Services/Security

From DcUsers

Introduction

All services containing sensitive information are protected using cryptography. Whenever possible, we add the necessary configuration to ensure unsecure usages are not possible, to protect your data. Nevertheless, a few things are needed on you side to improve security, that's why we are providing the following notes in order to help you configure your software in a secure fashion.


Areas of Security

Mails from DC's Administrators

You should not trust mails pretenting to come from us. The only way to be sure a mail is from someone, is to agree on exchanging cryptographically-protected messages. On this page you'll find the list of DC's administrators from which you may receive mails (on the users's mailing-list for example). You could trust their GPG keys directly, but that would not be secure at all. The best way is to meet, live, in a key signing party. If a friend has already signed our key, and is not too far from you, you may also propagate your trust to our keys. Once done, you'll be sure what seems to come from us is really from us.

Talking to the Right Machine/Service

All remote services use an address on the internet, like superservice.duckcorp.org, but if you are connected through an untrusted network (like if you're using a third-party's WIFI), you cannot be sure you'll be connecting to the right machine, and you may disclose important information like your credentials.

Remote TLS/SSL-based Services

To ensure you're talking to the right server, and noone pretend to be a DC's server to tricks you, you need to install the following certificate in your browser : File:Duckcorp.crt (clicking on the link should ask for installation, and you'll just need to confirm you trust it).

Service Locator Security

One possible attack is to alter replies to the machine locator service (DNS) in order to redirect your communication to a nasty machine. Since November 2010, duckcorp.org and milkypond.org domains are cryptographically signed using the DNSSEC system, so you are now able to verify the address returned for the service is the right one. This system is not new, but has recently switched into production, so your operating system may not yet be properly configured to use this protection. Until it is pre-configured in most of them, you may configure it yourself using this procedure.

Warning! Beware this protection solves certains security problems but is not sufficient to ensure you're talking to the right machine/service. Nevertheless it ensures:

  • the address of the machine/service is the right one
  • information related to the domain, list of mail servers, security information on hosts (SSHFP)… are not tampered

Using this security plus certificate verification (see previous section) would ensure full security.

Retrieved from "https://users.duckcorp.org//index.php?title=Services/Security&oldid=171"