Banner of the month
If you are browsing from a mobile device, you may not have seen it, but there is a banner displayed in the top-right corner of our web pages on medium and high screen resolutions. We are using this space to advertise on endeavours and projects of interest.
This month we are advertising for the collaborative privacytools website, which focus on giving a one-stop online resource to discover privacy-friendly tools that are available out there, free of spyware and trackers and with a focus on end to end encryption (ie encryption starts straight from your device and ends at your contact’s device, so that no one in between can tap on your communication) whenever possible.
The introduction on the website sums it all up:
You are being watched. Private and state-sponsored organizations are monitoring and recording your online activities. privacytools.io provides services, tools and knowledge to protect your privacy against global mass surveillance.
A bug was found using K9-Mail when sending out emails to an invalid recipient as part of a multi-recipients email. We implemented a workaround and raised an issue for this, hopefully this will be addressed in the next versions of K9-Mail.
- We upgraded to latest Jekyll stable for the Nomagic website.
- We have refined the home page to avoid long scrolling. Now the homepage only shows the last 3 news and a condensed view of the next 3 ones.
- We added note support for our website to help differentiating short, context-related notes in our posts.
- We have started working on updating all web servers with security policies (namely Content-Security-policy, Referrer-Policy and Feature-Policy). It’s not always possible to enforce strong policies from the start, but over time this should improve.
- We updated our HTTPS ciphers to be more selective and avoid weak ciphers.
Better privacy over TLS
- We have implemented OCSP Stapling on most of our Web Services (about 90%), which helps improving privacy as the TLS certificate check upon new HTTPS connections can now be done within the same connection and does not require to open an external connection towards the Certificate Authority.
The following applications were upgraded to their latest stable version this month:
- Updating TLS requirements for SMTPS to TLSv1.2 minimum (anything older than TLSv1.2 is considered unsafe and has had security breaches)
- We are still allowing our mail server to negotiate lower/unsafe protocols with external servers as some major telecommunication operators are still not TLSv1.2 compatible (published in 2008!).
- Only GPG/PGP will give you full email encryption (we are planning to gather information on setting your own GPG keys and using them in an upcoming article on foss-notes)
- We have implemented for testing RFC 8461, which is a complement for our already active DANE verification when sending email.
The current roadmap now includes:
- Complete OCSP stapling for all Websites
- Keep on implementing security/privacy policies
- Handle DMARC reports for emails
- Once testing is ok, move our MTA-STS policy to a production profile.
- Generate our own DMARC reports for other mail servers
- Update servers to the new Debian release Buster.
- implementing Single Sign-On (SSO) so that Nomagic users won’t have to authenticate on each and every services in their Web browser.