Crédits : Starlink

Comme vous le savez peut-être, l'Arcep a dit oui quant à l'arrivée de Starlink sur le sol français en février 2021. Il n'était donc plus qu'une question de temps avant de voir le réseau internet par satellite d'Elon Musk débarquer dans l'Hexagone, au grand dam d'ailleurs des députés Insoumis. C'est désormais chose faite depuis ce lundi 10 mai 2021.

En effet et comme on peut le lire sur le site officiel du service, les inscriptions à Starlink sont ouvertes en France “à un nombre limité d'utilisateurs par zone de couverture”. SpaceX, maison-mère de Starlink, affirme que “les commandes seront traitées par ordre d'arrivée, selon le principe du premier arrivé, premier servi”. 

À lire également : Starlink – l'Internet par satellite est loin d'être au point, ce test de performance le prouve

Il faudra payer le prix fort pour s'essayer à Starlink

Si vous êtes intéressé par l'offre de SpaceX, il faudra d'abord se procurer le kit Starlink comprenant le routeur Wi-Fi, l'alimentation, les câbles, la parabole et le trépied de montage. Un kit proposé à 499 € il faut le rappeler. À cette coquette somme, vous devrez rajouter 59 € de frais d'expédition et de dossier, puis souscrire à l'abonnement mensuel de 99 € par mois. Soit une enveloppe généreuse de 657 € pour votre premier mois chez Starlink.

À titre comparatif, l'offre de Neosat (une filiale d'Orange Nordnet) propose un abonnement de 60 € par mois, et un kit similaire affiché à 349 € qui comprend d'ailleurs l'intervention d'un technicien pour l'installation. Pour ce prix-là et durant la phase de bêta, Starlink promet aux utilisateurs des vitesses de transfert entre 50 et 150 Mbit/s et une latence de 20 à 40 ms “dans la plupart des lieux au cours des prochains mois à mesure que nous améliorons le système Starlink”. 

Mais, et comme il y a toujours un mais, l'entreprise prévient ses clients que de “brèves périodes sans aucune connectivité” pourront arriver. Au gré de l'activation de nouveaux satellites, de stations terrestres et d'améliorations du logiciel de mise en réseau, Starlink espère offrir une vitesse de connexion proche de la fibre optique, soit 1 Gbit/s.

Source : Starlink

It’s hard to believe now, but in the early days of the public internet, the greatest worry of some of its most high-powered advocates was that it would be empty. As the Clinton administration prepared to transition the internet from its academic and military origins to the heart of the promised “national information infrastructure” (NII), the government’s advisors fretted that the United States entertainment and information industries would have no commercial reason to switch from TV, radio, and recorded music. And without Hollywood and the record labels on board, the new digital environment would end up as a ghost mall, devoid of businesses or users.

 “All the computers, telephones, fax machines, scanners, cameras, keyboards, televisions, monitors, printers, switches, routers, wires, cables, networks and satellites in the world will not create a successful NII, if there is not content”, former Patent Office head Bruce Lehman’s notorious 1994 government green paper on intellectual property on the Net warned. The fear was that without the presence of the pre-packaged material of America’s entertainment industry, the nation would simply refuse to go online. As law professor Jessica Litman describes it, these experts’ vision of the Internet was “a collection of empty pipes, waiting to be filled with content.” 

Even as the politicians were drafting new, more punitive copyright laws intended to reassure Hollywood and the record labels (and tempt them into new, uncharted waters), the Internet’s first users were moving in and building anyway. Even with its tiny audience of technologists, first-adopters, and university students, the early net quickly filled with compelling “content,” a  free-wheeling, participatory online media that drew ever larger crowds as it evolved.

Even in the absence of music and movies, the first net users built towers of information about them anyway. In rec.arts.movies, the Usenet discussion forum devoted to all things Hollywood, posters had been compiling and sharing lists of their favourite motion picture actors, directors, and trivia since the 1980s. By the time of the Lehman report, the collective knowledge of the newsgroup had outgrown its textual FAQs, and expanded first to a collectively-managed database on Colorado University’s file site, and then onward to one of the very first database-driven websites, hosted on a spare server at Wales’ Cardiff University.

Built in the same barn-raising spirit of the early net, the public interest internet exploits the low cost of organizing online to provide stable, free repositories of user-contributed information. They have escaped an exploited fate as proprietary services owned by a handful of tech giants.

These days, you’ll know that Cardiff Movie Database by another name – the IMDb. The database that had grown out of the rec.arts.movies contributions was turned into a commercial company in 1996 and sold to Amazon in 1998 for around $55 million dollars (equivalent to $88 million today). The Cardiff volunteers, led by one of its original moderators, Col Needham, continued to run the service as salaried employees of an Amazon subsidiary.

The IMDB shows how the original assumptions of Internet growth were turned on their head. Instead of movie production companies leading the way, their own audience had successfully built and monetised the elusive “content” of the information superhighway by themselves—for themselves.  The data of the rec.arts.movie databases was used by Amazon as the seed to build an exclusive subscriptions service, IMDbpro, for movie business professionals, and to augment their Amazon Prime video streaming service with quick-access film facts. Rather than needing the movie moguls’ permission to fill the Internet, the Internet ended up supplying information that those moguls themselves happily paid a new, digital mogul for.

But what about those volunteers who gave their time and labor to the collective effort of building this database for everyone? Apart from the few who became employees and shareholders of the commercial IMDb, they didn’t get a cut of the service’s profits. They also lost access to the full fruits of that comprehensive movie database. While you can still download the updated core of the Cardiff Database for free, it only covers the most basic fields of the IMDb. It is licensed under a strictly non-commercial license, fenced off with limitations and restrictions. No matter how much you might contribute to the IMDb, you can’t profit from your labor. The deeper info that was originally built by the user-contributions  and supplemented by Amazon has been enclosed: shut away, in a proprietary paywalled property, gated off from the super-highway it rode in on.

