DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 2nd April 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default what are your best practices to ensure privacy ?

Hi !

what are your best privacy-keeping practices in OpenBSD?

* when surfing the www
* when using ftp
* when emailing

please share and help us -beginners- learn from you ..
:-)
Reply With Quote
  #2   (View Single Post)  
Old 2nd April 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

1. Your scope of concern appears to be that of an individual end-user with a dedicated personal workstation. Do I understand this correctly?

2. Please define "Privacy" for each of your three chosen applications. You have not defined Privacy, and as I understand these applications, the definitions must be unique for each.
Reply With Quote
  #3   (View Single Post)  
Old 2nd April 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default

Hi jgimmi ! and thanks for directives .. yes your assumption is right ..
your second question is challenging .. privacy is self-defined as far as a newbie is concerned .. keeping one's transmitted/received data (mail/http/ftp) private to oneself .. maybe I'm too dumb to think into this some other way deeper .. examples can help .. for instance listing some good practices or a pocket of tools that harden privacy or limit privacy-threatening risks ..

Last edited by daemonfowl; 2nd April 2012 at 07:20 PM.
Reply With Quote
  #4   (View Single Post)  
Old 2nd April 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Privacy:

These must be defined differently because the applications are entirely different in their privacy implications:

One at a time:

  1. Internet Email is public. Internet Email is a post card. That is because the Email contents are "plaintext" messages. Transmissions between Email servers (Mail Transfer Agents, or MTAs) may be encrypted, but there is no requirement, and mail may be sent in-the-clear. The messages at rest on the MTA are also plaintext, and may be read by anyone with appropriate access, or perhaps by an adversary.

    The only privacy possible is through encrypting Email content. However, encrypting the contents does not encrypt Email headers, which include source and destination information, and an adversary can learn a great deal from encrypted Email traffic.
  2. FTP authentication is plaintext. The UserID and the Password are sent in the clear. "Privacy" of authentication/authorization information is therefore not possible, unless the FTP server and FTP client are on a trusted network. The data transferred is also plaintext; privacy can only be assured through encryption.
  3. Web "privacy" under almost any definition is nearly an impossibility -- along with cookies stored locally matched to records kept by the web application, the servers your browser communicate with will often store your IP address, flags for the OS you use, your chosen browser and its particular configuration.

    For example, I reach this forum from a variety of IP addresses, and VBB Forum software logs IP addresses. The admins here can look in the logs here to determine where I live and where I work (I've had the same large customer for about five years) if they had any interest.

    TOR might mask my IP address. But for many of the world's web applications, that wouldn't necessarily hide me.
----
Email:

Personally, I use mutt for my Email client (Mail User Agent) on OpenBSD. I used to use GnuPG or some similar encryption tool, but I never encrypted any outgoing Email, and no longer use it with Mutt. I don't send or receive private information in Email. (Links to secure applications, with authentication/authorization steps, are the most common way to transfer private information via Internet Email for me these days.)
These days, my work is non-technical and I have a great deal of Email that must remain private between parties. These Emails do not transit the Internet directly. They go intra-company on secure networks or inter-company via VPN. OpenBSD is not used in MUA or MTA; my customer has chosen proprietary solutions.
---
FTP:

Due to plaintext authentication, I only use FTP configured for anonymous FTP for public file transfers of read/only files. As an example, the ISO images for my live media are transferred via FTP.

For integrity, authentication, authorization, and privacy of data in transit, I use OpenSSH for file transfers, using either sftp(1) or scp(1) as appropriate. The former is "ftp command compatible" and the latter is easy to script.
At one time I had a need to use FTP for file transfers from a machine incapable of using OpenSSH. (It was a Windows machine where neither Putty nor Cygwin were able to be downloaded and executed.) For this one, singular use case, I set up a userid on OpenBSD with S/Key authentication, for use with FTP. Using S/Key, authentication of the Windows FTP client was conducted with a one-time-pad of passphrases. For more info, see skey(1) and login.conf(5), and their SEE ALSO collection.
---
Web Browsing:

This is such a large can-of-worms, it could easily have its own thread, even its own subforum. I'll bet there are forums out there dedicated to discussing browsing privacy, since it is ever evolving. I'll leave it to others.

