Security notes

This information page is about security-related topics. Have a look at our privacy policy, if you are looking for privacy-related topics.

Security contact

We provide a security.txt file. See our contact page for contact details.

Security and privacy take top priority

The internet is full of criminals, bots, malware, wannabe hackers, and other parties who want your data and cause great harm. On the other hand, many websites require your personal data, track your digital activities and analyze your data for shady purposes. Then, this personal data is sometimes leaked due to insufficient security controls.

Some people try to convince you that your data is secure since their website is rated “secure” by some online assessment tools. However, these tools can never provide a holistic view of the security level of a server due to technical limitations. See also “Pros and cons of online assessment tools for web server security”. Other people use long lists of contextless security controls that don’t protect you at all.

Keep in mind: Information security is about technology, people and processes. Many private individuals are solely focused on technology while humans are continuously the weakest link in the InfoSec chain.

How we protect you

Most importantly, we never collect your personal data. We actually disabled common web technologies (like HTTP POST) that allow your web browser to send data to our web server. We didn’t deploy any tracking technologies and we didn’t embed any third-party content.

As for security, we only use static content that can’t be manipulated without breaking into our web server. There is no PHP, no JavaScript, no cookie. We do not use insecure content management systems (like WordPress, Joomla or Drupal).

The connection between your client and our web server is protected by a modern TLS configuration and we provide two certificates for authenticity (ECDSA and RSA). We deployed modern technologies to make our certificates verifiable so that your clients can check whether the certificates are valid. Supplementary technologies tell your clients how they should handle our content in a secure way.

We are well aware that most of the deployed technologies require client support. Some technologies are really new and may not be supported by your clients.

How we protect our server

Our server is running an up-to-date and hardened version of Linux—hardened as in “we removed features to keep our attack surface small and deployed strict configuration for remaining packages”. This is a single-purpose server: There is only our web server running on the machine. There is no mail server, no chat server, no database server.

Since we do not control our server physically (like most website administrators), we deployed several monitoring technologies that allow us to keep an eye on activities of our server. Furthermore, we concluded a data processing agreement according to Article 28 GDPR with our server provider. All SSH logins are monitored and require two-factor authentication.

As for recovery, every update of our blog automatically triggers a backup process. Our backups are physically located in three different countries. We regularly conduct integrity checks.

Apart from our web server, we verified our accounts using Keybase and sign our comments on other websites to avoid being impersonated.

More than necessary

To be honest, we only provide a static blog. There is no need for many security controls mentioned above and we don’t misuse them for marketing. There is no valuable data on our servers. The biggest risks are a compromised web server that spreads malware or manipulated traffic due to insecure HTTP connections. We go to great lengths to avoid this.