Open ypid opened 8 years ago
This looks interesting.
Currently, I'm missing https.
subuser.org is hosted on a VPS running within a huge OpenVZ/ZFS server farm. I'm definitely not the only one with root access to my VPS (my service providers also have access).
If I use Let's Encrypt then I'm also putting my trust in them that they won't sign any fake certificates. And indeed, this is always the case. https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise
Https provides MITM attack prevention at the consumer end point level, but the level of trust that we've come to put in https is horribly misplaced. I wish that organizations like Mozilla and coreinfrastructure.org would stop promoting the standard as a security and privacy mechanism.
Sure, https is not ideal. But I think things like HPKP (HTTP Public Key Pinning) can help with that (to some extent). Also, TLS is just transport security. We still have other means like GPG.
To your other question, that is something I have been thinking about :wink: https://github.com/debops/debops-playbooks/issues/274
Hey @timthelion
I found https://bestpractices.coreinfrastructure.org and thought it might also be a good fit for this project. Do you want to add subuser there and go through the criteria?