It’s a story as old as the net is, and echoes historic stories of the enclosure of the commons. A pessimist would say that this has been the fate of much of the early net and its aspirations. Digital natives built, as volunteers, free resources for everyone. Then, struggling to keep them online in the face of the burdens of unexpected growth, they ended up selling up to commercial interests. Big Tech grew to its monopoly position by harvesting this public commons, and then locking it away.

But it’s not the only story from the early net. Everyone knows, too, the large public projects that somehow managed to steer away from this path. Wikipedia is the archetype, still updated by casual contributors and defiantly unpaid editors across the world, with the maintenance costs of its website comfortably funded by regular appeals from its attached non-profit. Less known, but just as unique, is Open Street Map (OSM), a user-built, freely-licensed alternative to Google Maps, which has compiled from public domain sources and the hard work of its volunteer cartographers one of the most comprehensive maps of the entire earth. 

These are flagships of what we at EFF call the public interest internet. They produce and constantly replenish priceless public goods, available for everyone, while remaining separate from government, those traditional maintainers of public goods. Neither are they commercial enterprises, creating private wealth and (one hopes) public benefit through the incentive of profit. Built in the same barn-raising spirit of the early net, the public interest internet exploits the low cost of organizing online to provide stable, free repositories of user-contributed information. Through careful stewardship, or unique advantages, they have somehow escaped an enclosed and exploited fate as a proprietary service owned by a handful of tech giants.

That said, while Wikipedia and OSM are easy, go-to examples of the public interest internet, they are not necessarily representative of it. Wikipedia and OSM, in their own way, are tech giants too. They run at the same global scale. They struggle with some of the same issues of accountability and market dominance. It’s hard to imagine a true competitor to Wikipedia or OSM emerging now, for instance—even though many have tried and failed. Their very uniqueness means that their influence is outsized. The remote, in-house politics at these institutions has real effects on the rest of society. Both Wikipedia and OSM have complex, often carefully negotiated, large-scale interactions with the tech giants. Google integrates Wikipedia into its searches, cementing the encyclopedia’s position. OSM is used by, and receives contributions from, Facebook and Apple. It can be hard to know how individual contributors or users can affect the governance of these mega-projects or change the course of them. And there’s a recurring fear that the tech giants have more influence than the builders of these projects.

Besides, if there’s really only a handful of popular examples of public good production by the public interest internet, is that really a healthy alternative to the rest of the net? Are these just crocodiles and alligators, a few visible survivors from a previous age of out-evolved dinosaurs, doomed to be ultimately outpaced by sprightlier commercial rivals?

At EFF, we don’t think so. We think there’s a thriving economy of smaller public interest internet projects, which have worked out their own ways to survive on the modern internet. We think they deserve a role and representation in the discussions governments are having about the future of the net. Going further, we’d say that the real dinosaurs are our current tech giants. The small, sprightly, and public-minded public interest internet has always been where the benefits of the internet have been concentrated. They’re the internet’s mammalian survivors, hiding out in the nooks of the net, waiting to take back control when the tech giants are history.

In our next installment, we take a look at one of the most notorious examples of early digital enclosure, its (somewhat) happier ending, and what it says about the survival skills of the public interest internet when a free database of compact discs outlasts the compact disc boom itself.

Governor DeSantis is expected to sign it into law, as he called for laws like this. He cited social media de-platforming Donald Trump as  examples of the political bias of what he called “oligarchs in Silicon Valley.” The law is not just about candidates, it also bans “shadow-banning” and cancels cancel culture by prohibiting censoring “journalistic enterprises,” with “censorship” including things like posting “an addendum” to the content, i.e. fact checks.

This law, like similar previous efforts, is mostly performative, as it almost certainly will be found unconstitutional. Indeed, the parallels with a nearly 50 years old compelled speech precedent are uncanny. In 1974, in Miami Herald Publishing Co. v. Tornillo, the Supreme Court struck down another Florida statute that attempted to compel the publication of candidate speech. 

50 Years Ago, Florida's Similar "Right of Reply" Law Was Found Unconstitutional

At the time, Florida had a dusty "right of reply" law on the books, which had not really been used, giving candidates the right to demand that any newspaper who criticized them print a reply to the newspaper's charges, at no cost. The Miami Herald had criticized Florida House candidate Pat Tornillo, and refused to carry Tornillo’s reply. Tornillo sued.

Tornillo lost at the trial court, but found some solace on appeal to the Florida Supreme Court.  The Florida high court held that the law was constitutional, writing that the “statute enhances rather than abridges freedom of speech and press protected by the First Amendment,” much like the proponents of today’s new law argue. 

So off the case went to the US Supreme Court. Proponents of the right of reply raised the same arguments used today—that government action was needed to ensure fairness and accuracy, because “the 'marketplace of ideas' is today a monopoly controlled by the owners of the market.”  

Like today, the proponents argued new technology changed everything. As the Court acknowledged in 1974, “[i]n the past half century a communications revolution has seen the introduction of radio and television into our lives, the promise of a global community through the use of communications satellites, and the specter of a ‘wired’ nation by means of an expanding cable television network with two-way capabilities.”  Today, you might say that a wired nation with two-way communications had arrived in the global community, but you can’t say the Court didn’t consider this concern.

You might wonder why the Florida Legislature would pass a law doomed to failure. Politics, of course.

