Website Tests / Server Tests
Security is not a checklist. Security is not about making websites show a lot of green and no red at all. Context matters. This is similar to Browser Tests: there are many false positives.
SSL certificate, HSTS, CAA policy, Expect-CT header, DNSSEC, Content Security Policy (CSP), Feature-Policy, MTA-STS, TLS-RPT, DANE, SPF, DKIM, DMARC, Frame Options, XSS Protection and Content Type Options are all nice-sounding and nice-to-have website or server security features.
While website test sites such as hardenize.com are useful tools that help website owners check security features, these tests say little about the security of the server itself. Such tests cannot check whether kernel, operating system and web app upgrades are up to date or neglected, whether SSH is configured for public key authentication only, whether the server is Kicksecure hardened, whether backups are being made, and so forth.
For example, at the time of writing the Microsoft website had no CSP, no DNSSEC and no DANE, and a C rating on securityheaders.com. Does this mean that the Microsoft website gets hacked every year and spreads malicious software uploaded by unauthorized third parties? No.
As elaborated in the CSP chapter, the most comprehensive one on this page, threat models are nuanced, imperfections exist, and efforts are bound by available resources and developer time and limited to reasonable efforts, not security theater. It is also important to put test results into perspective through the Comparison with Others chapter below.
See also Email DANE.
Email DANE (SMTP)
DNS-based Authentication of Named Entities (DANE) is a bridge between DNSSEC and TLS. In one possible scenario, DANE can be used for public key pinning, building on an existing publicly-trusted certificate. In another approach, it can be used to completely bypass the CA ecosystem and establish trust using DNSSEC alone.
Test result for whonix.org: Feature not implemented or disabled. Your server doesn't support this feature.
whonix.org does not offer free or paid e-mail accounts. The extent to which whonix.org uses e-mail:
- Sends e-mails to wiki editors who signed up to be notified about changes.
- Forum e-mail sign-up and notifications.
- Mailing Lists
- Developer accounts.
Even if e-mail security were "perfected", even if the DANE test passed on website tests, DANE should not be relied upon. Better to use end-to-end encryption such as OpenPGP, or even better, codecrypt.
For now it was decided not to implement it due to:
- low adoption
- no support in major browsers
- complex, maintenance demanding setup
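To make the two DANE scenarios described above concrete, here is an added Python example. It is not code from whonix.org, hardenize.com or any mail server; it builds a TLSA record for SMTP on a hypothetical MX host and decides whether a presented certificate satisfies it. The owner name, certificate bytes and SubjectPublicKeyInfo bytes are constructed placeholders; a real verifier would take DNSSEC-validated TLSA records from DNS and the certificate from the live STARTTLS handshake.

```python
import hashlib

# TLSA record fields (RFC 6698; RFC 7672 for SMTP): certificate usage,
# selector and matching type. Two of the four usages map onto the scenarios
# described in the text:
#   usage 1 (PKIX-EE): pins the end-entity certificate but still requires it
#            to chain to a trusted CA, i.e. pinning on top of a public cert.
#   usage 3 (DANE-EE): the pin alone establishes trust; no CA is consulted.
USAGE_PKIX_EE = 1
USAGE_DANE_EE = 3
SELECTOR_FULL_CERT = 0   # associate the whole DER certificate
SELECTOR_SPKI = 1        # associate only the SubjectPublicKeyInfo (survives renewal)
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed placeholder bytes standing in for a DER certificate and its SPKI.
SAMPLE_CERT_DER = b"\x30\x82\x02\x10constructed-certificate-der-for-this-example"
SAMPLE_SPKI_DER = b"\x30\x59\x30\x13constructed-subjectpublickeyinfo-for-this-example"
# Hypothetical owner name for a TLSA record covering SMTP (port 25) on an MX host.
SAMPLE_OWNER = "_25._tcp.mail.example.com."


def tlsa_data(selector, matching_type, cert_der, spki_der):
    """Compute the 'certificate association data' field of a TLSA record."""
    subject = {SELECTOR_FULL_CERT: cert_der, SELECTOR_SPKI: spki_der}[selector]
    if matching_type == MATCH_EXACT:
        return subject.hex()
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(subject).hexdigest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(subject).hexdigest()
    raise ValueError("unknown matching type %r" % matching_type)


def make_tlsa(usage, selector, matching_type, cert_der, spki_der):
    """Return a TLSA record as a (usage, selector, matching_type, data) tuple."""
    return (usage, selector, matching_type,
            tlsa_data(selector, matching_type, cert_der, spki_der))


def format_tlsa(owner, record):
    """Render the record in zone-file syntax."""
    usage, selector, mtype, data = record
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, mtype, data)


def dane_verify(records, dnssec_secure, cert_der, spki_der, pkix_valid):
    """Decide whether a presented certificate is acceptable under DANE.

    records:       TLSA records looked up for the server's _port._tcp name
    dnssec_secure: True only if that lookup was DNSSEC-validated
    pkix_valid:    result of ordinary CA-chain validation of the certificate

    Returns True (accept), False (reject), or None (DANE not usable: fall
    back to whatever applies without it, e.g. opportunistic TLS).
    """
    # RFC 7672: TLSA records that are not DNSSEC-validated must be ignored,
    # otherwise a forged DNS answer could pin an attacker's key.
    if not dnssec_secure or not records:
        return None
    for usage, selector, mtype, data in records:
        if usage not in (USAGE_PKIX_EE, USAGE_DANE_EE):
            continue  # usages 0/2 constrain the CA chain; not modelled here
        if data != tlsa_data(selector, mtype, cert_der, spki_der):
            continue  # this record does not match the presented certificate
        if usage == USAGE_DANE_EE:
            return True          # a matching pin is sufficient on its own
        if pkix_valid:
            return True          # PKIX-EE: pin matched AND chain is trusted
    return False  # secure records exist but none accepts this certificate


if __name__ == "__main__":
    rec = make_tlsa(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256,
                    SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print(format_tlsa(SAMPLE_OWNER, rec))
    print(dane_verify([rec], True, SAMPLE_CERT_DER, SAMPLE_SPKI_DER, pkix_valid=False))
```

The important branch is the `dnssec_secure` check: DANE adds nothing over plain TLS if the TLSA lookup is not itself validated, which is why the page's DNSSEC and DANE results are read together.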
Content Security Policy (CSP)
So what is a CSP? CSP stands for Content Security Policy. "Something about server security." More details below. The following quote from OWASP [archive] sounds accurate but is too abstract to make head or tail of:
Is a W3C specification offering the possibility to instruct the client browser from which location and/or which type of resources are allowed to be loaded. To define a loading behavior, the CSP specification uses a "directive", where a directive defines a loading behavior for a target resource type. Directives can be specified using an HTTP response header (a server may send more than one CSP HTTP header field with a given resource representation, and a server may send different CSP header field values with different representations of the same resource or with different resources) or an HTML meta tag; the HTTP headers below are defined by the specs:
You see how nuanced the threat model is: a faulty or compromised webapp being contained. Wouldn't it be better to avoid a faulty or compromised web app to begin with? Of course.
A good use case for a CSP is webmail, i.e. reading e-mail in the browser. For better security and privacy, no content should be loaded from third-party websites, i.e. from websites other than the e-mail provider. However, it is even better to avoid webmail entirely, as recommended, and use an e-mail client with HTML and scripts disabled (text-only mail). Again: either rely on the server to implement a CSP, or use a local e-mail client with plaintext only. The latter is much better.
Forum discussion: Content-Security-Policy now deployed on Whonix websites [archive]
whonix.org has an essential CSP. It is useful for the whonix.org onion domain to avoid loading resources from the whonix.org clearnet domain and thereby avoid browser mixed content warnings. It helps avoid clearnet connections for visitors who prefer the onion version of the Whonix ™ website, because modern webapps are not designed to be used on multiple domain names with the same database backend and/or with onion domains generally.
whonix.org however does not yet have a CSP without 'unsafe-inline' and 'unsafe-eval' for all webapps. Header tests therefore warn:
- This policy contains 'unsafe-inline' which is dangerous in the script-src directive.
- This policy contains 'unsafe-eval' which is dangerous in the script-src directive.
- This policy contains 'unsafe-inline' which is dangerous in the style-src directive.
Users who have NoScript in their browser enabled are unaffected.
Users are advised to use secure browsers, compartmentalize browsing in different virtual machines (VMs), harden their operating system (Kicksecure) and use NoScript, rather than relying on websites to deploy CSP. Widespread, perfect deployment of CSP will probably not happen anytime soon. Kicksecure and Whonix are real efforts for security and privacy. Resources and developer time are limited. Efforts spent on CSP are limited to reasonable efforts, not security theater.
Adding additional policies can only further restrict the capabilities of the protected resource
Compression test. Not security relevant; performance only. The following checks whether the onion site serves gzip-compressed responses:
torsocks curl -H "Accept-Encoding: gzip" --head http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Documentation
Comparison with Others
Before demanding what the whonix.org website ought to implement, and might not yet do due to lack of resources, please compare with much better funded organizations for a fair comparison:
- Microsoft, a multi-billion dollar company, hardenize.com [archive]
- Microsoft, a multi-billion dollar company, securityheaders.com [archive]
- The Tor Project, hardenize.com [archive]
- Wikipedia, securityheaders.com [archive]
- mediawiki.org, securityheaders.com [archive]
- Discourse, securityheaders.com [archive]
- Privacy on the Whonix ™ Website
- Trusting the Whonix ™ Website
- Distrusting Infrastructure
- Certifiably "F"ine [archive]
The CSP is actually a recommendation to the browser. However, writing the following would be confusing:
"For example, the CSP as enforced by the web server software can recommend that the browser not load content from external websites, and the browser would honor this advice."
$wgCSPHeader [archive] is enabled.
It is not compatible with $wgUseFileCache.
Wiki users who are not logged in have one CSP, the essential CSP (set by nginx), except for visitors of pages that are not yet cached.
Wiki users who are logged in have two CSPs: the essential CSP and, on top of it, the CSP generated by the MediaWiki $wgCSPHeader setting.
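To make the earlier points concrete (the three warnings about 'unsafe-inline' and 'unsafe-eval', the rule that additional policies can only further restrict, and the two-CSP situation for logged-in wiki users), here is an added Python example. It is not code from the whonix.org server, nginx or MediaWiki. It parses a CSP header value, reports the same class of findings a header scanner would, and evaluates a resource load under one or several policies. The two policy strings and the page origin are constructed for the example and are not the real whonix.org policies; the source-expression matcher is simplified (no nonces, hashes, ports or path matching).

```python
from urllib.parse import urlsplit

# Constructed example policies (not the real whonix.org headers): a permissive
# "essential" policy of the kind a web server might send with every response,
# and a stricter policy a webapp (e.g. MediaWiki's $wgCSPHeader) might add.
ESSENTIAL_CSP = ("default-src 'self'; "
                 "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                 "style-src 'self' 'unsafe-inline'; "
                 "img-src 'self' data:")
WEBAPP_CSP = "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:"
PAGE_ORIGIN = "https://www.example.org"   # hypothetical origin of the protected page


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}.

    Directives are separated by ';', sources by whitespace. If a directive is
    repeated, the first occurrence wins and later ones are ignored (per spec).
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources for a fetch directive, falling back to default-src if absent."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")   # None means: no restriction at all


def unsafe_findings(policy):
    """Flag the keywords header scanners warn about in script-src/style-src."""
    findings = []
    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive) or []
        for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
            if keyword in sources:
                findings.append("This policy contains %s which is dangerous in "
                                "the %s directive." % (keyword, directive))
    return findings


def source_matches(source, url, page_origin):
    """Simplified CSP source-expression matching for one URL."""
    parts = urlsplit(url)
    origin = "%s://%s" % (parts.scheme, parts.netloc)
    host = parts.hostname or ""
    if source == "'self'":
        return origin == page_origin
    if source.startswith("'"):
        return False          # 'none', 'unsafe-*', nonces, hashes: match no URL
    if source == "*":
        return parts.scheme in ("http", "https", "ws", "wss")
    if source.endswith(":"):
        return parts.scheme == source[:-1]      # scheme-source such as data:
    scheme, _, host_expr = source.rpartition("://")
    if scheme and scheme != parts.scheme:
        return False
    if host_expr.startswith("*."):
        return host.endswith(host_expr[1:])     # wildcard subdomain
    return host == host_expr


def allows(policy, directive, url, page_origin=PAGE_ORIGIN):
    """Would this single policy let the page load `url` for `directive`?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def allows_inline(policy, directive):
    """Is inline script/style permitted? (nonce/hash allowances not modelled)"""
    return "'unsafe-inline'" in (effective_sources(policy, directive) or [])


def allowed_by_all(policies, directive, url, page_origin=PAGE_ORIGIN):
    """Several CSPs apply at once: a load must be permitted by every one of
    them, so adding a policy can only restrict, never loosen, the result."""
    return all(allows(p, directive, url, page_origin) for p in policies)


def inline_allowed_by_all(policies, directive):
    return all(allows_inline(p, directive) for p in policies)
```

Run against the two constructed policies, the permissive one yields exactly the three warnings listed above, while the pair together behaves like the stricter one: a same-origin script is allowed by both, but inline script is refused because the webapp policy does not carry 'unsafe-inline'. That is the practical meaning of the logged-in wiki user having two CSPs.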
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)