diff --git a/about.html b/about.html index 78790a1..c844df8 100644 --- a/about.html +++ b/about.html @@ -1,7 +1,7 @@ - + @@ -227,157 +227,108 @@
- - - - + + + + - - + +
TypeHardwareDescriptionSource model
-
- (License - SPDX)		TypeHardwareDescriptionSource model
+ (License)
Smartphone + Smartphone
-
Google Pixel - - 		+ +
Security/Privacy
-

Google Pixel devices - are the best Android - devices available on the - market for +

Google Pixel devices are the best Android + devices available on the market for security and privacy.

-

They allow locking - the bootloader with a +

They allow locking the bootloader with a custom Android Verified Boot (AVB) key - in order to preserve - security and privacy - features when installing - a custom operating + in order to preserve security and privacy + features when installing a custom operating system, such as verified boot - which verifies that the - OS has not been - corrupted or tampered - with, and + which verifies that the OS has not been + corrupted or tampered with, and rollback protection - which prevents an - adversary from rolling - back the OS or firmware - version to a previous - version with known - security vulnerabilities.

+ which prevents an adversary from rolling + back the OS or firmware version to a + previous version with known security + vulnerabilities.

They also include a hardware security module - (Titan M2, improving on - the previous generation + (Titan M2, improving on the previous + generation Titan M) - which is extremely - resistant to both remote - and physical attacks due - to being completely - isolated from the rest - of the system, including - the operating system. - Titan M2 ensures that - the device cannot be - remotely compromised by - requiring the side - buttons of the device to - be physically pressed - for some sensitive - operations. Titan M2 - also takes the role of + which is extremely resistant to both remote + and physical attacks due to being completely + isolated from the rest of the system, + including the operating system. Titan M2 + ensures that the device cannot be remotely + compromised by requiring the side buttons of + the device to be physically pressed for some + sensitive operations. Titan M2 also takes + the role of Android StrongBox Keymaster, a hardware-backed Keystore - containing sensitive - user keys which are - unavailable to the OS or - apps running on it - without authorisation - from Titan M2 itself. + containing sensitive user keys which are + unavailable to the OS or apps running on it + without authorisation from Titan M2 itself. Insider attack resistance - ensures that Titan M2 - firmware can be flashed - only if the user - PIN/password is already - known, making it - impossible to backdoor - the device without - already knowing these - secrets.

-

Google Pixel device - kernels are compiled + ensures that Titan M2 firmware can be + flashed only if the user PIN/password is + already known, making it impossible to + backdoor the device without already knowing + these secrets.

+

Google Pixel device kernels are compiled with forward-edge control-flow integrity and backward-edge control-flow integrity - to prevent code reuse - attacks against the - kernel. MAC address - randomisation is + to prevent code reuse attacks against the + kernel. MAC address randomisation is implemented well, along with minimal probe requests and randomised initial sequence numbers.

Google releases guaranteed monthly security updates, - ensuring Google Pixel - devices are up-to-date - and quickly protected - against security + ensuring Google Pixel devices are up-to-date + and quickly protected against security vulnerabilities.

-

Pixel 6-series and - 7-series devices are a - large improvement over - the already very secure - and private previous - generation Pixel - devices. They replace - ARM-based Titan M with - RISC-V-based Titan M2, - reducing trust by - removing ARM from the - equation. Titan M2 is - more resiliant to - attacks than Titan M, - and is +

Pixel 6-series and 7-series devices are a + large improvement over the already very + secure and private previous generation Pixel + devices. They replace ARM-based Titan M with + RISC-V-based Titan M2, reducing trust by + removing ARM from the equation. Titan M2 is + more resiliant to attacks than Titan M, and + is AVA_VAN.5 certified, - the highest level of - vulnerability - assessment. Google's - in-house Tensor - System-on-Chip includes - Tensor Security Core, - further improving device - security.

-

Pixel 8-series - includes Armv9's + the highest level of vulnerability + assessment. Google's in-house Tensor + System-on-Chip includes Tensor Security + Core, further improving device security.

+

Pixel 8-series includes Armv9's Memory Tagging Extension, - which dramatically - increases device - security by eliminating - up to 95% of all - security issues caused - by memory-unsafety.

+ which dramatically increases device security + by eliminating up to 95% of all security + issues caused by memory-unsafety.

Support
-

Pixel 4a (5G), Pixel - 5, and Pixel 5a, are +

Pixel 4a (5G), Pixel 5, and Pixel 5a, are supported for a minimum of 3 years from launch.

-

Pixel 6-series, Pixel - 7-series, Pixel Fold, - and Pixel Tablet, are - supported for a +

Pixel 6-series, Pixel 7-series, Pixel + Fold, and Pixel Tablet, are supported for a minimum of 5 years from launch. -

Pixel 8-series is supported for - a +

Pixel 8-series is supported for a minimum of 7 years from launch, - putting it on the same support - level as Apple; Google have even - surpassed Apple in this regard, - as Apple does not commit to a - support timeframe for their - devices.

+ putting it on the same support level as + Apple; Google have even surpassed Apple in + this regard, as Apple does not commit to a + support timeframe for their devices.

+
@@ -387,85 +338,67 @@
- - - - + + + + - - + - - - + - @@ -475,170 +408,132 @@
TypeSoftwareDescriptionSource model
-
- (License - SPDX)		TypeSoftwareDescriptionSource model
+ (License)
Operating system + Operating system
-
Gentoo Linux - - 		+ +

Gentoo Linux - is a highly modular, - source-based, Linux-based - operating system which allows - vast customisation to tailor the - operating system to suit your - specific needs. There are many - advantages to such an operating - system, with the most notable - being the ability to optimise - the software for security, - privacy, performance, or power - usage; however, there are - effectively unlimited other use - cases, or a combination of - multiple use cases.