The Court also accepted that the consolidation of major media meant “the dominant features of a press that has become noncompetitive and enormously powerful and influential in its capacity to manipulate popular opinion and change the course of events,” and acknowledged the development of what the court called “advocacy journalism,” eerily similar to the arguments raised today. 

Paraphrasing the arguments made in favor of the law, the Court wrote “The abuses of bias and manipulative reportage are, likewise, said to be the result of the vast accumulations of unreviewable power in the modern media empires. In effect, it is claimed, the public has lost any ability to respond or to contribute in a meaningful way to the debate on issues,” just like today’s proponents of the Transparency in Technology Act.

The Court was not swayed, not because this was dismissed as an issue, but because government coercion could not be the answer. “However much validity may be found in these arguments, at each point the implementation of a remedy such as an enforceable right of access necessarily calls for some mechanism, either governmental or consensual. If it is governmental coercion, this at once brings about a confrontation with the express provisions of the First Amendment.” There is much to dislike about content moderation practices, but giving the government more control is not the answer.

Even if one should decry the lack of responsibility of the media, the Court recognized “press responsibility is not mandated by the Constitution and like many other virtues it cannot be legislated.”  Accordingly, Miami Herald v. Tornillo reversed the Florida Supreme Court, and held the Florida statute compelling publication of candidates' replies unconstitutional.

Since Tornillo, courts have consistently applied it as binding precedent, including applying Tornillo to social media and internet search engines, the very targets of the Transparency in Technology Act (unless they own a theme park). Indeed, the compelled speech doctrine has even been used to strike down other attempts to counter perceived censorship of conservative speakers. 

With the strong parallels with Tornillo, you might wonder why the Florida Legislature would pass a law doomed to failure, costing the state the time and expense of defending it in court. Politics, of course. The legislators who passed this bill probably knew it was unconstitutional, but may have seen political value in passing the base-pleasing statute, and blaming the courts when it gets struck down. 

Politics is also the reason for the much-ridiculed exception for theme park owners. It’s actually a problem for the law itself. As the Supreme Court explained in Florida Star v BJF, carve-outs like this make the bill even more susceptible to a First Amendment challenge as under-inclusive.  Theme parks are big business in Florida, and the law’s definition of social media platform would otherwise fit Comcast (which owns Universal Studios' theme parks), Disney, and even Legoland.  Performative legislation is less politically useful if it attacks a key employer and economic driver of your state. The theme park exception has also raised all sorts of amusing possibilities for the big internet companies to address this law by simply purchasing a theme park, which could easily be less expensive than compliance, even with the minimum 25 acres and 1 million visitors/year. Much as Section 230 Land would be high on my own must-visit list, striking the law down is the better solution.

The Control that Large Internet Companies Have on our Public Conversations Is An Important Policy Issue

The law is bad, and the legislature should feel bad for passing it, but this does not mean that the control that the large internet companies have on our public conversations isn’t an important policy issue. As we have explained to courts considering the broader issue, if a candidate for office is suspended or banned from social media during an election, the public needs to know why, and and the candidate needs a process to appeal the decision. And this is not just for politicians - more often it is marginalized communities that bear the brunt of bad content moderation decisions. It is critical that the social platform companies provide transparency, accountability and meaningful due process to all impacted speakers, in the US and around the globe, and ensure that the enforcement of their content guidelines is fair, unbiased, proportional, and respectful of all users’ rights. 

This is why EFF and a wide range of non-profit organizations in the internet space worked together to develop the Santa Clara Principles, which call upon social media to (1) publish the numbers of posts removed and accounts permanently or temporarily suspended due to violations of their content guidelines; (2) provide notice to each user whose content is taken down or account is suspended about the reason for the removal or suspension; and (3) provide a meaningful opportunity for timely appeal of any content removal or account suspension. 

Introduit il y a quelques mois par Brave au sein de son logiciel, le protocole IPFS permet d'héberger ses propres pages web sur un réseau décentralisé, ou chaque élément est stocké dans plusieurs nœuds.

Avec IPFS nous retrouvons plusieurs avantages. D'une part ce dispositif permet de répartir la charge réseau et donc d'optimiser la bande passante. Par ailleurs, le contenu se charge plus rapidement, surtout si le nombre de nœuds pour ce dernier est conséquent. Il ne s'agit alors plus d'accéder à un serveur central classique mais de récupérer le contenu sur les nodes les plus proches. Enfin, et c'est une bonne nouvelle, puisque l'on passe outre le protocole HTTP cela permet d'accéder à des contenus censurés.

Au-delà des simples page Web, ce protocole permet également de partager des fichiers très simplement en peer-to-peer à plusieurs de ses proches en passant directement par le navigateur. En d'autres termes, c'est une peu comme si nous retrouvions une sorte de WeTransfer directement intégré au navigateur.

De la même manière qu'un client BitTorrent , plus il y a de contacts partageant le même fichier, plus la vitesse de téléchargement sera importante.

Comment créer un serveur de fichiers avec Brave ?
1. Ouvrez une fenêtre du navigateur Brave et tapez l'adresse brave://ipfs-internals/ dans la barre d'adresses.

2. Cliquer sur Démarrer.

3. Cliquer sur « Mon nœud »

4. Vous arrivez sur l'interface de gestion. Pour envoyer un fichier, cliquez maintenant sur « Fichiers », dans le menu situé à gauche de l'interface.

5. Pour importer un fichier, cliquez sur le bouton "+Import", puis sur « Fichier ». Vous pouvez également envoyer un dossier entier en cliquant sur « Folder ».

