Just out of curiosity, why is your network not a trusted party?
Part of my threat model is essentially “anything that can connect to the internet poses a security risk”. Since networks are the literal gateway to the internet, it is reasonable not to trust them. Routers don’t run as secure operating systems as Qubes OS, secureblue, or GrapheneOS. If a malicious party found a way to connect to the network, all unencrypted activities can be intercepted. If the router itself has malicious code, any unencrypted traffic can be sent to a third party. Those are just the basics, but trying to put band-aid solutions on a fundamentally broken system is a losing battle.
GrapheneOS distrusts networks as much as possible, so I do too. Even if I own the network, I am not a network engineer, so the chances of fault are high. In the simplest case, the network is a gateway to all activity that happens on the LAN, and it only takes one zero day to make that happen. The best mitigation is proper encryption and no self-signed certificates (where possible).
Charger8232@lemmy.ml 4 weeks ago
Part of my threat model is essentially “anything that can connect to the internet poses a security risk”. Since networks are the literal gateway to the internet, it is reasonable not to trust them. Routers don’t run as secure operating systems as Qubes OS, secureblue, or GrapheneOS. If a malicious party found a way to connect to the network, all unencrypted activities can be intercepted. If the router itself has malicious code, any unencrypted traffic can be sent to a third party. Those are just the basics, but trying to put band-aid solutions on a fundamentally broken system is a losing battle.
GrapheneOS distrusts networks as much as possible, so I do too. Even if I own the network, I am not a network engineer, so the chances of fault are high. In the simplest case, the network is a gateway to all activity that happens on the LAN, and it only takes one zero day to make that happen. The best mitigation is proper encryption and no self-signed certificates (where possible).