Internet security

This is an experimental general Internet security thread for anyone willing to discuss, help newbies or learn more about Internet security in general.

>DNS
Who among you is using DNSSEC [1, 2] already? Why do you use it? What do you use it for? Have you considered TLSA (DANE [3]), SSHFP [4], OPENPGPKEY [5] resource records (RRs) yet?

>HTTP
Who among you is running your own Web server? Do you secure your traffic with TLS and HTTP security headers? Do you use HSTS [6] to enforce a secure connection? Do you use HPKP [7] for certificate pinning? Do you use CSP [8] to enforce content restrictions?

>Mail
Who among you is running your own mail server (MTA)? Do you secure your traffic with (START)TLS? Do you use SPF [9] to allow only authorised hosts to send mail? Do you use DKIM [10] to cryptographically verify message authenticity? Do you use DMARC [11] to set domain-level message handling policies?

Share your thoughts!

Newbies section:
There are numerous introductory videos about DNSSEC [12, 13], SPF [14], DKIM [15] and DMARC [16] to familiarise yourself with. There are also numerous websites [17, 18, 19, 20] that can help you check your server's security.

[1] tools.ietf.org/html/rfc4033
[2] dnssec.net/
[3] tools.ietf.org/html/rfc6698
[4] tools.ietf.org/html/rfc4255
[5] tools.ietf.org/html/rfc7929
[6] tools.ietf.org/html/rfc6797
[7] tools.ietf.org/html/rfc7469
[8] w3.org/TR/CSP2/
[9] tools.ietf.org/html/rfc7208
[10] tools.ietf.org/html/rfc6376
[11] tools.ietf.org/html/rfc7489
[12] youtube.com/watch?v=lTABuMxO2AM
[13] youtube.com/watch?v=qlto6GfZEvA
[14] youtube.com/watch?v=WFPYrAr1boU
[15] youtube.com/watch?v=yHv1OPcc-gw
[16] youtube.com/watch?v=kGk-Af_92Bk
[17] dnsviz.net/
[18] ssllabs.com/ssltest/index.html
[19] observatory.mozilla.org/
[20] securityheaders.io/


If you don't do anything illegal you shouldn't need encryption

For those of you underwhelmed with the depth of technical information, I can relate. But seeing as we're all limited to 2000 characters for each post, I had to cut away a lot of details in order not to go past that limit. This is exactly what I feared when trying to merge the separate DNS and HTTP security threads into a general Internet security thread, but a fellow user suggested I should merge them anyway since these separate threads were already "extremely specific". So, let's just see how it works out for now...

>corpcucks actually believe this

>
>>corpcucks actually believe this

But even if we believe that... we do break a lot of laws every day.

I don't think even the people who vote on these laws in Congress have read everything they've voted on.

thank you for doing this

Our personal data is worth a lot of money. You use cryptography many times a day and you should know that we all have to be able to protect ourselves from criminals on the Web.

If you don't agree because you have nothing to hide, then I invite you to include a picture of your passport and your email credentials in your next post.

Has anyone been able to use CSP 3.0 with cryptographic nonces in script-src yet? I'm aware CSP 3.0 is only a working draft [1] for the time being, but Nextcloud already generates nonces for every request since version 11 [2]. However, I haven't been able to figure out how to make them part of my CSP header. It's not even mentioned in the documentation [3].

[1] w3.org/TR/CSP/
[2] nextcloud.com/blog/nextcloud-11-delivers-verified-security-improvements/
[3] docs.nextcloud.com/

>I haven't been able to figure out how to make them part of my CSP header
script-src 'nonce-whatever';

How? The nonces change every time (they are supposed to), but I don't know what to put in my CSP header for something so dynamic.

The nonces are arbitrary. You generate them randomly and put the same nonce in the header and in the script tag

This much I know, but how do I make sure the CSP gets automagically updated with the same nonce in the script tag?

Oh, I think I see your issue. Are you only considering the CSP header as part of a static webserver configuration? You can't really do nonces with that. You need to set the header from your website, using something like php's header() function or your language's equivalent
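The mechanism described in the two replies above (a fresh random nonce per response, the same value in the header and in the script tag, emitted by the application rather than by a static server config), as an added example that is not from the thread or from Nextcloud; the handler and the checker are hypothetical names and the HTML body is constructed:

```python
import base64
import re
import secrets

def make_nonce() -> str:
    # 128 bits of randomness, base64-encoded as CSP requires for 'nonce-...'
    # sources. A new value must be generated for every response.
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def render_response(nonce: str) -> tuple[dict, str]:
    # Hypothetical application handler: the header and the body are built
    # together so they share one nonce. This cannot live in nginx.conf
    # because the value differs on every request.
    headers = {
        "Content-Security-Policy":
            f"default-src 'self'; script-src 'nonce-{nonce}'",
    }
    body = (f'<html><body><script nonce="{nonce}">'
            'console.log("hi")</script></body></html>')
    return headers, body

NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")
SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'\bnonce="([^"]*)"')

def check_nonces(headers: dict, body: str) -> list[str]:
    # Defender-side check: every <script> element must carry a nonce that
    # the script-src directive (or default-src, as the fallback) allows.
    # Scripts permitted by a host source instead are out of scope here.
    csp = headers.get("Content-Security-Policy", "")
    directives = {}
    for d in csp.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0]] = d
    source_list = directives.get("script-src", directives.get("default-src", ""))
    allowed = set(NONCE_RE.findall(source_list))
    problems = []
    for m in SCRIPT_RE.finditer(body):
        n = ATTR_RE.search(m.group(1))
        if n is None:
            problems.append("inline script without nonce")
        elif n.group(1) not in allowed:
            problems.append(f"script nonce {n.group(1)!r} not in script-src")
    return problems
```

Run `check_nonces` against a captured response from a staging box to confirm the header and body actually agree before tightening the policy.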

Yes, exactly. I've always sent the CSP header using my Nginx site configuration. This was puzzling me for hours. I found an article [1] that tries to shed some light on this, but I don't want to keep compiling my own custom Nginx package every new upstream release, nor do I know which variable I should use in the CSP header to work with Nextcloud. I don't think the article's suggested variable automatically matches the nonces that Nextcloud generates, does it?

[1] scotthelme.co.uk/csp-nonce-support-in-nginx/

>Who among you are using DNSSEC [1, 2] already?
I am
>Why do you use it?
Why not? Was easy to enable.
>What do you use it for?
Verifying the domain records for my websites
>Have you considered TLSA (DANE), SSHFP, OPENPGPKEY resource records (RRs) yet?
No

>Who among you running your own Web server?
I am
>Do you secure your traffic with TLS and HTTP security headers?
Yes
>Do you use HSTS [to] enforce a secure connection?
Yes. Preloaded even.
>Do use HPKP for certificate pinning?
No
>Do you use CSP to enforce content restrictions?
Yes

>Who among you running your own mail server (MTA)?
I am
>Do you secure your traffic with (START)TLS?
Yes
>Do you use SPF to restrict only authorised hosts to send mails?
Yes
>Do you use DKIM to cryptographically verify message authenticity?
No
>Do you use DMARC to set domain-level message handling policies?
No

If Nextcloud is generating nonces itself, you'll have to use whatever interface it provides for accessing those nonces and putting them in the header.

>I don't think the article's suggested variable automatically matches the nonces that Nextcloud generates, does it?
No. That article is describing a totally separate thing.

Reading up on it, it seems like nextcloud will set its own CSP header (using its generated nonces) and you shouldn't set it in the webserver configuration

Awesome! Do you also intend to use any of the technology you answered no to, btw?

I don't intend to right now, but I could probably be convinced to use some of it.
I would use HPKP but it seems really dangerous and especially hard to use with Let's Encrypt certs that rotate out so frequently

Yes, I thought as much. I've looked around the documentation and asked around on their forum but so far nobody seems to be able to help me. That's why I asked here second.

It's weird, I can't be the only one asking this, and why would they promote this cool new security feature on their blog, and then not document how to implement it yourself...

Well, that kinda sucks because I also want to add my own configurations in the header. Is this a design flaw or a poor implementation of the current draft?

It's a design choice of nextcloud. I would expect them to offer a configuration option for setting the rest of the rules, but if they're already as tight as possible for what nextcloud requires, I suppose there isn't any reason to.

You're of course welcome to set the header differently for other locations of your website assuming you're running more than just nextcloud

>I don't intend to right now, but I could probably be convinced to use some of it.
I'm not trying to convince you to do anything, friend.
>I would use HPKP but it seems really dangerous and especially hard to use with Let's Encrypt certs that rotate out so frequently
True, you can break your website for your customers that don't clear their cache, but you can set the max-age option accordingly.

>I'm not trying to convince you to do anything, friend.
I know, but I'd welcome you to do so.
>you can break your website for your customers that don't clear their cache, but you can set the max-age option accordingly.
I'd rather my website not be broken for any amount of time

I'm running more than just Nextcloud, indeed. Seems I'll just have to find a way to configure this without available documentation. But in any case thanks for your help, mate.

Is an IPS worth the trouble on installing behind the gateway when I have multiple users connecting to an outside VPN? Or should I isolate the network into two parts, one managed by the IPS and the other purely for VPN connections?

Just set up DKIM for my mail server. Thanks OP

hmm...how can I find out what I should be employing here? I use mac os and don't really do anything special, just normal stuff. Since finding Sup Forums I've done most of the things recommended in that cyberpunked pastebin.

Also do I need to nuke my gmail account?

Lastly, what vpn do you guys like best? I can pay.

Great! Have you considered SPF and DMARC, too? It improves security even further than just DKIM

I already had SPF set up. Working on DMARC now

wow that's the worst fpbp in my history of 4cheng

>I know, but I'd welcome you to do so.
Sure, I'll give it a go. DKIM improves security by adding cryptographic signatures to your messages, increasing your message's authenticity.

And DMARC improves message handling of other domains that receive messages from you. DMARC depends on SPF and DKIM to do so. It also allows you to gain much more insight into how these domains are handling your mail: whether they arrive, are being quarantined, or dropped entirely, as per your DMARC policy.

There. Enabled DMARC

Nice! Do you also send out and process incoming aggregate reports? Look at me, I forgot to actually send out these reports entirely at first...

Btw, perhaps this thread has overlooked some other interesting mail security aspects you're willing to share?
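The DMARC policy record described two posts up and the aggregate reports mentioned just above, as an added example that is not from the thread: parsing a `_dmarc` TXT record and tallying a report in the RFC 7489 XML format. The record, the report contents and the IP addresses are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC TXT record: the policy (p=) applies to mail that fails
# both SPF and DKIM alignment; rua= is where receivers send aggregate reports.
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"

def parse_dmarc(txt: str) -> dict:
    # Split a _dmarc TXT record into tag=value pairs and require the
    # mandatory tags (v and p) to be present.
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            k, v = item.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

# Constructed aggregate report (RFC 7489 Appendix C layout, trimmed to the
# elements used below). One legitimate source passes; one unknown source
# fails both checks and is quarantined under the published policy.
AGGREGATE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim>
   <spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>3</count>
  <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim>
   <spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarise_report(xml_text: str) -> dict:
    # Tally message counts by disposition (none / quarantine / reject) and
    # list the sources that failed both SPF and DKIM, which is what the
    # receiver acted on under the policy. These are the ones to investigate:
    # either a forgotten legitimate sender or someone spoofing the domain.
    root = ET.fromstring(xml_text)
    summary = {"by_disposition": {}, "failed_sources": []}
    for rec in root.findall("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        disp = pe.findtext("disposition")
        summary["by_disposition"][disp] = summary["by_disposition"].get(disp, 0) + count
        if pe.findtext("dkim") == "fail" and pe.findtext("spf") == "fail":
            summary["failed_sources"].append((row.findtext("source_ip"), count))
    return summary
```

Real reports arrive as zipped or gzipped XML attachments to the rua= address; unpack them and feed the XML to `summarise_report`.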

>Do you also send out and process incoming aggregate reports?
I have no idea what those are so probably not

>perhaps this thread has overlooked some other interesting mail security aspects you're willing to share?
I install postfix, configure it to use my domain, and add an SPF record. I don't usually do anything fancy with mail, and I generally find that if I try to make mail setup even remotely complicated, something ends up going wrong.
So no, nothing I know of that this thread's overlooked

My work network made us sign an agreement that they can watch our traffic. I thought I would be safe behind TLS but I now suspect a SQUID proxy server. I'm currently dynamic ssh tunneling using a SOCKS proxy to overcome the proxy here. I've tried using my vpn but every outgoing udp port I've tried is blocked. I'm switching to tcp but a lot is also blocked. I know my XMPP server is working, luckily using omemo should keep me safe.

nuke your gmail? yes
they own all your emails after 30 days if still stored on the cloud

Do you even know what dentistry is, Theresa?

>I now suspect a SQUID proxy server.
Why would that prevent you from using TLS to secure your communications?

>I've tried using my vpn but every outgoing udp port I've tried is blocked. I'm switching to tcp but a lot is also blocked.
Have you tried having your VPN server listen on port 443/tcp? That typically isn't blocked because normal HTTPS uses that port as well.