跳轉至

常見的迷思

「開源軟體永遠是安全的」或「商業軟體更安全」

這些迷思源於許多偏見,原始碼是否開放以及軟體的許可並不會以任何方式影響其安全性。 ==開源軟件 可能 比商業軟件更安全,但絕對不能保證這一點。==評估軟體時,您應該根據每個工具的聲譽和安全性進行評估。

開源軟體能夠由第三方人員進行審計,比起同類商用軟體,前者對待潛在漏洞更為透明。 它還允許您查看代碼並禁用您發現的任何可疑功能。 然而,除非您真的這樣做了,否則不能保證程式碼曾經被評估過,特別是小型軟體專案。 The open development process has also sometimes been exploited to introduce new vulnerabilities known as Supply Chain Attacks, which are discussed further in our Common Threats page.1

另一方面,專有軟件不太透明,但這並不意味著它不安全。 主要的商用軟件專案會由內部和第三方機構進行審計,獨立的安全研究人員仍然可以通過逆向工程等技術發現漏洞。

避免決策上的偏見,這點在評估所使用軟體的隱私與安全標準上至關重要。

「信任的轉移可以增加隱私」

在討論 VPN 等解決方案時,我們經常談到「轉移信任」 (將您對 ISP 的信任轉移到 VPN 提供商)。 雖然這可以保護您的瀏覽資料免受 特定 ISP 的侵害,但您選擇的 VPN 提供商仍然可以訪問您的瀏覽數據:您的資料並非完全受到各方的保護。 這意味著:

  1. 把信任轉付給挑選的服務供應商時,您必須謹慎行事。
  2. 您應該利用其它技巧,如 E2EE 來完全保護您的資料。 僅因個別供應商的信任與否,並不能確保資料的安全。

「以隱私為中心的解決方案本質上是值得信賴的」

僅專注於單一工具或提供商的隱私政策和營銷可能會讓您忽視其弱點。 當您正在尋找更私密的解決方案時,您應該確定潛在的問題是什麼,並找到該問題的技術解決方案。 例如,您可能希望避免 Google 雲端硬碟,這會讓 Google 存取您的所有資料。 這種情況的問題是缺乏 E2EE ,因此您應該確保您轉換的供應商真正實現了E2EE ,或者使用可在任何雲提供商安裝 E2EE 的工具(如 Cryptomator)。 轉換到“以隱私為中心”的提供商(其不用 E2EE )不能解決您的問題:它只是將信任從 Google 轉移到該供應商。

您選擇的供應商的隱私政策和商業實踐非常重要,但應視為隱私技術保證的次要條件:當無須信任供應商時,您不必將信任轉移到另一個供應商。

「愈複雜愈好」

我們經常看到人們描述過於複雜的隱私威脅模型。 通常,這些解決方案包括許多不同的電子郵件帳戶或具有許多移動部件和條件的複雜設置等問題。 答案通常是“做 * X *的最佳方式是什麼?”

為自己找到“最佳”解決方案並不一定意味著您正在尋找具有數十種條件的絕對解決方案-這些解決方案通常很難實際使用。 正如先前所討論的,安全性通常是以方便為代價。 下面,我們提供一些訣竅:

  1. == 行動需要達到特定的目的:== 想想如何用最少的行動做到想做的事。
  2. 移除人類的失敗點: 人總會失敗、疲倦、忘記事情。 要保持安全性,請避免依賴大腦記憶的手動條件和流程。
  3. 使用您要想的適當保護等級。 我們經常看到所謂的執法或傳票證明解決方案的建議。 這些通常需要專業知識,通常不是人們想要的。 建立一個複雜的匿名威脅模型是沒有意義的,如果您的行為容易地被一個簡單的監督去匿名化。

那麼,這看起來會怎麼樣?

最清晰的威胁模型之一是,部分人,知道你是谁 ,而另一部分人不知道。 有些必須提出您的法定姓名的情況,但也有其他情況不需要提供全名。

  1. Known identity - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses.

    We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means.

    Tip

    When shopping online, the use of a parcel locker can help keep your physical address private.

  2. Unknown identity - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc.

    You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as Monero. Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.

  3. Anonymous identity - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly.

    Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.)

  1. A notable supply chain attack occurred in March 2024, when a malicious maintainer added a obfuscated backdoor into xz, a popular compression library. The backdoor (CVE-2024-3094) was intended to give an unknown party remote access to most Linux servers via SSH, but it was discovered before it had been widely deployed. 

You're viewing the English copy of Privacy Guides, translated by our fantastic language team on Crowdin. If you notice an error, or see any untranslated sections on this page, please consider helping out! 訪問 Crowdin

You're viewing the English copy of Privacy Guides, translated by our fantastic language team on Crowdin. If you notice an error, or see any untranslated sections on this page, please consider helping out!