Infrastructure

Autonomous System

We operate AS 208323.

Server

Information about our Tor relays can be found on this page.

Security

Security is important to us. A few selected items of what we do:

  • access to our servers (SSH) requires 2-factor authentication (pubkey and password)
  • authorized SSH keys are handed out in hardware (Yubikeys)
  • where supported, updates are installed automatically (including automatic reboot when necessary)
  • our domains are DNSSEC signed
  • we support DANE for email traffic
  • we have DMARC (p=reject) records on our domains
  • statically generated website for a reduced attack surface (with some security headers)
  • HSTS with Preloading
  • we make use of 2-factor authentication for all 3rd-party services where supported (njal.la, desec.io, stripe, github, mastodon, ...)
  • to make BGP hijacking attacks harder, /24 (IPv4) and /48 (IPv6) prefixes are announced
  • our BGP routers reject RPKI INVALID announcements
  • all our services are covered by RPKI ROAs to make BGP hijacking even harder
  • we monitor our IP prefixes for BGP hijacking attempts using BGPalerter
  • we make use of CAA, TLSA and SSHFP DNS records
  • we monitor certificate transparency logs for our domain to spot rogue certificates
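
The RPKI items in the list above (ROAs, rejecting INVALID announcements, announcing /24 and /48 prefixes) can be illustrated with RFC 6811 route origin validation. The following is an added example, not code or configuration from the operators of this page; the prefixes and AS 64496 are documentation values chosen for illustration, and only AS 208323 comes from the page.

```python
import ipaddress

# Constructed ROA set (prefix, max_length, origin_asn). The prefixes are
# documentation ranges standing in for real ones; max_length equals the
# prefix length, matching an operator that announces exactly /24 and /48.
ROAS = [
    ("192.0.2.0/24", 24, 208323),
    ("2001:db8::/48", 48, 208323),
]

def validate(prefix, origin_asn, roas=ROAS):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version:
            continue  # an IPv4 ROA never covers an IPv6 route and vice versa
        if not route.subnet_of(roa_net):
            continue  # ROA does not cover this route
        covered = True
        # A covering ROA matches only if the origin AS agrees (AS0 never
        # matches) and the route is not more specific than max_length.
        if roa_asn != 0 and roa_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: INVALID.
    return "invalid" if covered else "not-found"

def accepted(prefix, origin_asn, roas=ROAS):
    """Router policy from the list above: drop only RPKI INVALID announcements."""
    return validate(prefix, origin_asn, roas) != "invalid"

if __name__ == "__main__":
    # Constructed announcements: (prefix, origin AS)
    for prefix, asn in [
        ("192.0.2.0/24", 208323),      # legitimate announcement
        ("192.0.2.0/24", 64496),       # same prefix, wrong origin
        ("192.0.2.0/25", 208323),      # more specific than max_length allows
        ("2001:db8:0:1::/64", 64496),  # more specific and wrong origin
        ("198.51.100.0/24", 64496),    # no ROA covers this prefix
    ]:
        print(f"{prefix:20} AS{asn:<7} {validate(prefix, asn):10} accepted={accepted(prefix, asn)}")
```

Origin validation checks only the origin AS and prefix length, not the rest of the AS path, so prefix monitoring remains useful alongside it.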

On our Wishlist

  • DNSSEC for IPv6 reverse zones

3rd Party Services

Some of the services we use are not operated by ourselves for availability reasons (we do not have a 24/7 team), but we try to choose our service providers wisely. We have no affiliation with them; they are listed here so others have some practical input in case they care about similar values.

DNS (Authoritative)

This section is about the authoritative nameservers for "applied(-)privacy.net" and should not be confused with our DNS Privacy Services.

We use njal.la in combination with deSEC.io as the authoritative name servers for "applied(-)privacy.net" because they:

  • support DNSSEC and security related DNS records (CAA, TLSA and SSHFP)
  • support 2-factor authentication (TOTP, Yubikey)
  • are Tor-friendly
  • are affordable

Email

We use mailbox.org for email because they:

  • generally are a privacy-aware email provider (minimal information required during account registration)
  • are Tor-friendly (and operate a small Tor exit relay)
  • offer mailbox access via onion services
  • support DKIM
  • support DANE
  • support 2-factor authentication
  • are affordable