- Web Browsing
- Use the HTTPS Everywhere browser extension. Thanks to this, the content of your web traffic to a particular website is encrypted: someone reading your traffic only learns which sites you are browsing.
- When needed, use Tor. This makes it practically impossible for someone looking at your traffic to know where it is being sent or what it contains, and someone looking at the other end of the traffic doesn't know it comes from you. (And if you're using HTTPS over Tor, only the final recipient knows the content.)
- Don't use big US services with real accounts, identifiable data and without Tor for anything sensitive. Not even google searches.
- Anytime you see a certificate alert where there shouldn't be one, assume you're talking to a fake server impersonating the website and/or intercepting login forms and content.
- Check out Riseup
- Avoid Google/Hotmail/etc. for sensitive stuff. Riseup is better; something running on an encrypted server you or a friend own is best. The closer you are to controlling the mail server, the better.
- Use PGP to sign e-mails you absolutely want to prove are coming from you.
- Don't use PGP to sign e-mails you might want to deny at some point in the future. Signing is irreversible. Nevertheless, e-mails leave tracks, so not signing is not enough. It's just a start.
- Encrypt with PGP any e-mail you don't want content providers and bad people to read. Never forget this encryption is only as strong as the way the recipient handles his PGP keys. Lose the key and the mail can never be read again. Get it stolen and all mails encrypted for you are in the wild.
- Use spam filters and don't trust links. Always copy/paste the URL behind any link in any mail, and check whether it looks legit or not. http://paypal.com is legit. http://paypal.com.bananarepublic.cia.gov is not.
- The "from" field of any e-mail can be forged as easily as clicking it and editing it before sending. Always consider the "from" field a lie unless the mail has been signed with PGP. Seriously, the from field doesn't mean shit.
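The two checks above (read the real URL behind a link, and don't trust the "from" display name), as an added worked example that is not part of the original list. The message, addresses and hosts below are constructed for the demo (the `.invalid` names are placeholders); the only real value is the page's own `paypal.com`.

```python
"""Added example (not from the original list): reading an e-mail the way the
advice above says to -- don't trust the link text, and don't trust the From
display name.  The message below is constructed for the demo."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message.  The display name says PayPal while the actual
# address is somewhere else, and each link's text differs from its href.
SAMPLE_MAIL = """\
From: "PayPal Security" <alerts@mail.example.invalid>
To: you@example.invalid
Subject: Verify your account
Content-Type: text/html

<html><body>
<p>Please <a href="http://paypal.com.bananarepublic.example.invalid/login">
http://paypal.com</a> to verify.</p>
<p>Or <a href="https://paypal.com@evil.example.invalid/">click here</a>.</p>
<p>Genuine: <a href="https://www.paypal.com/signin">sign in</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect every href in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def real_sender(raw_mail):
    """Return the address part of From:, ignoring the display name.
    (Even this can be forged -- only a PGP signature proves origin.)"""
    msg = message_from_string(raw_mail)
    _display, addr = parseaddr(msg.get("From", ""))
    return addr


def link_host(url):
    """The host the browser would actually connect to.  urlsplit drops any
    user@ prefix, so 'paypal.com@evil.example.invalid' is evil.example.invalid."""
    return (urlsplit(url).hostname or "").lower()


def host_belongs_to(host, trusted_domain):
    """True only if host is trusted_domain or a subdomain of it.  The real
    domain lives at the END of the host name, which is why
    'paypal.com.bananarepublic...' fails even though it starts with paypal.com."""
    host, trusted_domain = host.lower().rstrip("."), trusted_domain.lower()
    return host == trusted_domain or host.endswith("." + trusted_domain)


def check_links(raw_mail, trusted_domain):
    """Return (url, host, looks_legit) for every link in the mail body."""
    msg = message_from_string(raw_mail)
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    return [(u, link_host(u), host_belongs_to(link_host(u), trusted_domain))
            for u in collector.links]


if __name__ == "__main__":
    print("From address:", real_sender(SAMPLE_MAIL))
    for url, host, ok in check_links(SAMPLE_MAIL, "paypal.com"):
        print(("OK      " if ok else "SUSPECT ") + host + "  <- " + url)
```

The suffix check is what distinguishes `www.paypal.com` from `paypal.com.bananarepublic.cia.gov`: the same label string at the front of a host name proves nothing, only the tail matters.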
- Never forget that the mail you sent from a trusted server to your girlfriend's/lawyer's/brother-in-the-military's Gmail will be read at the receiving end (Gmail) if it can't be at your end. You're as secure as the weakest link, and your correspondent is part of the chain.
- Sending an e-mail can disclose your IP address. Use Tor to avoid that.
- Encrypt your private keys. No excuses.
- Encrypt those damn private keys. You are putting your correspondents' security in danger by being lazy.
- 1024-bit RSA can be broken in weeks by a strong adversary or someone with enough money/patience. RSA 2048 and above is absolutely fine.
- DSA1024 should be enough key-strength-wise, but DSA is frightening. If your computer doesn't come up with good random numbers, every single time, any signature/encryption you ever do can reveal your private key entirely. If you don't trust your system's Random Number Generator, avoid DSA. This is very true for embedded systems, phones, anything that doesn't play porn 24/7.
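Why that warning is not an exaggeration, as an added worked example (not part of the original list): DSA needs a fresh, unpredictable nonce k for every signature, and if a weak RNG hands out the same k twice, the two signatures together give up the private key by simple algebra. The domain parameters, the private key, the nonce and the stand-in "hash" below are toy values constructed so the arithmetic is visible; the signing, verification and recovery algebra is the standard DSA algebra.

```python
"""Added example (not from the original list): why a bad RNG is fatal for
DSA.  Two signatures made with the same per-signature nonce k hand over the
private key.  Parameters are toy-sized and the 'hash' is fake so the
arithmetic is visible; the algebra is the real DSA algebra."""

# Toy DSA domain parameters (constructed): q divides p-1 and g has order q.
P, Q, G = 47, 23, 4      # 4 = 2**((47-1)//23) mod 47, so pow(4, 23, 47) == 1


def toy_hash(message: bytes) -> int:
    """Stand-in for a real hash reduced mod q -- NOT a real hash."""
    return sum(message) % Q


def keygen(x: int):
    """Private key x in [1, q-1]; public key y = g^x mod p."""
    return x, pow(G, x, P)


def sign(x: int, message: bytes, k: int):
    """Textbook DSA signing.  k MUST be fresh and unpredictable per signature;
    here it is passed in so the demo can deliberately reuse it."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (toy_hash(message) + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another k")
    return r, s


def verify(y: int, message: bytes, sig) -> bool:
    """Textbook DSA verification (with toy-sized p, unrelated values can
    collide mod q; that is an artefact of the tiny parameters)."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (toy_hash(message) * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


def recover_private_key(m1: bytes, sig1, m2: bytes, sig2) -> int:
    """Given two signatures that share r (hence share k), solve for x:
        s1 - s2 = k^-1 (h1 - h2)   =>   k = (h1 - h2) / (s1 - s2)
        x = (s1 * k - h1) / r,     everything mod q.
    Anyone who sees both signatures can do this; no secret is needed."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        raise ValueError("signatures do not share a nonce")
    h1, h2 = toy_hash(m1), toy_hash(m2)
    k = ((h1 - h2) * pow(s1 - s2, -1, Q)) % Q
    return ((s1 * k - h1) * pow(r1, -1, Q)) % Q


def demo() -> bool:
    """Sign two messages with the same k and check the key falls out."""
    x, y = keygen(7)                    # constructed private key
    m1, m2 = b"\x03", b"\x09"           # toy_hash -> 3 and 9
    k = 5                               # the value a broken RNG repeats
    sig1, sig2 = sign(x, m1, k), sign(x, m2, k)
    assert verify(y, m1, sig1) and verify(y, m2, sig2)  # both are valid
    return recover_private_key(m1, sig1, m2, sig2) == x


if __name__ == "__main__":
    print("private key recovered from two valid signatures:", demo())
```

Both signatures verify perfectly, which is the nasty part: nothing looks wrong until the key is gone. The same dependence on a per-signature nonce is why the list tells you to avoid DSA on anything whose RNG you don't trust; RSA signatures have no such nonce.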
- Get your key signed by others; it's the only way to link an identity with a key. You will never have enough signatures.
- Never sign a key if you didn't check the fingerprint AND the identity of the holder IN PERSON. Not once. Never. No excuses. Without this your key and signatures don't mean anything. If you see someone behaving like this, revoke your signature and report the incident publicly.
- Use a PGP key management software you understand. Seahorse is fine for Linux. Don't use anything closed-source.
- IRC/JABBER/GTALK/SKYPE/FB CHAT/Instant Messaging
- Don't trust those servers. They might listen, they might lie, they will record.
- Use SSL/TLS when available. This will encrypt messages between you and the server you don't trust.
- Use OTR when you want to have a conversation the server can't see or fake.
- If you want to be anonymous, use Tor, a fake account/username, and change your vocabulary, software, punctuation, language patterns and timing. Don't follow a pattern when choosing random nicknames. Having multiple personality disorder helps a lot.
- Pidgin and Jitsi are multi-platform and include OTR either by default or as a plugin. Check them out. Irssi, Xchat and weechat have OTR plugins for IRC.
- Never forget you cannot get around trusting the person you are talking to and his computer. When in doubt, shut up.
- Check fingerprints before you assume someone is who he appears to be.
- Fingerprints should be checked by phone or in person. Your client will tell you if they don't match in future conversations; you don't need to check them every time.
- Always terminate an OTR session properly. That's when encryption keys are flushed and your conversation gets perfect forward secrecy. Until then, assume you can still be caught with your pants down if someone finds the encryption keys in your RAM.
- OTR doesn't protect you against a liar, or a friend wanting to screw you over.
- Skype is toxic. Use once, die once.
- Skype will get you and everybody you talk to killed.
- If you have nothing to hide, Skype will only get you tortured. Then probably killed.
- Mumble with SSL/TLS should be fine.
- VOIP clients with SRTP basically work like chat clients with OTR, more or less.
- Do not use VOIP with Tor. Tor only carries TCP; VOIP always uses UDP.