mirror of https://github.com/PrivSec-dev/privsec.dev synced 2025-02-20 18:31:35 -05:00

Merge branch 'PrivSec-dev:main' into wingedhorse

This commit is contained in:
Raja Grewal 2023-08-20 03:47:30 +00:00 committed by GitHub
commit abf9e41194
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 171 additions and 17 deletions

View File

@ -0,0 +1,94 @@
---
title: "Setting up MTA-STS with a custom domain on Proton Mail"
date: 2023-07-13T10:00:00Z
tags: ['Knowledge base', 'Security']
author: Wonderfall
canonicalURL: https://wonderfall.dev/mta-sts/
ShowCanonicalLink: true
---
To this date, [Proton Mail doesn't support MTA-STS for custom domains](https://old.reddit.com/r/ProtonMail/comments/y6q6g8/mtasts_for_custom_domains/). While DANE for SMTP is a much better solution to the same problem, MTA-STS exists for a reason: many providers are slow at adopting DNSSEC. DNSSEC is essential to enabling standards such as DANE or SSHFP. Notably, [Gmail still does not support DANE](https://www.hardenize.com/report/gmail.com/1689164394#email_dane) but has supported MTA-STS for years.
Therefore, MTA-STS and DANE can complement each other, and you should ideally deploy both.
## Why bother? A tale of DANE...
Mail security is challenging and complex, and humanity might never get it right. Unfortunately, we still rely on this ancient technology for nearly everything. Attempts to make SMTP more resilient and secure have been made in the past, including opportunistic transport encryption (STARTTLS). One tricky issue is that implementing TLS alone in this case does not prevent man-in-the-middle or various downgrade attacks (such as STRIPTLS) from happening.
**DANE for SMTP** ([RFC 7672](https://datatracker.ietf.org/doc/html/rfc7672)) is an elegant solution to address these issues. DANE relies on **DNSSEC** to protect **TLSA records** of the same DNS zone as the SMTP server. TLSA records indicate that TLS should be enforced for inbound mail, and basically contain information about the public keys that are allowed to be used. Let's briefly dig *(no pun intended)* into how Proton implements this:
```
$ dig +noall +answer mx protonmail.com
protonmail.com. 1138 IN MX 10 mailsec.protonmail.ch.
protonmail.com. 1138 IN MX 5 mail.protonmail.ch
```
```
$ dig +noall +answer tlsa _25._tcp.mail.protonmail.ch
_25._tcp.mail.protonmail.ch. 915 IN TLSA 3 1 1 6111A5698D23C89E09C36FF833C1487EDC1B0C841F87C49DAE8F7A09 E11E979E
_25._tcp.mail.protonmail.ch. 915 IN TLSA 3 1 1 76BB66711DA416433CA890A5B2E5A0533C6006478F7D10A4469A947A CC8399E1
```
I will skip the details since this post is not about how DANE works, but as you can see the TLSA records can be easily retrieved and we can verify those. Tools like [Hardenize](https://www.hardenize.com/) may help you in investigating which providers have DANE.
## MTA-STS to the rescue
Despite being a years-old standard, DANE for SMTP is not widely adopted. **MTA-STS** ([RFC 8461](https://datatracker.ietf.org/doc/html/rfc8461)) is an alternative solution which aims to prevent the same security issues, whilst not relying on DNSSEC. When MTA-STS is enabled, it effectively indicates to SMTP servers that TLS (1.2 or higher) should be used with valid certificates.
In order to do that, MTA-STS relies on a **HTTPS web server** (and thus the WebPKI) to publish the policy at a specific subdomain (`mta-sts`) and address (`/.well-known/mta-sts.txt`). A **DNS TXT record** will also be needed to signal that a MTA-STS policy is available for the domain. Let's see how Proton implements that.
If we navigate to https://mta-sts.protonmail.com/.well-known/mta-sts.txt, we will indeed find the MTA-STS policy published by Proton:
```txt
version: STSv1
mode: enforce
mx: mail.protonmail.ch
mx: mailsec.protonmail.ch
max_age: 604800
```
The DNS "discovery" record should be defined at the `_mta-sts` subdomain:
```
$ dig +noall +answer txt _mta-sts.protonmail.com
_mta-sts.protonmail.com. 1114 IN CNAME _mta-sts.protonmail.ch.
_mta-sts.protonmail.ch. 1114 IN TXT "v=STSv1; id=190906205100Z;"
```
Everything is there as expected.
## Enable MTA-STS for custom domains
The challenge is that Proton does not offer an easy way to host a policy for custom domains. They could eventually offer this in the future, and I expect them to. In the meantime, we can enable MTA-STS ourselves as it should be somewhat straightforward.
The main challenging part is really to find a way to host the policy. It's just a text file after all, so there are many ways to do that without going through the hassle of self-hosting a web server. [GitHub Pages](https://pages.github.com/) and [Netlify](https://www.netlify.com/) have free offerings to host static websites, and they should be enough to meet our needs here. I will use Netlify since you can host multiple websites with the same account; the only drawback is that you have a 100GB bandwidth limit per month, but it should be more than enough for a simple text file.
First, you will need to create a GitHub repository - public or private, it doesn't matter. Then, you should push a directory named `.well-known` which contains a `mta-sts.txt` file. The latter will be our policy, and you may simply copy the policy from Proton:
```txt
version: STSv1
mode: enforce
mx: mail.protonmail.ch
mx: mailsec.protonmail.ch
max_age: 604800
```
> If you're really not sure about what you're doing, setting `mode: testing` might be a conservative approach to avoid breaking things (a report will be sent if you've configured TLS-RPT, more on that later). You may also consider decreasing or increasing `max_age` which corresponds to a time in seconds, and 604800 for instance means that the policy will be cached for one week.
Then, head to your Netlify account, add a new site, register your GitHub repository and voilà. Once it's done and that you can access your policy through your `netlify.app` address, it's a matter of publishing a few DNS records:
- An `A` record for your Netlify-hosted policy. If your domain name from which you intend to send and receive mails is `@domain.tld` then you should make this `A` record for `mta-sts.domain.tld`. Netlify will tell you to use a CNAME record but I personnally caution against using CNAME to third parties in general. They have a universal load balancer IPv4 [you can use](https://docs.netlify.com/domains-https/custom-domains/configure-external-dns/), so you should use that.
- A `TXT` record for MTA-STS discovery. The content should resemble to the following: `"v=STSv1; id=2023071200"`. `v=STSv1` declares the policy version, and `id=` is really just a random number you should increment to signal whenever your MTA-STS policy has been changed. If you're out of ideas you can use the Unix epoch time, or the YMD format followed by two numbers reserved for iterations (just like I do).
- An *optional* `TXT` record for TLS-RPT so that the sending mail server will receive reports about successful and failed attempts at applying the MTA-STS policy. Since these reports can be very useful, I highly recommend you configure TLS-RPT. To do that, add the following TXT record to the `_smtp._tls` subdomain: `"v=TLSRPTv1; rua=mailto:reports@domain.tld"` where `rua=` should point to the mail address where you want to receive reports.
> **Security tip :** since `mta-sts` is a subdomain with an A record, I strongly recommend defining a "reject all" SPF policy and a null MX record ([RFC 7505](https://www.rfc-editor.org/rfc/rfc7505)) for that subdomain. That is because even when an MX record does not exist, [A records can be used as a fallback](https://www.rfc-editor.org/rfc/rfc5321#section-5).
Wait a bit for the DNS propagation to take place, then verify with [Hardenize](https://www.hardenize.com/) that MTA-STS is enabled.
## Conclusion
MTA-STS is far from perfect and suffers from multiple flaws in my opinion: it relies on **certificate authorities** (CA), and is inherently a ***trust on first use*** security policy akin to HSTS for HTTPS (the DNSSEC infrastructure is already trusted in the case of DANE). I also believe that MTA-STS is more tedious to deploy compared to the simplicity and robustness of DANE, DNSSEC deployment quirks aside.
Nonetheless, I hope this article will prove somewhat useful to Proton Mail users who wish to use MTA-STS with their custom domains.
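Review bot: the policy block the reader is told to copy starts straight in `mode: enforce`, while `mode: testing` is only mentioned in the quoted tip below it; lead the procedure with `mode: testing` plus the TLS-RPT record and switch to `enforce` once reports confirm senders fetch the policy, which is the order the article's own tip implies. The step list also never says that `mta-sts.domain.tld` must answer over HTTPS with a valid certificate even though the "MTA-STS to the rescue" section states the mechanism relies on an HTTPS server and the WebPKI; add a step to enable Netlify's certificate for the custom domain and check that `https://mta-sts.domain.tld/.well-known/mta-sts.txt` returns the file as `text/plain` before publishing the `_mta-sts` TXT record. Minor text issues: `personnally` in the A-record bullet, `should resemble to the following` (drop `to`), a stray space in `Security tip :`, and the MX answer for `protonmail.com` shows `mail.protonmail.ch` without the trailing dot that the other answer has, which looks like a transcription slip.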

View File

@ -176,6 +176,22 @@ Another option is [Kata Containers](https://katacontainers.io/) which masquerade
![opensuse-computer.jpg](/images/opensuse-computer.jpg) ![opensuse-computer.jpg](/images/opensuse-computer.jpg)
### Ubuntu Pro
If you are using Ubuntu LTS, consider subscribing to [Ubuntu Pro](https://ubuntu.com/pro). Canonical currently allows up to 5 machines with the free subscription.
With Ubuntu Pro, you gain access to the [The Ubuntu Security Guide]([https://discourse.ubuntu.com/t/ubuntu-advantage-client/21788](https://ubuntu.com/security/certifications/docs/usg)), which allows for easy application of the CIS OpenSCAP profile:
```bash
sudo ua enable usg
sudo apt install -y usg
sudo usg fix cis_level2_workstation
```
You will also gain access to the [Canonical Livepatch Service](https://ubuntu.com/security/livepatch), which provides livepatching for [certain kernel variants](https://ubuntu.com/security/livepatch/docs/livepatch/reference/kernels). Note that the [Hardware Enablement (HWE)](https://ubuntu.com/kernel/lifecycle) kernel is not supported.
While livepatching is less than ideal and I still recommend regularly rebooting your computer, it is quite nice to have.
### Umask 077 ### Umask 077
On distributions besides openSUSE, consider changing the default [umask](https://wiki.archlinux.org/title/Umask) for both root and regular users to `077` (symbolically, `u=rwx,g=,o=`). _On openSUSE, a umask of 077 can break snapper and is thus not recommended._ On distributions besides openSUSE, consider changing the default [umask](https://wiki.archlinux.org/title/Umask) for both root and regular users to `077` (symbolically, `u=rwx,g=,o=`). _On openSUSE, a umask of 077 can break snapper and is thus not recommended._
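Review bot: the link in the Ubuntu Security Guide sentence is malformed: `[The Ubuntu Security Guide]([https://discourse.ubuntu.com/t/ubuntu-advantage-client/21788](https://ubuntu.com/security/certifications/docs/usg))` nests one Markdown link inside another's target and will not render; keep a single target, presumably `[Ubuntu Security Guide](https://ubuntu.com/security/certifications/docs/usg)`, which also removes the doubled `the [The`. In the command block, `sudo usg fix cis_level2_workstation` rewrites system configuration immediately; consider showing `sudo usg audit cis_level2_workstation` first so readers can inspect the report before applying the profile.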
@ -388,6 +404,15 @@ If decide on using NTS with chronyd, consider using multiple, independent time p
GrapheneOS uses a [quite nice chrony configuration](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf) for their infrastructure. I recommend that you replicate their `chrony.conf` on your system. GrapheneOS uses a [quite nice chrony configuration](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf) for their infrastructure. I recommend that you replicate their `chrony.conf` on your system.
Next, enable the secommp filter for chronyd. On Fedora and Arch Linux, you will need to edit Chrony's environment file in `/etc/sysconfig/chronyd`:
```
# Command-line options for chronyd
OPTIONS="-F 1"
```
On Ubuntu and Debian, the environment file is `/etc/default/chrony`, and the seccomp filter should already be enabled by default.
![Verifying NTS configuration](/images/nts.png) ![Verifying NTS configuration](/images/nts.png)
### Pluggable Authentication Modules (PAM) ### Pluggable Authentication Modules (PAM)
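Review bot: `secommp` should read `seccomp`. The snippet sets `OPTIONS="-F 1"` without saying what it does; add that `-F 1` is chronyd's seccomp filter level and that the filter kills chronyd if it blocks a syscall the daemon needs, so readers should confirm the service still starts afterwards (for example with `systemctl status chronyd`) before relying on it.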

View File

@ -75,13 +75,13 @@ Use the following as your [Content Security Policy](https://developer.mozilla.or
#### If you use Gravatar with SOGo #### If you use Gravatar with SOGo
``` ```
add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com https://www.gravatar.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'"; add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com https://www.gravatar.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'";
``` ```
#### If you do not use Gravatar with SOGo #### If you do not use Gravatar with SOGo
``` ```
add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'"; add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'";
``` ```
### Cross-Origin Resource, Opener, and Embedder Policies ### Cross-Origin Resource, Opener, and Embedder Policies
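Review bot: adding `upgrade-insecure-requests` beside `block-all-mixed-content` leaves a redundant directive, since `upgrade-insecure-requests` supersedes the deprecated `block-all-mixed-content`; either drop the latter or add a sentence saying it is kept only for older browsers. Not introduced by this hunk but on the same lines, `script-src 'self' 'unsafe-inline'` is the directive that most limits this policy's value against XSS, so the surrounding text should say why SOGo still requires it.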

View File

@ -103,6 +103,9 @@ server ptbtime1.ptb.de iburst nts
minsources 2 minsources 2
authselectmode require authselectmode require
# EF
dscp 46
driftfile /var/lib/chrony/drift driftfile /var/lib/chrony/drift
ntsdumpdir /var/lib/chrony ntsdumpdir /var/lib/chrony
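Review bot: the new `# EF` comment is too terse to explain `dscp 46`; spell it out as `# Mark NTP packets DSCP 46 (Expedited Forwarding)` so readers understand this is a QoS marking rather than a security setting, and mention in the explanations list that it only has an effect where the local network honours DSCP.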
@ -117,7 +120,14 @@ cmdport 0
allow 10.0.2.2/32 allow 10.0.2.2/32
``` ```
If you are confused about what this configuration is doing, here are some quick explanations: Optionally, you can enable the secommp filter for chronyd in `/etc/sysconfig/chronyd`:
```
# Command-line options for chronyd
OPTIONS="-F 1"
```
If you are confused about what these configurations are doing, here are some quick explanations:
* We get our time from 4 different sources: * We get our time from 4 different sources:
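Review bot: `secommp` should read `seccomp`, the same typo as in the desktop hardening page. The intro sentence was changed from `this configuration` to `these configurations` to cover the new `OPTIONS="-F 1"` snippet, so the explanations list should gain a bullet stating that `-F 1` enables chronyd's seccomp filter; otherwise keep the singular.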
@ -174,7 +184,7 @@ Now, we can use our NTP server as the time server for your macOS. Set the time s
Verify that NTP works on your macOS host: Verify that NTP works on your macOS host:
``` ```bash
sntp 127.0.0.1 sntp 127.0.0.1
``` ```
@ -182,6 +192,22 @@ sntp 127.0.0.1
Once you have verified that everything is working, you can optionally remove the port `22/TCP` forwarding since we will no longer need it. Once you have verified that everything is working, you can optionally remove the port `22/TCP` forwarding since we will no longer need it.
## Create a Synchronization Cron Job
macOS synchronizes time with the NTP server around once every 20 minutes. This can cause the clock to be out of sync for quite awhile when the computer wakes up from sleep, as the NTP server may not have its time corrected by the time macOS makes the first synchronization request.
To work around this, create a cron job to have macOS synchronize time every minute as `root`:
```bash
sudo crontab -e
```
Add the following:
```
* * * * * /usr/bin/sntp -Ss 127.0.0.1
```
## Automatically start the NTP server at boot ## Automatically start the NTP server at boot
Finally, follow the [official documentation](https://docs.getutm.app/advanced/remote-control/) to automatically start the virtual machine at boot. Finally, follow the [official documentation](https://docs.getutm.app/advanced/remote-control/) to automatically start the virtual machine at boot.
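Review bot: `quite awhile` should read `quite a while`. The cron line `* * * * * /usr/bin/sntp -Ss 127.0.0.1` runs as root every minute with no explanation of the flags; state what `-Ss` does and whether it can step the clock, so readers can judge whether a once-a-minute adjustment is appropriate for their workload. Since the motivation is the wake-from-sleep gap, say that the first run after wake is what closes it rather than the per-minute cadence itself.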

View File

@ -7,11 +7,9 @@ PrivSec.dev as a project does not collect any personal information. We do not tr
## Hosting Provider ## Hosting Provider
We use Google Domains and Google DNS. We host our website on Netlify. We do not use Netlify assets optimization, so nothing is hosted on CloudFront. We use Cloudflare for domain registration, DNS, and web hosting. We use Netlify for website previews. We do not use Netlify assets optimization, so nothing is hosted on CloudFront.
Netlify does store your IP address and access logs for less than 30 days. Please check out [this link](https://www.netlify.com/gdpr-ccpa/) for their policy regarding this. Their general privacy policy can be found [here](https://www.netlify.com/gdpr-ccpa/). We do not have access to your IP addresses or activity logs. Cloudflare does keep logs of your website visits in accordance with their [privacy policy](https://www.cloudflare.com/privacypolicy/).
We use [Netlify Analytics](https://www.netlify.com/products/analytics/) to analyze the access logs stored by Netlify. This information is not shared with any third parties.
## Software ## Software
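Review bot: the rewritten hosting paragraph still says `We use Netlify for website previews`, but the sentence about Netlify storing IP addresses and access logs for under 30 days was deleted along with the Analytics paragraph; visitors to deploy-preview URLs still reach Netlify, so either keep a short Netlify log-retention sentence scoped to previews or state that previews are not public. `We do not have access to your IP addresses or activity logs` also reads oddly next to the Cloudflare sentence that follows; clarify that it is the project, not Cloudflare, that lacks access.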

View File

@ -3,7 +3,7 @@
#Docker and OCI Hardening #Docker and OCI Hardening
echo "Fetching and Modifying the Docker and OCI Hardening post" echo "Fetching and Modifying the Docker and OCI Hardening post"
rm -rf './content/posts/linux/Docker and OCI Hardening.md' rm -rf './content/posts/linux/Docker and OCI Hardening.md'
curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/docker-hardening.md -o './content/posts/linux/Docker and OCI Hardening.md' curl https://raw.githubusercontent.com/Wonderfall/wonderfall.dev/main/content/posts/docker-hardening.md -o './content/posts/linux/Docker and OCI Hardening.md'
sed -i 's/title:.*/title: "Docker and OCI Hardening"/' './content/posts/linux/Docker and OCI Hardening.md' sed -i 's/title:.*/title: "Docker and OCI Hardening"/' './content/posts/linux/Docker and OCI Hardening.md'
sed -i '/draft:.*/d' './content/posts/linux/Docker and OCI Hardening.md' sed -i '/draft:.*/d' './content/posts/linux/Docker and OCI Hardening.md'
sed -i "s/tags:.*/tags: ['Applications', 'Linux', 'Containers', 'Security']/" './content/posts/linux/Docker and OCI Hardening.md' sed -i "s/tags:.*/tags: ['Applications', 'Linux', 'Containers', 'Security']/" './content/posts/linux/Docker and OCI Hardening.md'
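Review bot: `curl https://... -o '...'` has no `--fail`, so a 404 or moved page writes an HTML error body into the post file and the `sed` calls that follow silently rewrite that; use `curl -fsSL` so curl exits non-zero on a bad fetch. `rm -rf` on a single file is also more than needed; `rm -f` avoids deleting a directory if the path is ever mistyped.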
@ -14,7 +14,7 @@ sed -i '/^tags:.*/a author: Wonderfall' './content/posts/linux/Docker and OCI Ha
#Securing OpenSSH with FIDO2 #Securing OpenSSH with FIDO2
echo "Fetching and Modifying the OpenSSH with FIDO2 Hardening post" echo "Fetching and Modifying the OpenSSH with FIDO2 Hardening post"
rm -rf './content/posts/linux/Securing OpenSSH with FIDO2.md' rm -rf './content/posts/linux/Securing OpenSSH with FIDO2.md'
curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/openssh-fido2.md -o './content/posts/linux/Securing OpenSSH with FIDO2.md' curl https://raw.githubusercontent.com/Wonderfall/wonderfall.dev/main/content/posts/openssh-fido2.md -o './content/posts/linux/Securing OpenSSH with FIDO2.md'
sed -i 's/title:.*/title: "Securing OpenSSH with FIDO2"/' './content/posts/linux/Securing OpenSSH with FIDO2.md' sed -i 's/title:.*/title: "Securing OpenSSH with FIDO2"/' './content/posts/linux/Securing OpenSSH with FIDO2.md'
sed -i '/draft:.*/d' './content/posts/linux/Securing OpenSSH with FIDO2.md' sed -i '/draft:.*/d' './content/posts/linux/Securing OpenSSH with FIDO2.md'
sed -i "s/tags:.*/tags: ['Operating Systems', 'Linux', 'Security']/" './content/posts/linux/Securing OpenSSH with FIDO2.md' sed -i "s/tags:.*/tags: ['Operating Systems', 'Linux', 'Security']/" './content/posts/linux/Securing OpenSSH with FIDO2.md'
@ -22,6 +22,17 @@ sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/posts/linux/Securing Ope
sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/openssh-fido2/' './content/posts/linux/Securing OpenSSH with FIDO2.md' sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/openssh-fido2/' './content/posts/linux/Securing OpenSSH with FIDO2.md'
sed -i '/^tags:.*/a author: Wonderfall' './content/posts/linux/Securing OpenSSH with FIDO2.md' sed -i '/^tags:.*/a author: Wonderfall' './content/posts/linux/Securing OpenSSH with FIDO2.md'
#Setting up MTA-STS with a custom domain on Proton Mail
echo "Fetching and Modifying the Setting up MTA-STS with a custom domain on Proton Mail post"
rm -rf './content/posts/linux/Setting up MTA-STS with a custom domain on Proton Mail.md'
curl https://raw.githubusercontent.com/Wonderfall/wonderfall.dev/main/content/posts/mta-sts.md -o './content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md'
sed -i 's/title:.*/title: "Setting up MTA-STS with a custom domain on Proton Mail"/' './content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md'
sed -i '/draft:.*/d' './content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md'
sed -i "s/tags:.*/tags: ['Knowledge base', 'Security']/" './content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md'
sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md'
sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/mta-sts/' './content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md'
sed -i '/^tags:.*/a author: Wonderfall' './content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md'
# Blogs by Rohan Kumar (a.k.a Seirdy) currently need to be manually ported, as he uses a lot of HTML inside of the source instead of just markdown. # Blogs by Rohan Kumar (a.k.a Seirdy) currently need to be manually ported, as he uses a lot of HTML inside of the source instead of just markdown.
# His GitHub repo: https://github.com/Seirdy/seirdy.one # His GitHub repo: https://github.com/Seirdy/seirdy.one
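Review bot: the `rm -rf` line removes `./content/posts/linux/Setting up MTA-STS with a custom domain on Proton Mail.md` while `curl -o` and every `sed` write to `./content/posts/knowledge/...`; point the `rm` at the knowledge directory (or drop it, since `-o` overwrites). The same missing `--fail` on `curl` applies here as in the earlier blocks.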

View File

@ -1,5 +1,5 @@
[build.environment] [build.environment]
HUGO_VERSION = "0.116.0" HUGO_VERSION = "0.117.0"
[context.deploy-preview] [context.deploy-preview]
command = "sed -i 's/! Content-Security-Policy//g' static/_headers && hugo -b $DEPLOY_PRIME_URL" command = "sed -i 's/! Content-Security-Policy//g' static/_headers && hugo -b $DEPLOY_PRIME_URL"

View File

@ -1,6 +1,6 @@
/* /*
Strict-Transport-Security : max-age=63072000; includeSubDomains; preload Strict-Transport-Security : max-age=63072000; includeSubDomains; preload
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'
X-Content-Type-Options : nosniff X-Content-Type-Options : nosniff
Referrer-Policy : no-referrer Referrer-Policy : no-referrer
X-Frame-Options : DENY X-Frame-Options : DENY
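Review bot: with `upgrade-insecure-requests` in place, `block-all-mixed-content` is superseded and can be dropped or kept only for older browsers. Because each `! Content-Security-Policy` override below replaces the site-wide header with a full directive list, every change to the `/*` policy must be copied into each path-specific block, as this commit does; a short comment in `_headers` saying so would prevent the lists drifting apart in future edits.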
@ -12,27 +12,27 @@
/posts/knowledge/multi-factor-authentication/ /posts/knowledge/multi-factor-authentication/
! Content-Security-Policy ! Content-Security-Policy
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'
Cross-Origin-Embedder-Policy : unsafe-none Cross-Origin-Embedder-Policy : unsafe-none
/posts/android/android-tips/ /posts/android/android-tips/
! Content-Security-Policy ! Content-Security-Policy
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'
Cross-Origin-Embedder-Policy : unsafe-none Cross-Origin-Embedder-Policy : unsafe-none
/posts/android/choosing-your-android-based-operating-system/ /posts/android/choosing-your-android-based-operating-system/
! Content-Security-Policy ! Content-Security-Policy
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self' https://i.ytimg.com; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self' https://i.ytimg.com; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'
Cross-Origin-Embedder-Policy : unsafe-none Cross-Origin-Embedder-Policy : unsafe-none
/posts/linux/choosing-your-desktop-linux-distribution/ /posts/linux/choosing-your-desktop-linux-distribution/
! Content-Security-Policy ! Content-Security-Policy
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'
Cross-Origin-Embedder-Policy : unsafe-none Cross-Origin-Embedder-Policy : unsafe-none
/posts/linux/desktop-linux-hardening/ /posts/linux/desktop-linux-hardening/
! Content-Security-Policy ! Content-Security-Policy
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'
Cross-Origin-Embedder-Policy : unsafe-none Cross-Origin-Embedder-Policy : unsafe-none
/*.xml /*.xml