Encrypt all the things!

  • Looks like I'd already flashed my router in preparation for a VPN back in 2014!

    Just updated to latest. Will see if I can get it to run all my traffic through the VPN now.

  • "WARNING: No server certificate verification method has been enabled."

    VPN status is just sitting on "Connecting..." now and doesn't seem to be doing much.

  • Depressing and predictable that the snoopers charter went through parliament with little to no resistance.

    Basically, all your shit is fair game now and it will be shared with the US.

  • What would be the best affordable option to secure my internet connection?
    A desktop VPN?

    I've used Zenmate before.

  • Needed "Extra HMAC Authorisation: Outgoing" to connect to VPN but now have "IP/Routing conflict" although it seems to work.

  • So can anyone tell me what VPN I need for my phone and laptop? And how I can be safe knowing these work and not just log all my data and sell it to anyone!

  • You can't know unless you run it.

    But some VPNs are better than others, you can use Private Internet Access on all of your devices: https://www.privateinternetaccess.com/

    They have a mode called MACE, enable it to block adware and malware too (acts as a blocker in addition to privacy router).

    I'm revising my current strategy.

    I'd originally written recommendations with super-invasive adware and malware in mind, not state actors.

    I'm currently adapting what I do to be more secure against state actor over-reach.

    Right now, I'd simply suggest:

    • Use full disk encryption, and full device encryption on every device that supports it. Linux, Windows and Mac OS all support it. New iPhones should be encrypted by default; if your Android didn't come encrypted, turn it on ASAP (may reset the device).
    • Use Chrome + uBlock Origin + HTTPS Everywhere for all Google stuff and super trusted (LFGSS)
    • Use Chrome Incognito + uBlock Origin + HTTPS Everywhere, left open max 24 hours, for social (Twitter and Facebook, etc)
    • Use Firefox + uBlock Origin + HTTPS Everywhere, permanently in private browsing mode (achieved via about:config) for everything else. Close the browser several times per day, whenever you are good to do so.
    • Use LastPass to make logins in this world not a hassle
    • Use Pinboard to make bookmarks in this world not a hassle
    • Use Yubikey 2FA with Google, Dropbox, LastPass
    • Use Authy 2FA with Google, Dropbox, Microsoft, Github, etc wherever any "enter 6 digit token" works
    • Use a VPN on all devices always, https://www.privateinternetaccess.com/ is very good and has a feature called MACE which additionally blocks ads and trackers ( https://www.privateinternetaccess.com/blog/2016/07/pia-adds-ad-blocker-introducing-private-internet-access-mace/ ). A second recommendation is https://www.perfect-privacy.com who also have a privacy mode for blocking ads and trackers.

    Other considerations:

    • Use Tor
    • Always power down your laptop when not in use (full disk encryption is only effective if the machine isn't on, as the disk is unlocked when it's on)

    That's pretty much where I currently am.

    Encrypt absolutely everything, only transfer to your computer things you trust or want to access, and only keep long-lived sessions for the super-trusted stuff; otherwise start each day afresh.

  • On Authy and Yubikey...

    Authy = Google Authenticator replacement, but it can be backed up and transferred across devices. Once you have more than a few providers (I have 20) the thought of losing your phone is really scary... Authy removes that fear.

    Yubikey is in addition to the Authenticator codes, it is a very long one-time password that only lasts a few seconds and re-generates. It requires carrying a key to set up new devices, but you can largely leave the key somewhere safe once your devices are registered.

    Yubikey ensures that even if someone: 1) Knew your master Gmail password, 2) Figured out the Authenticator hash and could generate a code (or stole your phone)... that they still couldn't set up a new device as they wouldn't have the key.

    Basically... Yubikey takes "pretty damn secure" and makes it "pretty insanely secure".

  • Why I use Firefox for the disposable sessions, and Chrome for the longer sessions is that Firefox can be defaulted into private browsing mode.

    This makes it very good for every URL you don't trust (which should be nearly all of them), and for all very short lived sessions (as you'll launch new windows and tabs often and will want them to be disposable).

    That's it.

    If Google could default into private browsing every single time and never ever slip up... I'd swap the browsers around.

  • And yes LastPass is good, the general concerns about centralised vaults are not applicable if the encryption is good. And the criticism of "rogue extensions could phish the master password" is not applicable if you aren't installing anything other than 1 or 2 super trusted extensions.

  • Can you explain why you quit browser windows?
    And what would entering a non-trusted URL enable? Thanks for the detailed reply.

  • I quit browsers to destroy history and to prevent adware from performing marketing retargeting ( https://en.wikipedia.org/wiki/Behavioral_retargeting ).

    Essentially I want to visit a site every time as if I am a new visitor, and history can be used as a signal in tracking, as can long-lived cookies, local storage, plugins, cache status of items served by a site that are unique to you, etc.

    I'm not so fanatical that I believe I will never use Google or social media, but I practise compartmentalisation.

    • I trust my email and LFGSS the most and those get the main browser.
    • I trust social media sites directly (but not the things they link to), and they get a Chrome Incognito.
    • I trust nothing else, and they get short-lived burner sessions in Firefox.

    If you visited a site you don't trust in your main browser, assume at that moment that cookies and trackers have been placed and that you will be subject to retargeting.

    If I were a state actor, I'd go to a lot of the advertising companies. They're pervasive, and track everything, and are still using HTTP rather than HTTPS.

    So I treat those things as toxic.

    If it's not Gmail or LFGSS it isn't going to live more than 1 day.
    If it's not Twitter or Hacker News, it isn't going to live more than a few hours.

  • BTW, missing from my list is Tor.

    A lot of people swear by it... it's up to you whether you think it's worth it. I still find it a little annoying, but if you really think you are a target for a state actor then absolutely use Tor.

  • Ok right thanks. I'll read this again and let it digest. I'll look into that VPN, I presume I can use it on my phone too.

    But really a phone is just a perfect way to track you.

  • You can use that VPN on your phone too. Does not need root or anything daft.

  • PIA will let you log in on three separate devices, GF and I both have it on our laptops and I've got it on my phone as well... Works well, third year I've been using it...

  • Thanks both.

  • Sweet. PIA seems nice. Do you have to use their app on macOS or can I just configure it myself?

  • The app is nice, does faster connects as they can make lots of assumptions and short-circuit some of the usual cipher negotiation chatter.

    But yeah, you can configure this manually if you want. There are instructions online, just pretend you're running Linux and you'll end up with a help page that just gives you details.

  • I'm using Tunnelblick with it on Mac, setup instructions were on the PIA site IIRC

  • It's super easy, if I can do it then anyone can...

  • Yeah, I've set them up before but just wondered if there's a benefit using their app. Sounds like there is; setting the region, using MACE etc...

  • For what you're paying it's a great little service, I couldn't do without it now...

  • Any thoughts on whether PIA is more or less secure than setting up your own VPN on a cloud machine (DigitalOcean)?

Posted by @Velocio