Current Situation[edit]

Introduction[edit]

Whonix ™.org Site Security

This page talks about Whonix ™ online hosting and (non-existing) testing infrastructure.

File Hosting[edit]

Hosted by mirror, downloadable using TLS.

Bug / Feature Request Tracker[edit]

https://phabricator.whonix.org ^[archive].

(Works much better than github for a project at this scale.)

Testing infrastructure[edit]

CI build environment required.
Automated Test Suite ^[1] required.
whonixcheck

mailman3[edit]

https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/thread/UOVLARM4CGR5OZBURPJO7YHMFYMOKNHE/ ^[archive]

backend[edit]

mediawiki[edit]

mediawiki, codeselect, select code, short / long / recommended / detailed buttons

mediawiki advantages[edit]

community contribution friendly - flagged revisions - usable way to allow anonymous users to edit and to let admins review changes before these go live
sufficient protection from spam
seo - plugins provide good OpenGraph meta tags and meta settings (description, images)
wiki templates
footnotes
expand buttons
footer
mobile view
mediawiki markup text file backups (but are not easily importable)
short and detailed buttons ^[archive] (probably not unique to mediawiki)

mediawiki disadvantages[edit]

does not look that great
- our mediawiki skin "foreground" looks better than usual mediawiki / wikipedia with the huge space wasting sidebar that does not have much useful content related to the wiki page being viewed
- still does not look great (but perhaps another mediawiki skin ^[archive] could solve that)
- the table of contents at the top may not be great? Perhaps a table of contents on the left or right side (???) would be better?
- too much white spaces everywhere
offline documentation not solved - https://forums.whonix.org/t/offline-documentation-discussion ^[archive]
translations not solved
data base is binary (mysql) (requires mysql data base)
- in other words: not flat file
- not easy "transparent" backups
- (Backup using git-mediawiki: https://github.com/WhonixBot/whonix-wiki-backup ^[archive] - that can probably not easily be restored.)
- (XML backup: https://github.com/WhonixBOT/WhonixWikiBackups ^[archive])
- cannot rebuild from clean human readable source files

goals for new website[edit]

flat file
git based?
prose.io (example ^[archive]) compatible?
breadcrumbs navigation?
javascript free?
CMS free?
bootstrap based?

mobile friendly
illustrative images
quick page load times
footer links (legal, imprint)!
seo

short and detailed buttons ^[archive]

discourse forums[edit]

TODO: archival using httrack?

cannot make complete backup - https://meta.discourse.org/t/how-to-backup-and-restore-a-whole-var-discourse-app-folder/152598 ^[archive]
backup restoration failing - https://meta.discourse.org/t/restore-problem-relation-theme-fields-does-not-exist/95500/7 ^[archive]
postgres database bugs - https://meta.discourse.org/t/restore-fails-could-not-create-unique-index/151380/20 ^[archive]
difficult to repair database - https://meta.discourse.org/t/a-basic-discourse-archival-tool/62614 ^[archive]
no archival - https://meta.discourse.org/t/a-basic-discourse-archival-tool/62614 ^[archive]
archival feature request #1 https://meta.discourse.org/t/print-long-topic-to-pdf-redux-again/44639/62 ^[archive]
archival feature request #2 https://meta.discourse.org/t/a-basic-discourse-archival-tool/62614/51 ^[archive]
feature request: Option to use flat/text backing files instead of SQL(Postgres) backend ^[archive]

Security[edit]

See Trust#Trusting_the_Whonix_.E2.84.A2_Website.

DANE TLSA[edit]

test websites:
- mail: https://dane-test.had.dnsops.gov ^[archive]
- web: https://danetools.com/dane ^[archive]
test website working example (mail): https://dane-test.had.dnsops.gov/server/dane_check.cgi?host=freebsd.org ^[archive]
another website working example: https://dane.sys4.de/smtp/go6.si ^[archive]
https://mytechiethoughts.com/linux/implementing-dane-with-certbot-using-lets-encrypt/ ^[archive]
what happen to these screenshots?
- https://www.dnssec-validator.cz/pages/screenshots.html ^[archive]
- https://www.dnssec-validator.cz/images/screenshots/firefox.png ^[archive]
- https://www.dnssec-validator.cz/images/screenshots/ie.png ^[archive]
- https://www.dnssec-validator.cz/images/screenshots/cr.png ^[archive]
- https://www.dnssec-validator.cz/images/settings/config.png ^[archive]
- Firefox saying: Verified by: Let's Encrypt
not yet supported by SSL Labs https://github.com/ssllabs/ssllabs-scan/issues/118 ^[archive]
https://www.internetsociety.org/blog/2013/12/want-to-quickly-create-a-tlsa-record-for-dane-dnssec/ ^[archive]
https://www.cambus.net/creating-tlsa-records/ ^[archive]
letsencrypt vs DANE TLSA?
https://webmasters.stackexchange.com/questions/129712/is-letsencrypt-compatible-with-dane-tlsa ^[archive]
DANE TLSA standalone?
DANE TLSA update required, useful when?
https://github.com/FlippingBinary/lets-encrypt-tlsa ^[archive]
https://forums.whonix.org/t/dane-tlsa-dns-based-authentication-of-named-entities-for-whonix-org/10218 ^[archive]

quote https://mytechiethoughts.com/linux/implementing-dane-with-certbot-using-lets-encrypt/ ^[archive]

