Best way to protect traffic data from ISP?

In light of Eden’s reply, we must also realize that there are people out here who want protection but don’t really know specifics of what they want to protect themselves from. I will not discount the primacy of motivation in this telos.

A really good accounting for this would be a book that could help you really understand how things are being protected at the enterprise level in the current field. Since home networking and enterprise networking have different goals, you’ll definitely sharpen your mindset on what Eden was speaking about above. I 100% agree that listening to anyone’s advice on this forum can give you a general idea of a tool to help you accomplish a specific goal, but if you don’t know what that goal is yet, you need to put effort into understanding it more, and that’s why I recommend this.

https://www.informit.com/store/linux-hardening-in-hostile-networks-server-security-9780134173269


Thanks. Yeah, I figured it’d be something like that. Basically security through obscurity, which is of course not really security at all.

I think for most use, this is not actually a problem. Specifically, what are the privacy implications of my ISP knowing that I connected to an IP address belonging to YouTube for 30 minutes or that I connected to an IP address belonging to Amazon for another 30 minutes? Routing those connections over so my ISP sees an hour’s worth of traffic to PIA doesn’t buy much in the way of increased privacy.

This is why it’s important to know the goal, in my opinion. How can we give a good answer to the question that will actually protect @staykoff without knowing what you’re trying to protect from? Otherwise you almost always end up with a half-baked solution and a false sense of security.

It all depends how tinfoil hat you want to get. There’s a reasonable expectation that the US government is recording every single byte that passes through major exchanges in the nation, and we know that every single byte that passes through the UK has been recorded since circa 2013 or so. If that information is encrypted by SSL, should you care?

Well, many SSL implementations don’t have perfect forward security, so once you crack it you can look through every transaction and interaction a given user has made on the internet for years.

Something like a 2048 bit key isn’t very easy to crack… today. Even assuming no vulnerabilities in the implementation, normal computing performance increases would lead to a 2048 bit key remaining secure certainly for your lifetime. But with quantum computing there’s a very good chance it could be cracked in the blink of an eye with technology available to nation-states in, if not already available, a time horizon of a few years at most.

So if you truly want to maintain your privacy and anonymity in a way that protects your future self, you would need to use something like Tor with Tails. But wait, Tor is vulnerable to a 51% attack and it only takes a couple of thousand exit nodes to do that, not a substantial investment for a nation-state. So you’re screwed there too.

The real answer is you should try to limit your exposure but not focus on eliminating it. Ultimately nothing will protect against a nation-state targeting you specifically and your actions today could burn you 15 years in the increasingly dystopian future.


Say goodbye to such modern commodities as ordering pizza from online though.


Any SSL provider who had a weak cert has been eliminated thanks to Google.

Besides, anything using SHA1 was still only broken in a lab with Google’s data center resources. So unless the government just really wants to get at you, 99.999999% of people would be totally fine with DNS over TLS and HTTPS Everywhere.

But yeah I agree on this.

A lot of what you would have to do is impractical.

As many said, a VPN is the best way to hide traffic from ISPs.

But check out https://www.privacytools.io/ for more tips.

Lots of smaller sites don’t support perfect forward security. L1T does, but LTT doesn’t.

Sparrow:~ $ openssl s_client -connect linustechtips.com:443 -cipher "ECDHE, EECDH"
CONNECTED(00000006)
140735936308168:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/ssl/s23_lib.c:124:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 208 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---

hisses

/s
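To make the check in the post above repeatable, here is a small added example (not code from any poster in this thread) that classifies the cipher openssl s_client reports and can run the same ephemeral-only probe against a host; the two sample outputs are constructed, and probe_host assumes network access.

```python
import re
import socket
import ssl

# OpenSSL cipher-name prefixes whose key exchange is ephemeral (EC)DH: a later
# compromise of the server's long-term private key cannot decrypt recorded
# sessions, which is what "perfect forward secrecy" buys you against an ISP
# or exchange that stores traffic for years.
EPHEMERAL_KX = ("ECDHE-", "DHE-", "EDH-", "EECDH-")
TLS13_SUITES = ("TLS_AES_", "TLS_CHACHA20_")   # TLS 1.3 always uses (EC)DHE

# Constructed sample outputs: the failing run from the post, and a successful one.
FAILED_OUTPUT = "SSL handshake has read 0 bytes and written 208 bytes\n---\nNew, (NONE), Cipher is (NONE)\n"
OK_OUTPUT = "---\nNew, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\nServer public key is 2048 bit\n"


def has_forward_secrecy(cipher: str) -> bool:
    """True if an OpenSSL-style cipher name implies an ephemeral key exchange."""
    name = cipher.upper()
    return name.startswith(TLS13_SUITES) or name.startswith(EPHEMERAL_KX)


def negotiated_cipher(s_client_output: str):
    """Extract the cipher from the 'New, <proto>, Cipher is <name>' line that
    openssl s_client prints; None when it reads '(NONE)' (handshake failed)."""
    m = re.search(r"^New, .*?, Cipher is (\S+)", s_client_output, re.M)
    if not m or m.group(1) == "(NONE)":
        return None
    return m.group(1)


def server_forward_secrecy(s_client_output: str) -> bool:
    """Did the captured s_client run negotiate a forward-secret suite?"""
    cipher = negotiated_cipher(s_client_output)
    return cipher is not None and has_forward_secrecy(cipher)


def probe_host(host: str, port: int = 443, timeout: float = 5.0):
    """Live check (assumes network access): offer only ephemeral suites, like
    -cipher "ECDHE, EECDH" above, and return the negotiated cipher or None."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE:DHE")   # TLS 1.3 suites are separate and stay enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLError:
        return None                # no ephemeral suite in common: no forward secrecy
```

A server that returns None from probe_host behaves like the linustechtips.com run above: it only offers static-RSA key exchange, so any recorded session falls with the server's private key.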

Check out mullvad.net they have a nice blog for setting up your vpn connection if you want some more options to protect your traffic and a client with Linux support.

Speeds are sometimes not that great, but never totally slow. As far as I know it’s a small team and they won’t ask for any personal information. It’s like 5 bucks a month and is based in Sweden.

Best regards