subuser icon indicating copy to clipboard operation
subuser copied to clipboard

Published 20 hours ago verified publisher icon subuser-security

Core Infrastructure Initiative (CII) Best Practices

Open ypid opened this issue 9 years ago • 2 comments

Hey @timthelion

I found https://bestpractices.coreinfrastructure.org and thought it might also be a good fit for this project. Do you want to add subuser there and go thought the criteria?

References

  • https://bestpractices.coreinfrastructure.org
  • https://twit.tv/shows/floss-weekly/episodes/389

ypid avatar Jul 12 '16 06:07 ypid

This looks interesting.

Currently, I'm missing https.

subuser.org is hosted on a VPS running within a huge OpenVZP/ZFS server farm. I'm definitely not the only one with root access to my VPS (my service providers also have access).

If I use Let's Encrypt then I'm also putting my trust in them that they won't sign any fake certificates. And indeed, this is always the case. https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise

Https provides MITM attack prevention at the consumer end point level, but the level of trust that we've come to put in https is horribly misplaced. I wish that organizations like Mozilla and coreinfrastructure.org would stop promoting the standard as a security and privacy mechanism.

timthelion avatar Jul 12 '16 08:07 timthelion

Sure https is not ideal. But I think things like HPKP (HTTP Public Key Pinning) can help with that (to some extend). Also TLS is just transport security. We still have other means like GPG.

To your other question, that is something I have been thinking about :wink: https://github.com/debops/debops-playbooks/issues/274

ypid avatar Jul 12 '16 09:07 ypid