The problem with regular Let’s Encrypt certificates
As you know, Let’s Encrypt certificates renew every 90 days. This is not a problem in itself, however, the standard procedure is to generate a new private key with each renewal and, thus, an entirely new public key also. This will necessarily change the hashed key value that would appear in our TLSA record meaning that we would have to remember to update our DNS records on each renewal otherwise the wrong key will be specified and no one will trust our site/server/application! We need to tell Let’s Encrypt to re-use our private key so that the public key hash value does NOT change – that way our DNS record remains valid across certificate renewals.

-> https://github.com/letsencrypt/boulder/issues/1882 ^[archive]

-> https://www.internetsociety.org/blog/2016/01/lets-encrypt-certificates-for-mail-servers-and-dane-part-1-of-2/ ^[archive]

-> https://www.internetsociety.org/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/ ^[archive]

drop-www vs yes-www[edit]

Quote https://docs.gandi.net/en/domain_names/faq/record_types/alias_record.html ^[archive]

An ALIAS record will break DNSSEC on the bare domain (@), because @ A and @ AAAA responses will be missing the RRSIG records, which will break resolution on all resolvers.

Quote https://docs.gandi.net/en/domain_names/faq/dns_records.html ^[archive] (bold added)

A, AAAA, ALIAS (not yet supported with dnssec-enabled domains), CNAME, MX, NS, TXT, WKS, SRV, LOC, SPF, CAA, SSHFP, PTR, DNAME

Quote https://help.heroku.com/NH44MODG/my-root-domain-isn-t-working-what-s-wrong ^[archive]

Cloudflare - Note: Cloudflare use CNAME Flattening. This is the same thing as an ALIAS or ANAME record

https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/ ^[archive]

SEO:

https://seranking.com/blog/www-vs-non-www/ ^[archive]

Hide Server IP[edit]

Separate server/IP for e-mail required since it cannot be hidden by CDN.

Quote https://support.cloudflare.com/hc/en-us/articles/115003687931-Warning-about-exposing-your-origin-IP-address-via-DNS-records ^[archive]

To take advantage of Cloudflare’s performance and security benefits, we recommend you orange-cloud DNS records that handle HTTP traffic, including A, AAAA, and CNAME. However, do not orange-cloud A, AAAA, or CNAME records used to resolve MX records.  For instance, if you have an MX record that points to mail.example.com as your mail server, orange-clouding the A record for mail.example.com will break your mail traffic.

However, there are times when some of your DNS records need to remain grey-clouded. For example:

    A, AAAA, or CNAME records used for mail traffic must not be orange-clouded because email routing won’t pass through Cloudflare's proxy.
    When you have to host multiple services (for example, a website and email) on the same physical server

To mitigate this risk, we recommend that you:

    Host your email service in a server (in-house or external) that is different from your site’s origin server
    Analyze the impact of hosting multiple services on the same origin server in cases when having grey-clouded DNS records can’t be avoided
    Orange-cloud all records that share the same origin IP address as your root domain and can be safely proxied through Cloudflare

Quote https://support.cloudflare.com/hc/en-us/articles/200168876-Email-undeliverable-when-using-Cloudflare ^[archive]

Use separate IP addresses for mail traffic and HTTP/HTTPS traffic. Cloudflare recommends using non-contiguous IPs from different IP ranges.

Compatible with SPF, DKIM and DANE?

https://www.secjuice.com/finding-real-ips-of-origin-servers-behind-cloudflare-or-tor/ ^[archive]

https://blog.0day.rocks/securing-a-web-hidden-service-89d935ba1c1d ^[archive]

pricing when sending through third party server:

Others[edit]

Qubes[edit]

Qubes Documentation using jekyll and markdown

pros:

hosted inside git
editable through git

cons:

without javascript there is no table of contents
without javascript, anchors are broken
ugly table of contents anchors #tocAnchor-1-1-1 (example: https://www.qubes-os.org/doc/split-gpg/#tocAnchor-1-1-1 ^[archive])
unstable table of contents anchors(?)
no wiki templates support?
no footnote support?
web based editing is cumbersome
- previews so not match actual result
- links cannot be tested if those actually work as expected from github editor
- can only edit whole page, not chapter wise
- github editor does not let one use the browsers internal search function and github editor's one is cumbersome