It is entirely relevant for E2EE since the encryption is performed locally. The only partial exception might be something like a web app which can target malicious javascript towards a specific user and they probably won’t notice.
It is true that being open source doesn’t make or break the security of an application, but it’s really useful to have for many reasons. Apple is known to abuse their users and if they produced open source products, people would have a lot more transparency into what is going on and actually have the ability to change it if they pleased.
Sorry, yes you are right about this. Open source clients do matter for E2EE. But for all other web services or websites that are not E2EE, open source is irrelevant.
Apple is known to abuse their users and if they produced open source products, people would have a lot more transparency into what is going on and actually have the ability to change it if they pleased.
This I disagree with. It is an utopian fantasy to expect all software to be produced for free and given as open source.
people would have a lot more transparency into what is going on and actually have the ability to change it if they pleased.
A lack of customization != abusing their customers. Sure there are services/telemetry I wish I could disable, but that is only a small fraction of a fraction compared to Windows or Android.
Apple is so much more focused on privacy than its competitors. Where is Google’s E2EE drive or messaging service, App Privacy Labels, App Tracking Transparency, etc?
Our economy and political systems are producing a dystopian reality and I’d say it’s a fantasy to expect it to survive and continue as it is into the future. No one is arguing that people shouldn’t be paid for their labor, in fact that is a major issue we have today and there are solutions which can address that while also aiming to provide goods/services which prioritize serving the public’s interests rather than profiting off of or subjugating them.
I’ll end it there since this goes too much into politics which is too off-topic for this forum and certainly this thread.
I’d suggest familiarizing yourself with the concept of free software and you’ll have a better understanding of where I’m coming from.
There’s almost always a lesser evil to choose from, even in a variety of terrible situations. I don’t settle for evil, I aim for good. Under certain circumstances it can be understandable to use Apple products when faced with a series of other bad options, but that doesn’t mean you should defend or promote Apple as a good or acceptable option.
Google messages RCS is E2EE, including the backup (according to the EFF, but couldn’t find a primary source for this).
iMessages is E2EE, but not their backup unless you enable ADP, which very few people probably do.
So in this aspect, Google is actually better than Apple.
This is an informative and an interesting educational thread for me. And while I somewhat knew what you said with that quote there, can you expand on this more?
Specifically:
Where can I go to learn more about this tier from a security perspective as you have written it?
Can you explain the “a lot of nuance within platforms” part of your comment more?
If Linux is and has the capacity to be more private indeed compared to other desktop OS from a consumer POV, how can the average Joe like me make it your desktop Linux (Fedora (workstation and silverblue) in my case) more secure from defaults?
And if Linux is that low in terms of security, how is it mitigated on an enterprise level where its all Linux back ends within companies and their infrastructure?
Any insight would be appreciated.. I’m here to learn so I ask these questions. Thanks!
Without knowing what your goals are, there is no specific answer to this question. You can only get very broad advice, like to reduce your overall attack surface (i.e. minimize the apps you install and use, you can never be hacked through software you don’t use), researching and choosing the highest quality software when you do install something, and using proper digital hygiene. As pointed out above, Linux promotes better digital hygiene compared to Windows or macOS by design, which is (one reason) why most experts consider it more secure out of the box than Windows or macOS for the average computer user.
For the “average Joe,” making Linux more secure from defaults (especially in regard to the 2nd broad piece of advice above) is simply a matter of choosing a well-made distro, which you have already done by using Fedora.
It isn’t bad in the first place. Most companies never have to “mitigate” anything on Linux to begin with, because problems with default setups on sane distros like Fedora or even Debian (on servers) is very rare; and:
The main way they secure Linux systems is simply by minimizing the attack surface, because you can easily install only the tools you actually need and nothing else, and companies definitely do this. A Linux web server isn’t going to have a web browser or an office suite or even a desktop environment at all.
I’m not the person you asked but I hope it’s okay that I take a crack at your questions.
Madaidan has some relevant articles on things like Linux and Android security and how they compare to other systems. I’d warn you that his work might be somewhat outdated and in my opinion he demonstrates some bias against Linux and in favour of Apple/Google/Microsoft.
