Security

Inretio works hard to ensure maximum security of its systems at multiple levels. Here are some of the technologies and implementations that visitors and clients should be aware of.

DNS

The Domain Name System is critical infrastructure for every network-enabled service that is ultimately used by humans. When you type in a website address like www.inretio.dev or e-mail us at hi@inretio.dev, DNS translates the symbolic name (inretio.dev in this case) to an IP address, which computers on the network then use. We run our own DNS servers, distributed geographically for redundancy. The DNSstuff test is a comprehensive check of our DNS health status.

DNSSEC

DNS is a very old system, designed back when the internet was invented. By default name resolution happens in plain text and is therefore vulnerable to man-in-the-middle attacks. DNSSEC was created to mitigate this risk. In short, it cryptographically authenticates DNS data, ensuring integrity: the client knows for sure that the answer received from the authoritative DNS server is genuine and was not changed along the way.

Inretio DNS servers support DNSSEC (check our status here), but you also play an important role: a visitor must use a DNSSEC-validating resolver to benefit from DNSSEC. Typically the DNS resolver is set by your internet provider unless you explicitly change it. To check whether your DNS resolver validates DNSSEC signatures, use the DNSSEC Resolver Test.
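One way to check a resolver's validation status yourself, as an added example and not Inretio's own tooling: send a query with the EDNS0 DO ("DNSSEC OK") bit set and look at the AD (Authenticated Data) flag in the reply. The wire-format builder and flag parser below use only the Python standard library; the resolver address and the transaction id are assumptions, and `probe()` needs network access while everything else runs offline.

```python
"""Check whether a DNS resolver validates DNSSEC: query with the EDNS0 DO bit
set and inspect the AD (Authenticated Data) flag in the reply.

Added example, not Inretio's code. Wire format follows RFC 1035 (header,
question) and RFC 6891 (OPT pseudo-record). Resolver address is an assumption.
"""
import socket
import struct
import sys

QTYPE_A = 1
TYPE_OPT = 41
FLAG_QR = 0x8000   # reply
FLAG_RD = 0x0100   # recursion desired
FLAG_AD = 0x0020   # authenticated data (set only by a validating resolver)
FLAG_CD = 0x0010   # checking disabled
DO_BIT = 0x8000    # top bit of the OPT record's TTL field = "DNSSEC OK"


def encode_name(name: str) -> bytes:
    """'inretio.dev' -> b'\\x07inretio\\x03dev\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    # header: id, flags, QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root name, type 41, "class" = UDP payload size, "TTL" carries the DO bit
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return header + question + opt


def parse_flags(reply: bytes) -> dict:
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", reply[:4])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
    }


def resolver_validates(reply: bytes, txid: int = 0x1234) -> bool:
    """True only for a successful reply to our query that carries the AD flag."""
    f = parse_flags(reply)
    return f["id"] == txid and f["qr"] and f["rcode"] == 0 and f["ad"]


def probe(resolver_ip: str, name: str = "inretio.dev", timeout: float = 3.0) -> bool:
    """Send the query over UDP (needs network access) and report the AD flag."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    return resolver_validates(reply)


if __name__ == "__main__":
    # resolver address comes from the command line (assumption: 127.0.0.1 otherwise)
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("validating" if probe(resolver) else "not validating")
```

The AD flag is only meaningful for a name in a signed zone: a non-validating resolver never sets it, but a validating one also leaves it clear for unsigned zones, so query a DNSSEC-signed name when probing.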

HTTPS

The secure version of HTTP has become the de-facto standard nowadays and is something visitors see right away thanks to the lock symbol displayed next to the website address. Regardless of a website's purpose, visitors should demand end-to-end encryption between client and server. Check our status using the popular SSL Labs test.

SSL certificate

We use a certificate issued by DigiCert Inc. Commercial certificates offer longer validity and are therefore more convenient. That doesn't mean free certificates like Let's Encrypt are bad: technically they offer the same functionality, and the most important factor is key length (the longer the better).

DNS CAA

We have a DNS Certification Authority Authorization (CAA) record in our DNS stating that only rapidssl.com is eligible to issue certificates for us. Decent SSL providers check the CAA record before issuing a certificate, so it works in our favour by minimising the chance that malicious actors obtain a certificate for our domain and afterwards attempt man-in-the-middle attacks.
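The check a CA performs against CAA records, written out as an added example (not Inretio's code and not a CA's implementation): given the record set, decide whether a named CA may issue, honouring the issue/issuewild distinction and the critical flag from RFC 8659. The sample record set is constructed from what this section states (issue rapidssl.com); the zone's real records and the iodef address are assumptions.

```python
"""Decide whether a CA may issue for a name, given its CAA records (RFC 8659).

Added example, not Inretio's code. The sample record set is constructed from
what this page states (issue rapidssl.com); the zone's real records may differ.
"""
from dataclasses import dataclass

CRITICAL = 128                       # flags bit 7: issuer-critical
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str   # e.g. "rapidssl.com", or ";" meaning "nobody may issue"


def parse_caa(presentation: str) -> CAARecord:
    """Parse zone-file form: <flags> <tag> "<value>" (e.g. 0 issue "rapidssl.com")."""
    flags, tag, value = presentation.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def issuer_domain(value: str) -> str:
    # the value may carry parameters after ';', e.g. "letsencrypt.org; validationmethods=dns-01"
    return value.split(";", 1)[0].strip().lower()


def caa_allows(records, ca_domain: str, wildcard: bool = False) -> bool:
    """Return True if a CA identified by ca_domain may issue for the name.

    This is the check applied to the closest ancestor that has CAA records;
    the climb up the DNS tree to find that record set is left out here.
    """
    ca_domain = ca_domain.lower()
    # A critical property the CA does not understand forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # issuewild governs wildcard certificates when present; otherwise issue applies
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True          # no issue/issuewild property at all: no restriction
    # value ";" yields an empty issuer domain, which matches no CA
    return any(issuer_domain(r.value) == ca_domain for r in relevant)


if __name__ == "__main__":
    # constructed sample, modelled on the policy this page describes
    zone = [parse_caa('0 issue "rapidssl.com"'), parse_caa('0 iodef "mailto:hi@inretio.dev"')]
    for ca in ("rapidssl.com", "letsencrypt.org"):
        print(ca, "may issue" if caa_allows(zone, ca) else "must refuse")
```

Note the two failure modes worth knowing: an `issuewild ";"` record blocks wildcard issuance even when `issue` permits a CA, and a record with the critical flag and an unknown tag blocks all issuance.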

HSTS

Some top-level domains (like the one Inretio uses, .dev) are included in the HSTS preload list and therefore enforce HTTPS, meaning that by default the browser will connect to https://inretio.dev even if inretio.dev (which would be http://inretio.dev) was typed in.

Security headers

There are several headers that a server can send to the visitor's browser to allow or forbid certain behaviour. For example, our site inretio.dev allows JavaScript to be loaded only from our infrastructure, identified by the domains inretio.dev, gyt.is and static.is.

While it is up to the browser to honour those headers, decent browsers apply them. In this way, for instance, Content-Security-Policy can block loading of a malicious script inserted through a content management system vulnerability.

While HSTS is enabled for .dev domains by default, any other extension can be set up correspondingly with the Strict-Transport-Security header.

With X-Frame-Options it is worth restricting which domains are allowed to load the site in an iframe element. We forbid all except our own.

See all of our Security Headers.
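How a browser evaluates the two headers this section relies on most, as an added example that is not Inretio's code: a small Content-Security-Policy matcher that decides whether a script URL may load under script-src (falling back to default-src), and a Strict-Transport-Security parser with the preload-list eligibility rule. The policy and HSTS strings are constructed to mirror what the text describes (scripts only from inretio.dev, gyt.is and static.is); the site's real headers are not reproduced, and host-source matching is simplified (ports and paths in sources are ignored).

```python
"""Evaluate Content-Security-Policy script sources and parse Strict-Transport-
Security roughly the way a browser does.

Added example, not Inretio's code. The policy and HSTS strings used below are
constructed to mirror what this page describes; the site's real headers may
differ. Host-source matching is simplified: ports and paths are ignored.
"""
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """'script-src a b; default-src c' -> {'script-src': ['a', 'b'], 'default-src': ['c']}"""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])  # duplicate directive: first wins
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # *.gyt.is matches web.gyt.is but not gyt.is itself
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def _source_matches(src: str, url, page) -> bool:
    s = src.lower()
    if s == "'self'":
        return (url.scheme, url.hostname, url.port) == (page.scheme, page.hostname, page.port)
    if s.startswith("'"):
        return False                     # 'unsafe-inline', nonces, hashes: never match a URL
    if s.endswith(":") and "/" not in s:
        return url.scheme == s[:-1]      # scheme-source such as https:
    scheme, sep, rest = s.partition("://")
    if not sep:
        scheme, rest = "", s             # bare host: any scheme accepted (simplified)
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if scheme and scheme != url.scheme:
        return False
    return _host_matches(host, url.hostname or "")


def script_allowed(policy: dict, script_url: str, page_origin: str) -> bool:
    """Would this policy let the page load a script from script_url?"""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                      # neither script-src nor default-src: unrestricted
    if "'none'" in [s.lower() for s in sources]:
        return False
    url, page = urlsplit(script_url), urlsplit(page_origin)
    return any(_source_matches(s, url, page) for s in sources)


def parse_hsts(header: str) -> dict:
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            out["max_age"] = int(d.split("=", 1)[1].strip('"'))
        elif d == "includesubdomains":
            out["include_subdomains"] = True
        elif d == "preload":
            out["preload"] = True
    return out


def hsts_preload_eligible(hsts: dict) -> bool:
    """hstspreload.org requires max-age of at least one year, includeSubDomains and preload."""
    return bool(hsts["max_age"] and hsts["max_age"] >= 31536000
                and hsts["include_subdomains"] and hsts["preload"])


if __name__ == "__main__":
    # constructed headers, not copied from the live site
    csp = parse_csp("default-src 'self'; script-src 'self' inretio.dev *.gyt.is static.is; "
                    "frame-ancestors 'self'")
    for u in ("https://static.is/app.js", "https://web.gyt.is/a.js", "https://cdn.example/x.js"):
        print(u, "allowed" if script_allowed(csp, u, "https://inretio.dev") else "blocked")
    print(parse_hsts("max-age=63072000; includeSubDomains; preload"))
```

Two details the matcher makes visible: a bare host-source such as `inretio.dev` does not cover `www.inretio.dev` (a different origin), and `'self'` is the page's exact scheme, host and port. For framing, the constructed policy uses the `frame-ancestors` directive alongside X-Frame-Options, since that is where per-domain allow-lists are expressed in current browsers.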

E-mail

E-mail is one of the oldest internet services, but it is still popular and not going anywhere for decades to come. Sysadmins who deploy and maintain e-mail servers know how complicated it is to set up those precious daemons so that the mails they transmit won't be considered spam on the receiving side. There are several add-ons that help.

SPF

The Sender Policy Framework lists all servers that are allowed to send mail for a particular domain. Several servers are allowed to transmit e-mails ending with @inretio.dev, and if a sender is not on the list, there is a fine path to Junk for such impersonators.
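What the receiving server does with that list, as an added example that is not Inretio's code: evaluate an SPF record against the connecting client's IP address. The records here are constructed with documentation address ranges (the real inretio.dev record is not reproduced), and mechanisms that would need further DNS lookups are reported as unresolved instead of being guessed.

```python
"""Evaluate an SPF record for a connecting client IP (RFC 7208 subset).

Added example, not Inretio's code. The record strings are constructed with
documentation address ranges; the real inretio.dev SPF record is not
reproduced. Mechanisms that need DNS (a, mx, include, exists, ptr) and the
redirect= modifier are reported as unresolved rather than guessed.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}


def parse_spf(record: str) -> list:
    """'v=spf1 ip4:203.0.113.0/24 -all' -> [('+', 'ip4', '203.0.113.0/24'), ('-', 'all', '')]"""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:            # modifier, e.g. redirect=_spf.example.com
            name, value = term.split("=", 1)
            parsed.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"                              # a missing qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        parsed.append((qualifier, name.split("/", 1)[0].lower(), argument))
    return parsed


def check_spf(record: str, client_ip: str) -> str:
    """Return pass/fail/softfail/neutral, or 'unresolved:<term>' when DNS would be needed."""
    ip = ipaddress.ip_address(client_ip)
    redirect = None
    for qualifier, name, argument in parse_spf(record):
        if qualifier == "modifier":
            if name == "redirect":
                redirect = argument                  # only consulted if nothing else matches
            continue                                 # exp= and unknown modifiers are ignored
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)   # bare address = /32 or /128
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        if name in DNS_MECHANISMS:
            return "unresolved:" + name
        raise ValueError(f"unknown mechanism {name!r}")
    if redirect:
        return "unresolved:redirect"
    return "neutral"                                 # no match and no 'all' (RFC 7208, 4.7)


if __name__ == "__main__":
    # constructed record using documentation ranges, not the live inretio.dev record
    spf = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
    for ip in ("203.0.113.25", "198.51.100.7", "2001:db8:1::5"):
        print(ip, check_spf(spf, ip))
```

The difference between `-all` and `~all` is exactly the "fine path to Junk" above: `fail` tells the receiver to reject, `softfail` only marks the message as suspicious.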

DKIM

DomainKeys Identified Mail adds a digital signature to every sent e-mail that can be validated against a public key stored in a DNS record of the sender's domain. Practice shows that nowadays servers not implementing DKIM will most likely get their e-mails flagged as Junk by receiving services.
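The first half of that validation, as an added example that is not Inretio's code: canonicalize the message body per RFC 6376 and compare its hash with the `bh=` tag of the DKIM-Signature header. This step needs neither the DNS lookup nor the RSA public key, so it runs offline; checking the `b=` signature against the key published in DNS is the remaining step and is not shown. The sample message is constructed here, and the selector name `selector1` and the `b=PLACEHOLDER` value are assumptions.

```python
"""Check the DKIM body hash (bh=) of a raw message: the part of DKIM
verification that needs neither a DNS lookup nor the RSA public key.

Added example, not Inretio's code. The sample message is constructed here;
the selector "selector1" and the b= placeholder are assumptions, and checking
b= against the key published in DNS is the remaining step, not shown.
Canonicalization follows RFC 6376 section 3.4.
"""
import base64
import hashlib
import re


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # collapse runs of spaces/tabs to a single space, drop trailing whitespace
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    elif method != "simple":
        raise ValueError(f"unknown canonicalization {method}")
    while lines and lines[-1] == b"":     # ignore all empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"" if method == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, method: str = "relaxed", algorithm: str = "rsa-sha256") -> str:
    digest = hashlib.sha256 if algorithm.endswith("sha256") else hashlib.sha1
    return base64.b64encode(digest(canonicalize_body(body, method)).digest()).decode()


def parse_tags(signature: str) -> dict:
    """'v=1; a=rsa-sha256; bh=...' -> {'v': '1', 'a': 'rsa-sha256', 'bh': '...'}"""
    tags = {}
    for item in signature.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)   # folding whitespace is not significant
    return tags


def body_hash_ok(raw_message: bytes) -> bool:
    """True if the bh= tag of the DKIM-Signature header matches the body."""
    head, _, body = raw_message.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)      # join folded header lines
    match = re.search(rb"^DKIM-Signature:(.*)$", unfolded, re.M | re.I)
    if not match:
        return False
    tags = parse_tags(match.group(1).decode("ascii", "replace"))
    canon = tags.get("c", "simple/simple").split("/")
    body_method = canon[1] if len(canon) == 2 else "simple"   # "c=relaxed" alone = relaxed/simple
    if "l" in tags:
        body = body[: int(tags["l"])]                       # optional body length limit
    return body_hash(body, body_method, tags.get("a", "rsa-sha256")) == tags.get("bh")


def build_sample_message(body: bytes) -> bytes:
    """Constructed test message with a correct bh= and a placeholder b= (no key involved)."""
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=inretio.dev; s=selector1;\r\n"
           " h=from:to:subject; bh=" + body_hash(body, "relaxed") + ";\r\n"
           " b=PLACEHOLDER")
    return (b"From: hi@inretio.dev\r\nTo: someone@example.com\r\nSubject: DKIM test\r\n"
            b"DKIM-Signature: " + sig.encode() + b"\r\n\r\n" + body)


if __name__ == "__main__":
    msg = build_sample_message(b"Hello   world\r\n")
    print("body hash ok:", body_hash_ok(msg))
    print("after tampering:", body_hash_ok(msg.replace(b"world", b"w0rld")))
```

Relaxed canonicalization is why a message survives whitespace reshuffling by intermediate mail servers while any change to the actual text breaks the hash; the hash of an empty relaxed body is the well-known SHA-256 of zero bytes.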

Firewalls and Filtering Proxies

If the company or internet provider of your network uses a web filtering proxy and/or a restrictive firewall, the following hostnames should be allowed to ensure proper communication with Inretio infrastructure:

Hostname | Port | Certificate issuer | Description
inretio.dev, www.inretio.dev | 443 | DigiCert Inc | This website. When visiting the http (port 80) version, you will always be redirected to the secure (port 443) one.
*.gyt.is | 443 | DigiCert Inc | Inretio infrastructure runs on servers with hostnames under the gyt.is zone. E-mail, DNS and web servers use *.gyt.is as hostname and reverse records (PTR).
static.is, www.static.is | 443 | Let's Encrypt | Serves static content such as images, JavaScript or public downloadable files. This domain does not set cookies, therefore requests/responses are smaller.
dnssec.gyt.is (alias dns1.inretio.dev), slave.gyt.is (alias dns2.inretio.dev), ice.gyt.is (alias dns3.inretio.dev) | 53 (tcp/udp) | Zones signed in registry with DNSSEC keys | Authoritative DNS servers powering domain resolution.
web.gyt.is, email.gyt.is | 25 | DigiCert Inc | E-mail servers receiving and sending mails from Inretio.

Symantec WebFilter

This site is classified as Technology/Internet by Symantec WebFilter (formerly known as Blue Coat), so make sure this category is allowed by your network policy.

About the Author

Gytis Repečka

My name is Gytis Repečka, and I am the CEO of Inretio, MB. I am a data warehousing professional (Teradata, Informatica), a WordPress and Linux consultant, and a car on-board diagnostics (OBD-2) enthusiast from Vilnius, Lithuania. I enjoy writing code in SQL, PHP, Go and Bash, and I am curious to explore others. I am a big fan of relational databases (MySQL/MariaDB, PostgreSQL), but I am learning time series (Prometheus) and in-memory (Redis) databases too. I enjoy using and promoting open source software and love communicating about tech to both advanced and non-tech people.