Recommendations

This page contains security-related recommendations. Kindly note that we exclusively recommend hardware, software, and services that we use and own. We do not endorse any products based on sponsoring or things we only know from hearsay.

General information security topics | Home network | Disk and file encryption | DNS | Instant messaging | Operating systems | Repositories | Secure key and password storage

General information security topics

The following resources are useful to learn about InfoSec in general:

Blogs

• Scott Helme (InfoSec blog, focused on web application security)
• n-o-d-e (various hardware projects)

Podcasts

• Security Now (weekly podcast with Steve Gibson and Leo Laporte)
• StormCast (daily 5-10 minute podcast about current InfoSec topics)
• Darknet Diaries (bi-weekly podcast about “hacker” stories)

Q&A websites/forums

• Information Security Stack Exchange (Q&A website for information security professionals)

Other useful websites

• EFF Security Education Companion (for digital security educators)
• EFF Surveillance Self-Defense (tips, tools, and how-tos for more secure online communications)
• IT and Information Security Cheat Sheets (cheat sheets on numerous topics)
• OWASP Cheat Sheet Series (cheat sheets on multiple topics)

Home network

Your home network connects you and your family to the internet. The most vulnerable point is your router since it has to fulfill different functions and is the primary point of entry for a remote attacker. Feel free to read our home network security series.

Books

• Introducing Basic Network Concepts (PDF file)
• Peterson/Davie: Computer Networks: A Systems Approach (free online access)
• Meyers: CompTIA Network+ Certification All-in-One Exam Guide (Exam N10-007), ISBN 978-1-26-012238-1
• Kizza: Guide to Computer Network Security, ISBN 978-3-319-55606-2
• Lowe: Networking for dummies, ISBN 978-1-119-25777-6

Blogs

• Router security blog by Michael Horowitz

Hardware

• Turris Omnia (open hardware and open-source router) (#Turris-Omnia)

Disk and file encryption

We recommend the following applications or standards. Some recommendations are based on a talk of Mr. Schumacher from Magdeburger Institut für Sicherheitsforschung. Only use well-maintained and well-tested software for cryptography. Otherwise, your data could be exposed in some way, or you could lose your data.

Full-disk encryption

• LUKS (Linux; see our article on using a YubiKey for two-factor authentication)
• VeraCrypt (open-source disk encryption software for Windows, Mac OSX and Linux)

Built-in file encryption

The Linux file systems ext4, F2FS, and UBIFS natively support file encryption. See our article on fscrypt.

Other software

• GoCryptFS (uses modern crypto but leaks metadata)
• CryFS (uses modern crypto and hides metadata but is slower than GoCryptFS)

DNS

Many private users are focused on HTTPS and forget about their insecure DNS traffic. Cleartext DNS traffic can be modified or logged, and third parties can learn about your surfing habits. People who are familiar with network protocols and DNS can configure DNSSEC as well as DNS-over-TLS. If set correctly, you get validated DNS responses, and your DNS traffic is authenticated and encrypted.

Check our DNS-related articles.

Websites

• DNS Privacy Project (collaborative open project to promote, implement and deploy DNS Privacy)
• DNS leak test (see the DNS server that is used by your client)
• List of public recursive name servers on Wikipedia
• DNS Privacy Public Resolvers
• DNS Privacy Test Servers

Instant messaging

Ask ten people about their preferred instant messenger, and you’ll get 15 recommendations. Some people say that federation is best for privacy (no, this is wrong), some recommend closed-source messengers like Threema, and most people keep on using WhatsApp. We aren’t interested in wars of opinions and stay with the facts.

When it comes to security, privacy, usability, and support for different operating systems, Signal is the clear winner. See also our articles on Signal.

If you still want to use XMPP-based messengers like Conversations, Gajim, Dino, and so on, keep in mind that server-side parties can access and manipulate everything. We strongly recommend running your own XMPP server in this case. If you don’t know how to do this, use a messenger like Signal. Unlike many XMPP-based messengers, Signal uses client-side account management and enforces end-to-end encryption by default.

Operating systems

We recommend Arch Linux for advanced users. It allows you to set up a minimal operating system that can be highly customized. Besides, you get current software packages. Try to avoid unmaintained packages from the AUR (Arch User Repository) to keep your system stable and secure.

Repositories

The following repositories contain useful resources and links:

• Awesome Cellular Hacking
• Awesome Infosec
• Awesome Hacking
• Awesome Security
• Awesome Social Engineering
• Awesome Web Security
• Probable Wordlists

Secure key and password storage

If you use OpenPGP, SSH, etc., you probably store your keys on your computer. We recommend storing private keys on dedicated security hardware. Furthermore, we recommend using password management software. If available, enable and use two-factor authentication for online services (WebAuthn, U2F, OATH-TOTP).

• Nitrokey Pro 2 (and its predecessor) (#Nitrokey)
• YubiKey 5 (and its predecessor) (#YubiKey)
• Yubico Security Key (supports FIDO2, WebAuthn, and U2F) (#YubiKey)
• KeePass Password Safe 2 (well-tested password manager)
• KeePassXC (password manager similar to KeePass 2) (#KeePassXC)