---

Your defined scope is limited to a subset of OpenBSD environments where these three applications may be involved. There are a wide variety of environments you are not considering. On the client side, for example:
  • Multiple users of a single workstation
  • Thin client users of server-based client applications. See diskless(8) and pxeboot(8).
On the server side:
  • Mail servers (MTAs), FTP servers
  • Interlocked web servers, application servers, data base servers, message queue servers, authentication servers .... etc. that might, in their entirety, make up what is commonly described as a "web-based application".
  • The integrated federation of the above web-applications with a myriad set of third party web-applications designed to track web usage by browser users, in order to sell information about them to others.
Reply With Quote
  #5   (View Single Post)  
Old 2nd April 2012
shep shep is offline
Real Name: Scott
Arp Constable
 
Join Date: May 2008
Location: Dry and Dusty
Posts: 1,503
Default

@demonfowl

Another way to look at your question is that the base OpenBSD installation includes lynx, ftp and mail all of which have been through rigorous code reviews. These applications in part draw their security by being minimalistic. In lynx, you have to accept every cookie and do not have to worry about viruses embedded in flash or other pictorial content. The base mail client can be made to work (sendmail/fetchmail and other transfer agents) but you will not see images/html content. You can increase your security by using the base applications and encrypting as much content as you have time for.

Last edited by shep; 2nd April 2012 at 07:56 PM. Reason: grammer
Reply With Quote
  #6   (View Single Post)  
Old 2nd April 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default

Jgimmi, thank you so much for taking the time and effort to post back .. I know the question is too general and is a subject of many threads .. but your post is very helpful to me at this stage ..
I'm concerned about how OpenBSD can be better used as a worksation with all security features minus server-specific features that may somehow encumber the OS .. I believe OpenBSD is neither bloated nor blobbish but just how can it be hardened for a workstation by disabling unneeded features and enabling others .. right choices .. for daily usage ..
Shep , thank you ! I do .. lately I replaced sendmail with smtpd ..
Reply With Quote
  #7   (View Single Post)  
Old 2nd April 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote:
I'm concerned about how OpenBSD can be better used as a worksation with all security features...
You are considering privacy and security as if they were a single concept. There are correlations, but the two are not identical.

The applications you mentioned communicate outside your workstation. Therefore, you must consider the applications themselves. Ask questions such as:
  • How do client and server(s) communicate?
  • Is there authentication? How does it function?
  • What happens to data in motion?
  • What happens to data at rest?
Please take a moment to read those questions again. Note, in your second reading -- how much does having an OpenBSD workstation have to do with the answers?

OpenBSD may be able to provide "features" to help you manage network communication; and it may be able to provide "features" to help you manage built in applications or applications you elect to install and run. It cannot protect you from yourself.

"IT Security" is not a product you install. It is an active process, and requires consideration of many aspects of your technology implementation choices. "Privacy" is not granted merely by having a secure workstation. Both require a great deal of thought.

It is good that you ask questions. But now you need to begin asking the right questions, starting with obtaining an understanding of the applications you elect to run. How they work, how they communicate, how privacy can or can not be obtained, what security implications the use of these applications have for YOU. These are not BSD questions, and you should not have BSD questions until you are ready to configure one of these applications for use, after having a grasp of how they operate on the network.
Reply With Quote
  #8   (View Single Post)  
Old 3rd April 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default

Hi jgimmi !
I must thank you for your interesting directions and helpful notes and I've learnt much from your posts and Ocicat's .. since I'm still at odds with some concepts, some of my questions would sound ridiculous (because vague or irrelevent or badly phrased ..) .. I've been thinking that by knowing the experts daily practices I would start using the OS correctly and avoid unlearning bad habits later ..
Quote:
Please take a moment to read those questions again. Note, in your second reading -- how much does having an OpenBSD workstation have to do with the answers?
some people say OpenBSD is more relevant as a server not as a worksation .. Am I wrong to think that an ultra-secure server can be an ultra secure workstation , optimized for client services .. does the word workstation exclude anything that I asked about ??
The story goes : I advocated OpenBSD to a friend of mine who knows nothing much about computer science & engineering .. but he was informed that OpenBSD proudly carries the "Security first" motto .. so how can I materialize this to him ? by providing examples pertaining to{www-ftp-mail} .. (I helped with the first steps as installing,setting network,desktop setting, etc)
but soon he started asking : what does OpenBSD offer than Mandiva doesn't ? (he once used Mandriva and loved the gui !!)
I answered : security,cryptography,filesystem tidiness,audited software ..
when he asked me further about secure practices, I came here .. :-) ..
Reply With Quote
  #9   (View Single Post)  
Old 3rd April 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote:
Originally Posted by daemonfowl View Post
...Am I wrong to think that an ultra-secure server can be an ultra secure workstation , optimized for client services .. does the word workstation exclude anything that I asked about ??
You have missed my point. Let me rephrase it, as clearly as possible. Please note, BSD has nothing to do with this pair of statements. This is applicable for any OS, now or in the future:

