Inretio works hard to ensure maximum security of its systems at multiple levels. Here are some of the technologies and implementations that visitors and clients should be aware of.
The Domain Name System is critical infrastructure for every network-enabled service that is ultimately used by humans. When you type in a website address like www.inretio.dev or e-mail us at firstname.lastname@example.org, DNS translates the symbolic name (inretio.dev in this case) into an IP address, which computers on the network then use. We run our own DNS servers, distributed geographically for redundancy. The DNSstuff test is a very comprehensive way to check our DNS health status.
DNS is a very old system, designed back when the internet was invented. By default, name resolution happens in plain text and is therefore vulnerable to man-in-the-middle attacks. DNSSEC was created to mitigate this risk. In short, it cryptographically authenticates DNS data, ensuring integrity: the client knows for sure that the answer received from the authoritative DNS server is genuine and was not changed on the way.
Inretio DNS servers support DNSSEC (check our status here), but you also play an important role: a visitor should use a DNSSEC-enabled resolver to benefit from DNSSEC. Typically the DNS resolver is set by your internet provider unless you explicitly change it. To check whether your DNS resolver validates DNSSEC signatures, use the DNSSEC Resolver Test.
The secure version of HTTP has become the de facto standard nowadays and is something visitors see right away thanks to the lock symbol displayed next to the website address. Regardless of a website's purpose, visitors should demand end-to-end encryption between client and server. Check our status using the popular SSL Labs test.
We use a certificate issued by DigiCert Inc. Commercial certificates offer longer validity and are therefore more convenient. That doesn't mean free certificates such as Let's Encrypt are bad: technically they offer the same functionality, and the most important factor is key length (the longer the better).
We have a DNS Certification Authority Authorization (CAA) record in our DNS stating that only rapidssl.com is eligible to issue certificates for us. Decent SSL providers check the CAA record before issuing a certificate, so it works in our favor by minimizing the chance that malicious actors obtain a certificate for our domain and afterwards attempt man-in-the-middle attacks.
Some top-level domains (like the one Inretio uses, .dev) in fact enforce HTTPS through the HSTS preload list, meaning that by default the browser will connect to https://inretio.dev even if inretio.dev (which is http://inretio.dev) was typed in.
While it is up to the browser to take these security headers into consideration, decent browsers apply them. In this way, for instance, Content-Security-Policy can block the loading of a malicious script inserted through a content management system vulnerability.
While HSTS is enabled for .dev domains by default, any other extension can be set up correspondingly with the Strict-Transport-Security header.
With X-Frame-Options it is worth whitelisting which domains are allowed to load the site in an iframe element. We forbid all except our own.
See all of our Security Headers.
E-mail is one of the oldest internet services, but it is still popular and not going anywhere for decades to come. Sysadmins who deploy and maintain e-mail servers know how complicated it is to set up those precious daemons so that the mail they transmit won't be considered spam on the receiving side. There are several add-ons to help.
Sender Policy Framework (SPF) lists all servers that are allowed to send mail for a particular domain. Several servers are allowed to transmit e-mails ending in @inretio.dev, and if a sender is not on the list, there is a fine path to Junk for such impersonators.
DomainKeys Identified Mail (DKIM) adds a digital signature to every sent e-mail that can be validated against a public key stored in a DNS record of the sender's domain. Practice shows that nowadays servers not implementing DKIM will most likely get their e-mails flagged as Junk by receiving services.
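A small offline checker for the CAA, HSTS and SPF controls described in the sections above; this is an added example, not Inretio's own tooling, and the CAA record, SPF record and header values it evaluates are constructed samples. It goes slightly beyond the text by handling the softfail/neutral SPF qualifiers and a preload-readiness rule (assumed one-year minimum max-age).

```python
# Added example (not Inretio's tooling): offline checks for CAA authorization,
# a simplified SPF evaluation and HSTS parsing, using constructed sample data.
import ipaddress
import re

def caa_allows(records, issuer_domain):
    """records: (flags, tag, value) tuples; only 'issue' tags are evaluated.
    No 'issue' record lets any CA issue; a value of ';' forbids all CAs."""
    issue = [v for _, tag, v in records if tag.lower() == "issue"]
    if not issue:
        return True
    # The CA domain precedes any ';'-separated parameters in the value.
    return any(v.split(";")[0].strip().lower() == issuer_domain.lower() for v in issue)

def spf_allows(record, sender_ip):
    """Evaluate ip4/ip6 mechanisms and 'all' left to right; mechanisms needing
    DNS lookups (a, mx, include) are skipped. Returns the SPF result string."""
    ip = ipaddress.ip_address(sender_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        result = results.get(term[0], "pass")  # unqualified mechanism means '+'
        mech = term.lstrip("+-~?")
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return result
        elif mech == "all":
            return result
    return "neutral"

def hsts_status(headers):
    """Parse Strict-Transport-Security (name matched case-insensitively).
    Returns None when absent, else max-age, flags and preload readiness."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    m = re.search(r"max-age=(\d+)", value.lower())
    max_age = int(m.group(1)) if m else 0
    flags = {"include_subdomains": "includesubdomains" in directives,
             "preload": "preload" in directives}
    # Assumed preload-list requirement: max-age of at least one year plus both flags.
    ready = max_age >= 31536000 and all(flags.values())
    return {"max_age": max_age, **flags, "preload_ready": ready}

# Constructed sample records mirroring the page's description (not live data).
SAMPLE_CAA = [(0, "issue", "rapidssl.com")]
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
```

Run `caa_allows(SAMPLE_CAA, "other-ca.test")` or `spf_allows(SAMPLE_SPF, "198.51.100.1")` to see the rejecting path; a real deployment would fetch the records with a DNSSEC-validating resolver rather than use the constructed samples.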
Firewalls and Filtering Proxies
If the company or internet provider running your network uses a web filtering proxy and/or a restrictive firewall, the following hostnames should be allowed to ensure proper communication with Inretio infrastructure:
| Hostname | Port | Certificate | Purpose |
|---|---|---|---|
| | 443 | DigiCert Inc | This website. When visiting the http (port 80) version, you will always be redirected to the secure (port 443) version. |
| *.gyt.is | 443 | DigiCert Inc | Inretio infrastructure runs on servers with hostnames under the gyt.is zone. E-mail, DNS and web servers use *.gyt.is hostnames and reverse records (PTR). |
| | 53 (tcp/udp) | Zones signed in registry with DNSSEC keys | Authoritative DNS servers powering domain resolution. |
| | 25 | DigiCert Inc | E-mail servers receiving and sending mail from Inretio. |
This site is classified as Technology/Internet by Symantec WebFilter (formerly known as Blue Coat), so make sure this category is allowed by your network policy.