
Apple-centric guide to improve privacy and security - gacallea
https://gacallea.github.io/posts/a-better-online-experience/
======
DavideNL
Note that your ISP can see/log your internet history _regardless_ of which DNS
server you use (unless of course you use a VPN/Tor.)

So be aware that using a DNS server other than your ISP-provided one will
result in giving your DNS lookups to yet another third party (the public DNS
provider) without gaining an advantage. It might actually _decrease_ privacy.

Therefore, in my opinion, it only makes sense to do this if for whatever reason
you distrust your ISP and suspect it of messing with your DNS lookups (censoring, etc.)

~~~
Fnoord
> Note that your ISP can see/log your internet history regardless of which DNS
> server you use (unless of course you use a VPN/Tor.)

Not if you use DNSCrypt, which is mentioned in TFA and quite easy to install.
It also can't be MITMed.

If you're using a VPN you can also fail to use DNS over VPN.

The article is furthermore rather specific about using a load of extensions
(which is profilable), it suggests 1Password which is expensive (open source
alternatives available, also cheaper alternatives available), it suggests WiFi
Spoofing which is 20 USD on the App Store (free tools available in Homebrew
and /sbin/ifconfig), it suggests some unknown VPN called Mullvad VPN which
'claims' it doesn't log (you never know that for sure). In short, reads like
an advertisement without going into specifics about the competition. I, for
one, would recommend ProtonVPN because of Secure Core and a wide array of VPN
endpoints throughout the world. But I would not say I am an expert about
knowing ProtonVPN's competition. Then it goes on: "By the way, should you be
doing torrents, use qBittorrent." Why? Why not Transmission? Why not
WebTorrent? Why not rtorrent? Etc. Why not use Usenet/NZBs? If you're cool
shelling out 20 USD for a MAC spoofer and pay for 1Password why not consider
also to pay for a Usenet provider?

~~~
DavideNL
> Not if you use DNSCrypt

That's not correct; DNSCrypt protects against man-in-the-middle attacks,
meaning your DNS requests cannot be _manipulated_. However, it does not
provide end-to-end encryption.

~~~
Fnoord
DNSCrypt is an implementation of DNSCurve.

DNSCurve.org mentions:

"DNSCurve uses high-speed high-security elliptic-curve cryptography to
drastically improve every dimension of DNS security:

Confidentiality: DNS requests and responses today are completely unencrypted
and are broadcast to any attacker who cares to look. DNSCurve encrypts all DNS
packets.

Integrity: DNS today uses "UDP source-port randomization" and "TXID
randomization" to create some speed bumps for blind attackers, but patient
attackers and sniffing attackers can easily forge DNS records. DNSCurve
cryptographically authenticates all DNS responses, eliminating forged DNS
packets.

Availability: DNS today has no protection against denial of service. A
sniffing attacker can disable all of your DNS lookups by sending just a few
forged packets per second. DNSCurve very quickly recognizes and discards
forged packets, so attackers have much more trouble preventing DNS data from
getting through. Protection is also needed for SMTP, HTTP, HTTPS, etc., but
protecting DNS is the first step."

Your ISP will see encrypted traffic on say port 443 TCP or UDP, and that's it.
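
To make the "completely unencrypted" point above concrete, here is an added example (not from the article or this thread) that builds a plain RFC 1035 DNS query and shows what a passive on-path observer such as the ISP can read from it, plus the only check a plain stub resolver can make on a reply (TXID match). The packet and TXID value are constructed sample data.

```python
import struct

# Constructed sample: a plaintext UDP/53 query for "example.com" (A record).
SAMPLE_TXID = 0x1A2B
SAMPLE_QNAME = "example.com"


def build_query(txid, name, qtype=1, qclass=1):
    """Build a minimal DNS query (12-byte header + one question), per RFC 1035."""
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME is a sequence of length-prefixed labels terminated by a zero byte.
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, qclass)
    return header + question


def observe_query(packet):
    """What a passive observer on the path (e.g. the ISP) reads without any
    key: the transaction ID and the queried name, both in clear text."""
    txid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:          # zero-length label ends the name
            break
        labels.append(packet[pos:pos + length].decode())
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"txid": txid, "qname": ".".join(labels), "qtype": qtype}


def response_matches(query, response):
    """The only binding a plain stub resolver has between a reply and its
    query is the 16-bit TXID (plus the UDP source port, not visible here).
    An observer who saw the query already knows both values, which is why
    this is a speed bump for blind attackers only, not a cryptographic check."""
    return query[:2] == response[:2]


if __name__ == "__main__":
    pkt = build_query(SAMPLE_TXID, SAMPLE_QNAME)
    print(observe_query(pkt))
```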

~~~
DavideNL
I see... interesting. I read this from the author:

"While not providing end-to-end security, it protects the local network, which
is often the weakest point of the chain, against man-in-the-middle attacks."
[https://github.com/jedisct1/dnscrypt-proxy/blob/master/README.markdown](https://github.com/jedisct1/dnscrypt-proxy/blob/master/README.markdown)

So my guess is that, for example, your DNS requests could be intercepted/re-routed
to say another DNS server of an attacker and DNSCrypt would not
notice/protect you against this.

However, indeed your ISP would not be able to see your requests :)

~~~
Fnoord
I'm not sure whether it does certificate pinning or not. You don't know the
security of the recursor either, and there is no E2EE between the nameserver
of their domain and you. A hostile recursor could still cause DNS poisoning.

An easy way to remember is that DNSCurve protects you between client and
recursor whilst DNSSEC protects from (cc)TLD till name server (while also
adding gigantic bloat to DNS requests).

Trust issues often occur at the first hop: LTE (SS7 for example, lol),
(public) WiFi (example: hotel, train station), or plain hostile ISPs who
hijack DNS requests (like Comcast has done), inject ads, or government
interventions (such as during Arabic revolution). DNSCurve/DNSCrypt can
protect against these attacks.

------
gacallea
I know that the link isn't inviting at all, so here's a brief description:

In this Apple-user-oriented and Safari-and-Mail-centric guide to improve
privacy, security, and speed for the Average Joe online experience, I suggest
some small tricks, extensions, applications and components for both macOS and
iOS. Based on this preamble, I don’t pretend to be writing the perfect guide.
I just want to share what I find useful from this perspective and hope that it
can be helpful to someone else. If you have better options and they are
compatible with my premise I’d like to hear about them, so please share
them.

~~~
wadkar
Thanks, I skimmed through it all (took me 5mins) and nice work! Some of the
links and guides you’re referring to are indeed very helpful.

The thing that surprised me the most, however, was your recommendation for
the antivirus Bitdefender. I think that’s not going to really help the average Joe
but only give a false sense of security. Moreover, if I am concerned about
privacy I wouldn’t want to install an all-seeing piece of software that is closed
source and provides no control over what is shared with the parent company
(which is Russian?)

I can’t seem to find more links to the antivirus related argument (on mobile
here) but in general folks on HN tend to strongly advise _against_ using one.

~~~
bradknowles
In my experience, most anti-virus software is very poorly written. They don’t
practice safe coding methods themselves.

Moreover, even if it was well-written, because of the nature of what you’re
asking the software to do, it will have full and complete access to everything
on your system, and usually with significant privileges. So, that would make
it a very juicy target for malware writers, if nothing else.

For non-savvy computer users, Bitdefender is the only anti-virus software I
would trust, but for more savvy computer users, even Bitdefender might be more
of a risk than it is worth.

So, are you computer savvy enough that you know the risks presented by even
the best anti-virus software, and would be better off without it? If you are,
then maybe you’re not part of the target audience for this page.

------
FabHK
Cookie 5 and WifiSpoof look interesting, but USD 20 each is steep.

To spoof your MAC address from the terminal, this used to work (until next
reboot), but haven't tried it in High Sierra (use the correct interface (en0,
en1, en2)):

sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff

------
herodotus
This is a really good article. Thank you gacallea. I have read many guides of
this sort, and most of them are trivial or full of general common sense stuff
I already knew. This is the first guide of its type that had information that
was both new and useful to me.

------
linopolus
TLDR:

* use like a dozen ad blockers, likely all using the same filter lists, slowing the browser down

* use some antivirus from Russia to grant access to your whole system

* use a third-party VPN client instead of the one built into iOS

* use secure passwords

------
francis-io
Has anyone written up something like this for a Linux and Android setup?

