AIM2: Encrypt All The Things: Practical Encryption from SSL to Email and Beyond

Monday, October 9th, 2017

Presented by Chris Wiegman

There’s a lot of talk about website security, keeping sites updated and making sure passwords are strong, etc. These techniques might be great for your site itself but aren’t helping your privacy or your users and, in the right circumstances, can leave your fancy new passwords and other data open to anyone who might be listening. We’ll look beyond passwords and updates at ways to protect your privacy, your users’ privacy and the data that is sent to and from our own sites as well as those we use every day.

Notes

  • Today is about practical security – not a backend dev talk.
  • The goal isn’t to keep secrets. It is to maintain your users’ privacy.
  • Proper encryption will maintain security and privacy.
  • Limits of encryption:
    • not user management
    • not a policy – it is a mechanism to enforce policy
    • not a firewall
    • not an antivirus
  • symmetric encryption
    • same wifi password on each side
  • Asymmetric encryption (public key cryptography)
    • different passwords to encrypt/decrypt data
    • allows for verification
    • Verification
      • encrypt with the public key. Only the person with the matching private key can open it.
  • Your computer
    • Very strong encryption – don’t forget your own password.
  • Mobile
    • Very strong (with a real password)
    • Thumbprint can be legally forced in many countries.
  • VPN
    • encrypt.me – good, easy, but does keep some logs
    • tunnelbear – harder, no logs (if you are doing something iffy ;)
  • Messaging
    • look up Signal
    • WhatsApp
    • iMessage (when blue)
    • Allo (Google, opt-in)
  • Files
    • LastPass, etc.
  • Mail
    • ProtonMail
    • Mac: GPGTools
  • Browser
    • Cookies and JS can track you
    • Search: DuckDuckGo
    • Tor Browser
  • Resources
    • Tozny
    • Bruce Schneier
    • HPE Security
    • EFF
    • Wired’s Threat Level
    • Brian Krebs
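The asymmetric-encryption bullets above (different keys to encrypt and decrypt, and verification) in working code. This is an added example, not from the talk or the note-taker; it uses Go’s standard library RSA with constructed demo keys and a constructed sample message, and the names alice, bob, Seal, Open, Sign and Verify are the example’s own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKey makes a fresh 2048-bit RSA key pair (demo key, not a real one).
func GenerateKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts msg to a public key: only the matching private key can open it.
func Seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Open decrypts with the private key; a different private key returns an error.
func Open(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign signs msg with the private key; anyone holding the public key can check it.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify reports whether sig is a valid signature on msg under pub.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	alice, _ := GenerateKey()     // recipient's key pair
	bob, _ := GenerateKey()       // an unrelated key pair
	msg := []byte("meet at noon") // constructed sample message
	ct, _ := Seal(&alice.PublicKey, msg)
	pt, _ := Open(alice, ct)
	_, wrongKey := Open(bob, ct)
	fmt.Printf("alice reads %q; bob's key fails: %v\n", pt, wrongKey != nil)
	sig, _ := Sign(alice, msg)
	fmt.Println("signature valid:", Verify(&alice.PublicKey, msg, sig))
	fmt.Println("tampered valid:", Verify(&alice.PublicKey, []byte("meet at one"), sig))
}
```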