6. Choisissez sur votre ordinateur le fichier à importer.

7. Pour partager votre fichier avec un ou plusieurs contacts, cliquez sur le menu d'options, symbolisé par les trois petits points à droite du fichier importé puis sur « Partager ».

8. Cliquer sur « Copy » pour copier le lien de partage.

Il ne reste plus qu'à l'envoyer à vos contacts pour qu'ils puissent commencer le téléchargement.

Ainsi, selon Gizmodo, l’avocat Ramon Rozas, du Maryland, a décidé de s’appuyer sur la note de blog de Moxie Marlinspike pour demander un nouveau procès pour son client.
« Un nouveau procès devrait être ordonné afin que la défense puisse examiner le rapport produit par le dispositif Cellebrite à la lumière de ces nouvelles preuves, et examiner le dispositif Cellebrite lui-même », explique-t-il dans sa demande.
On verra si les juges seront réceptifs à ce type d’argument. Si oui, les enquêteurs et les procureurs vont avoir problème, car ils s’appuient de plus en plus sur cet outil technologique.

A découvrir aussi en vidéo :

Cette méfiance n’apparaît pas qu’aux États-Unis. En Israël, un militant des droits de l’homme a demandé aux autorités d’arrêter toute utilisation de Cellebrite au sein des forces de l’ordre, tant que la fiabilité de l’appareil n’est pas analysée.
Cellebrite, de son côté, tente d’éteindre le feu. Selon Vice, le fournisseur aurait déjà diffusé un patch pour minimiser la surface d’attaque des failles en question, sans pour autant publier de communiqué officiel à ce sujet.

Sources : Gizmodo, Vice

A découvrir aussi en vidéo :

Le malware adapte son comportement en fonction du type de compte compromis (root ou non). Il est capable d’analyser le terminal infecté, d’exfiltrer des données sensibles et d’exécuter des plugins. Ces derniers n’ont toutefois pas pu être décortiqués par les chercheurs. Par ailleurs, on ne sait pas encore quel est le mode de diffusion de ce code malveillant. Enfin, les chercheurs ont remarqué que le code avait des similitudes avec Torii, un botnet d’objets connectés assez sophistiqué détecté en 2018 par Avast. Beaucoup de questions restent donc encore ouvertes sur ce curieux malware.

Source: Qihoo 360

This is why it’s so important to only use browsers you know will protect and improve your internet privacy. In this article, we explain how browsers capture so much information and which web browsers in 2019 are best at keeping your browsing history safe from data-hungry tech companies and advertisers

Further reading: Easy steps to improve your internet privacy

How you are tracked online

Before examining the impact your browser can have on your privacy, you need to understand how your online activity is monitored.

While having a company directly record your browsing history is a risk (see Google Chrome), the more common threats to your privacy come from online advertisers and third-party trackers. Similar to Google, advertisers and trackers want to record as much of your online browsing as possible. The more data they have, the better they can show you ads specifically tailored to you. The two tools they use to follow you around the Internet are device fingerprinting and cookies.

Device fingerprinting is when a site looks at all the characteristics of your device (the make and model of your device, what browser you are using, what plugins you have installed, what timezone you are in, etc.) until it has enough information to identify and follow it. Your device share this information to optimize the websites you visit. For example, websites want to know if you’re using a laptop or a smartphone so that it can select the correct font size and screen resolution. This can be surprisingly accurate. To see if your device has an easily identifiable fingerprint, check out the Electronic Frontier Foundation’s Panopticlick.
Cookies, or HTTP cookies, are tiny data packets that websites or services plant on your browser while you’re on a website. These cookies differentiate your browsers from others, like a nametag. 
The privacy risks of Chrome

Any discussion of privacy and Web browsers must begin with Google Chrome. It is, by far, the most popular Web browser. Chrome handles over 60 percent of web traffic. This is unfortunate because Google uses Chrome as a window to peer into every action you take online. Unless you modify your Google privacy settings, Chrome records every site you visit so Google can serve you targeted ads.

Even worse, Chrome does very little to block other advertisers and trackers from monitoring you with cookies or device fingerprinting. A Washington Post article reported Chrome gathers roughly 11,000 trackers in an average week. Do you want 11,000 pairs of eyes on you every time you do an Internet search?

[embedded content]

However, you do not need to give away your personal data to access the Internet.

There are Internet browsers that do not record your every action and protect you from trackers. Switching from Chrome to one of the following browsers can drastically reduce the amount of data you are inadvertently sharing as you browse the Internet.

Further reading: Gmail’s privacy problem and why it matters

Best secure and privacy-first web browsers: 
1. (tie) Brave

The Brave browser was designed to make privacy simple enough for everyone. It is an open source browser built on top of Chromium (an open source version of the Chrome browser), which means it’s easy for Chrome users to make the switch.

However, unlike Chrome, Brave does not collect any data about your online activity. Your data remains private and on your device.

Brave also makes blocking trackers easy. Instead of forcing users to decide which plugins and browser extensions they should download, Brave comes fully equipped. It automatically blocks all third-party and advertising cookies, and because HTTPS Everywhere is built-in, it ensures all your connections are securely HTTPS encrypted. Brave also features Fingerprinting Protection in the browser.

The company also has a social mission: to encourage websites not to rely on advertising based on tracking you around the Internet. Brave has introduced a system that allows you to reward creators and sites you visit directly.

Called Brave Rewards, it uses a utility token called a Basic Attention Token and enables you to anonymously reward the websites you visit most. Brave also has opt-in, privacy-preserving Brave Ads, and users who choose to view them earn 70% of the ad revenue, which they can then use to reward their favorite online creators.

Brave is available for desktop, Android, and iOS. 

