Current Situation[edit]

Introduction[edit]

Whonix ™.org Site Security

This page talks about Whonix ™ online hosting and (non-existing) testing infrastructure.

File Hosting[edit]

Hosted by mirror, downloadable using TLS.

Bug / Feature Request Tracker[edit]

https://phabricator.whonix.org ^[archive].

(Works much better than github for a project at this scale.)

Testing infrastructure[edit]

• CI build environment required.
• Automated Test Suite ^[1] required.
• whonixcheck

mailman3[edit]

• https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/thread/UOVLARM4CGR5OZBURPJO7YHMFYMOKNHE/ ^[archive]

backend[edit]

mediawiki[edit]

• mediawiki, codeselect, select code, short / long / recommended / detailed buttons

mediawiki advantages[edit]

• community contribution friendly - flagged revisions - usable way to allow anonymous users to edit and to let admins review changes before these go live
• sufficient protection from spam
• seo - plugins provide good OpenGraph meta tags and meta settings (description, images)
• wiki templates
• footnotes
• expand buttons
• footer
• mobile view
• mediawiki markup text file backups (but are not easily importable)
• short and detailed buttons ^[archive] (probably not unique to mediawiki)

mediawiki disadvantages[edit]

• does not look that great
  • our mediawiki skin "foreground" looks better than usual mediawiki / wikipedia with the huge space wasting sidebar that does not have much useful content related to the wiki page being viewed
  • still does not look great (but perhaps another mediawiki skin ^[archive] could solve that)
  • the table of contents at the top may not be great? Perhaps a table of contents on the left or right side (???) would be better?
  • too much white spaces everywhere
• offline documentation not solved - https://forums.whonix.org/t/offline-documentation-discussion ^[archive]
• translations not solved
• data base is binary (mysql) (requires mysql data base)
  • in other words: not flat file
  • not easy "transparent" backups
  • (Backup using git-mediawiki: https://github.com/WhonixBot/whonix-wiki-backup ^[archive] - that can probably not easily be restored.)
  • (XML backup: https://github.com/WhonixBOT/WhonixWikiBackups ^[archive])
  • cannot rebuild from clean human readable source files

goals for new website[edit]

• flat file
• git based?
• prose.io (example ^[archive]) compatible?
• breadcrumbs navigation?
• javascript free?
• CMS free?
• bootstrap based?

• mobile friendly
• illustrative images
• quick page load times
• footer links (legal, imprint)!
• seo

• short and detailed buttons ^[archive]

discourse forums[edit]

TODO: archival using httrack?

• cannot make complete backup - https://meta.discourse.org/t/how-to-backup-and-restore-a-whole-var-discourse-app-folder/152598 ^[archive]
• backup restoration failing - https://meta.discourse.org/t/restore-problem-relation-theme-fields-does-not-exist/95500/7 ^[archive]
• postgres database bugs - https://meta.discourse.org/t/restore-fails-could-not-create-unique-index/151380/20 ^[archive]
• difficult to repair database - https://meta.discourse.org/t/a-basic-discourse-archival-tool/62614 ^[archive]
• no archival - https://meta.discourse.org/t/a-basic-discourse-archival-tool/62614 ^[archive]
• archival feature request #1 https://meta.discourse.org/t/print-long-topic-to-pdf-redux-again/44639/62 ^[archive]
• archival feature request #2 https://meta.discourse.org/t/a-basic-discourse-archival-tool/62614/51 ^[archive]
• feature request: Option to use flat/text backing files instead of SQL(Postgres) backend ^[archive]

Security[edit]

See Trust#Trusting_the_Whonix_.E2.84.A2_Website.

DANE TLSA[edit]

• TODO
• test website: https://dane-test.had.dnsops.gov ^[archive]
• test website working example: https://dane-test.had.dnsops.gov/server/dane_check.cgi?host=freebsd.org ^[archive]
• another website working example: https://dane.sys4.de/smtp/go6.si ^[archive]
• https://mytechiethoughts.com/linux/implementing-dane-with-certbot-using-lets-encrypt/ ^[archive]
• what happen to these screenshots?
  • https://www.dnssec-validator.cz/pages/screenshots.html ^[archive]
  • https://www.dnssec-validator.cz/images/screenshots/firefox.png ^[archive]
  • https://www.dnssec-validator.cz/images/screenshots/ie.png ^[archive]
  • https://www.dnssec-validator.cz/images/screenshots/cr.png ^[archive]
  • https://www.dnssec-validator.cz/images/settings/config.png ^[archive]
  • Firefox saying: Verified by: Let's Encrypt
• not yet supported by SSL Labs https://github.com/ssllabs/ssllabs-scan/issues/118 ^[archive]
• https://www.internetsociety.org/blog/2013/12/want-to-quickly-create-a-tlsa-record-for-dane-dnssec/ ^[archive]
• https://www.cambus.net/creating-tlsa-records/ ^[archive]
• letsencrypt vs DANE TLSA?
• https://webmasters.stackexchange.com/questions/129712/is-letsencrypt-compatible-with-dane-tlsa ^[archive]
• DANE TLSA standalone?
• DANE TLSA update required, useful when?
• https://github.com/FlippingBinary/lets-encrypt-tlsa ^[archive]

quote https://mytechiethoughts.com/linux/implementing-dane-with-certbot-using-lets-encrypt/ ^[archive]

The problem with regular Let’s Encrypt certificates

As you know, Let’s Encrypt certificates renew every 90 days. This is not a problem in itself, however, the standard procedure is to generate a new private key with each renewal and, thus, an entirely new public key also. This will necessarily change the hashed key value that would appear in our TLSA record meaning that we would have to remember to update our DNS records on each renewal otherwise the wrong key will be specified and no one will trust our site/server/application! We need to tell Let’s Encrypt to re-use our private key so that the public key hash value does NOT change – that way our DNS record remains valid across certificate renewals.

-> https://github.com/letsencrypt/boulder/issues/1882 ^[archive]

-> https://www.internetsociety.org/blog/2016/01/lets-encrypt-certificates-for-mail-servers-and-dane-part-1-of-2/ ^[archive]

-> https://www.internetsociety.org/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/ ^[archive]

• https://dane.sys4.de/common_mistakes ^[archive]
• https://wiki.archlinux.org/index.php/DANE ^[archive]
• https://github.com/FlippingBinary/lets-encrypt-tlsa ^[archive]
• https://web.archive.org/web/20200310053046/https://moxie.org/blog/ssl-and-the-future-of-authenticity/ ^[archive]

See Also[edit]

• mediawiki, codeselect, select code, short / long / recommended / detailed buttons
• Web Backend, CMS vs non-CMS, vs github-pages, etc.

Footnotes[edit]

• Deprecated#Infrastructure

---

---

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier

---

Follow:

Donate:

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat applies.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee ^[archive] of the Open Invention Network ^[archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian ^[archive]. Debian is a registered trademark ^[archive] owned by Software in the Public Interest, Inc ^[archive].

Whonix ™ is produced independently from the Tor® ^[archive] anonymity software and carries no guarantee from The Tor Project ^[archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.