  1. When you run a networked application on The Most Secure Workstation In The World (tm), no matter what it is, no matter who invented it... the workstation cannot possibly protect information transmitted on an untrusted network that is sent or received without encryption.
  2. When you run a networked application on The Most Secure Workstation In The World (tm), no matter what it is, no matter who invented it... the workstation cannot possibly protect unencrypted or decrypted information stored on computers beyond your control, or forwarded by those computers to other systems, or retransmitted or replicated on other networks. What they do with your information is beyond your control. If you have a contractual agreement with those who control that server, that agreement may describe what they are permitted to do with your information.
------
When you run a networked application, it is your responsibility to determine the capabilities of the application, and its limitations, and then its applicability to your needs. In some instances, there may be features of secure networking technologies that might permit you to use an otherwise insecure application in a secure manner. Before you can make that determination, you must understand the application.
Quote:
The story goes : I advocated OpenBSD to a friend of mine who knows nothing much about computer science & engineering .. but he was informed that OpenBSD proudly carries the "Security first" motto .. so how can I materialize this to him ?
You cannot teach something that you yourself do not yet understand.

------

I will once more repeat what I wrote above in an earlier post, and expand a bit. This is not specific to networked applications, but it is apropos:

IT Security is not a product. IT Security is not a program. You cannot install Security. Security is a continual PROCESS, which involves the active participation of the OS administrator, the network architect, and the user.
Reply With Quote
Old 3rd April 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default

Quote:
You cannot teach something that you yourself do not yet understand.
that wasn't teaching .. but rather an invitation .. anyway I appreciate your guidelines .. Thank you jgimmi
Reply With Quote
Old 3rd April 2012
qmemo's Avatar
qmemo qmemo is offline
Real Name: He
Package Pilot
 
Join Date: Jul 2008
Location: The big B
Posts: 141
Default

@daemonfowl

I have to say this no matter how silly it might look, but I really enjoy your posts and so is the reply's you get as a matter of fact it makes a great reference for feature readings.

Greetings
__________________
If 386BSD had been available when I started on Linux, Linux would probably never had happened." --Linus Torvald
Reply With Quote
Old 4th April 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default

Hi qmemo ! thanks !!
I know there is a few light years epistemic/cognitive distance between me and most of the folk here .. but I refuse to stop using/learning OpenBSD just because I'm a slow learner .. as I refuse to stop trying to shorten that epistemic distance ., maybe by 2013 I'll have stepped upward enough to consider asking smart & precise questions .. until then .. I go on trying to make this Daemon Journey (not a mere errand) enjoyable ..
( That guy was intimidated by cli & the {cli=hard} stereotype .. when I shew him how to install OpenBSD .. he felt released from cli-phobia .. then when he learnt in a few easy steps how to set gnome .. he got disillusioned and felt eager to learn more about the new OS ..
I guess he learnt a new definition of 'user-friendliness' .. which totally disrupted the old one .. :-) .. )
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Does bridging reinforce privacy? daemonfowl OpenBSD Security 8 1st April 2012 12:32 PM
EFF concerned over AIM privacy J65nko News 0 4th January 2012 06:14 PM
Disaster recovery best practices RandomSF FreeBSD General 8 7th December 2010 06:41 AM
German Government Minister's Letter to Facebook about it's new privacy policy J65nko News 0 5th April 2010 10:26 PM


All times are GMT. The time now is 10:16 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick