
Privacy and Security

Privacy and security are frequently treated as a single discipline, but they pull in different directions more often than most people realise. Security measures that protect infrastructure sometimes do so by collecting detailed telemetry about users. Privacy-preserving architectures sometimes limit the visibility that security teams need to detect threats. The interesting work happens at the boundary, where improving one dimension means accepting trade-offs in the other.

This topic page connects content from across the site that addresses privacy and security from different angles — protocol analysis, real-world testing of protection mechanisms, encryption deployment, server-level defence, and the ecosystem dynamics that determine how well users are actually protected. The coverage spans both the user-facing side (browser fraud protection, chat encryption, TLS deployment quality) and the operator-facing side (intrusion prevention, certificate management, server hardening). A site operator's TLS configuration directly determines the encryption quality protecting their users' data. A browser vendor's fraud protection decisions determine whether users encounter phishing pages or are intercepted before harm occurs. Seeing both sides together is essential.


Protocol and encryption analysis

The strength of encryption in transit depends not just on whether TLS is enabled, but on how it is configured — the cipher suites offered, the certificate chain, the protocol versions supported, and the HSTS policy. These implementation details determine whether a connection is genuinely secure or merely appears to be.

TLS Ratings of Norwegian Banks

This investigation surveys TLS deployment quality across Norwegian banking institutions — cipher suite selection, protocol version support, certificate configuration, and compliance with current best practices. Banking represents one of the highest-stakes environments for transport security, carrying authentication credentials and financial data where the cost of interception is not theoretical.

The results are instructive: even in a sector where security is a regulatory requirement, implementation quality varies considerably. Some institutions maintain exemplary configurations with modern cipher suites and strict HSTS policies. Others show configurations where legacy compatibility has weakened the overall posture. The gap within a single regulated industry is useful calibration for anyone assessing TLS quality elsewhere.

EA Origin Chat — Unencrypted

This investigation documents the discovery that EA's Origin platform transmitted chat messages without encryption — plaintext conversations interceptable by anyone on the network path. The finding is significant not because the vulnerability was complex, but because it occurred in a platform with tens of millions of users, long after TLS had become standard practice for user communications.

The investigation serves as a case study in what happens when security analysis extends beyond the login page. Many platforms encrypt authentication correctly while leaving other channels — chat, voice, file transfers — unprotected. The documented traffic analysis methodology and findings reveal the gap between a platform's security reputation and its actual implementation.


Browser-level protection

The browser is the primary security boundary for most users. The decisions that browser vendors make about phishing detection, malware interception, Safe Browsing integration, and extension permissions determine the baseline protection level for billions of people. Understanding how these mechanisms work — and where they fail — matters for anyone making browser recommendations or assessing their own exposure.

Fraud Protection in Alternate Browsers

This investigation tests the actual fraud protection effectiveness of browsers outside the Chrome and Firefox mainstream, including privacy-focused browsers that disable or modify Safe Browsing integration. The fundamental question: if a user chooses a browser for privacy, what happens to their phishing and malware protection?

Phishing interception rates, detection latency, and the specific mechanisms each browser uses (or omits) are tested and compared. The security-privacy tension is nowhere more visible than in the Safe Browsing decision: the most effective phishing protection requires sending browsing data to a centralised service — precisely what privacy-focused browsers aim to avoid.

Brave Payments

Brave positions itself at the intersection of privacy, ad blocking, and alternative web monetisation — built-in tracking protection paired with cryptocurrency-based publisher payments. This journal entry documents the practical publisher-side experience, assessing whether the privacy-centric model delivers on its promises economically.

Brave's model embodies a particular theory about how privacy and economics can coexist. The built-in ad blocking removes traditional tracking; the replacement system claims to preserve privacy through local matching rather than server-side profiling. Whether this works in practice has direct implications for privacy-respecting alternatives to surveillance-advertising.


Server-level defence

The operator side of security involves a different set of decisions: intrusion detection, automated response, protocol-level hardening, and the configuration of services that determine what attack surface is exposed. These are the choices that site operators and system administrators make, and they directly affect the security posture that users experience.

Fail2ban and IPv6

Fail2ban is one of the most widely deployed intrusion prevention tools on Linux servers — monitoring logs for authentication failures and blocking offending IPs through firewall rules. Its effectiveness for IPv4 is well established. IPv6, where attackers can trivially rotate through addresses within a /64 prefix, is a substantially different problem.

This investigation examines the challenges of applying Fail2ban's ban-by-address model to IPv6, where blocking individual addresses is largely futile. The analysis covers prefix-based banning strategies and practical effectiveness. For anyone running services on dual-stack, understanding where this model breaks down prevents a false sense of security.

Let's Encrypt Experiences

Let's Encrypt transformed the TLS landscape by eliminating cost as a barrier to encryption. This page documents the practical experience of deploying and managing certificates on production infrastructure — automation, renewal edge cases, web server integration, and operational realities beyond the standard documentation.

Certificate management is a security-critical task where failure is visible and immediate: expired certificates break the site, misconfigured renewals create vulnerability windows. The observations cover straightforward deployments and the edge cases — wildcard certificates, multi-domain configurations, non-standard server setups — where ACME workflows encounter friction.


What readers usually need

Readers arriving at this topic page typically have one of these questions:

  • How well do alternative browsers protect against phishing? Fraud Protection in Alternate Browsers provides tested interception rates and mechanism comparisons
  • Is chat on gaming platforms encrypted? EA Origin Chat — Unencrypted documents a specific case of plaintext communication in a major platform
  • How do banks actually deploy TLS? TLS Ratings of Norwegian Banks surveys real-world configuration quality in a regulated industry
  • Does Fail2ban work with IPv6? Fail2ban and IPv6 examines the limitations of IP-based banning in the IPv6 address space
  • What is Let's Encrypt like to operate in practice? Let's Encrypt Experiences covers the operational realities beyond the standard documentation
  • Does Brave's privacy model work for publishers? Brave Payments documents the economic and privacy assessment from the publisher side

This topic page is one of several cross-section hubs on the site. The topics index provides the full list of available topic clusters. If you are looking for content organised by editorial type rather than by subject, the section hubs are:

  • Security for the full collection of investigations and protocol analysis
  • How-To Guides for practical walkthroughs and configuration guides
  • Tech Notes for behavioural observations and subsystem documentation
  • Web Development for server and front-end notes
  • Development for scripting, tooling, and extension work
  • Reviews for product and service assessments
  • Journal for reflective commentary

Privacy and security concerns surface across nearly every section on the site. The pages linked from this topic hub are the ones where privacy or security is the primary subject rather than a secondary consideration. As new investigations, configuration guides, and analysis pieces are published, those that centre on privacy or security themes will appear here alongside the existing coverage.