Security notes

This information page is about security-related topics. If you are looking for privacy-related topics, have a look at our privacy policy.

Technical and organizational measures

We take your and our security very seriously. We have implemented technical and organizational measures to ensure a level of security appropriate to the identified risks. These measures include, but are not limited to:

  • no personal data stored on our web server
  • no CMS (like WordPress, Drupal, Joomla etc.) in use
  • no databases in use
  • no dynamic content like JavaScript or PHP
  • no cookies
  • links to external pages are separated from articles
  • state-of-the-art transport encryption (TLS 1.2 only with PFS and AEAD)
  • modern authentication using an ECDSA certificate (384-bit) or an RSA certificate (4096-bit)
  • limitation to HTTP GET and HEAD methods
  • strict Content Security Policy
  • SSH access with IP whitelisting and 2FA for server management and access control
  • additional security features like:
    • DNSSEC (for signed DNS records)
    • HSTS (to prevent HTTPS → HTTP downgrade attacks)
    • OCSP Must-Staple (for obtaining the revocation status of our certificate)
    • Certificate Transparency (for monitoring and auditing our certificate)
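
The list above maps onto a small number of web server settings. The following nginx server block is an added example that shows how each listed measure is typically configured; it is not the site's own configuration. The hostname, certificate and document-root paths, the resolver address and the exact Content Security Policy value are assumptions chosen for a static site without scripts.

```nginx
# Added example, not the site's own configuration.
# Hostname, paths, resolver and CSP value are placeholders/assumptions.

server {
    listen 443 ssl http2;
    server_name example.com;                                # placeholder

    ssl_certificate     /etc/ssl/example/fullchain.pem;     # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;       # placeholder path

    # TLS 1.2 only. ECDHE key exchange provides forward secrecy (PFS);
    # AES-GCM and ChaCha20-Poly1305 are AEAD ciphers. No CBC, no RSA key exchange.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;                               # matches a P-384 ECDSA certificate

    # OCSP stapling. A certificate issued with the Must-Staple extension makes
    # clients refuse the connection if this staple is missing.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example/chain.pem;     # placeholder path
    resolver 127.0.0.1;                                     # assumption: local validating resolver

    # HSTS: after the first HTTPS visit, browsers refuse plain HTTP for this host.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    # Strict CSP for a static site without JavaScript (value is an assumption).
    add_header Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'" always;

    root /var/www/example;                                  # placeholder
    index index.html;

    location / {
        # Only GET is listed; nginx implicitly allows HEAD together with GET.
        # Every other method (POST, PUT, OPTIONS, ...) receives 403.
        limit_except GET {
            deny all;
        }
    }
}

# Plain HTTP exists only to redirect, so the HSTS header above can take effect.
server {
    listen 80;
    server_name example.com;                                # placeholder
    return 301 https://$host$request_uri;
}
```

Two points worth checking after deploying such a configuration: `ssl_stapling` needs a working `resolver` and the issuer chain in `ssl_trusted_certificate`, otherwise nginx silently serves no staple (fatal for a Must-Staple certificate); and `add_header` directives are not inherited into a `location` block that defines its own `add_header`, so the HSTS and CSP headers must be repeated there if such a block is added later.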

Please note that online scanning tools do not provide a holistic view of the security level of a server. Many aspects can only be tested if one has access to the server. Thus, we do not suggest specific online scanning tools to “test” our web server security. See also “Pros and cons of online assessment tools for web server security”.

Verify our identity

Verifying our identity before you contact us is very important to avoid man-in-the-middle attacks and leakage of your personal data.

  1. We operate the following accounts on the internet:
    • Keybase.io
    • E-Mail: moc.liamnotorp@koobdnahcesofni
    • Mastodon.at
    • Github.com
    • Accounts which aren’t on this list but pretend to relate to our website are obviously fake. Feel free to report any fake account.
  2. We publish our GPG key on keybase.io and on our website. All other GPG keys aren’t trustworthy and may be faked. Don’t use public GPG key servers.
  3. We sign our comments on other websites to prevent impersonation. You can use Keybase to verify our signature:
    • echo "BEGIN KEYBASE SALTPACK SIGNED MESSAGE. […] END KEYBASE SALTPACK SIGNED MESSAGE." | keybase verify
    • Unsigned comments are very likely faked. Feel free to report any unsigned comment.

Security contact

Did you find a vulnerability or another security- or privacy-related issue? Please contact us: moc.liamnotorp@koobdnahcesofni

We also provide a signed security.txt file.