Hi all DMT-Nexus members,

Due to new insights into security I have changed the configuration of the DMT-Nexus in a few ways. These changes improve the security but they also have one small penalty.

PENALTY

Let's start with this one, since it is probably the only one that might have a direct impact on some users.

* Internet Explorer on Windows XP is no longer supported, so you cannot use IE8 or lower on Windows XP. This is not a bad thing since IE8 or lower is not that secure anyway. You should move to another browser like the newest version of Chrome(ium) or Firefox.

IMPROVEMENTS

This will be some technical mumbo-jumbo for many, though for those who are interested here is some extra information.

* The SSL certificate now has a SHA256 signature. The old SHA1 signature has several security issues where one with enough resources could possibly crack it.
* Cipher suite:
-- No more RC4. This one has been found to be insecure. Modern browsers already avoided it, but now it is completely impossible to use it with the DMT-Nexus site.
-- No more 3DES. Old, crappy algorithm. Like RC4, modern browsers avoided it like the plague but now it is also impossible to use it on this site.
-- SHA256 is now preferred above SHA1 for message authentication; note that this is a different thing than the aforementioned signature of the SSL certificate. If your browser can handle it, it will use this more secure option. The old SHA1 is still available since unfortunately not all browsers can handle these specific cipher suites.
* HTTP Strict Transport Security. This is a message from the server to your browser that it should ALWAYS use the HTTPS version of the site and not the plain text HTTP version. This can prevent certain so-called man-in-the-middle attacks.

Due to this we get a nice A+ overall rating from Qualys SSL Labs: https://www.ssllabs.com/...lyze.html?d=dmt-nexus.me

I hope this makes you all feel a tad more secure. However, remind yourself that this is just one layer of protection, so make sure you all have a good security policy, and it can never hurt to also use a trusted VPN or TOR to visit this site.

Kind regards,
The Traveler
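The checks listed in the announcement above can be expressed as a small audit, shown here as an added example that is not part of the original post or the site's own tooling. The function name `audit`, the suite lists and the header value are constructed for illustration; suite names follow OpenSSL's spelling, where a trailing `-SHA` means SHA-1.

```python
import re

# Constructed inputs for illustration; not the forum's real configuration.
HARDENED = ("sha256WithRSAEncryption",
            ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
             "ECDHE-RSA-AES128-SHA", "AES128-SHA"],
            "max-age=31536000; includeSubDomains")
LEGACY = ("sha1WithRSAEncryption",
          ["RC4-SHA", "ECDHE-RSA-AES128-SHA", "DES-CBC3-SHA",
           "ECDHE-RSA-AES128-SHA256"],
          None)

def audit(cert_sig_alg, suites, hsts_header):
    """Return findings for: cert hash, RC4/3DES, SHA256-before-SHA1, HSTS."""
    findings = []
    # Certificate signature hash (separate from the per-record MAC below).
    if cert_sig_alg.lower().startswith(("sha1", "md5")):
        findings.append("cert: weak signature hash (%s)" % cert_sig_alg)
    # RC4 and 3DES must not be offered at all (OpenSSL writes 3DES as DES-CBC3).
    for s in suites:
        if re.search(r"(^|-)(RC4|3DES|DES-CBC3)(-|$)", s):
            findings.append("cipher: %s offered" % s)
    # Server preference order: no SHA256/SHA384 suite may rank below a SHA-1
    # suite. (For GCM suites the trailing hash is the PRF, since the cipher
    # authenticates itself, but the ordering rule is the same.)
    first_sha1 = next((i for i, s in enumerate(suites) if s.endswith("-SHA")), None)
    if first_sha1 is not None:
        for s in suites[first_sha1 + 1:]:
            if s.endswith(("-SHA256", "-SHA384")):
                findings.append("order: %s ranked below SHA-1 suite %s"
                                % (s, suites[first_sha1]))
    # HSTS needs a positive max-age; max-age=0 tells the browser to forget it.
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts_header or "", re.I)
    if not m or int(m.group(1)) == 0:
        findings.append("hsts: missing or max-age=0")
    return findings

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(label, audit(*cfg))
```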
|
|
|
cheers Trav, much appreciated
INHALE, SURVIVE, ADAPT it's all in your mind, but what's your mind??? fool of the year
|
|
|
Nice.
|
|
|
The Nexus has now a better HTTPS protocol implementation (A+) than Google (A) or PayPal (A-). Thumbs up!
|
|
|
well done
This is the time to really find out who you are and enjoy every moment you have. Take advantage of it.
|
|
|
Good stuff!!!!
That moment when you wonder if this time you went too far....
Obviously everything discussed here is the fictional accounts of someone with an out there imagination. I mean really could any of these tales be real?
|
|
|
very good! Thanks for the extra work
All these posts are on behalf of Stimpy, my yellow bullhead. He is an adventurous fish, and I feel his exploits are worth sharing...so much so, I occasionally forget that HE is the one who does these things. Sometimes I get caught in the moment and write of his experiences in the first person; this is a mistake, for I am an upstanding citizen who never does wrong. Stimpy is the degenerate.
|
|
|
Thank you!
The Traveler wrote: ... it can never hurt to also use a trusted VPN ...
Can SecurityKISS be called a "trusted VPN"?
|
|
|
Jees wrote: Thank you! The Traveler wrote: ... it can never hurt to also use a trusted VPN ... Can SecurityKISS be called a "trusted VPN"?
Tor with obfs3 bridges works wonders.
This is the time to really find out who you are and enjoy every moment you have. Take advantage of it.
|
|
|
Thanks for the update Trav!
|
|
|
Thanks traveler, Makes it safer, just got chrome so it's much better.
|
|
|
Thank you trav! a gazillion times
|
|
|
Many thanks.
Akasha224 is a fictitious extension of my ego; all his posts do not reflect reality & are fictional
|
|
|
Jees wrote: ..Can SecurityKISS be called a "trusted VPN"?
A hard Yes or No might be an insensitive request, but perhaps some criteria to watch out for when deliberating VPNs?
nexalizer wrote: Tor with obfs3 bridges works wonders.
Started reading about TOR usage, wow this is a little dedication on its own, like an evolving cat and mouse game to stay one step ahead. Thanks.
|
|
|
Nice work Trav! Are there any mobile browsers that support this?
|
|
|
|
|
|
Jees wrote: Jees wrote: ..Can SecurityKISS be called a "trusted VPN"? A hard Yes or No might be an insensitive request, but perhaps some criteria to watch out for when deliberating VPNs? nexalizer wrote: Tor with obfs3 bridges works wonders. Started reading about TOR usage, wow this is a little dedication on its own, like an evolving cat and mouse game to stay one step ahead. Thanks.

If you download their Tails software, it becomes a lot easier. While I prefer setting everything up on my own, I a) have the technical knowledge to do so safely (there are quite a few corner cases, like chrome doing OCSP validation ignoring the proxy settings..) and b) prefer having the control myself.

However one big advantage with Tails, regardless of whether one has technical know-how or not, is that you will be blending your browser fingerprint with millions of other users, thus making you more 'like the crowd', which in this case happens to be a good thing (TM).

You don't need to boot into a live cd/usb pen to use Tails; while less secure (your host OS has access to all that you do inside it), you could use, for instance, VirtualBox, and run Tails there. If you don't want the hassle of having a virtual machine just for this, then the tor browser bundle (glorified firefox with tor-friendly settings) is what you'd be looking for.

I strongly recommend using a pluggable transport module like obfs3 (obfs4 isn't ready yet). This will help you conceal your tor usage from your ISP. These days, unfortunately, those of us who care about privacy online, are automatic targets for certain 3-letter agencies.

This is the time to really find out who you are and enjoy every moment you have. Take advantage of it.
|
|
|
On that note, Traveler, could you change the anoniem.org masking to use https:// ? I just manually checked, and it's supported.
This is the time to really find out who you are and enjoy every moment you have. Take advantage of it.
|
|
|
Expanding on the above (why not), if you would prefer not to use tor (it is higher profile, and slower than other alternatives, though it has improved drastically over the last couple of years), one very important thing you ought to do, if you are not using any kind of proxy/vpn, is to secure your DNS queries.

Normally when you type an address in your browser, your computer will try to resolve this name to an ip address. This is done by contacting a dns server, which typically will be your ISP's. What this means is that EVERY service you visit, unless you're inputting the IP manually, will be resolved at your ISP. The request goes in plaintext, which means it's not private.

The solution for this (other than using TOR, a VPN, or a socks5 proxy with remote dns resolution) is DNSCrypt. I won't go over how it works here since the information is linked above, suffice to say that it will offer you privacy in resolving names.

While (MUCH) better than nothing, this still wouldn't conceal your usage of the nexus from your ISP; The IP address of the nexus doesn't change often, and so should they want to target the nexus specifically, it is trivial to do so by mining for connections to the nexus ip address.

This is the time to really find out who you are and enjoy every moment you have. Take advantage of it.
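To illustrate the point above that a classic DNS lookup travels in plaintext, the following added example (not part of the original post) encodes a standard UDP query in the DNS wire format and then reads the hostname straight back out of the raw bytes. The hostname `forum.example.org`, the query ID and the function names are constructed for illustration.

```python
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive A-record query as it is sent over UDP port 53."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label is prefixed by its length; a zero byte ends the name.
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def observed_name(packet):
    """Decode the queried name from raw bytes; no key or secret is needed.

    Queries do not use name compression, so a plain label walk is enough.
    """
    pos, labels = 12, []  # the question section starts after the 12-byte header
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

if __name__ == "__main__":
    pkt = build_query("forum.example.org")  # constructed hostname
    print(pkt.hex())
    print(observed_name(pkt))
```

An encrypted resolver transport such as DNSCrypt wraps these same bytes so that only the chosen resolver can decode them.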
|
|
|
Thanks, digesting all that
|