Partners for your Secure Messaging - practical privacy Partners
Description of the Services and Cost - practical privacy Product
Who we are - practical privacy Company
contact us - practical privacy Contact Us
vertical placeholder
 

Details to make your secure messaging experience better

Key Contact: Your hardware provider, operating system provider, browser provider, connectivity provider, and other relevant public sources must remain your primary/immediate choice when addressing client side security and privacy issues ...

List of possible dangers to your client (not exhaustive):
  • Browser Caching: Your browser may cache the documents it up- and downloads on your permanent storage. This is particularly exposing you if
    • your (browser's) temporary directory are on a server/shared drive
    • you share your machine - e.g. you have multiple login's on your PC
    • you access your permanent storage over a LAN that is open - e.g. a wireless LAN without at least WEP.
    • you use a public terminal - e.g. in an internet cafe
    • you use a desktop search tool such as Google's. There, you can at least turn off the indexing of the https received pages.
    • ...
  • Remote Screen Reading: Now we get into a field that appears more remote. But if there are determined intruders, especially if they are equipped with military-grade intelligence tools, it is after all not that esoteric: Your screen can be read from a distance (even through windows) if your client is not tempest-proof.
  • Local Encryption: It is advisable to encrypt information you downloaded on your local disk as well. Among many solutions, Windows Privacy Tray appears to be an interesting one - open source oriented...
  • Remember Me Cookies: If done properly, such cookies that only remember your login, but not your password nor any other profiling information are not particularly detrimental to your privacy. The unfortunate thing, however, is that most browsers are not supporting you particularly well in separating good (i.e. typically session cookies and cookies that do not store sensitive information) from bad cookies. Most browsers on the other hand do support efficient login with their built-in password managers Mozilla/Netscape family, MSIE, etc. that provide acceptable privacy protection.
    PrivaSphere Services therefore have been architected not to require cookies. You can safely block any cookies that might come from us. We do this for our users not have to configure their browser in a way that in other contexts may become privacy-threatening...
  • Remembering your passwords: Best is if you remember by passwordSafe on sourceforge.net (see also: (How to choose good passwords!)).
    (http://www.bagus-software.de/ has a nicer user interface, but is not open source ...).
    It is also important to be aware that when configuring " Send and receive from your mail program", your mail program is another place from where a determined attacker potentially could retrieve your PrivaSphere password. Therefore, only store your password in such programs if you are sure that no unauthorized persons will have access to corresponding account profiles you configure.
  • Protection against viruses and spam: While PrivaSphere has already provided basic mechanisms against unsollicited eMail (a.k.a. SPAM) such as the option to block certain senders or to require a " Human In the Loop Test" in your " Secure Contact Me" and it offers some server-side virus protection , it remains your responsibility to ensure the integrity of your machine in view of received eMail and attachments as well as downloads you get.
    • An approach that can be effective and is very hands-off for yourself (at the cost of an extra plaintext relay of your unprotected traffic) are outsourced services such as Cleankail aka spamfree.ch.
    • If you have MSIE, turn off "open files on content, not on extension". Sure, some of your legitimate counterparts may not get the filename extension (and the MIME type) right, but in the vast majority, nowadays, this is mainly misused by attackers attempting e.g. exploit cross-site-scripting. (Tools - Internet Options - Security Tab - Custom Level)
  • JavaScript, ActiveX, Plugins, applets and other macros: PrivaSphere Services have been architected not to require such browser-side functionality that are a likely attack-point for all kinds of "malware" (see for example "cross-site scripting" in chapter 'Common Problems' in the OWASP Guide). You can safely disable these features and still enjoy our full service line. Unfortunately, quite some other sites are not crafted in such a security aware way and require you to have these enabled. In this case, it makes sense to only temporarily activate these features if you really need to work with such a site.
  • Walk-By Impersonators: Without appropriate precautions taken, somebody walking by your computer, there are various risks of impersonation:
    • Logoff omitted: with in the session auto-time-out period a walk-by user could sit at your browser and use the back-button or if the browser even has been closed, the URL-history might still contain a valid jsession id. Therefore, always logoff, use a password-protected screen-saver when walking off your desk (and additionally auto-activate it after e.g. 5 idle-minutes just in case)
    • After client certificate base authentication, even if you logoff, a re-login might not prompt for the private key password since often, the private key is cached in the browser. Therefore, if walking off your desk, unplug your keystore device, or if the keys are in your operating system, close the browser to ensure it no longer caches the private key needed for login.
    • So, wiping the browser-URL-history if shortly after you, next person is to use the same account may be useful.
    • Other advice: Wipe your cache regularly, prevent https pages from being stored.
    • ...
  • .
  • ...





Further sources on this topic are:
TBD


 
Infos how to use this service - practical privacy Help
Our privacy policy - practical privacy Privacy
General Terms and Conditions of Services - practical privacy T&C
Notification "This Page English Only"
Page last modified: Tue, Oct 29, 2024 06:28:44 CET; ©2002-2024 by PrivaSphere AG, all rights reserved   .