1. (tie) Firefox 

The open source Firefox is the third-most-popular browser on the Internet, behind Google’s Chrome and Apple’s Safari. Developed by Mozilla, the Firefox team has improved the browser’s privacy protections in recent years.

They have introduced advanced anti-fingerprinting and Enhanced Tracking Protection features this year, both of which make it much more difficult for third-party trackers to follow you around the Internet.

Unlike Brave, the standard Firefox does not automatically block advertisements. However, there are numerous browser extensions that you can download that will prevent advertisers from getting your information or showing you ads.

Or, if you primarily browse the Internet on your mobile device, Firefox Focus incorporates automatic ad blocking. (Focus was developed as an ad blocker for Safari, but was then transformed into a minimalistic privacy browser for Android users.) 

Firefox is available for desktop, Android, and iOS. 

3. Tor browser

As we have discussed elsewhere, Tor is the best option if privacy is your utmost concern. The Tor browser is based on Firefox, but it has been stripped down and specially calibrated to run on the Tor network.

When you use Tor, your traffic is encrypted three times and bounced between three Tor servers before it reaches your desired website. The encryption is handled in such a way that each server only has access to one set of instructions, so no server has access to both your IP address and the website you are visiting.

This setup makes it impossible for Tor to keep any records about your online activity, and every time you close your session, the browser deletes your cookie cache and browsing history. The browser itself is formatted to prevent fingerprinting, and it blocks all kinds of trackers.

Unfortunately, it also blocks a lot of plugins that websites rely on. For example, with its privacy settings fully activated, the Tor browser will block JavaScript. JavaScript can expose user information, but blocking it can make websites unusable. Using Tor can also mean performing endless CAPTCHA verifications when you try to access larger sites. Finally, the Tor browser is slower than other browsers because of the extra encryption.

Download the Tor browser app for desktop and Android, as well as a Tor-approved open source Onion browser for iOS.  

4. DuckDuckGo (honorable mention)

Unlike the other browsers mentioned above, DuckDuckGo does not have a standalone desktop browser, which means it is only a solution if you are browsing the Internet on your smartphone or tablet. With the DuckDuckGo browser, your browsing history never leaves your device. Deleting your entire browsing history is as easy as tapping a single button.

It automatically blocks ads, stops third-party trackers, and ensures HTTPS encryption on all sites where that’s possible. One feature that does set it apart is the Privacy Grade it gives each site. This makes it easy for you to evaluate how much data each website collects from you, with and without DuckDuckGo’s protections, at a single glance.

The DuckDuckGo browser is available for Android and iOS.
You can also use the extension for Chrome and Firefox.

The Web browser you choose can have a dramatic impact on your overall online privacy. By switching to one of the privacy-focused browsers in this article, you can protect your browsing history from the companies and trackers that want to monitor your every digital move.

What’s your favorite web browser? Let us know in the comments below on Twitter or Reddit.

Best Regards,
The ProtonMail Team

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.

Cela vous intéressera aussi

[EN VIDÉO] Qu'est-ce qu'une cyberattaque ?  Avec le développement d'Internet et du cloud, les cyberattaques sont de plus en plus fréquentes et perfectionnées. Qui est derrière ces attaques et dans quel but ? Quelles sont les méthodes des hackers et quelles sont les cyberattaques les plus massives ? 

Pour espionner et contre-espionner, les agences du renseignement de n'importe quel pays utilisent les mêmes outils que les pirates : des malwares. Tout est secret défense, mais Kaspersky pense avoir mis la main sur les logiciels utilisés par la CIA. Bien évidemment, en prenant le soin de ne pas la nommer.

Dans son rapport trimestriel, le seul célèbre éditeur d'antivirus explique ainsi qu'il a étudié des échantillons de malwares envoyés en février 2019 aux experts de sécurité. C'est ce qui se fait habituellement, et les plus grands antivirus sont chargés de les analyser pour renforcer la protection de leurs solutions, mais aussi de faire le point sur les menaces actuelles.

Une variante d'un cheval de Troie utilisé depuis 2014

Certains des échantillons ne peuvent être associés à aucune activité connue. Kaspersky explique qu'il a alors isolé les malwares les plus sophistiqués, et les experts ont découvert des similitudes dans le codage, le style et les techniques utilisés dans la famille des logiciels malveillants dits Lambert. Il y a quatre ans, sous le nom de Vault7, WikiLeaks avait révélé au grand public les outils de la CIA et, chez Kaspersky, on avait décidé de les classer sous le nom de Lambert, avec un code couleur pour chaque variante.

Aujourd'hui, il s'agit donc de Purple Lambert, et ce cheval de Troie permet de surveiller l'activité du réseau sur l'ordinateur infecté. C'est un malware passif, qui agit en arrière-plan, et selon Kaspersky, son code date de 2014. C'est une découverte extrêmement rare et, bien sûr, l'éditeur ne nomme pas la CIA... Mais comme il range sa découverte dans la « famille Lambert », forcément, il s'agit des toolkits de piratage utilisés par le renseignement américain dans le passé contre l'« État islamique », ou encore le secteur de l'aviation civile chinoise.

Intéressé par ce que vous venez de lire ?

Lien externe

Définitions associées

All solutions support integration into directory services. External users can join Threema Work without having to complete a tedious registration process and even without providing a phone number or email address. On top of that, Threema Work can also be restricted to a closed user group.

Not to offer an option to archive user chats on a central server (e.g., for compliance purposes) is a deliberate decision of Threema Work because this would, in theory, allow the service provider to access message contents, which, in turn, would render the security benefits of end-to-end encryption completely useless.

