We operate AS 208323.
Information about our Tor relays can be found on this page.
Security is important to us. A few selected items of what we do:
- access to our servers (SSH) requires 2-factor authentication (pubkey and password)
- authorized SSH keys are handed out in hardware (Yubikeys)
- where supported updates are installed automatically (including automatic reboot when necessary)
- our domains are DNSSEC signed
- we support DANE for email traffic
- we have DMARC (p=reject) records on our domains
- statically generated website for a reduced attack surface (with some security headers)
- HSTS with Preloading
- we make use of 2-factor authentication for all 3rd-party services where supported (njal.la, 1984.is, stripe, github, twitter, mastodon, ...)
- to make BGP hijacking attacks harder, /24 (IPv4) and /48 (IPv6) prefixes are announced
- our BGP router rejects RPKI INVALID announcements
- all our services are covered by RPKI ROAs to make BGP hijacking even harder
- we monitor our IP prefixes for BGP hijacking attempts using BGPalerter
- we make use of CAA, TLSA and SSHFP DNS records
- we monitor certificate transparency logs for our domain to spot rough certificates
On our Wishlist
- DNSSEC for IPv6 reverse zones
3rd Party Services
Some of the services we use are not operated by ourselfes for availability reasons (we do not have a 24/7 team), but we try to choose our service providers wisely. We have no affiliation with them, they are listed here so others have some practical input in case they care about similar values.
This section is about the authoritative nameservers for "applied(-)privacy.net" and should not be confused with our DNS Privacy Services.
- support DNSSEC and security related DNS records (CAA, TLSA and SSHFP)
- support 2-factor authentication (TOTP, Yubikey)
- are Tor-friendly
- are affordable
For our reverse DNS zones we use deSEC.io.
We use mailbox.org for email because they: