
Security Checklist - twapi
https://securitycheckli.st/
======
tptacek
I do not think signing up for a commercial VPN service is a good plan for
improving your security _or_ privacy, nor do I think using Tor Browser is
particularly smart. This seems like a security checklist compiled by someone
who has read a lot of popular writing about security, but hasn't consulted
very much with security people.

By comparison, the Tech Solidarity checklist is the result of a survey of a
bunch of different security people and is both generally more sophisticated
and sound than this checklist and also manages to be a little shorter (in word
count):

[https://techsolidarity.org/resources/basic_security.htm](https://techsolidarity.org/resources/basic_security.htm)

~~~
justadudeama
I feel like this has some conflicting advice. Use Gmail but don't put
sensitive information on Google Drive, but do use Chrome?

> Do as much of your work as possible on an iPhone or iPad rather than on a
> laptop. Use a bluetooth keyboard for easier typing.

Is that serious? I mean sure, iPhones and iPads are generally less prone to
viruses and such, but I feel like it is generally safe to use computers, and
if you do other things on this list you won't end up with an infected
computer. In addition, if you are doing most of your work on these, it is almost
guaranteed that all the information is going to be sent to iCloud / another
app's 'cloud'.

~~~
tptacek
Yes:

* Google Mail is, for most people, the safest email service, with the most mature and comprehensive 2FA, direct connectivity to GDocs to make viewing attachments safer, and a gigantic security team. Note too: this guide also suggests _avoiding email as much as possible_.

* If you work with sensitive documents (this checklist was originally devised for journalists and the airport lawyers), _all_ the cloud drive services (not just Google Drive) are a bad idea.

* Chrome is the safest browser with the most mature and reliable anti-exploitation hardening and the most responsive security team.

* iOS devices are, for most people, _far_ more secure than computers, which aren't locked down at all and for which _any_ kind of local code execution is almost invariably game-over all the way through the kernel, and _at least_ game over for all of the user's data. Most computer users are never more than an errant couple of clicks away from losing their whole machine to an attacker, which is not the case for someone reading their mail on an iPad.

~~~
justadudeama
I feel like there is conflicting information still.

> Google Mail is, for most people, the safest email service, with the most
> mature and comprehensive 2FA, direct connectivity to GDocs to make viewing
> attachments safer

> If you work with sensitive documents (this checklist was originally devised
> for journalists and the airport lawyers), all the cloud drive services (not
> just Google Drive) are a bad idea.

So is Google Drive a good idea or a bad idea? Maybe for normal people Gmail is
good, but in the next point you say this list is for journalists and airport
lawyers; wouldn't you advise them to use something more secure like
FastMail/ProtonMail, or if you are serious, your own mail server or
something? Why does this list not talk about TOR / PGP, the most fundamental
tools for security for journalists?

> Chrome is the safest browser with the most mature and reliable anti-
> exploitation hardening and the most responsive security team.

I don't think this is true at all. What is wrong with Chromium or Firefox open
source alternatives? Why doesn't it mention things like no-script and ublock
origin?

> iOS devices are, for most people, far more secure than computers, which
> aren't locked down at all and for which any kind of local code execution is
> almost invariably game-over all the way through the kernel, and at least
> game over for all of the user's data. Most computer users are never more
> than an errant couple of clicks away from losing their whole machine to an
> attacker, which is not the case for someone reading their mail on an iPad.

My fundamental problem with this is that if you are going to be doing things
on an iPad you are almost certainly going to be using cloud services. Whether
it is Google Docs or Pages or Word or anything, it is very difficult to keep
things 'local' to your hard drive on an iPad, whereas on a computer with Dropbox
it is much more clear that files in there are going to leave your computer.

~~~
tptacek
First, no, I would never advise that anyone use ProtonMail, and if your
primary objective is to gain _security_ , I wouldn't recommend FastMail. The
comment you're replying to provides the reasoning for that.

For most people, including technically inclined people, running your own mail
server will almost certainly _lose_ you significant amounts of security.

If you deal with sensitive documents like legal artifacts in immigration
cases, you want to have control over which of your documents wind up in the
cloud and which you retain custody over. So while viewing _attachments_ in the
cloud is very good practice (viewing them locally is a good way to get owned),
running a service that generally slurps your local drive (or big chunks of it)
into the cloud is not a good idea.

If you want to run a Chromium build rather than Chrome, that's fine.

I provided the reasoning for preferring iOS devices to general purpose
computers already. The additional concern you just added doesn't come close to
offsetting.

I'll add, though this isn't in the Tech Solidarity checklist, that if the goal
is _commercially reasonable_ security and not security in the public interest,
Chromebooks are another good option for end-user computing.

~~~
justadudeama
So if I follow all this advice, how am I supposed to receive or send sensitive
documents?

> If you deal with sensitive documents like legal artifacts in immigration
> cases, you want to have control over which of your documents wind up in the
> cloud and which you retain custody over.

This is incredibly easy with Dropbox or Google Drive. Everyone I know who uses
these services has an intuitive knowledge for 'stuff in this folder goes in
the cloud', and if they wanted to keep sensitive data off it they would know
exactly how.

I am on an iPad, so no mature options for encrypting it myself with PGP or
something really exist. I shouldn't upload it to a cloud service (although
chances are that it already is, because pretty much every iOS app uses a cloud
of some sort). I shouldn't email it. I can't plug in a physical USB device
because iOS doesn't have file reading access to it. I guess I convince everyone
to use Signal? That is pretty impractical for 'normal' people, to convert
everyone over to their own messaging app.

Also, on your phone, what browser do you use? Chrome? Well, not really because
it is all webkit under the hood, so you are going to be using Safari no matter
what.

~~~
tptacek
That's correct, we're not suggesting people use Chrome on their iOS device
(but it's a good question and a super common bit of feedback we got doing
training for this stuff with end-users, who assumed that's what we meant). The
subtext for the Chrome recommendation is "that's the browser you use on your
general-purpose computer". WebKit on iOS benefits (imperfectly, but vs. a
general-purpose machine it's probably a wash) from iOS's built-in application
sandboxing and security controls.

Regarding sharing of sensitive documents: if you have to do it over the
Internet, use a secure messenger to do it. Email attachments are probably the
second most dangerous attack vector facing end-users (after phishing). That's
why we tell people to use Google Mail; attachments open in their browser
viewer and are rendered Google-serverside.

You don't need to convince everyone to use Signal; it's adequate to use
WhatsApp, which, again, is already one of the most popular messaging
applications in the world (this is one of the reasons getting Signal Protocol
baked into WhatsApp was such a monumental achievement).

------
jillesvangurp
If someone hacks your webcam, they probably installed a keylogger as well and
helped themselves to whatever files you have, etc. In other words, if that
happens, you have a bigger problem.

You should of course not be using a compromised laptop. Covering the light
that goes on when they activate the camera would be one of the few signals
that something like that is up; that is of course assuming they did not manage
to disable that.

Otherwise solid list.

I'd add a few items:

Plan for the worst and have a contingency plan for breaches. E.g. have a list
of phone numbers handy that you can call to get cards blocked, critical
accounts that you need to verify the integrity of, secure backups of
essential documents, etc. Also consider what can happen to you when you
travel. Phones, laptops, etc. get stolen all the time. Hardware tokens are
easy to lose. Bags get stolen, etc.

Keep your 2FA recovery codes in a sane place where you can access them but
no-one else can. An encrypted file in a Dropbox folder with a sufficiently
strong key might do the trick.

Be careful with paper copies of anything. Burglaries do happen and in case you
are targeted, this may be the most valuable thing to steal in your building.

Require passwords to be entered whenever you access your password manager or
2fa app (e.g. authy). It only takes a few seconds to access your password
manager if somebody gets their hands on your unlocked device while you visit
the restroom or grab a coffee.

Have an aggressive screen lock policy (it should be locked whenever you are
separated from your laptop/phone). Many devices have all sorts of convenient
features that boil down to them being unlocked when they shouldn't.

~~~
g45y45
I used to think this way. It's not an accurate assessment of the situation. It's
not about code execution on the OS leaking access to the camera, it's that
spyware browser you use grabbing the camera via its JS APIs. Malvertising;
video conf apps; browser bugs. Don't take a nihilistic view on the camera
cover. It's saved folks from embarrassment many times.

------
sixstringtheory
I’ve always thought that if someone gained the ability to surreptitiously
capture my devices’ camera feed, I have bigger problems than just my image
getting leaked or used as blackmail (because that would necessitate something
blackmail-worthy). Also, they’ll get some pretty boring pictures. What else
should I consider here?

~~~
zimbatm
It's hard to know what kind of information could leak in advance. It gives the
attacker more information on your surroundings. They could take mug shots to
craft a fake profile. Or maybe see a credit card flashing by... it doesn't
have to be blackmail-worthy material necessarily.

Granted, if the attacker can access the webcam then most likely your system is
compromised, 1password is compromised (including the 2nd factor as advertised
on the site), so you might have bigger problems already. It all depends on the
intent of the attacker.

~~~
sixstringtheory
Ah, the credit cards or other documents is a good point. That would extend to
any meeting room with notes or slides on the wall.

------
Spare_account
Where does disabling javascript fit into this picture? I was interested to
notice that I had to create an exception for this site to enable 1st party
javascript in order to be able to read their security suggestions.

Am I making my own life harder than it needs to be by having a default setting
to block all javascript? I use uMatrix to quickly enable javascript for each
site that requires it.

~~~
calvinmorrison
No. 3 months ago I started using NoScript and my life has gotten so much
easier on the internet. I hate it less now. Usually you can get away without
JavaScript, and if not, it only takes a second or two to fix. The biggest risk
is JavaScript. You are literally blindly executing code somebody else wrote on
your computer for a website you may or may not trust.

One thing I would like to figure out is how I can 'trust' JS for Google on
Google Maps (required to work), but not anywhere else? It seems like NoScript
is per domain but not based on what page you are on.

~~~
enraged_camel
> The biggest risk is JavaScript. You are literally blindly executing code
> somebody else wrote on your computer for a website you may or may not trust.

I understand why you used this language, but I think it's worth noting that,
unlike blindly executing a program on the operating system itself (such as by
running an .exe file you receive via email, torrent, download, etc.), you are
executing a _script_ inside a program that is, or should be, sandboxed. So,
even though something can still go wrong, the potential impact is a lot
smaller.

~~~
blattimwind
This is about risk assessment. Most vulnerabilities in browsers are either in
JS or in media support. Pure-HTML+CSS exploits are rather rare these days.
Therefore, disabling or limiting JS and media reduces risk drastically.

~~~
enraged_camel
We are not disagreeing? What I'm saying is that not all "blind code
executions" are the same. The distinction between running an exe file on the
OS and running a script inside a browser does matter, for risk assessment.

~~~
blattimwind
I'm disagreeing on "the potential impact is a lot smaller", because we have
seen time and time again that executing a script in a sandboxed environment
can quickly turn into running machine code with the user's privileges instead.

------
egwynn
People always go on about covering up your camera, but what should I do about
my hardwired microphone? I'm vastly more likely to _say_ sensitive data out
loud than I am to mime it out or write it down and hold it up on a sign.

~~~
sakisv
Recently I was sent a blackmail email that contained a password that I used to
use in the past, and the sender was claiming that they had also gained access to
my laptop's camera and had recordings of me watching porn or other
"embarrassing" stuff. They threatened to send these recordings to my contacts
on email and/or Facebook etc, unless I paid them $1082 in bitcoins (apparently
they read that if you ask for a non-round number you have more chances of
getting it :P).

Covering your camera is supposed to protect you from this kind of thing,
especially for younger ages or for people less technologically inclined.

~~~
0xb100db1ade
I assume you know this, but just in case:

Note that they may have gotten the password from a hacked website--not from
your webcam/microphone.

Check out [https://haveibeenpwned.com/](https://haveibeenpwned.com/)

~~~
sakisv
Indeed I know it and it's how I knew for some time that the password in
question had been leaked.

~~~
bklaasen
I knew all of that too, but it didn't prevent a very unpleasant visceral
response in the pit of my stomach when I saw that email come in with the old
compromised password on the subject line. The content of the email made me
laugh, though.

------
bugmen0t
What I like about this list, is that it's opinionated and thus terse.

Take note that some of these tips are either not considered good practice or
even harmful depending on your locale.

E.g., the data protection standards in the EU are so high, that there's no
need to worry about DNS or ISP snooping for advertisements/tracking. This
makes using a VPN or using a different DNS less useful. I might even go so far
as to call it harmful, because you're introducing a party that you don't have
such a strong contract with.

~~~
Hbthegreat
That is if every company that is in the chain follows those strict data
protection laws. It wouldn't be the first time that bad actors exploited
legally protected browsing.

~~~
sc11
The same applies to VPN providers. You're just moving around who you trust.

------
terofle
It's quite funny to see a security checklist "designed to improve your online
privacy and security", which has on top of the page a "Share on facebook"
button.

Furthermore I find it contradictory that the site uses Google Analytics while
encouraging the use of DuckDuckGo.

~~~
Gigablah
“Don’t trust these corporations! Trust _these_ corporations instead.”

~~~
kozak
This is a valid approach if we want to encourage corporations to compete by
providing better privacy.

------
cabraca
I'm missing some open source software:

Bitwarden or KeePass for password management

FreeOTP for 2FA

A cut-off headphone jack plugged into your laptop's mic port, complementary to
the webcam covering

~~~
austinjp
It looks like FreeOTP has no desktop option, is that right?

~~~
dcbadacd
And that's how 2FA is supposed to be, if you put eggs into boxes and those
boxes into one basket you still technically have all your eggs in one basket,
which was what 2FA tries/d to fix.

------
XiS
Why is using 1.1.1.1 as a DNS resolver and using VPN better than trusting your
ISP...

~~~
ahje
This. I fail to see how an issue, which is essentially about trust, can be
solved by trusting someone else. If you don't trust your ISP you should
switch. If you don't trust your ISP and can't switch then you should be using
VPN or TOR.

~~~
newaccoutnas
ISPs can do awful things to traffic. I'm not sure why you should trust your
ISP, and if anything trusting makes you blinkered to some of their practices.

~~~
lmm
For me the point is: why would you trust a VPN provider any more than you
trust an ISP? There might be specific reasons for specific providers, but in
general you're putting the same amount of trust in either way.

~~~
rustyfe
Maybe you are not in the United States, but for those that are, the answer is
pretty simple.

It is reasonable to trust a VPN provider more than an ISP because you have a
choice of VPN provider, you can vet them and choose the one that you feel
provides the best safeguards to your privacy and security. Most Americans have
between zero and one choices for high speed internet. Even in major
metropolitan areas it is common to live in a cable monopoly, with a phone
company providing sub-par "competition". You cannot vet your choice and choose
the one that provides the best experience because you have no options. Even
those that do have a choice may still connect to coffee shop or hotel WiFi on
occasion, losing choice again.

In short, VPN providers are a) competitive and b) portable.

You're not wrong that you're putting the same amount of trust in them, but
these properties mean you would not be wrong to do so.

------
executesorder66
All of that, and they act as if Linux doesn't even exist.

~~~
tchaffee
I opened an issue for that. Please give it a +1 and let's get Linux on the
list of platforms.

[https://github.com/brianlovin/security-checklist/issues/40](https://github.com/brianlovin/security-checklist/issues/40)

~~~
anc84
> often used as a desktop in countries where people cannot afford Windows or
> macOS

often used by people in preference to other operating systems due to a variety
of reasons

Linux being available free of cost is certainly one of the least relevant
features for me.

~~~
tchaffee
Negotiating / psychology 101: give a reason, any reason, for why you need
something done. Feel free to add a comment to the issue request about why
Linux is important to you personally.

~~~
anc84
I meant my comment to provoke _you_ into rethinking before you speak for
others again in the future.

~~~
tchaffee
Except I didn't do anything like that. Show me where I claimed to give an
exhaustive list of what motivates people to use Linux. I gave one reason why
_some_ people use Linux. That I thought might motivate the author of the
project. Besides that, it's a friggin issue on github, not an essay on why
people use Linux. Get over yourself.

------
femiagbabiaka
Cloudflare DNS as an action item here is bizarre. Why would sending all of my
DNS queries to a black box service be any more secure because it’s now
Cloudflare and not Comcast or Google?

~~~
pat2man
Probably more of an issue for people on public WiFi networks. Who knows what
dns provider is being sent from DHCP. Cloudflare is easy.

~~~
gruez
> Who knows what dns provider is being sent from DHCP.

What's the concern here? That it's set to some DNS provider that does evil
things? If they intercept DNS requests (not unusual, as even my home router can
do that), this mitigation is useless _and_ you're sending your DNS requests to
a third party.

------
normanchopstik
For developers looking for application security information, I can't recommend
PentesterLab[1] strongly enough. It has changed how we approach security
education internally and has made going through security code reviews and
penetration testing audits much less stressful.

[1] [https://www.pentesterlab.com/](https://www.pentesterlab.com/)

~~~
frederikvs
Do you / does anyone happen to know a similar resource that isn't focused
solely on web security?

I work in embedded systems, mostly C code, and I find this area is often
missing from general "security guidelines" type of resources.

------
OscarTheGrinch
1) Whitelist and allow only trusted sites to execute script on your devices.

Sorry, securitycheckli.st I can't see your content because you fail this basic
test.

~~~
XCabbage
I don't get it. The word "whitelist" doesn't appear anywhere on the page, for
me. Has the content changed? Or are _you_ sincerely suggesting that nobody
should ever load a webpage from a non-trusted domain?

~~~
mfontani
Not "load a webpage", "execute (java)script(s)".

I think they're suggesting we should default to no JS anywhere by default,
other than sites one whitelists JS usage on.

IOW what NoScript (and maybe uMatrix?) does.

------
Abishek_Muthian
Password manager should include Password Store [1], it is open source & well
maintained.

Perhaps the authors felt, storing passwords in their own infrastructure is
beyond many users (or) unavailability of iOS app is a downer.

[1]: [https://play.google.com/store/apps/details?id=com.zeapo.pwds...](https://play.google.com/store/apps/details?id=com.zeapo.pwdstore&hl=en_US)

~~~
Ayesh
Bitwarden is far better than every password manager I've tried. Open source
and free of charge.

~~~
afroboy
Or use Keepass and take control of were your passwords should be saved, better
than third party place.

~~~
minty_phoenix
Bitwarden does offer the ability to use on-premise hosting [1] rather than
using their infrastructure to store/sync your data. Admittedly, I personally
use their infrastructure so I can’t speak to the experience
(config/maintenance/etc.) of their self-hosted offering.

1: [https://help.bitwarden.com/article/install-on-premise/](https://help.bitwarden.com/article/install-on-premise/)

------
herodotus
I have a question about using 1.1.1.1 for DNS. The claim is that this stops my
local ISP knowing which websites I am visiting. However, my connection by
definition goes through my ISPs equipment. Can't they log my DNS queries even
if the DNS server is not theirs?

~~~
sakisv
Yes, this is why Cloudflare's 1.1.1.1 supports DNS over HTTPS (DoH), to avoid
exactly this.

You can read more about it here:
[https://developers.cloudflare.com/1.1.1.1/dns-over-https/](https://developers.cloudflare.com/1.1.1.1/dns-over-https/)

~~~
Tharkun
And why should I trust CF any more than I trust my ISP? The latter is a
European company which is bound by all kinds of privacy protection laws, and
which I have to trust to at least some degree because I pay them. The former
is an entity which is largely unknown to anyone who isn't tech savvy.

~~~
ctrlaltdev
Oh in Western Europe you'll be mostly fine. But I can tell you I noticed the
change when I moved to the US. I had no means to change my ISP-provided router
DNS settings, and I couldn't access certain sites, while others would land me
on pages filled with ads.

~~~
tialaramex
Even in Western Europe, the list of stuff being meddled with isn't empty, it's
not large but it does exist. And presumably everything is recorded to be used
against you later.

All "normal" UK ISPs (I use a tiny boutique one that doesn't do this but
anything advertising on TV is big enough to have agreed to participate)
voluntarily filter DNS. Right now in theory they just try to filter out child
pornography, "extreme" pornography, and whatever Hollywood told them was a
copyright violation. In 2019, in the event they find time to do something
other than bickering about their ludicrous "Brexit" the British government
wants to upgrade this to let them filter out anything they want.

Their 2018 white paper about this supposes that DNS blocking will be effective
against ordinary users, though it notes if you have Tor you aren't blocked.
Coincidentally at the same time they were publishing that paper, there was an
IETF in London discussing DPRIV which is a set of protocols like DNS over
HTTPS designed to er... make such filtering impossible.

~~~
ctrlaltdev
Uh. My comment may become 'more' true if the Brexit does happen then.

------
TimTheTinker
> Using an all-in-one solution like 1Password for both password management and
> 2FA creates a single point of failure. Take this into account when picking
> your 2FA client.

