When logging in (or signing up) to a web service, always check for the lock icon in the address bar and `https://` at the front of the URL: not `http` (which stands for Hyper-Text Transfer Protocol), but `https`, with the extra `s` at the end (which stands for HTTP Secure). The lock only means the connection to that site is encrypted and the server's certificate checks out; it says nothing about whether the site itself is legitimate, so check the domain name too (phishing sites use HTTPS as well).
HTTPS gives you encrypted client-server communication, while HTTP transfers everything in plain text, so anyone on the path (someone on the same Wi-Fi, your ISP, a compromised router) can sniff your traffic and steal your credentials. Even worse, with HTTP an attacker on the path can also alter the pages and responses in transit, a man-in-the-middle attack, and you would never notice.
Traffic over HTTPS is encrypted using TLS (the successor of SSL; the two names are often used interchangeably). The server's certificate is what lets your browser verify that it is talking to the real site before any secret is sent; the actual traffic is then encrypted with a session key negotiated for that connection. You can read more about SSL/TLS here.
Web extension that tries to use HTTPS on all websites (most current browsers also ship a built-in HTTPS-only mode in their settings, which does the same job):
They generally block ads, but can also block:
Web Extension that blocks ads:
Some websites (most large websites) offer the option of two-factor authentication (2FA). This means that after logging in with your password, the website will ask for a second code (usually 6 digits). This code is either sent to you (typically by SMS or e-mail) or generated on a device you hold (an authenticator app or a hardware token).
The codes can be time based (TOTP: each code is valid for a short window, typically 30 seconds, and is computed from the current time) or counter based (HOTP: each code is valid once, in order, and is computed from a counter that advances with every use). In both cases the code is derived from a secret shared between your device and the website, so seeing one code does not let an attacker compute the next one.
If your password gets compromised, 2FA stops the attacker from gaining access to your account without also having your 2FA device. This is why an authenticator app or dedicated hardware for code generation (e.g. a bank token or a security key) is preferred over SMS, which can be intercepted or redirected with a SIM swap.
2FA protects your account if the website's password database gets leaked, if your password gets stolen, or if your password gets cracked.
RSA/ECDSA/Ed25519 (or other) key pairs are usually used to replace passwords. Keys provide protection against brute-force and dictionary attacks, because a private key is far too large to guess and never leaves your machine during login. Keys can also be used to "sign" a "message" (or file, or anything), i.e. to prove that it comes from you: anyone holding your public key can verify the signature, but only the holder of the private key can produce it.
In order to generate a key:

```
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (~/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
```
This creates an RSA key pair for you (in `~/.ssh`). Choose a passphrase when asked: it encrypts the private key on disk, so a copied `id_rsa` is useless on its own. Current OpenSSH also supports Ed25519 keys (`ssh-keygen -t ed25519`), which are smaller and faster than RSA and are the better default where the server supports them. Do not share the `id_rsa` file, ever! Only share the public key, found in the matching `.pub` file, which looks like this:

```
# My public RSA key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCTuTjOy984o3SuXoGfsnuaOuqET8wzmE+B0oDTDcl/Hz3SkNvHuKwYrXx0oHi2JUkKSwUx7XZtil0TN+U3mZ63gsfJ3ITazzsQ4hb39seajUiLK5Tcfgx1XnAevXRb9Bp+6LyEws4KbNbHv2bruYDYdoypkdTTfRJKZVjP0t4YxTkE69ImsW4K/Wi8f8WVa9EZecqEs3TvbVc4iuiJ9Fm2qkRCgD+kOmYf7+YNkLcgvuYDx0m7zRNqJyGs2r31qm8f/BMgpVZdN8o0441zotalDqLUHFlITxspKfiQyMr4NHQ/YuJZcAe5zhjutbEqi6FNGOMCK1YgYSUeywlCpxar
# My public ECDSA key
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAT4L1J12pZm3Ga/NHOvC0mudTRz5bv2UON/2Z294Z/ZCEy4wLqkIip4GnrJEbt9pJwG721fheVHP2PqBKwXyZU=
```
Secure Shell, or SSH for short, is a protocol which allows a user's machine (the client) to connect to another machine (the host) and run commands on it. The link between the two is encrypted and integrity-protected, so neither sniffing nor tampering is possible in transit, provided the client verifies the host's key (see `known_hosts` below).
An SSH server allows multiple auth methods (or any combination of these):
If the server is reachable from the internet with no firewall or rate limiting in front of it, brute-force (or dictionary) attacks against password logins are possible, and the `root`/admin accounts are the first targets. A firewall only reduces the noise; the real fix is to disable password auth, forbid root login and force key-only login over SSH (see the server settings below).
Clients can find their SSH configuration, keys and known hosts in `~/.ssh`.
`.ssh/known_hosts` contains a list of all previously connected machines together with their host keys (their "id"), used to determine the authenticity of the host on every later connection. If the stored key for a host no longer matches what the server presents, `ssh` refuses to connect and prints a loud warning. Do not just delete the entry to make the warning go away: unless you know the host was legitimately reinstalled or re-keyed, a changed host key is exactly what a man-in-the-middle attack looks like.
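The host check described above, as an added example that is not code from the original page. It parses a constructed `known_hosts` (both the plain form and the hashed `|1|salt|hash` form that OpenSSH writes when `HashKnownHosts` is on, where the hash is HMAC-SHA1 of the hostname keyed with the salt) and classifies a presented host key as new, matching, or changed. The key blobs, host names other than `gstechnologies.io`, and the fixed salt are placeholders constructed for the demo; real entries also allow `[host]:port` names and wildcard patterns, which are left out here.

```python
import base64
import hashlib
import hmac

# Constructed placeholder key blobs in the right format; not real keys.
HOST_A_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleHostAKey00000000000000000000"
HOST_B_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleHostBKey00000000000000000000"
ROGUE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAttackerControlledKey0000000000000"
# ssh draws 20 random salt bytes per entry; fixed here so the file is reproducible.
SALT = bytes(range(20))


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Hashed known_hosts name: '|1|' + b64(salt) + '|' + b64(HMAC-SHA1(salt, hostname)).
    Hashing hides which hosts you talk to if the file leaks, while ssh can
    still look a host up by recomputing the HMAC with the stored salt."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


# Constructed known_hosts: one plain entry (name and IP), one hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "gstechnologies.io,203.0.113.10 " + HOST_A_KEY,
    hash_hostname("backup.example.net", SALT) + " " + HOST_B_KEY,
])


def parse_known_hosts(text):
    """Yield (names, keytype, keyblob) per entry; `names` is the
    comma-separated first field (plain names or a single hashed name)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        yield fields[0].split(","), fields[1], fields[2]


def name_matches(names, hostname: str) -> bool:
    """True if any stored name (plain or hashed) denotes `hostname`."""
    for name in names:
        if name.startswith("|1|"):
            _, _, salt_b64, _ = name.split("|")
            expected = hash_hostname(hostname, base64.b64decode(salt_b64))
            if hmac.compare_digest(expected, name):
                return True
        elif name == hostname:
            return True
    return False


def check_host(known_hosts: str, hostname: str, presented: str) -> str:
    """'new'     : never seen, ssh would ask you to confirm the fingerprint
       'ok'      : the presented key matches a stored entry for this host
       'CHANGED' : a key is stored for this host but a different one was
                   presented: the man-in-the-middle (or re-key) case."""
    ptype, pblob = presented.split()[:2]
    seen_any = False
    for names, keytype, blob in parse_known_hosts(known_hosts):
        if not name_matches(names, hostname):
            continue
        seen_any = True
        if keytype == ptype and blob == pblob:
            return "ok"
    return "CHANGED" if seen_any else "new"


if __name__ == "__main__":
    for host, key in [("gstechnologies.io", HOST_A_KEY),
                      ("backup.example.net", HOST_B_KEY),
                      ("backup.example.net", ROGUE_KEY),
                      ("new.example.org", HOST_A_KEY)]:
        print(f"{host:22} {check_host(KNOWN_HOSTS, host, key)}")
```

The "CHANGED" result is the one the warning in the text is about; this demo compares type and blob only, whereas real ssh also has a separate path for a host that presents a key type you have never stored.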
The default file for `ssh-keygen` is `~/.ssh/id_*`, where `*` is the key type used (`rsa`, `ecdsa`, `ed25519`, …).
Never share your private keys (`id_rsa`)! Your public key (the matching `.pub` file) is the only one you should ever share.
```
# This will show a nice ascii art image on connection
# allowing you to identify a host/key used.
VisualHostKey yes
```

```
# If you have a Mac, you might want to turn this on
# for all hosts.
Host *
    UseKeychain yes
```

```
# Example of a host config
Host gst.io
    HostName gstechnologies.io
    User example
    Port 22
```
`gst.io` is an alias in this case, allowing you to run `ssh gst.io` instead of `ssh example@gstechnologies.io`.
```
# You can send environment variables to your host
Host *
    SendEnv VARNAME
```

Note that the server only accepts the variables listed in its `AcceptEnv` setting; anything else you send is silently dropped.
If you add this to your `.ssh/config`:

```
Host gstech
    HostName gstechnologies.io
    User YOUR_USERNAME
    Port 22
    IdentityFile ~/.ssh/YOUR_KEY
```

you can connect with `ssh gstech`, and the key named in `IdentityFile` is used for that host. `ssh_config` does not expand `$HOME`, so use `~` (or the `%d` token) for your home directory.
On the server side, in `sshd_config`:

```
LoginGraceTime 1m
PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication no
```

This enforces key-only auth and tightens the login process: root cannot log in at all, a client gets one minute to authenticate, and is disconnected after three failed attempts. Two caveats: `PasswordAuthentication no` alone does not block passwords on systems with `UsePAM yes`, because PAM can still take a password through keyboard-interactive auth, so set `KbdInteractiveAuthentication no` (spelled `ChallengeResponseAuthentication` in older releases) as well. And before restarting sshd, keep your current session open and confirm from a second terminal that key login still works, or you can lock yourself out.
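A trap with these settings is that sshd uses the first value it finds for each keyword, so hardening lines appended to the end of a file that already says `PermitRootLogin yes` near the top are silently ignored. The following added example (not code from the original page) parses a constructed `sshd_config` the way sshd does (case-insensitive keywords, first value wins, everything after `Match` is conditional) and reports which of the recommended settings are not in effect. The `DEFAULTS` table holds sshd's built-in defaults for those keywords in OpenSSH 7.0 and later; the sample configs and the `EXPECTED` list are assumptions made for the demonstration.

```python
import re

# What the text above recommends, plus the keyboard-interactive setting that
# "PasswordAuthentication no" needs on PAM systems to really disable
# passwords. Lower-cased because sshd matches keywords case-insensitively.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "pubkeyauthentication": "yes",
    "maxauthtries": "3",
}

# sshd's built-in defaults (OpenSSH 7.0+) for keywords the file omits.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# Constructed sshd_config: an admin appended the hardening lines from the
# text above to a file that already set the weak values higher up.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes

# hardening appended later:
LoginGraceTime 1m
PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication no

Match User backup
    PasswordAuthentication yes
"""

# Constructed corrected config with no earlier conflicting lines.
HARDENED_CONFIG = """\
Port 22
LoginGraceTime 1m
PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
"""


def parse_sshd_config(text):
    """Return (effective, shadowed) for the global section of an sshd_config.

    Mirrors two sshd(8) rules: keywords are case-insensitive, and for each
    keyword the FIRST value in the file wins; later duplicates are ignored
    and are reported in `shadowed` as (keyword, ignored_value). Everything
    from the first 'Match' line onward only applies to matching users or
    addresses, so parsing stops there."""
    effective, shadowed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword in effective:
            shadowed.append((keyword, value))
        else:
            effective[keyword] = value
    return effective, shadowed


def audit(text):
    """Compare the effective settings against EXPECTED.

    Returns (findings, shadowed); each finding is
    (keyword, expected, actual, source) with source 'config' or 'default'."""
    effective, shadowed = parse_sshd_config(text)
    findings = []
    for keyword, want in EXPECTED.items():
        if keyword in effective:
            actual, source = effective[keyword], "config"
        else:
            actual, source = DEFAULTS[keyword], "default"
        if actual.lower() != want:
            findings.append((keyword, want, actual, source))
    return findings, shadowed


if __name__ == "__main__":
    findings, shadowed = audit(SAMPLE_CONFIG)
    for keyword, want, actual, source in findings:
        print(f"WEAK  {keyword}: want {want}, effective {actual} ({source})")
    for keyword, value in shadowed:
        print(f"NOTE  '{keyword} {value}' is ignored: an earlier line already set it")
    print("hardened sample findings:", audit(HARDENED_CONFIG)[0])
```

On a real host the authoritative check is `sshd -T`, which prints the effective configuration after all parsing rules are applied; this script is for reasoning about a config file offline.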
You can encrypt files using your GPG key. You can also sign files (prove that they come from you) using GPG; the signature covers the file's contents, so the recipient detects both a modified file and a file replaced by someone who does not hold your private key.
You can run `sum FILE_NAME` to get a checksum of the file. Comparing it with the checksum published by the source tells you if the file you obtained was corrupted, modified or replaced in transit. Be aware that `sum` produces only a 16-bit checksum, which is fine for catching accidental corruption but worthless against an attacker: someone who replaces the file can trivially craft a replacement with the same `sum` output. For anything security-relevant use a cryptographic hash such as `sha256sum`, compare it against a value obtained over a separate trusted channel, and better still verify a GPG signature, which also ties the file to its author.
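Why a 16-bit checksum cannot stand in for a hash, as an added example that is not code from the original page. It reimplements the rotating checksum of BSD `sum` (the default algorithm of GNU coreutils `sum`), then finds two different file contents with an identical checksum and shows that SHA-256 still tells them apart. The candidate file contents are constructed shell scripts.

```python
import hashlib


def bsd_sum(data: bytes) -> int:
    """The 16-bit rotating checksum of BSD `sum` (coreutils `sum -r`, the
    default): rotate the running value right by one bit, add the next byte,
    keep 16 bits. Only 65536 distinct results are possible."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    return checksum


def sha256_hex(data: bytes) -> str:
    """What `sha256sum` prints: a 256-bit collision-resistant digest."""
    return hashlib.sha256(data).hexdigest()


def find_sum_collision(max_candidates: int = 65537):
    """Produce two different file contents with identical `sum` output.

    Only 65536 checksum values exist, so 65537 distinct inputs must contain
    a collision (pigeonhole); in practice the first one appears far earlier
    (for random inputs after roughly 300, by the birthday bound). Returns
    the colliding pair."""
    seen = {}
    for i in range(max_candidates):
        candidate = b"#!/bin/sh\necho build %d\n" % i  # constructed contents
        checksum = bsd_sum(candidate)
        if checksum in seen:
            return seen[checksum], candidate
        seen[checksum] = candidate
    raise AssertionError("unreachable: pigeonhole guarantees a collision")


if __name__ == "__main__":
    a, b = find_sum_collision()
    print("file A:", a)
    print("file B:", b)
    print("sum    A/B:", bsd_sum(a), bsd_sum(b))   # identical
    print("sha256 A  :", sha256_hex(a))
    print("sha256 B  :", sha256_hex(b))            # different
```

Matching a specific published checksum (a second preimage rather than a collision) takes at most 65536 tries with this algorithm, which is instantaneous; for SHA-256 the same task is computationally out of reach, which is the property a download check actually needs.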