At Proton, we view end-to-end encryption as a core requirement for any messenger app that claims to be secure and private. This means messages are encrypted on your device and can only be decrypted on the device of the intended recipient. 

WhatsApp uses end-to-end encryption, so the actual messages are therefore secure on the platform. But this does nothing to stop Facebook from abusing metadata: information about whom you communicate with, from where, at what time, how often, and from which device.

Open source code is another important indicator that a service is secure. By publishing an app’s code publicly, anyone can examine it to ensure the app is doing what it is supposed to be doing. We believe open source is one of the best indicators that an app can be trusted.

We have therefore limited the following list of best WhatsApp alternatives to open source messaging apps that use end-to-end encryption (E2EE). Please note that apps are not reviewed in any particular order.

Signal

Pro

Free
Very good encryption
Almost no metadata kept
Protocol independently audited
Seamless to use on Android
Disappearing messages
E2EE text, voice, and video group chat

Cons

Requires a valid phone number to register
Hosted on Amazon Web Services (AWS)

The Signal messaging protocol is an end-to-end messaging protocol developed by the Signal Foundation, a non-profit organization founded by cryptographer and privacy activist Moxie Marlinspike. The Signal Protocol is open source, has been professionally audited for security vulnerabilities, and is widely admired for its cryptographic strength. 

Because of the quality of the Signal protocol, it is used by a variety of third-party messaging apps to provide secure end-to-end encryption for messages. These include WhatsApp, Facebook Messenger, and Skype, Unlike WhatsApp and other third-party apps that implement the Signal protocol, however, the Signal app from the Signal Foundation is 100% open source. 

Crucially, in light of recent heightened awareness about WhatsApp’s privacy policies, the Signal app and Signal Foundation keep almost no metadata related to the app’s usage. Only “the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service.” This is a claim that has been proven in court.

The app app itself has not been audited, however, and some security concerns exist around Signal’s reliance on Intel Software Guard Extensions (SGX). In theory, this could result in users’ metadata and data(but not messages) being compromised at the server level. This is a particular concern because Signal uses AWS to host its infrastructure, which is subject to legal demand from the US government.

Unlike WhatsApp, Signal is designed to replace your phone’s regular SMS messenger app on Android (not iOS). Texts exchanged to other Signal users are end-to-end encrypted, but texts to non-Signal users are not. Signal will warn you when messages are sent unencrypted. 

This makes Signal very transparent in use, but the fact that users must register with a valid phone number in order to match contacts is also the main source of criticism the app receives. It should be noted, though, that contacts are stored locally only and cannot be accessed by Signal Foundation.

In addition to messages, Signal supports disappearing messages, E2EE group voice chats, and now group video chats between up to eight users. Signal is a non-profit organization that relies on donations to operate.

Telegram

Pros

Free
Channels for broadcasting messages
Bots for managing groups
Sync across multiple devices (not E2EE)
Polls, stickers, sharing live location, identity management
E2EE 1-1 text, voice, and video chat

Cons

Encryption concerns
Only Secret Chats are E2EE 
Group chats (text or voice) are not E2EE
Collects lots of metadata
No group video chats
Requires a valid phone number to register
Headquartered in the UAE, which is not known for human rights or privacy from the government (despite having some strong privacy laws)

With over 500 million users, Telegram is a very popular WhatsApp alternative. A big part of this popularity is the widespread perception that Telegram is highly secure, a perception only heightened by a number of governments, notably Indonesia, Russia, and Iran, trying to block or ban the app.

There are, however, some big caveats regarding the security that Telegram offers its users. Regular default “Cloud-based messages,” that can be accessed on any of a user’s devices, are encrypted in transit and when stored on Telegram’s servers, but they are not end-to-end encrypted. Only client-to-client “secret chats” are end-to-end encrypted. Secret Chats are not available for groups or channels.

The open source in-house MTProto encryption used to secure communications in Telegram (whether E2EE or otherwise) has come under criticism from security experts, although the new version (MTProto 2.0) has been formally verified to be cryptographically sound. The Telegram API and all Telegram apps are open source, but its server-side backend is not. 

Another issue is that Telegram may collect a great deal of metadata from users: “We may collect metadata such as your IP address, devices and Telegram apps you’ve used, history of username changes, etc.”

On the other hand, Telegram has built its own secure cloud infrastructure, distributed across the globe. The encryption keys used to secure the Telegram Cloud are split in pieces and never stored in the same place as the information they protect.

Security considerations aside, a key feature that contributes to Telegram’s popularity (especially in repressive countries such as Iran, where it enjoys over 40 million users despite government attempts to regulate use of the service) is support for “channels.” Users can create and post to channels that any number of other users can subscribe to. 

Public channels can be created using an alias and a URL that anyone can subscribe to, making Telegram a powerful tool for organizing resistance and disseminating information in repressive countries. 

Other features that help make Telegram popular include polls, stickers, sharing live locations in chats, and an online authorization and identity management system for those who need to prove their identity. A bots feature assists managing groups and channels. 

It also features One-to-one voice and video chats are fully end-to-end encrypted, although group voice chats are not. Group video calls are not supported.

Telegram is funded by public donations (notably from its own founder, Pavel Durov), although it is possible in-app monetization features will be introduced in the future.

Threema

Pros

No phone number or email required to sign up
Almost no metadata kept
Independently audited 
Swiss-based with own servers
GDPR compliant
E2EE group text and voice chat
Group polling and distribution lists (Android only)

Cons

Not free
Relatively small userbase
No group video calls

Like Proton, Threema is based in Switzerland, a country with very strong data privacy laws and independent from the United States and European Union. It also owns its own server infrastructure located in Switzerland. 

All Threema’s apps use the open source NaCl cryptography library for end-to-encryption of all communications, and all have been recently audited (in 2020) by security professionals. 

An email address or phone number is not required to register an account, and it is possible to purchase Threema for Android anonymously using Bitcoin. Threema claims this allows you to text and make calls anonymously, and it goes to lengths to ensure that a minimum amount of metadata is collected. 

The fact that the app is not free is likely to be a pain point for some, but at around US$3 (one-time purchase), it’s unlikely to break the bank for most. This may contribute, however, to one of the biggest downsides with Threema: that its userbase is relatively small. 

The Android app features distribution lists that allow you to send messages to multiple separate recipients. In addition to fully E2EE group text and voice calls, Threema offers a group polling feature. E2EE video calls are supported, but not for groups.

Wickr Me

Pros

Free
Built for ephemeral messaging
Anti-censorship feature
E2EE group text and voice chat
No phone number or email needed for signup

Cons

Apps themselves are not open source 
Security audits are not published
No video chat (although available on free Pro version of app)

There are three Wickr apps, with the free Wickr Me being the version designed for personal use. The lowest tier of the more Slack-like Wickr Pro is also free, although it requires you to verify your identity at start-up.

Wickr Me places ephemeral messaging front and center, with messages disappearing from both the sending and receiving devices after a set period of time (six days by default). Undelivered messages sitting on Wickr servers are also deleted after this time.

You can also set a Burn-On-Read timer to determine how long a message lasts before self-destructing once it has been read. If it is not read then it will self destruct at the end of the message timer length. All metadata is scrubbed once a message is opened or expires (whichever comes first)

Wickr advertises itself as open source software, but there are a couple of major caveats to this claim. The code for the core wickr-crypto-c end-to-end encryption protocol that underpins all Wickr apps is available on Github for anyone to examine, but licencing restrictions mean that it cannot truly be described as open source.

More serious from a security stand-point, though, is that while the core crypto protocol is source-available, the code for the Wickr apps themselves is not. Wickr says that its code has undergone multiple independent security audits, but the full results of these audits are not publicly available.

No phone number or email is needed to register with the service. Up to 10 people can be invited into a room or end-to-end encrypted text or voice group chat. Video conferencing is not available in Wickr Me, although it is supported in the Wickr Pro app (including E2EE group chat with all room members).

Wickr is hosted on public server networks (such as Google and AWS), but has partnered with Psiphon to offer Wickr Open Access, a powerful anti-censorship feature.

Wickr Me is free, but it is funded through Wickr’s premium Pro and Enterprise apps. 

Wire

Pros

Free option
E2EE text, voice, and video group chats
Syncs across up to eight devices
Advanced video conferencing features

Cons

Quite a lot of metadata logged (and possibly stored in plaintext)
Phone number or email address required to register

Wire is another service based in privacy-friendly based in Switzerland. A phone number or an email email to register. In order to facilitate syncing across multiple devices, however, Wire keeps quite a lot of metadata. 

For years Wire kept a list of all users a customer has contacted in plaintext on their servers until an account is deleted, and it is unclear if this practice continues. Wire’s privacy white paper, however, makes it clear it logs data such as the participants in a group chat and user-defined folders used for organizing chats. 

The functional benefit of this is that it allows Wire to work across multiple devices in a way most E2EE messenger apps (including Signal) do not. It’s also worth noting that Edward Snowden recommends using Wire (or Signal).

Wire uses the Proteus protocol to provide end-to-end encryption for text messages. Proteus is an early fork from the code that went on to become the Signal Protocol. Proteus, and all Wire apps, have been publicly audited (making Wire the only app we are aware of to have this done).

Voice (up to 25 participants) and video calls (up to 12 participants) are end-to-end encrypted using DTLS with an SRTP handshake.

The app does support advanced video conferencing features that will appeal to business users, though, including screen sharing, screen recording, and advanced meeting scheduling.

Wire is keen to push users toward its premium Pro and Enterprise products, but a free version is available which offers similar features to the Pro app.

Element (was Riot.im)

Pros

Free option
Server federation
“Bridges” for interoperability with other apps
E2EE text chat
No phone number or email needed for signup

Cons

Questions over Matrix server network reliability
Not fully audited

All the other messenger apps discussed in this article rely on a centralized server network to function (although, as in the case of using AWS, this can be a highly distributed network).

Element is instead built on the idea of federation. Users can set up their own servers using the Matrix communications protocol or connect to Matrix servers that have been set up by other users. Federation has received the support of Edward Snowden, but remains a controversial idea due to the potentially unreliable ad-hoc peer-to-peer nature of such a network.

Matrix servers are interoperable, so any user of any Matrix client (Element is the most popular of these) can communicate with any other Matrix user. Matrix “bridges” even allow for communication with the users of other popular messaging platforms, such as Signal, Slack, or even WhatsApp.

Matrix (and thus Element) uses the Olm implementation of the Double Ratchet algorithm, with Megolm used for group communications. All Element apps, plus the Matrix protocol itself, are open source, but have not been formally audited. Olm and Megolm, however, have.

An email or phone number is not required to register with Element, although these can be added to make contact matching easier. By default, messages are hosted on a large public server run by Matrix, but you can connect to any Matrix server or set one up yourself in a matter of seconds.

All text chats and 1:1 voice and video calls are end-to-end encrypted. Group voice and video calls ( which also allow screen sharing) leverage Jitsi ( without E2EE support in Element at the present time). The Element app is free, but premium plans are available for Element-managed Matrix servers.

Keybase

Pros

Free (funding model is unclear)
E2EE text chats with support for public and private channels
Can connect to people via their social media profiles with PGP verification
Syncs across multiple devices
Self-destructing messages
Stellar wallet
250 GB free storage per user
Encryption is not TOFU

Cons

Owned by Zoom
A lot of metadata logged (much of it shared on a public blockchain)

Keybase is a free and open source (FOSS) messenger app (servers are not open source) that end-to-end encrypts all texts and files between users. Voice and video calls are not supported directly, but are possible using a (not E2EE) Jitsi bot.

E2EE group chat, with support for private and public “Teams” (i.e., channels) is end-to-end encrypted.

Keybase is notable for allowing you to connect to others using their social media (Twitter, GitHub, Reddit, Hacker News, and Mastodon) identities, which are verified using PGP encryption keys. No phone number or email address is required, and the app will sync across multiple devices. 

The PGP-based end-to-end encryption used by Keybase is solid and underwent a full independent audit in 2019. Interestingly, Keybase is almost unique in not supporting Trust On First Use (TOFU) when connecting to servers. This helps to make it resistant to man-in-the middle attacks.

The app also offers self-destructing messages; bots to automate your Keybase tasks; a Stellar wallet; full PGP support for encrypting and decrypting messages and files; and 250 GB free storage per user.

However, messages are stored on centralized servers (based in the US), which log a worrying amount of personal data. This includes your Team names and memberships, hashed passwords, account activity, your Keybase user ID and your IP address, network activity, and more. Not only is information stored encrypted, but much of it is added (in hashed form) to a public blockchain.

Arguably even more concerning is that Keybase is now owned by Zoom, a company widely criticized for its many privacy and security lapses, and which may be subject to pressure from the Chinese government. The fact that it is not clear how Zoom benefits from offering Keybase for free may also be a reason for concern.

Final thoughts

As a replacement for WhatsApp as a general purpose messenger that genuinely respects your privacy, Signal is an obvious choice, although being hosted on AWS servers remains a concern in light of its reliance on SGX. The security concerns around Telegram make it harder to recommend as a simple messenger, although its “channels” feature remains a powerful tool for organizing resistance in restrictive countries.

Another alternative for secure communication is end-to-end encrypted email. The biggest benefit of ProtonMail is its interoperability: You don’t need to have your recipient using the same messenger service to benefit from end-to-end encryption because, unlike any of the messenger apps discussed here, you can send end-to-end encrypted messages to anyone who has an email address using our Encrypt for non-ProtonMail users feature. The simplest way to benefit from E2EE, though, is to have both ends of the conversation using ProtonMail. Our servers are located in privacy-friendly Switzerland, and as with the messenger services discussed in this article, ProtonMail apps are open source.

The other apps discussed above all offer useful features that will appeal to those who need them, whether it’s anonymous sign-up, business collaboration tools, or server federation. Element/Matrix is a particularly strong choice for privacy enthusiasts, although its niche user base severely hampers its practicality as as a WhatsApp replacement.

As you take back your privacy in the digital age, anything you do to move more of your personal data behind strong encryption is an important step toward building an internet that puts people first.

FAQ

What are the dangers of using WhatsApp?

Since 2016, WhatsApp has shared the vast majority of its users’ transactional data and metadata with Facebook. A new privacy statement, which users must agree to by May 15, 2021, or use access to their accounts, “clarifies” this situation.

Information shared by WhatApp with Facebook includes your IP address, device ID, operating system, browser details, mobile network information, who you message, how long and how often you interact with them, transaction and payment data, and more.

Is WhatsApp chat private?

Messages in WhatsApp are end-to-end encrypted using the Signal protocol. This means only you and the intended recipient(s) can read your actual messages. So WhatsApp is secure. It does, however, collect a lot of metadata that is damaging to your privacy (see above).

What is the safest messaging app?

Signal is both highly secure and respects your privacy. We discuss it, plus the pros and cons of other good WhatsApp alternatives, in this article. 

How can WhatsApp be free?

WhatsApp is owned by Facebook, which makes a huge amount of money from invading users’ privacy in order to better target you with personalized ads. WhatsApp adds to the data Facebook knows about you by sending a great deal of metadata regarding your use of WhatsApp to Facebook. 

Note that, as Signal and some of the other apps discussed in this article, show, it is possible to offer a free messaging app without invading users’ privacy in this way.

Return to table

Footnotes:

All Telegram apps are open source, but the backend isn’t. This would not really be an issue if all communications were E2EE, but they are not by default (and no group chat is E2EE).
By default, Telegram chats are not end-to-end encrypted. Only client-to-client “secret chats” are. Secret chats are not available for groups or channels.
The 2015 audit of MTProto protocol was not very favorable. MTProto 2.0 has been formally verified to be cryptographically sound.
Wickr says its code has undergone multiple independent security audits, but the full results of these audits are not publicly available.
The Element apps and the Matrix protocol have not been formally audited. However, the Olm and Megolm protocols that underpin Matrix have.
All metadata is scrubbed once a message is opened or expires (whichever comes first).
Contacts can be added using social media profiles and verified using PGP keys.
Wickr has partnered with Psiphon to offer Wickr Open Access, a powerful anti-censorship feature for its servers.
Element and/or Matrix don’t actually own their own servers, but new Matrix servers can be set up within minutes on any server platform (or can be self-hosted). It is therefore almost impossible to shut down or block access to the Matrix platform. 
Wire is based in Switzerland and all users outside the United States are subject to Swiss law. US users, however, are subject to US law.
Matrix is a community-developed open source platform whose federated servers can be hosted anywhere in the world. 
Keybase is owned by Zoom, which may also be subject to pressure from China.

Return to table