in my Microsoft account; even though I didn't know what OneDrive was at the time, that didn't prevent the data from being uploaded.

I don't want to discuss the cloud services that come with domestic devices here.

Although their practical significance is questionable, at least each service provides a considerable number of settings. It is crucial to thoroughly check the privacy settings of each web service and to avoid leaving traces of other services in it, because I don't want some web services to be publicly associated with others. If you don't want any association between them at all, then you should make that linkage technically impossible rather than relying on privacy settings alone.

As for synchronization, the OneDrive experience on Windows is good enough (it naturally gives you local + cloud storage). Combined with VeraCrypt [1], you can keep VeraCrypt-encrypted containers in OneDrive (as far as I know, OneDrive fully supports incremental synchronization), which can be considered a reliable backup solution for secrets; capacity is up to you (it hardly matters for storing passwords and keys).

Speaking of web services, the question of password managers naturally arises (except for major services like Google, Microsoft, and payment services, I use random passwords as much as possible, so a password manager is the only option).


Password Manager

The discussion here does not represent any commitment, it is just a personal solution, and the specific usability and security depend on your needs and threat model.

At first, I used the password manager in the browser, which was convenient enough, but it was always suspicious in terms of security and heavily relied on specific third-party web services. At most, I could only export a CSV file backup. In my opinion, other third-party password managers only change the trust issue from one third party to another (perhaps password managers are more trustworthy than Google). Therefore, I deliberately adopted a decoupled password management approach, which means that the password manager itself does not need to have cloud synchronization capabilities, but it is achieved through other methods. This provides more usability and freedom at the cost of complexity.

I use KeePassXC [2]. It is just software for managing a password database and provides no network functionality of its own (which is exactly what certain security requirements call for). Browser and mobile integration comes through browser extensions and mobile apps (yes, there is no official mobile app, but there are several compatible implementations), and the database file is synchronized through other cloud services (the database itself is encrypted), which together give you synchronized password management.

The current conclusion is that the security of KeePassXC is higher than that of the browser's built-in synchronization. The cost is that you have to synchronize the database yourself and manually unlock it when autofilling. However, it no longer relies on a specific web service, and so breaks free of that dependency.

In fact, KeePassXC has some other features: it can store two-factor authentication secrets in the database (but for this to be effective you need to maintain a separate 2FA database; otherwise it is equivalent to not having two-factor authentication at all, so it is not recommended), it can integrate with an SSH agent for managing SSH keys (this feature is worth considering; I use gpg-agent to combine SSH keys with PGP), and it can unlock the database with a YubiKey.


PGP Security

Please refer to the next article in this series: PGP Security.


Browsers

The experience of using Chrome in the Google ecosystem is indeed good. Now, let's put aside the issues with the ecosystem of each browser and focus only on the browser itself.

Browsing history, search history, and bookmarks should be configured together with the browser's built-in synchronization settings.

"Browser fingerprinting" is a method of tracking web browsers using the configuration and settings information a browser exposes to websites. Browser fingerprints, like human fingerprints, are individually identifying, except that at this stage what they identify is the browser rather than the person.

There are many parameters that feed a browser fingerprint, including browser headers, screen resolution, accepted languages, browser extensions, time zone, and so on. For specific countermeasures, please refer to future articles in this series (to be continued).


Footnotes

  1. VeraCrypt

  2. KeePassXC
