Hi all DMT-Nexus members,

Due to new insights into security I have changed the configuration of the DMT-Nexus in a few ways. These changes improve the security but they also have one small penalty.


PENALTY

Lets start with this one, since it is probably the only one that might have a direct impact on some users.

* Internet Explorer on Windows XP is no longer supported, so you cannot use IE8 or lower on Windows XP. This is not a bad thing since both IE8 or lower is not that secure anyway. You should move to another browser like the newest version of Chrome(ium) or FireFox.



IMPROVEMENTS

This will be some technical mumbo-jumbo for many, though for those who are interested here is some extra information.

* The SSL certificate now has a SHA256 signature. The old SHA1 signature has several security issues where one with enough resources could possibly crack it.

* Cipher suite:
-- No more RC4. This one has been found to be insecure. Modern browsers already avoided it, but now it is completely impossible to use it with the DMT-Nexus site.
-- No more 3DES. Old, crappy algorythm. Like RC4 modern browsers avoided it like the plague but now it is also impossible to use it on this site.
-- SHA256 is now preferred above SHA1 for message authentication, note that this is a different thing than the aforementioned signature of the SSL certificate. If your browser can handle it, it will use this more secure option. The old SHA1 is still available since unfortunately not all browsers can handle these specific cipher suites.

* HTTP Strict Transport Security. This is a message from the server to your browser that it should ALWAYS use the HTTPS version of the site and not the plain text HTTP version. This can prevent certain so called man in the middle attacks.


Due to this we can a nice A+ overall rating of from Qualys SSL Labs:
https://www.ssllabs.com/...lyze.html?d=dmt-nexus.me


I hope this make you all feel a tad more secure. However, remind yourself that this is just one layer of protection so make sure you all have a good security policy and it can never hurt to also use a trusted VPN or TOR to visit this site.


Kind regards,

The Traveler

cheers Trav, much appreciated

Nice.

The Nexus has now a better HTTPS protocol implementation (A+) than Google (A) or PayPal (A-).
Thumbs up!

well done

Good stuff!!!!

very good! Thanks for the extra work

Thank you!

Can SecurityKISS be called a "trusted VPN"?

Tor with obfs3 bridges works wonders.

Thanks for the update Trav!

Thanks traveler, Makes it safer, jus got chrome so its much better.

Thank you trav! a gazillion times

Many thanks.

A hard Yes or No might be an insensitive request, but perhaps some criteria to watch out for when deliberating VPN's?

Started reading about TOR usage, wow this is a little dedication on it's own, like an evolving cat and mouse game to stay one step ahead.

Thanks.

Nice work Trav! Are there any mobile browsers that support this?

SSL/TLS Capabilities of Your Browser

* mobile browsers modern or equal > Android 4.x
* mobile browsers modern or equal > IE Mobile 10 / Win Phone 8.0
* mobile browsers modern or equal > Safari 6 / iOS 6.0.1

https://www.ssllabs.com/...lyze.html?d=dmt-nexus.me

If you download their Tails software, it becomes a lot easier. While I prefer setting everything up on my own, I a) have the technical knowledge to do so safely (there are quite a few corner cases, like chrome doing OCSP validation ignoring the proxy settings..) and b) prefer having the control myself.

However one big advantage with Tails, regardless of whether one has tecnical know-how or not, is that you will be blending your browser fingerprint with millions of other users, thus making you more 'like the crowd', which in this case happens to be a good thing (TM).


You don't need to boot into a live cd/usb pen to use Tails; while less secure (your host OS has access to all that you do inside it), you could use, for instance, VirtualBox, and run Tails there.

If you don't want the hassle of having a virtual machine just for this, then the tor browser bundle (glorified firefox with tor-friendly settings) is what you'd be looking for.


I strongly recommend using a pluggable transport module like obfs3 (obfs4 isn't ready yet).

This will help you conceal your tor usage from your ISP. These days, unfortunately, those of us who care about privacy online, are automatic targets for certain 3-letter agencies.

On that note, Traveler, could you change the anoniem.org masking to use https:// ? I just manually checked, and it's supported.

Expanding on the above (why not), if you would prefer not to use tor (it is higher profile, and slower than other alternatives, though it has improved drastically over the last couple of years), one very important thing you ought to do, if you are not using any kind of proxy/vpn, is to secure your DNS queries.

Normally when you type an address in your browser, your computer will try to resolve this name to an ip address.

This is done by contacting a dns server, which typically will be your ISP's.

What this means is that EVERY service you visit, unless you're inputting the IP manually, will be resolved at your ISP. The request goes in plaintext, which means it's not private.



The solution for this (other than using TOR, a VPN, or a socks5 proxy with remote dns resolution) is DNSCrypt.

I won't go over how it works here since the information is linked above, suffice to say that it will offer you privacy in resolving names.

While (MUCH) better than nothing, this still wouldn't conceal your usage of the nexus from your ISP; The IP address of the nexus doesn't change often, and so should they want to target the nexus specifically, it is trivial to do so by mining for connections to the nexus ip address.

Thanks, digesting all that