Technical Details

How does it work?

The following includes technical details about the behind-the-scenes workings of this website. It is not intended for casual readers, rather for those interested in auditing my methods and helping me improve them.

  1. DDoS
    This website is protected by Cloudflare’s DDoS protection with strong NGINX access rules for redundancy.

  2. Server Access
    The server hosting this website is protected by redundant firewalls. SSH access requires lease access, a valid key pair, and two-factor authentication for all users.

  3. CDN
    The firewalls are configured to only permit direct HTTP/HTTPS connections from Cloudflare, ensuring all traffic to the site passes through their filters first. In essence, when you visit the website, you’re actually getting cached content from Cloudflare. Only when you submit the contact form or a search do you actually communicate with the server itself.

  4. HTTPS
    This website is secured using TLS 1.2 and 1.3 with perfect forward secrecy. TLS 1.0 and 1.1 are no longer supported. Origin certificates are issued by Let’s Encrypt with edge certificates being issued by Comodo. All origin pulls are required to be authenticated with a valid certificate.

    The website also implements HSTS. HTTP Strict Transport Security (HSTS) vastly improves the security of the network encryption layer. With HSTS enabled, browsers no longer allow clicking through certificate warnings, which are typically trivial to exploit. Additionally, they will no longer submit insecure (plaintext) requests to the site in question, even if asked.

    Lastly, the domain implements CAA records to prevent malicious or accidental mis-issuance of TLS certificates for the domain.

  5. PGP
    When submitting anything via the contact form on this site, the contents of the message are first encrypted in the browser with OpenPGP.js, then sent to the server. This ensures that neither your ISP, Cloudflare, nor the datacenter hosting the server can read the contents of your message. The encrypted message is then emailed to my ProtonMail account where it remains encrypted on the server at all times. If, for some reason, your browser does not support JavaScript, the fallback solution is for the message to be encrypted server-side before being emailed. However, this has potential for snooping and eavesdropping between your browser and the server.

  6. Malware
    The server is scanned daily by rkhunter, chkrootkit, maldet, and ClamAV to ensure the highest possible protection from various threats.

  7. Third party content
    This website is built using Bootstrap, Font Awesome, and web fonts. Additionally, the site uses Matomo for analytics. For security and privacy reasons, Bootstrap, Font Awesome, and the web fonts are all included locally on this server. The Matomo instance used for analytics is hosted locally on this server as well and is used for all of my personal websites. However, IP addresses have the last octet removed to prevent absolute identification of visitors. Additionally, accessing the TOR onion only causes Matomo to record the visit and that it is from TOR. No other information about the visitor is collected.

  8. TOR
    As mentioned in 7, this website runs a TOR Onion site available at offpriv2kalk6oya.onion. The service is hosted on the same server as the site and is subject to the same policies with two notable exceptions: a) Cloudflare is not part of the access route and b) the service does not utilize HTTPS because TOR already encrypts onion sites.

  9. DNSSEC
    This domain is configured to use DNSSEC. DNSSEC is an extension of the DNS protocol that provides cryptographic assurance of the authenticity and integrity of responses; it’s intended as a defense against network attackers who are able to manipulate DNS to redirect their victims to servers of their choice.
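To make items 3 and 4 concrete, here is an added example NGINX configuration (not this site's actual configuration) that restricts the origin to CDN edge addresses, recovers the visitor's real IP from the CF-Connecting-IP header, limits TLS to 1.2/1.3 with forward-secret suites, requires a client certificate on origin pulls, and sends HSTS. The domain, file paths and CIDR ranges are placeholders; the real Cloudflare ranges are published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```nginx
# Added example, not this site's real configuration. Domain, paths and
# CIDRs are PLACEHOLDERS and must be replaced before use.

# Item 3: the only acceptable TCP peers are the CDN's edge addresses.
# $realip_remote_addr always holds the original peer address, which is
# why the allowlist tests it rather than $remote_addr (rewritten below).
geo $realip_remote_addr $from_cdn {
    default       0;
    192.0.2.0/24  1;     # PLACEHOLDER edge range (IPv4)
    2001:db8::/32 1;     # PLACEHOLDER edge range (IPv6)
}

# Restore the visitor's address from the CDN header, trusting it only
# when the connection really came from an edge node (same list as above).
set_real_ip_from 192.0.2.0/24;          # PLACEHOLDER
set_real_ip_from 2001:db8::/32;         # PLACEHOLDER
real_ip_header   CF-Connecting-IP;

server {
    listen 80;
    listen [::]:80;
    server_name example.com;            # PLACEHOLDER domain
    if ($from_cdn = 0) { return 403; }  # redundant with the firewall rule
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;            # PLACEHOLDER domain
    if ($from_cdn = 0) { return 403; }  # redundant with the firewall rule

    # Item 4: TLS 1.2/1.3 only; ECDHE-only suites give forward secrecy.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem; # PLACEHOLDER
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;   # PLACEHOLDER
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Authenticated origin pulls: the edge must present a client certificate
    # that chains to the CDN's origin-pull CA (path is a placeholder).
    ssl_client_certificate /etc/nginx/cdn-origin-pull-ca.pem;  # PLACEHOLDER
    ssl_verify_client      on;

    # HSTS for one year including subdomains; "always" also covers error pages.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root  /var/www/example.com;         # PLACEHOLDER
    index index.html;
}
```

With the edge allowlist in place, a request that reaches port 443 from any other address is refused before TLS client verification even matters, so the two layers fail closed independently.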

If you have comments, critiques, or suggestions on ways I can improve this security plan, feel free to contact me.