I _strongly_ disagree with that statement, though I don't necessarily advocate
use of a password manager for 2FA. When 2FA is in use, you have 2 points of
failure, since the failure of either will lock you out of your account.
Reducing that to 1 point of failure actually _increases_ your overall
resilience.

It's like a car: reducing the number of necessary parts decreases your car's
overall likelihood of breaking down.

~~~
inapis
Not really. Having your password manager store both the tokens and the
password increases the odds of all your logins being compromised in one swoop.
Separate them out and you’ll at least be able to hedge against some account
compromises given that your 2FA solution doesn’t fall apart.

For the user it doesn’t really change much. Loss of password manager or 2FA
client will lock them out of their account. This is easily hedged against
because a lot of providers provide easy access to reset a password and provide
backup 2FA tokens or fall over to SMS/Email tokens.

~~~
TimTheTinker
> increases the odds of all your logins being compromised in one swoop

Yes... but if someone has access to your 1Password account, they most likely
gained physical access to or otherwise pwned your computer. Sure, it's
slightly easier for an attacker to do that than to get 2FA tokens off your
phone, if that's where you keep them.

So the increased risk of using 1Password for 2FA (given you're already using
1Password for passwords) would be roughly quantified by taking the risk of
computer pwnage and subtracting the risk of phone pwnage given they already
pwned your computer -- not much in my opinion, if you're reasonably security-
conscious on your computer. Note that I'm ignoring the risk of 1Password's
encryption being broken or insider threat at AgileBits, which in my opinion is
vanishingly small at present.

------
felixfoertsch
Nice list and well designed, too. I dislike the "sign up and get 3 months
free" ad for 1Password. I like 1Password and I am using it myself. However, to
me, this gives off a wrong vibe on a security focused website.

One thing I read somewhere and previously never thought about: if you are
_really_ about security, you _should_ use a password manager and _should_
enable 2FA.

But: you _should not_ use one program for both (1Password offers this),
because you are creating a single point of failure.

------
Ayesh
This looks quite opinionated and I didn't honestly like the subtle ad for the
password manager.

~~~
brianlovin
Creator here - thanks for bringing this up. I was concerned about the message
here as well. I'm not getting paid for that ad. I had a couple companies offer
sponsorship of this list, but I decided to not pursue. In the end, 1Password
simply offered this discount to visitors. For me this felt like the best thing
I could do from a user experience point of view (switching to a password
manager is hard for most people, and giving the extra nudge to do something
really important for their online security might just do the trick) and from
an ethical point of view (I'm not getting paid, and will continue adding
competing password managers to the list).

------
nicolaslem
Regarding SIM hijacking, I had no idea that it was so easy and widespread
until I listened to a great episode of Reply All about it:
[https://www.gimletmedia.com/reply-all/130-lizard](https://www.gimletmedia.com/reply-all/130-lizard)

~~~
dewey
Episode 7 of Vice's new podcast is also great on the topic:
[https://itunes.apple.com/us/podcast/cyber/id1441708044?mt=2](https://itunes.apple.com/us/podcast/cyber/id1441708044?mt=2)

------
gok
About half of this is really a "Privacy Checklist"

~~~
brianlovin
I thought about buying privacycheckli.st at the same time and pointing it
here, but ended up deciding that "security" feels like a broader umbrella and
might reasonably capture the privacy concerns of an average person.

------
dbg31415
Things to add:

* Keep your software updated.

* Restrict & remove online access as needed. After the 2nd time she gave out her password, Granny's web banking was turned off.

* Lock users down to just the access they need; if managing devices for kids or the elderly or less technically savvy, consider removing admin access.

* When using any tool, get the paid version. Free means your privacy is what it cost.

* Keep backups, and know how to restore in case you are compromised.

* Set up access alerts going to a separate email account for as many of your accounts and services as possible.

Things to question:

* Not sure we can safely promote Australian-based Fastmail thanks to their backwards new laws.

* Mobile browsers, like Firefox Focus, are great - not sure that I'd put Brave ahead of Firefox.

* Not sure VPNs are really all that helpful, feels more like a personal preference vs. a real security measure.

~~~
ilikepi
> Not sure we can safely promote Australian-based Fastmail thanks to their
> backwards new laws.

Disclaimer: not an Australian citizen, not a lawyer, etc.

