From 1c30ca8cbc546b99a011b90a7ee37b0a134f80fc Mon Sep 17 00:00:00 2001 From: Triple T <78900789+I-I-IT@users.noreply.github.com> Date: Sun, 10 Nov 2024 08:32:10 +0000 Subject: [PATCH] update: Add criteria to VPN Services page and update other sections (#2788) Updates include: - Obfuscation info, ProtonVPN IPv6 and added missing download links - added a few criteria Testing: - Proton has IPv6 support on Linux but it didn't work for me - Requirements for FDE/ram servers make sense to prevent logging by malicious employees. - Mullvad/IVPN are ram-only while Proton has FDE. - Requirements for the jurisdiction is to prevent cases like RiseupVPN (https://riseup.net/en/about-us/press/canary-statement). Co-authored-by: redoomed1 <161974310+redoomed1@users.noreply.github.com> Co-authored-by: fria <138676274+friadev@users.noreply.github.com> Signed-off-by: Daniel Gray --- docs/advanced/tor-overview.md | 4 ++-- docs/mobile-browsers.md | 16 ++++++++-------- docs/os/android-overview.md | 2 +- docs/real-time-communication.md | 5 ++--- docs/vpn.md | 33 ++++++++++++++++++++++----------- includes/abbreviations.en.txt | 2 ++ 6 files changed, 37 insertions(+), 25 deletions(-) diff --git a/docs/advanced/tor-overview.md b/docs/advanced/tor-overview.md index db4ba4feea..9fca7e0027 100644 --- a/docs/advanced/tor-overview.md +++ b/docs/advanced/tor-overview.md @@ -204,5 +204,5 @@ It is [possible](https://discuss.privacyguides.net/t/clarify-tors-weaknesses-wit ## Additional Resources - [Tor Browser User Manual](https://tb-manual.torproject.org) -- [How Tor Works - Computerphile](https://www.youtube.com/watch?v=QRYzre4bf7I) (YouTube) -- [Tor Onion Services - Computerphile](https://www.youtube.com/watch?v=lVcbq_a5N9I) (YouTube) +- [How Tor Works - Computerphile](https://youtube.com/watch?v=QRYzre4bf7I) (YouTube) +- [Tor Onion Services - Computerphile](https://youtube.com/watch?v=lVcbq_a5N9I) (YouTube) 
diff --git a/docs/mobile-browsers.md b/docs/mobile-browsers.md index 2cbec388b5..60d5a96f64 100644 --- a/docs/mobile-browsers.md +++ b/docs/mobile-browsers.md @@ -91,7 +91,7 @@ Shields' options can be downgraded on a per-site basis as needed, but by default === "Android"
- + - [x] Select **Aggressive** under *Block trackers & ads* - [x] Select **Auto-redirect AMP pages** - [x] Select **Auto-redirect tracking URLs** @@ -107,24 +107,24 @@ Shields' options can be downgraded on a per-site basis as needed, but by default Brave allows you to select additional content filters within the **Content Filtering** menu or the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. - + - [x] Select **Forget me when I close this site**
1. This option disables JavaScript, which will break a lot of sites. To unbreak them, you can set exceptions on a per-site basis by tapping on the Shield icon in the address bar and unchecking this setting under *Advanced controls*. - + === "iOS"
- + - [x] Select **Aggressive** under *Trackers & Ads Blocking* - [x] Select **Strict** under *Upgrade Connections to HTTPS* - [x] Select **Auto-Redirect AMP pages** - [x] Select **Auto-Redirect Tracking URLs** - [x] (Optional) Select **Block Scripts** (1) - [x] Select **Block Fingerprinting** - +
Use default filter lists @@ -135,7 +135,7 @@ Shields' options can be downgraded on a per-site basis as needed, but by default
1. This option disables JavaScript, which will break a lot of sites. To unbreak them, you can set exceptions on a per-site basis by tapping on the Shield icon in the address bar and unchecking this setting under *Advanced controls*. - + ##### Clear browsing data (Android only) - [x] Select **Clear data on exit** @@ -149,7 +149,7 @@ Shields' options can be downgraded on a per-site basis as needed, but by default === "Android"
- + - [x] Select **Disable non-proxied UDP** under [*WebRTC IP handling policy*](https://support.brave.com/hc/articles/360017989132-How-do-I-change-my-Privacy-Settings#webrtc) - [x] (Optional) Select **No protection** under *Safe Browsing* (1) - [ ] Uncheck **Allow sites to check if you have payment methods saved** @@ -166,7 +166,7 @@ Shields' options can be downgraded on a per-site basis as needed, but by default - [ ] Uncheck **Allow Privacy-Preserving Product Analytics (P3A)** - [ ] Uncheck **Automatically send daily usage ping to Brave** - + ### Leo These options can be found in :material-menu: → **Settings** → **Leo**. diff --git a/docs/os/android-overview.md b/docs/os/android-overview.md index 871216f484..199775e032 100644 --- a/docs/os/android-overview.md +++ b/docs/os/android-overview.md 
@@ -34,7 +34,7 @@ Many OEMs also have broken implementation of Verified Boot that you have to be a **Firmware updates** are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). -As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC, and they will provide a minimum of 5 years of support. With the introduction of the Pixel 8 series, Google increased that support window to 7 years. +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://qualcomm.com/news/releases/2020/12/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox) support their devices for 4 years, while cheaper products often have shorter support cycles. 
With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC, and they will provide a minimum of 5 years of support. With the introduction of the Pixel 8 series, Google increased that support window to 7 years. EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. diff --git a/docs/real-time-communication.md b/docs/real-time-communication.md index 216518153a..5198f451dc 100644 --- a/docs/real-time-communication.md +++ b/docs/real-time-communication.md 
@@ -98,9 +98,9 @@ Molly is updated every two weeks to include the latest features and bug fixes fr Note that you are trusting multiple parties by using Molly, as you now need to trust the Signal team *and* the Molly team to deliver safe and timely updates. -There is a version of Molly called **Molly-FOSS** which removes proprietary code like the Google services used by both Signal and Molly, at the expense of some features like battery-saving push notifications via Google Play Services. +There is a version of Molly called **Molly-FOSS** which removes proprietary code like the Google services used by both Signal and Molly, at the expense of some features like battery-saving push notifications via Google Play Services. -There is also a version called [**Molly-UP**](https://github.com/mollyim/mollyim-android#unifiedpush) which is based on Molly-FOSS and adds support for push notifications with [UnifiedPush](https://unifiedpush.org/), an open source alternative to the push notifications provided by Google Play Services, but it requires running a separate program called [Mollysocket](https://github.com/mollyim/mollysocket) to function. Mollysocket can either be self-hosted on a separate computer or server (VPS), or alternatively a public Mollysocket instance can be used ([step-by-step tutorial, in German](https://www.kuketz-blog.de/messenger-wechsel-von-signal-zu-molly-unifiedpush-mollysocket-ntfy/)). +There is also a version called [**Molly-UP**](https://github.com/mollyim/mollyim-android#unifiedpush) which is based on Molly-FOSS and adds support for push notifications with [UnifiedPush](https://unifiedpush.org/), an open source alternative to the push notifications provided by Google Play Services, but it requires running a separate program called [Mollysocket](https://github.com/mollyim/mollysocket) to function. 
Mollysocket can either be self-hosted on a separate computer or server (VPS), or alternatively a public Mollysocket instance can be used ([step-by-step tutorial, in German](https://kuketz-blog.de/messenger-wechsel-von-signal-zu-molly-unifiedpush-mollysocket-ntfy)). All three versions of Molly provide the same security improvements. @@ -141,7 +141,6 @@ You can find a full list of the privacy and security [features](https://github.c SimpleX Chat was independently audited in [July 2024](https://simplex.chat/blog/20241014-simplex-network-v6-1-security-review-better-calls-user-experience.html#simplex-cryptographic-design-review-by-trail-of-bits) and in [October 2022](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website). - ### Briar
diff --git a/docs/vpn.md b/docs/vpn.md index d0b934a83e..fe978ca003 100644 --- a/docs/vpn.md +++ b/docs/vpn.md @@ -32,7 +32,7 @@ Our recommended providers use encryption, support WireGuard & OpenVPN, and have | Provider | Countries | WireGuard | Port Forwarding | IPv6 | Anonymous Payments |---|---|---|---|---|--- -| [Proton](#proton-vpn) | 112+ | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Partial Support | :material-alert-outline:{ .pg-orange } | Cash +| [Proton](#proton-vpn) | 112+ | :material-check:{ .pg-green } | :material-alert-outline:{ .pg-orange } Partial Support | :material-information-outline:{ .pg-blue } Limited Support | Cash | [IVPN](#ivpn) | 37+ | :material-check:{ .pg-green } | :material-alert-outline:{ .pg-orange } | :material-information-outline:{ .pg-blue } Outgoing Only | Monero, Cash | [Mullvad](#mullvad) | 45+ | :material-check:{ .pg-green } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero, Cash @@ -56,6 +56,7 @@ Our recommended providers use encryption, support WireGuard & OpenVPN, and have - [:simple-appstore: App Store](https://apps.apple.com/app/id1437005085) - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) - [:fontawesome-brands-windows: Windows](https://protonvpn.com/download-windows) +- [:simple-apple: macOS](https://protonvpn.com/download-macos) - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup) 
@@ -89,9 +90,9 @@ Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://wiregua Proton VPN [recommends](https://protonvpn.com/blog/wireguard) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols) for the protocol is not present in their Linux app. -#### :material-alert-outline:{ .pg-orange } No IPv6 Support +#### :material-alert-outline:{ .pg-orange } Limited IPv6 Support -Proton VPN's servers are only compatible with IPv4. The Proton VPN applications will block all outgoing IPv6 traffic, so you don't have to worry about your IPv6 address being leaked, but you will not be able to connect to any IPv6-only sites, and you will not be able to connect to Proton VPN from an IPv6-only network. +Proton [now supports IPv6](https://protonvpn.com/support/prevent-ipv6-vpn-leaks) in their browser extension but only 80% of their servers are IPv6-compatible. On other platforms, the Proton VPN client will block all outgoing IPv6 traffic, so you don't have to worry about your IPv6 address being leaked, but you will not be able to connect to any IPv6-only sites, nor will you be able to connect to Proton VPN from an IPv6-only network. #### :material-information-outline:{ .pg-info } Remote Port Forwarding 
@@ -179,7 +180,7 @@ IVPN previously supported port forwarding, but removed the option in [June 2023] #### :material-check:{ .pg-green } Anti-Censorship -IVPN has obfuscation modes using the [v2ray](https://v2ray.com/en/index.html) project which helps in situations where VPN protocols like OpenVPN or Wireguard are blocked. Currently this feature is only available on Desktop and [iOS](https://ivpn.net/knowledgebase/ios/v2ray). It has two modes where it can use [VMess](https://guide.v2fly.org/en_US/basics/vmess.html) over QUIC or TCP connections. QUIC is a modern protocol with better congestion control and therefore may be faster with reduced latency. The TCP mode makes your data appear as regular HTTP traffic. +IVPN has obfuscation modes using [v2ray](https://v2ray.com/en/index.html) which helps in situations where VPN protocols like OpenVPN or Wireguard are blocked. Currently this feature is only available on Desktop and [iOS](https://ivpn.net/knowledgebase/ios/v2ray). It has two modes where it can use [VMess](https://guide.v2fly.org/en_US/basics/vmess.html) over QUIC or TCP connections. QUIC is a modern protocol with better congestion control and therefore may be faster with reduced latency. The TCP mode makes your data appear as regular HTTP traffic. #### :material-check:{ .pg-green } Mobile Clients 
@@ -195,7 +196,7 @@ IVPN clients support two factor authentication. IVPN also provides "[AntiTracker ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } -**Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since 2009. Mullvad is based in Sweden and does not offer a free trial. +**Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since 2009. Mullvad is based in Sweden and offers a 30-day money-back guarantee for payment methods that allow it. [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } @@ -244,7 +245,7 @@ Mullvad provides the source code for their desktop and mobile clients in their [ #### :material-check:{ .pg-green } Accepts Cash and Monero -Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. Prepaid cards with redeem codes are also available. Mullvad also accepts Swish and bank wire transfers. +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. Prepaid cards with redeem codes are also available. Mullvad also accepts Swish and bank wire transfers, as well as a few European payment systems. #### :material-check:{ .pg-green } WireGuard Support 
@@ -262,7 +263,12 @@ Mullvad previously supported port forwarding, but removed the option in [May 202 #### :material-check:{ .pg-green } Anti-Censorship -Mullvad has obfuscation an mode using [Shadowsocks with v2ray](https://mullvad.net/en/help/shadowsocks-with-v2ray) which may be useful in situations where VPN protocols like OpenVPN or Wireguard are blocked. +Mullvad offers several features to help bypass censorship and access the internet freely: + +- **Obfuscation modes**: Mullvad has two built-in obfuscation modes: "UDP-over-TCP" and ["Wireguard over Shadowsocks"](https://mullvad.net/en/blog/introducing-shadowsocks-obfuscation-for-wireguard). These modes disguise your VPN traffic as regular web traffic, making it harder for censors to detect and block. Supposedly, China has to use a [new method to disrupt Shadowsocks-routed traffic](https://gfw.report/publications/usenixsecurity23/en). +- **Advanced obfuscation with Shadowsocks and v2ray**: For more advanced users, Mullvad provides a guide on how to use the [Shadowsocks with v2ray](https://mullvad.net/en/help/shadowsocks-with-v2ray) plugin with Mullvad clients. This setup provides an additional layer of obfuscation and encryption. +- **Custom server IPs**: To counter IP-blocking, you can request custom server IPs from Mullvad's support team. Once you receive the custom IPs, you can input the text file in the "Server IP override" settings, which will override the chosen server IP addresses with ones that aren't known to the censor. +- **Bridges and proxies**: Mullvad also allows you to use bridges or proxies to reach their API (needed for authentication), which can help bypass censorship attempts that block access to the API itself. #### :material-check:{ .pg-green } Mobile Clients 
@@ -270,7 +276,7 @@ Mullvad has published [App Store](https://apps.apple.com/app/id1488466513) and [ #### :material-information-outline:{ .pg-blue } Additional Notes -Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers). They use [ShadowSocks](https://shadowsocks.org) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers). They also provide the option to enable Defense Against AI-guided Traffic Analysis ([DAITA](https://mullvad.net/en/blog/daita-defense-against-ai-guided-traffic-analysis)) in their apps. DAITA protects against the threat of advanced traffic analysis which can be used to connect patterns in VPN traffic with specific websites. ## Criteria 
@@ -293,14 +299,15 @@ We require all our recommended VPN providers to provide OpenVPN configuration fi - Killswitch built in to clients. - Multihop support. Multihopping is important to keep data private in case of a single node compromise. - If VPN clients are provided, they should be [open source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. +- Censorship resistance features designed to bypass firewalls without DPI. **Best Case:** - Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) - Easy-to-use VPN clients -- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- [IPv6](https://en.wikipedia.org/wiki/IPv6) support. We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. - Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). -- Obfuscation technology which pads data packets with random data to circumvent internet censorship. +- Obfuscation technology which camouflages the true nature of internet traffic, designed to circumvent advanced internet censorship methods like DPI. ### Privacy 
@@ -325,13 +332,16 @@ A VPN is pointless if it can't even provide adequate security. We require all ou - Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. - Forward Secrecy. - Published security audits from a reputable third-party firm. +- VPN servers that use full-disk encryption or are RAM-only. **Best Case:** - Strongest Encryption: RSA-4096. +- Optional quantum-resistant encryption. - Forward Secrecy. - Comprehensive published security audits from a reputable third-party firm. - Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- RAM-only VPN servers. ### Trust @@ -340,6 +350,7 @@ You wouldn't trust your finances to someone with a fake identity, so why trust t **Minimum to Qualify:** - Public-facing leadership or ownership. +- Company based in a jurisdiction where it cannot be forced to do secret logging. **Best Case:** @@ -371,4 +382,4 @@ Responsible marketing that is both educational and useful to the consumer could ### Additional Functionality -While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include content blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include content blocking functionality, warrant canaries, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/includes/abbreviations.en.txt b/includes/abbreviations.en.txt index 93195bd33f..03c478c7a7 100644 --- a/includes/abbreviations.en.txt +++ b/includes/abbreviations.en.txt 
@@ -16,6 +16,7 @@ *[DoQ]: DNS over QUIC *[DoH3]: DNS over HTTP/3 *[DoT]: DNS over TLS +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads *[E2EE]: End-to-End Encryption/Encrypted *[ECS]: EDNS Client Subnet *[EEA]: European Economic Area @@ -71,6 +72,7 @@ *[PGP]: Pretty Good Privacy (see OpenPGP) *[PII]: Personally Identifiable Information *[QNAME]: Qualified Name +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. *[rolling release]: Updates which are released frequently rather than set intervals *[RSS]: Really Simple Syndication *[SELinux]: Security-Enhanced Linux
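Review bot: The tor-overview.md hunk (`@@ -204,5 +204,5 @@`) only drops `www.` from two YouTube URLs, which has nothing to do with the subject "Add criteria to VPN Services page"; the same host trimming appears in the Qualcomm link in android-overview.md and the kuketz-blog link in real-time-communication.md. Split these link normalisations into their own commit, and check that each trimmed host actually redirects before relying on it.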
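Review bot: In the vpn.md table hunk (`@@ -32,7 +32,7 @@`), the Proton port-forwarding cell switches to `:material-alert-outline:{ .pg-orange } Partial Support` and the IPv6 cell to `:material-information-outline:{ .pg-blue } Limited Support`, but the section headings in the same file still use the opposite icons: `#### :material-information-outline:{ .pg-info } Remote Port Forwarding` and `#### :material-alert-outline:{ .pg-orange } Limited IPv6 Support`. Pick one icon per feature and use it in both the table and the heading so the reader gets the same severity signal in both places.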
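Review bot: In the vpn.md `Limited IPv6 Support` hunk (`@@ -89,9 +90,9 @@`), the new text says Proton supports IPv6 "in their browser extension" only, while the commit message states "Proton has IPv6 support on Linux but it didn't work for me"; one of the two needs correcting so the page and the rationale agree. The "only 80% of their servers are IPv6-compatible" figure also needs a source: the link given (`protonvpn.com/support/prevent-ipv6-vpn-leaks`) is a leak-prevention support page rather than a server inventory, and an unsourced percentage will go stale.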
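Review bot: In the Mullvad `Accepts Cash and Monero` hunk (`@@ -244,7 +245,7 @@`), "as well as a few European payment systems" is too vague for a recommendations page; either name the systems or link Mullvad's payment-methods page so the claim can be checked.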
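Review bot: In the Mullvad `Anti-Censorship` hunk (`@@ -262,7 +263,12 @@`), "These modes disguise your VPN traffic as regular web traffic" overstates UDP-over-TCP, which only wraps WireGuard in a TCP stream and does not imitate web traffic; apply that description to the Shadowsocks mode only, or soften it to "make the traffic harder to classify". "Supposedly, China has to use a new method to disrupt Shadowsocks-routed traffic" is weak wording for a cited paper: drop "Supposedly" and state what the cited source reports. Also "input the text file" should be "import the text file", and "Wireguard" should be spelled `WireGuard` as elsewhere on the page.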
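Review bot: In the vpn.md criteria hunk (`@@ -293,14 +299,15 @@`), the new minimum item "Censorship resistance features designed to bypass firewalls without DPI" is ambiguous: it reads as features that work without using DPI rather than features that defeat firewalls that do not use DPI. Suggest "Censorship-resistance features that bypass firewalls that do not use DPI", which then mirrors the best-case item covering "advanced internet censorship methods like DPI".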
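Review bot: In the Security criteria hunk (`@@ -325,13 +332,16 @@`), "VPN servers that use full-disk encryption or are RAM-only" does not say what threat it addresses, and the two are not interchangeable: full-disk encryption protects data at rest on a powered-off or seized disk, while RAM-only servers prevent anything from persisting across a reboot. The rationale in the commit message (preventing logging by malicious employees) is not met by full-disk encryption alone, since an insider with access to the running server sees the decrypted filesystem; state the intended threat in the item or link the rationale. "Optional quantum-resistant encryption" should also name the component, e.g. a post-quantum key exchange, since the AES-256 data encryption already required is the part least affected by quantum attacks.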
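Review bot: In the Trust criteria hunk (`@@ -340,6 +350,7 @@`), "Company based in a jurisdiction where it cannot be forced to do secret logging" gives the reader no way to evaluate a provider: the page does not say which jurisdictions qualify or how this was assessed. Link the rationale the commit message cites (the RiseupVPN canary statement) and state the test applied, or mark the item as judged case by case.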
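Review bot: In the abbreviations.en.txt hunk (`@@ -16,6 +16,7 @@`), "*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads" has a number error ("packets") and describes one use rather than the technique: DPI inspects packet payloads, and blocking is what a firewall does with the result. Suggest "Deep Packet Inspection: examining packet payloads, used by firewalls to identify and block specific traffic". In the second hunk, the QUIC entry ends with a period while the neighbouring entries do not; match the file's style.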