this post was submitted on 28 Jun 2024
61 points (93.0% liked)
Privacy
32103 readers
723 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The key to encryption is to have your key encrypted with a strong passphrase.
Phones are literally designed to be convenient. Convenient is the antithesis of security.
You want a 20-100+ character passphrase to symmetrically encrypt your private keys, and you want to never type that in public.
Most people have 4 digit pins on their phones, and they constantly type them in public, in plain view of others. And its super easy to snatch out of their hands and run.
Phones are, by design, not secure devices. Marketing teams trying to sell you something say otherwise. Don't be gullible.
TPM in the SOC to transform the "convenient" pin into more robust encryption keys is the gold standard for civilian devices.
"computers" (of which a phone very much is) also use a TPM for this very reason.
But even taking what you say as gospel, the device isn't insecure, its how people are using it.
I will stand by my comments a phone is the MOST secure device a civilian will use. Even with a secured desktop computer where someone diligently types in a 64 bit random code to unencrypt the hard drive... if they use the computer as a general purpose device, the threat surface raises dramatically. Now information and programs are not compartmentalized, install one bad program and it can trivially take over everything.
TPMs protect the data on the drive if the drive is separated from the computer. If the drive is still in the computer, then it doesn't protect the data. It doesn't provide protection from physical attacks.
https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/tpm-fundamentals
This is how cell phones and windows hello justify short pins, the pin goes into a rate limited TPM that then discloses a larger key to decrypt the actual secret.
Do you need me to link to the vulnerabilities of TPMs? They do not provide physical security.
Does this mean your also against yubikeys?
Hardware keys can be used well to increase your secuirty (U2F MFA) or used to increase convienence and reduce security (passwordless auth)
It depends how the tool is used.