Security

There's a saying that a good admin has to be something of a paranoid freak. So here is my little rant telling you not to follow the man giving away sweets.

Password and user accounts

When you subscribe, you'll get passwords for whatever services you asked for. Those passwords are generated with security in mind, and I won't replace them with anything like "letmein". You can try to memorize them, but don't force yourself: a good password is one you don't ask your admin to change every week. The best place to store passwords is an encrypted file, but let's face it, I don't expect anyone to do that. Writing them down is an okay solution as long as you trust the people around you. Or you can keep them on a USB key. It's your own security I'm talking about, so choose whatever suits you best. Just remember, you're responsible for whatever happens with your account.

On that note, don't give your password to anyone. You want a friend to help you? That's fine: ask me and I'll give him his own login. This way I can tell exactly who did what, and you won't have to change your own password if you change your mind about this friend of yours.

Encrypted communications (SSL/TLS)

Most of the services are provided with encryption capabilities. However, because the certificate is sent during the TLS handshake, before the browser has said which site it wants, an HTTPS server can present only one certificate for the whole server. Hence website encryption is only available for falena.fr subdomains, the names that single certificate is issued for.
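To make the previous paragraph concrete, here is an added example (my own code, not the page's or the server's): a small matcher that applies the rules browsers use when deciding whether a certificate's subjectAltName covers the host you typed. The name list SERVER_CERT_DNSNAMES is a constructed stand-in for what a single wildcard certificate for falena.fr would plausibly carry; it is an assumption, not the real certificate, and "example.org" stands for any other site hosted on the same server.

```python
"""Which hostnames does one server certificate actually cover?

Added example, not code from the original page: an RFC 6125-style
matcher for the dNSName entries of a certificate's subjectAltName.
SERVER_CERT_DNSNAMES is a constructed stand-in for what a single
wildcard certificate for falena.fr would plausibly carry; it is an
assumption, not the server's real certificate.
"""

SERVER_CERT_DNSNAMES = ["falena.fr", "*.falena.fr"]  # constructed sample


def _labels(name: str) -> list[str]:
    """Lower-case the name, drop one trailing dot, split into DNS labels."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """True if the SAN entry `pattern` covers `hostname`.

    Rules, as browsers apply them:
      - comparison is case-insensitive;
      - '*' may only be the entire left-most label;
      - the wildcard matches exactly one label: '*.falena.fr' covers
        'www.falena.fr' but neither 'falena.fr' nor 'a.b.falena.fr';
      - a wildcard needs at least two labels after it ('*.fr' is refused).
    """
    p, h = _labels(pattern), _labels(hostname)
    if not p or not h or not all(h):
        return False
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False          # 'www.*.fr' or 'f*.fr' are not valid wildcards
    if len(p) < 3:
        return False          # '*.fr' would cover a whole TLD
    return len(h) == len(p) and h[1:] == p[1:]


def cert_covers(dnsnames: list[str], hostname: str) -> bool:
    """True if any dNSName entry of the certificate covers `hostname`."""
    return any(dnsname_matches(pattern, hostname) for pattern in dnsnames)


if __name__ == "__main__":
    # Names a visitor might type; 'example.org' stands for another site
    # hosted on the same server, which this one certificate cannot cover.
    for host in ["falena.fr", "www.falena.fr", "WWW.Falena.FR",
                 "mail.falena.fr.", "a.b.falena.fr", "example.org"]:
        verdict = "ok" if cert_covers(SERVER_CERT_DNSNAMES, host) else "certificate warning"
        print(f"{host:18} {verdict}")
```

The last two names in the demo are the interesting ones: a second-level subdomain is not covered by a single-label wildcard, and a different domain on the same server gets a certificate warning no matter how the server is configured, which is exactly the limitation described above.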

Invalid certificate, unknown certification authority

SSL is a fine protocol as far as encryption is concerned. But the authentication part has a major drawback for penniless people like me: a certificate from a well-known certification authority is not cheap. I chose to rely on CAcert for this, a non-commercial authority based on mutual trust between its members instead of money.

At the moment, only Linux systems come with their root certificate out of the box. If you're using Mac OS, Windows or any web browser with its own certificate database, I encourage you to read the HowTo on safely getting rid of those warning messages. Only web browsers are mentioned there, but many applications use the system certificate database, so the procedure for Internet Explorer and Safari should also take care of Outlook, Apple Mail and the like. Whatever you import, compare the root certificate's fingerprint with the one CAcert publishes first: a trusted root vouches for every certificate it signs, so a tampered copy would let someone impersonate any site. I can't provide detailed explanations for each and every piece of software in the wild, but feel free to contact me if you're having trouble with this part.
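The fingerprint check before importing a root, as an added example (my own code, not the page's HowTo and not a CAcert tool). It does what `openssl x509 -noout -fingerprint -sha256` does, then compares against a value you obtained from a channel you already trust. Two assumptions to be explicit about: EXPECTED_SHA256 is a placeholder to be replaced with the fingerprint the authority publishes, and SAMPLE_PEM is a constructed stand-in (the base64 of a few bytes, not a real certificate) so that the script runs offline; in real use you point it at the downloaded root.crt.

```python
"""Check a root certificate's fingerprint before trusting it.

Added example, not part of the original page. Importing a root CA into a
browser or OS store means trusting every certificate it ever signs, so
the file you downloaded had better be the real one. EXPECTED_SHA256 is a
placeholder: take the real value from the authority's published
fingerprint list (a channel you already trust), not from the same
download. SAMPLE_PEM is a constructed stand-in, not a certificate.
"""
import base64
import hashlib
import hmac
import sys

# Placeholder. In real use, paste the authority's published SHA-256 value;
# here it is set to the fingerprint of the constructed sample below so the
# script demonstrates a match when run as-is.
EXPECTED_SHA256 = ("2C:F2:4D:BA:5F:B0:A3:0E:26:E8:3B:2A:C5:B9:E2:9E:"
                   "1B:16:1E:5C:1F:A7:42:5E:73:04:33:62:93:8B:98:24")

# Constructed stand-in: the base64 of b"hello", NOT a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----"""


def pem_to_der(pem_text: str) -> bytes:
    """Take the base64 body between the PEM markers and decode it to DER."""
    lines = pem_text.strip().splitlines()
    if (len(lines) < 3
            or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case hex, the way openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex; compare on bare lower-case hex."""
    return "".join(ch for ch in fingerprint.lower() if ch in "0123456789abcdef")


def fingerprint_matches(pem_text: str, expected: str) -> bool:
    """True only if the file's SHA-256 fingerprint equals the expected one."""
    want = normalize(expected)
    if len(want) != 64:   # SHA-256 is 32 bytes; anything else is a paste error
        raise ValueError("expected SHA-256 fingerprint is not 64 hex digits")
    actual = normalize(sha256_fingerprint(pem_to_der(pem_text)))
    return hmac.compare_digest(actual, want)


if __name__ == "__main__":
    # Usage: python check_root.py [root.crt]; with no argument the constructed sample is used.
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("file fingerprint:", sha256_fingerprint(pem_to_der(pem)))
    if fingerprint_matches(pem, EXPECTED_SHA256):
        print("fingerprint matches: safe to import")
        # Debian/Ubuntu, for example: copy the file to /usr/local/share/ca-certificates/
        # and run update-ca-certificates; browsers with their own store need their own import.
    else:
        print("MISMATCH: do not import this file")
```

The comparison is done on normalized hex so that whatever spacing or case the published value uses does not matter, and the length check catches a truncated paste before it silently turns into a mismatch you then "fix" by hand.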

Anti-virus, emails and TLS upgrading

Some anti-virus products, Avast for one, filter email in a very stupid way that conflicts with TLS connection upgrading (STARTTLS). Keep that in mind if you can't get encryption to work. A sure way to tell if you're affected is to force TLS upgrading in your mail client and see whether the connection still works. The solution is either to turn off the email filtering or to use the SSL-dedicated ports (IMAPS on 993 or POP3S on 995), which are encrypted from the first byte and so have nothing to upgrade. Your choice.
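The "force TLS upgrading and see what happens" test, written out as an added example (my own code, not the page's and not an Avast diagnostic). It connects in clear on the plain IMAP port, checks whether STARTTLS is even advertised, then forces the upgrade with a verifying TLS context. The capability parser is a pure function exercised on constructed CAPABILITY lines below; the live probe takes a hostname you supply, since the page names no mail host, and port 143 is the standard IMAP port assumed here.

```python
"""Is TLS upgrading (STARTTLS) reaching the mail server intact?

Added example, not part of the original page. `starttls_offered` checks
an IMAP CAPABILITY line and runs offline on constructed samples;
`probe_imap_starttls` does the live test against a host you name (the
host is your input, port 143 is the standard plain IMAP port assumed here).
"""
import imaplib
import ssl
import sys


def starttls_offered(capability_line: str) -> bool:
    """True if an IMAP CAPABILITY response advertises STARTTLS.

    Capability names are case-insensitive tokens; the line may be the
    untagged '* CAPABILITY ...' form or a bare token list. A filter that
    sits on port 143 and wants to read mail in clear has to make this
    token disappear, which is exactly what this spots.
    """
    tokens = capability_line.upper().replace("*", " ").split()
    if tokens and tokens[0] == "CAPABILITY":
        tokens = tokens[1:]
    return "STARTTLS" in tokens


def probe_imap_starttls(host: str, port: int = 143, timeout: float = 10.0) -> str:
    """Connect in clear, then force the TLS upgrade; return a short verdict.

    'upgraded'          - server advertised STARTTLS and the upgrade succeeded
    'starttls-missing'  - the capability is gone (something in between stripped it)
    'upgrade-failed: …' - STARTTLS was offered but the handshake was refused or
                          the certificate did not verify
    'connect-failed: …' - no plain connection at all
    """
    ctx = ssl.create_default_context()   # verifies the server certificate and hostname
    try:
        imap = imaplib.IMAP4(host, port, timeout=timeout)
    except (OSError, imaplib.IMAP4.error) as exc:
        return f"connect-failed: {exc}"
    try:
        if not starttls_offered(" ".join(imap.capabilities)):
            return "starttls-missing"
        imap.starttls(ssl_context=ctx)   # raises if the upgrade is refused or tampered with
        return "upgraded"
    except (ssl.SSLError, imaplib.IMAP4.error, OSError) as exc:
        return f"upgrade-failed: {exc}"
    finally:
        try:
            imap.logout()
        except Exception:
            pass


# Constructed CAPABILITY lines, the kind a server greets a client with.
SAMPLE_OK = "* CAPABILITY IMAP4rev1 LITERAL+ STARTTLS AUTH=PLAIN"
SAMPLE_STRIPPED = "* CAPABILITY IMAP4rev1 LITERAL+ AUTH=PLAIN"

if __name__ == "__main__":
    # Usage: python probe.py mail.example.net   (a hostname is required for the live test)
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe_imap_starttls(sys.argv[1]))
    else:
        for line in (SAMPLE_OK, SAMPLE_STRIPPED):
            print(f"{line!r}: STARTTLS {'offered' if starttls_offered(line) else 'MISSING'}")
```

A 'starttls-missing' verdict from a server you know supports it is the tell-tale sign of a filter rewriting the session; POP3 has the same test with poplib.POP3 and its stls() method, and the page's alternative of the dedicated ports corresponds to imaplib.IMAP4_SSL and poplib.POP3_SSL, where there is no clear-text phase for a filter to latch onto.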

Digital signatures, end-to-end encryption (OpenPGP)

I have an OpenPGP key (ID E5654709) and actively use it to digitally sign my emails and Jabber messages. I'm not going to waste my time on a paranoid rant like "If it's not signed, IT DID NOT COME FROM ME", but keep in mind this signature is the closest thing you'll ever get to absolute proof that I was the one who sent a message. Consider it a token of good will. A short key ID like this one is only a handle for looking the key up, though; check the key's full fingerprint with me before you rely on it.