Infrastructure

Server

Information about our Tor relays can be found on this page.

Security

Security is important to us. A few selected items of what we do:

  • access to our servers (SSH) requires 2-factor authentication (pubkey and password)
  • authorized SSH keys are handed out in hardware (Yubikeys)
  • where supported, updates are installed automatically (including automatic reboot when necessary)
  • our domain is DNSSEC signed
  • we support DANE for email traffic
  • statically generated website for a reduced attack surface (with some security headers)
  • HSTS (without preloading)
  • we make use of 2-factor authentication for all 3rd-party services where supported (njal.la, 1984.is, stripe, github, twitter, mastodon, ...)
  • to make BGP hijacking attacks harder, /24 (IPv4) and /48 (IPv6) prefixes are announced and ROAs exist (partially)
  • we make use of CAA, TLSA and SSHFP DNS records
  • we monitor certificate transparency logs for our domain to spot rogue certificates
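
One way to implement the certificate transparency check from the list above and tie it to the CAA record, as an added example that is not the operators' own tooling. The entry fields, the issuer names and the EXPECTED_ISSUERS allowlist are assumptions, and the sample entries are constructed.

```python
DOMAIN = "appliedprivacy.net"            # domain named on the page
EXPECTED_ISSUERS = {"Example Trust CA"}  # assumption: the CA(s) your CAA record authorizes

# Constructed sample entries (not real CT data); field names are this example's own.
SAMPLE = [
    {"serial": "01", "issuer": "Example Trust CA",
     "names": ["appliedprivacy.net"], "not_before": "2024-01-10"},
    {"serial": "04", "issuer": "Other CA",
     "names": ["*.AppliedPrivacy.net."], "not_before": "2024-03-05"},
    {"serial": "02", "issuer": "Unknown CA",
     "names": ["mail.appliedprivacy.net"], "not_before": "2024-02-01"},
    # CT logs usually hold a precertificate and the final certificate (same serial)
    {"serial": "02", "issuer": "Unknown CA",
     "names": ["mail.appliedprivacy.net"], "not_before": "2024-02-01"},
    # different registrable domain that merely ends in the same characters
    {"serial": "03", "issuer": "Unknown CA",
     "names": ["notappliedprivacy.net"], "not_before": "2024-02-15"},
]

def covers(name, domain):
    """True if a certificate name is the domain itself or any name below it."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # compare on a label boundary so lookalike suffixes do not match
    return name == domain or name.endswith("." + domain)

def unexpected_certs(entries, domain, expected_issuers):
    """One finding per (issuer, serial) for in-scope certificates from unexpected issuers."""
    seen, findings = set(), []
    for e in entries:
        names = [n for n in e["names"] if covers(n, domain)]
        if not names or e["issuer"] in expected_issuers:
            continue
        key = (e["issuer"], e["serial"])
        if key in seen:  # precertificate already reported
            continue
        seen.add(key)
        findings.append({"serial": e["serial"], "issuer": e["issuer"],
                         "names": names, "not_before": e["not_before"]})
    # ISO dates sort correctly as strings
    return sorted(findings, key=lambda f: f["not_before"])

if __name__ == "__main__":
    for f in unexpected_certs(SAMPLE, DOMAIN, EXPECTED_ISSUERS):
        print(f["not_before"], f["issuer"], f["serial"], ", ".join(f["names"]))
```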

On our Wishlist

  • DNSSEC for reverse zones
  • HSTS preloading (will require a second domain because we want people to be able to visit Tor's DirPort on port 80 with their browsers if they found our exit IP in their logs)

3rd Party Services

Some of the services we use are not operated by ourselves for availability reasons (we do not have a 24/7 team), but we try to choose our service providers wisely. We have no affiliation with them; they are listed here so others have some practical input in case they care about similar values.

DNS (Authoritative)

This section is about the authoritative nameservers for "appliedprivacy.net" and should not be confused with our DNS Privacy Services.

We use njal.la in combination with 1984.is as the authoritative name servers for "appliedprivacy.net" because they:

  • support DNSSEC and security related DNS records (CAA, TLSA and SSHFP)
  • support 2-factor authentication (TOTP, Yubikey)
  • are Tor-friendly
  • are affordable

Email

We use mailbox.org for email because they:

  • generally are a privacy-aware email provider (minimal information required during account registration)
  • are Tor-friendly (and operate a small Tor exit relay)
  • offer mailbox access via onion services
  • support DKIM
  • support DANE
  • support 2-factor authentication
  • are affordable