-

I have focused on security - hardening and privacy hardening, - placing performance below those - aspects, although my system is - still very performant. Some of + is a highly modular, source-based, Linux-based + operating system which allows vast customisation to + tailor the operating system to suit your specific + needs. There are many advantages to such an + operating system, with the most notable being the + ability to optimise the software for security, + privacy, performance, or power usage; however, there + are effectively unlimited other use cases, or a + combination of multiple use cases.

+

I have focused on security hardening and privacy + hardening, placing performance below those aspects, + although my system is still very performant. Some of the hardening I apply includes stack protection, signed integer overflow trapping, and GrapheneOS' hardened_malloc memory allocator.

- You can find my Gentoo Linux - configurations in my + You can find my Gentoo Linux configurations in my configuration respository.

 - Open source
-
+ 		+ Open-source
(GPL-2.0-only)
Web browser + Web browser
-
Chromium - - 		+ +

Chromium - is a highly secure web browser - which is often ahead of other - web browsers in security - aspects. It has a dedicated - security team and a very - impressive + is a highly secure web browser which is often ahead + of other web browsers in security aspects. It has a + dedicated security team and a very impressive security brag sheet. - Chromium's security features - include a strong + Chromium's security features include a strong multi-layer sandbox, strong site isolation, Binding Integrity memory hardening, and control-flow integrity (CFI).

 - Open source
-
+ 		+ Open-source
(BSD-3-Clause)
- - - - + + + + - - + - - - + - - - + - - - -
TypeSoftwareDescriptionSource model
-
- (License - SPDX)		TypeSoftwareDescriptionSource model
+ (License)
Operating system + Operating system

GrapheneOS - - 		+ +

GrapheneOS - is a security-hardened, - privacy-hardened, - secure-by-default, Android-based - operating system which - implements extensive, systemic - security and privacy hardening - to the Android Open Source - Project used as its base - codebase. Its hardening includes - closing gaps for apps to access - sensitive system information, a - secure app spawning feature - which avoids sharing address - space layout and other secrets - AOSP's default Zygote app - spawning model would share, + is a security-hardened, privacy-hardened, + secure-by-default, Android-based operating system + which implements extensive, systemic security and + privacy hardening to the Android Open Source Project + used as its base codebase. Its hardening includes + closing gaps for apps to access sensitive system + information, a secure app spawning feature which + avoids sharing address space layout and other + secrets AOSP's default Zygote app spawning model + would share, hardened kernel, hardened memory allocator (hardened_malloc) - to protect against common memory - corruption vulnerabilties, + to protect against common memory corruption + vulnerabilities, hardened Bionic standard C library, stricter SELinux policies, - and local and remote - hardware-backed attestation + and local and remote hardware-backed attestation (Auditor) - to ensure the OS has not been - corrupted or tampered with.

+ to ensure the OS has not been corrupted or tampered + with.

GrapheneOS only supports high security and well-supported devices - which receive full support from - their manufacturers, including - firmware updates, long support - lifecycles, secure hardware, and - overall high security + which receive full support from their manufacturers, + including firmware updates, long support lifecycles, + secure hardware, and overall high security practices.

-

For an extensive list of - features GrapheneOS provides, - visit its +

For an extensive list of features GrapheneOS + provides, visit its official features list - which provides extensive - documentation.

+ which provides extensive documentation.

 - Open source
-
+ 		+ Open-source
(MIT)
Web browser + Web browser
-
Vanadium - - 		-

Vanadium is a - security-hardened, - privacy-hardened Chromium-based - web browser which utilises - GrapheneOS' operating system - hardening to implement stronger - defenses to the already very - secure Chromium web browser. Its - hardening alongside Chromium's - base security features includes + +

+

Vanadium is a security-hardened, privacy-hardened + Chromium-based web browser which utilises + GrapheneOS' operating system hardening to implement + stronger defenses to the already very secure + Chromium web browser. Its hardening alongside + Chromium's base security features includes disabling JavaScript just-in-time (JIT) compilation by default, stubbing out the battery status API to prevent abuse of it, and always-on Incognito mode as an option.

-

Vanadium's source code, - including its Chromium patchset, - can be found in its +

Vanadium's source code, including its Chromium + patch-set, can be found in its official repository.

 - Open source
-
+ 		+ Open-source
(GPL-2.0-only)
Messenger + Messenger
-
Molly - - 		+ +

Molly - is a security-hardened, - privacy-hardened + is a security-hardened, privacy-hardened Signal - client which hardens Signal by - using a variety of + client which hardens Signal by using a variety of unique features, allowing locking the database when not in use, and utilising Android StrongBox - to protect user keys - using the device's hardware + to protect user keys using the device's hardware security module.

Molly is available in 2 flavours:

    -
  • Molly, which - includes the - same proprietary - Google code as - Signal to - support more - features.
    • -
  • Molly-FOSS, - which removes - the proprietary - Google code to - provide an - entirely - open-source - client.
    • +
  • Molly, which includes the same + proprietary Google code as Signal to + support more features.
    • +
  • Molly-FOSS, which removes the + proprietary Google code to provide + an entirely open-source client.

 - Open source
-
+ 		+ Open-source
(GPL-3.0-only)
Messenger +
-
Conversations - - 		+ +

Conversations is a well-designed Android XMPP - client which serves as the de - facto XMPP reference client and - has great usability.

+ client which serves as the de facto XMPP reference + client and has great usability.

 - Open source
-
+ 		+ Open-source
(GPL-3.0-only)