I provide some justifications for why some would prefer Linux in my earlier answer which itself links to another answer on a different thread.
Most desktop Linux distributions do not share any data without your permission and in that sense they could be considered more private. But when it comes to concerns over cyber threats, things become more complicated and have a lot of nuance. As I mentioned, it’s not like the average Joe needs to fear Linux for not being secure enough in the current day, though that could change in the future if desktop Linux security doesn’t keep up with the pace of its growing market share. Sticking with a recommended distribution (as you have) puts you ahead of most other users.
System hardening is primarily targeted towards system administrators rather than average Joe’s, but there are some guides for it. Even so, “hardening” desktop Linux doesn’t provide it with comparable security features and exploit mitigations to something like macOS. Anyone who’s extremely concerned with both privacy and security on desktop should consider using QubesOS rather than Linux. Due to its strict hardware requirements and usability limitations, many may settle for a security-focused Linux distribution like Secureblue instead.
I sort of take offense in the sentiment that Windows is ahead of Linux in terms of security.
Printnightmare and other “insecure by design” like letting peripherals automatically install unsigned drivers for ease of use does not in fact make Windows more secure.
If we are going to ignore nuances, the reverse is also true where Windows is less secure than Linux.
I mean that Linux, for example, is not a single OS with a universal security level. There are distros which are more or less secure than average, which all fall under the umbrella term Linux. The same is true for Android, where different OEMs make various changes to Android, which can impact its security.
If you must use Linux, you should start from the most secure starting point, like secureblue, and follow best practices. There is a practical limit to what an end user can do to harden their system. For example, Android uses the Linux kernel, but that doesn’t mean it’s even remotely possible to make desktop Linux as secure as Android.
The article linked by @TheDoc answers this question well. I’ll just add that Linux is also chosen for it’s performance and stability. Linux is used on the 500 fastest supercomputers in part for this reason.
The fact that you might take offence makes me wonder if your belief that Linux is more secure is more ideological than evidence-based. A lot of people use Linux for ideological reasons, which is perfectly fine, but it isn’t a sensible way to evaluate the security of an operating system.
Yes, Windows has serious security shortcomings just as Linux does. I have not made any claim in regard to how much more secure Windows is compared to Linux, only that it is typically considered more secure.
I said:
The key is within platforms. That is, Linux is a very broad term which encompasses lots of distros of various security levels. You can also configure Windows to be a lot more or less secure than by default. This is the sort of nuance I am referring to.
I am trying to reflect and while I do have ideological reasons to use Linux, I also think Linux is better simply because security news after security news mostly talks about the insecurity of Windows rather than the security of Windows. I would argue that it is the only metric that truly matters.
I do recognize that, yes, it does get better for every inch of known security issues it comes across and patches to correct the issue. But the same is also true for Linux.
For as long as Window have this legacy baggage and desire to support legacy customers, I cannot in good concience conceive Windows of being more secure.
I guess I am just upset with the optics of Windows as being perceived as secure. But in the end, I do get the point you want to come across.
Do you think this is probably do to the fact that Windows has a huge market share compared to linux? If you want to reach a broader audience and to gain peoples attention, this is much more effective that the ~5% of linux based users.
I think both can be similar in security depending on configuration but I do believe windows out of the box is “more secure” than you would see in most “beginner” friendly distros.
Windows- Firewall and windows defender are default enabled
Ubuntu- Firewall installed but not enabled and no built in antivirus
Mint- Need some knowledge to setup UFW correctly and no built in antivirus
Fedora- Firewalld is default enabled but no built in antivirus
You will have a larger attack surface on windows but some stronger defaults compared to Linux. I do believe however Linux can be quite secure (looking at you Secureblue) and remain private while windows will struggle to meet the same level (if at all possible). So for what I would consider an everyday user (non tech savvy) Windows will provide the best user experience with decent security without having to tinker with settings they may not be comfortable with.
I would really like this to change as Fedora has been my daily driver for a bit of time now and find that it is quite comparable in usability after a small learning curve and can be hardened quite well to surpass Windows. For those interested in gaming (many windows users are) Bazzite with some hardening using selective brace settings is a great option.
This is all my opinion for general usage for a common user.
I don’t agree with the idea that an antivirus makes your system more secure; I actually strongly disagree.
If you’re fluent in german I recommend reading Fefe’s blog and watching his yearly Fnords - he is a very well-known security researcher and often writes about this topic (he is absolutely not the only reason why I think that antivirus is bad, but his blog was the reason I took time to dig into this topic).
Here are two links that search his blog for typically used german keywords regarding antivirus:
Antivirus runs inside the kernel, so bugs and security issues introducted by Antivirus are even worse
Antivirus can easily be bypassed
Rule of thumb: Less code = higher security (obviously thats not true for everything, but it is definitely true for this topic)
(Also, Fefe does code reviews with some anti-virus developers and if you want to trust his claims (which I and many other readers of his blog do) then their code is terrible - and it runs in the heart of your operating system…)
I doubt antivirus is really useful on Linux systems and the only open source option (ClamAV/ClamTk) isn’t very usable or useful. Building systems to be secure is more effective than adding reactive antivirus software which are typically privacy-invasive and increase attack surface.
I don’t use Secureblue but it looks like they don’t even bother adding an antivirus, possibly for these reasons.
I know windows defender is excellent at detecting malware and better than anything after market. I agree that Morten, mcaffee etc is all bloat. I just think the extra protection against a bad actor is nice to have. It wouldn’t be a horrible idea as Linux grows into a larger base to have additional protection against malware.
Antiviruses built in ones like Window’s is not inherently a bad thing to have especially as it is not bloating your OS and no it cannot be bypassed that easily, tamper protection also allows so that Windows Defender cannot be touched at all. (and to my understanding some or most of the antiviruses also have tamper protection)
Lete put it into analogy:
Windows Defender is like that Guard that was included in the purchase of your home, And it’s just around to protect from threats and other malicious things, It is not Mandatory to carry the Guard and it’ll only act as it’s sole purpose to protect from threats so it will not unnecessarily interrupt you.
A dedicated Antivirus is like that Guard you found or bought except now you have to carry them on your back and they might even interrupt you unnecessarily.
“Now carrying it’s back” is an exaggeration but the point is yes it’ll be more bloated but windows defender is not, that’s why it’s general recommendation to leave it alone (and maybe even harden it, your choice).
With that said yes, I do feel like an antivirus on Linux just gets unnecessary, It doesn’t have big enough market to even justify needing one and putting protections like sandboxing can help mitigate this and most attacks that happen are like 99% or maybe 98% plus or minus of the time Dedicated to Linux servers, not to an Average Joe.
It took Google until 2021 to add end to end encryption to Google Messages.
From Wikipedia:
In June 2021, Google introduced end-to-end encryption in Messages by default using the Signal Protocol, for all one-to-one RCS-based conversations
iMessage has had end to end encryption for almost 15 years.
Pointing out that ADP needs to be turned on is irrelevant, because iCloud backup is not turned on by default either.
I think you are just trying to cherry pick a single feature that shows Google in a good light (without a primary source as well).
My comment was about the significant difference in the privacy track records of the companies.
Is Google Drive end to end encrypted, like iCloud Drive. How about your sensitive health data in Google Fit? Apple Health Data is end to end encrypted. What about Google Keep? Apple Notes is end to end encrypted.
I don’t recall Google ever standing up to government backdoors.
That doesn’t make sense. Google Messages only supported RCS in 2019, so they took just a couple of years to devise a protocol that encrypts its messages.
No? I just said that point is incorrect. Nothing about my comment said Google was better or worse than Apple in general. In this particular aspect, they are better though.
iMessage in iOS 5 brings the functionality of iPhone messaging to all of your iOS devices―iPhone, iPad and iPod touch. Built right into the Messages app, iMessage allows you to easily send text messages, photos, videos or contact information to a person or a group on other iOS 5 devices over Wi-Fi or 3G. iMessages are automatically pushed to all your iOS 5 devices, making it easy to maintain one conversation across your iPhone, iPad and iPod touch. iMessage also features delivery and read receipts, typing indication and secure end-to-end encryption.
iMessage has been End to End encrypted from it’s launch in 2011.