All the coverage I've heard about this law has focused on the idea that
companies and service providers are expected to "assist" with government
access to encrypted communication. In that context, I'm not sure how this
particular law really impacts Fastmail. For the basic use case, their service
is built in such a way that it already has access to all your unencrypted
data. So the Australian government didn't need this law specifically to get at
your data, they just needed to issue a lawful order. If you're taking the
additional steps to encrypt your data before it reaches their service (e.g. using
a third-party email client with PGP), then there's not really anything
Fastmail is going to be able to "assist" with beyond providing access to the
data you've encrypted.

------
mickeyben
This checklist by sqreen is pretty good too
[https://www.sqreen.io/checklists/saas-cto-security-checklist](https://www.sqreen.io/checklists/saas-cto-security-checklist)

I'm not affiliated - not even using their product.

------
bausshf
I have a question and maybe someone here can answer me.

For the "Use a privacy-first email provider".

I currently use G Suite for business emails within my personal business.

Are there any alternatives that offer something similar to G Suite but with
the expected privacy of the listed providers?

I'm aware that I won't be able to get all the features of G Suite, but I
primarily only use the email part (Of course with multiple users so it has to
have support for that.)

~~~
ubermonkey
I use, and am very happy with, FastMail.

~~~
dbg31415
FastMail is Australian, so not without risks thanks to a new horribly
draconian law (with a gag order built in).

* Signal >> Blog >> Setback in the outback || [https://signal.org/blog/setback-in-the-outback/](https://signal.org/blog/setback-in-the-outback/)

* Advocating for privacy in Australia || [https://fastmail.blog/2018/12/21/advocating-for-privacy-aabi...](https://fastmail.blog/2018/12/21/advocating-for-privacy-aabill-australia/)

* Honest Government Ad | Ass Access (anti-encryption law) | The Juice Media || [https://thejuicemedia.com/honest-government-ad-ass-access-an...](https://thejuicemedia.com/honest-government-ad-ass-access-anti-encryption-law/)

~~~
ubermonkey
True, but it's still better than Google.

------
buzzy_hacker
I’ve been working on something similar[0] aimed at your average technology
user. To that aim, it’s very opinionated, which I also like about this list.

[0]
[http://www.pepperparadox.com/privacyguide/privacyguide.html](http://www.pepperparadox.com/privacyguide/privacyguide.html)

------
NoPicklez
The mobile carrier PIN is the big downfall here; most ISPs don't have this
type of option. Some might claim they do but don't have a formalised process
to maintain it, whereby a comment is simply placed on your account in the
goodwill that the next consultant will enforce it.

*Having worked for a large telecommunications provider

------
irundebian
For its automated password changing function, Dashlane sends the passwords in
cleartext to its servers to do the password changing process.

------
WilliamEdward
I want something like this but for making a website. A security checklist
while making a backend, using a database, etc.

~~~
dodgyb
Another good source of info - produced by ThoughtWorks:

[https://martinfowler.com/articles/web-security-basics.html](https://martinfowler.com/articles/web-security-basics.html)

------
badrabbit
It's not bad per se but I don't know about recommending 1.1.1.1 for DNS.

Cloudflare is suddenly better than Google? Not a fan of either company but I
suppose it's possibly the best public dns provider.

------
abarringer
Looks good, but I expected uBlock to be on the list?

~~~
brianlovin
Open a PR! This list is far from complete.

------
tyteen4a03
How do you put 2FA codes on 1password?

~~~
zachberger
I'm not sure I'd recommend that. If your passwords are compromised, would you
want your 2FA compromised as well?

Also the answer to your question is the first result when googling "1password
2fa".

~~~
TimTheTinker
2FA in 1Password is premised on (1) 1Password use (with 2FA) being more secure
in general than using 2FA and not a password manager, and (2) your 2FA key is
more secure within the 1Password vault than it would be in Google
Authenticator or similar. I think these premises are mostly correct,
especially because 1Password enables use of practically uncrackable unique
passwords for each service, and because getting into the vault requires 2 auth
factors.

If there's any risk of an attacker breaching your 1Password vault, I don't
know if it's even worth talking about whether you have 2FA enabled for
accounts -- at that point it's very likely they also have access to whatever
you'd have used for 2FA also.

(One exception might be if an AgileBits insider were to install malicious code
into the 1Password client. In that case, those who use 2FA _outside_ 1Password
would be significantly less vulnerable.)

