allanwallace.uk : Blog
Security Policy


Your privacy is important to me.

To the best of my ability, I attempt to develop & maintain this site in accordance with industry best practice.
Where possible I attempt to exceed the security levels suggested by best practice.
As this website is hosted within the EU, this extends to attempting to comply with GDPR.

You don't have to trust me on this one - you can independently verify this yourself:

• blog.allanwallace.uk | Immuniweb HTTPS SSL security score A+

For HTTPS this site is PCI-DSS, HIPAA, NIST compliant with OCSP stapling enabled.
You can confirm this at the Immuniweb HTTPS SSL security test

HSTS (HTTP Strict Transport Security) theoretically ensures you only connect via HTTPS.
You can confirm this at the Immuniweb HTTPS SSL security test

DNSSEC theoretically ensures that the DNS records cannot be poisoned.
You can test DNSSEC at VerisignLabs DNSSEC Analyzer
(you may need to click in the box where the domain is and press enter)

OCSP & DANE both work to ensure that the SSL certificates cannot be spoofed.
You can confirm DANE at DANE Tools

• blog.allanwallace.uk | Internet.nl website test Score 100

• blog.allanwallace.uk | SecurityHeaders.com security score A

If I break Google Analytics then I score A+, but I have Google Analytics and Google AdSense enabled on this site; I am working to improve this score while remaining compatible with both.
At the moment the multiple VPS I use for hosting cost me money, and I would very much like to cover some of the cost through sensible, limited amounts of advertising.


About Logging:

Apache Logs the following:
IP Address
Timestamp
Page Load
Input Query

Fail2Ban logs:
IP addresses that are a source of attacks against my server, which are added to the firewall rules for a period of time, i.e. the logged IP addresses exist within the firewall rules.
On balance I believe that this scenario permits storage of unencrypted PII data (the IP address).

PHP (the software) logs the following:
I have no idea what PHP logs, I've not looked into it yet.
There may be duplicate logging. I will look into it and update this once I have investigated.

PHP (my code) logs the following:
IP addresses and any data input into it.
This data is not stored encrypted.
I am working to improve input validation / sanitisation.
e.g.
I have performed a lookup for blog.allanwallace.uk using my tools.wallacenetworks.uk website.
IP address was logged, timestamp of search was logged, and search term "blog.allawallace.uk" was logged.
That is it.
These logs are not currently encrypted.
These logs are not currently stored on an encrypted volume.
If you need to be GDPR compliant you really should do a DPIA (Data Protection Impact Assessment) for this level of logging.
In most scenarios I can foresee involving E.U. citizens, I believe even a breach of the above data would pose little risk to those who may be identifiable by such a breach.
I can foresee one scenario where logging this data may be useful for the prosecution of miscreants who may try to misuse the information gained by these tools.
On balance, I think the benefit is unencrypted.
Budgetary constraints are another consideration; items with the highest risk to PII data should be dealt with first...
and on that note...

About Email Security

Emails at rest are stored in plain text unencrypted.
This means names, IP addresses, timestamps, etc.
Apart from SPAM, there's always going to be some PII data.
Resolving this is very high up my todo list.

Emails in transit are a much happier matter.
• 1 - SPF authorises a very limited number of mailservers by IP address - I control these servers.
• 2 - DKIM digitally signs my emails to confirm they are genuine - I control these DKIM keys.
• 3 - DMARC sets a policy on how remote servers should treat my emails & how fake ones should be rejected.
• 4 - DNSSEC validates that the SPF, DKIM and DMARC records are genuine.
• 5 - DANE will very soon validate that the SPF, DKIM and DMARC DNSSEC records are genuine.
I hope to resolve this issue today as I have already published MTA-STS and would prefer to get this completed...
It shouldn't take long, but I'm experiencing an issue (lack of experience) with the TLSA command that comes with hash-slinger.


Remote Email Access
Not currently enabled as I have higher priorities.
Security is a question of priorities and liabilities.
How much can you afford to spend, how much can you risk getting fined.


Remote Shell Access
To my knowledge only I have remote shell access.
Remote shell access is restricted to a subset of IP addresses or ranges.
Needless to say, my password is not 123456.

Three Factor authentication
Source IP address is the first factor. Without this I cannot connect.
In addition to the source IP address, the combination of USERNAME and PASSWORD (an additional TWO FACTORS) makes this fairly secure.
High-strength password increases security further.

I try and keep it fast too:
• blog.allanwallace.uk | Google PageSpeed Insights Score varies from 95-100 during testing.

This blog doesn't currently get many visitors. Google Analytics seems to add 43KB to each page load, and I think the location of the script in the headers may adversely impact that.

About DNSSEC:
blog.allanwallace.uk is DNSSEC signed.
According to APNIC statistics on 27th May 2019 only 7.51% of domains in Great Britain* are DNSSEC signed.

About OCSP:
My understanding is that OCSP is a method by which a website can prove that the SSL certificate you are receiving from it matches the one issued by the CA (Certificate Authority). In theory, only entities with access to the private CA keys can spoof your certificates.
I expect that western governments have this capability with most CAs.
I know that hackers have previously gained this ability through some CAs.
I believe no matter how much you secure something, there will always be a way in.
It's a challenge to keep on top of the changes too.

About DANE:
I haven't found stats; however, DNSSEC is a prerequisite of DANE, so it's a subset of the DNSSEC signed zones.
The https for this site is protected by DANE; the mail servers' SMTP is not yet protected by DANE.
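As an added example (not the site's own code, nor hash-slinger's), this is the TLSA generation and matching that item 5 of the email list and the DANE section above refer to: it computes the certificate association data for a DER certificate (selector 0 or 1, matching type 0/1/2), renders the usual "3 1 1" RDATA that tools like hash-slinger publish, and checks a presented certificate against it. The certificate here is a constructed DER skeleton with the RFC 5280 field order, not a real one; a real PEM would be loaded with ssl.PEM_cert_to_DER_cert instead.

```python
import hashlib
import hmac

def der(tag, content):  # minimal DER TLV encoder; short-form lengths suffice for the demo objects below
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def der_tlv(buf, pos):
    """Decode the TLV header at pos -> (tag, content_start, end). Long-form lengths, as real certs use, are handled."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the low 7 bits give how many following bytes hold the length
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, pos, pos + ln

def extract_spki(der_cert):
    """DER SubjectPublicKeyInfo (TLSA selector 1), found by walking the RFC 5280 TBSCertificate fields."""
    _, pos, tbs_end = der_tlv(der_cert, der_tlv(der_cert, 0)[1])
    fields = []
    while pos < tbs_end:
        tag, _, stop = der_tlv(der_cert, pos)
        if tag != 0xA0:  # skip the optional [0] EXPLICIT version
            fields.append(der_cert[pos:stop])
        pos = stop
    return fields[5]  # serial, signatureAlg, issuer, validity, subject, subjectPublicKeyInfo

def tlsa_assoc_data(der_cert, selector, matching_type):
    """Selector 0 = whole certificate, 1 = SPKI; matching type 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = der_cert if selector == 0 else extract_spki(der_cert)
    return data if matching_type == 0 else {1: hashlib.sha256, 2: hashlib.sha512}[matching_type](data).digest()

def tlsa_record(der_cert, usage=3, selector=1, matching_type=1):
    """TLSA RDATA string; the default is the usual DANE-EE / SPKI / SHA-256 ('3 1 1') form."""
    return f"{usage} {selector} {matching_type} {tlsa_assoc_data(der_cert, selector, matching_type).hex()}"

def dane_matches(presented_der, record):
    """Check a leaf certificate against TLSA RDATA; only usage 3 (DANE-EE) is handled, as usages 0-2 constrain the CA/chain and need PKIX validation."""
    usage, selector, mtype, assoc = record.split()
    if usage != "3":
        raise NotImplementedError("only DANE-EE (usage 3) records are checked in this example")
    return hmac.compare_digest(tlsa_assoc_data(presented_der, int(selector), int(mtype)), bytes.fromhex(assoc))

def constructed_cert(spki):
    """Constructed DER skeleton in RFC 5280 field order (empty names/validity, no real signature)."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

EC_OID = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))  # AlgorithmIdentifier for id-ecPublicKey
SPKI = der(0x30, EC_OID + der(0x03, b"\x00\x04" + bytes(64)))  # constructed SPKI with a dummy point
CERT = constructed_cert(SPKI)
OTHER_CERT = constructed_cert(der(0x30, EC_OID + der(0x03, b"\x00\x04" + bytes(63) + b"\x01")))
```

Publishing the "3 1 1" record for a Let's Encrypt leaf means the record must be rotated whenever the key (not just the certificate) changes, which is why many deployments pin the SPKI rather than the whole certificate.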


Please note:

This is a personal website, it is not a business entity.
This site exists to help me teach myself about website design and Google Analytics, which gives me valuable insight into how people interact with this website.
I want to make this website better for you, the viewer, but I feel that in order to do that I need to better understand how people use this website.
I hope you don't mind, but if you do, I hear good things about the NOSCRIPT addon for Mozilla Firefox.


Technical Information:

• This webpage is https only.
• The https & TLSv1.2 fully support PCI DSS 3.2.1, HIPAA, and NIST compliant ciphers.
• The SSL certificate for this webpage is provided by Let's Encrypt.
• This domain and its subdomains use a combination of SPF, DKIM and DMARC to help validate its emails as genuine.
• This domain and its subdomains use DNSSEC to help validate that the SPF, DKIM and DMARC records (along with all other DNS records) are genuine.
• On 18th May 2019, OCSP Stapling was implemented for https://blog.allanwallace.uk
• On 18th May 2019, DANE was implemented for https://blog.allanwallace.uk.

At this point the https security for this website exceeds the requirements of GDPR, HIPAA, NIST, and PCI-DSS.

If you have any concerns about how this affects you, Google is your friend.

ToDo: TLSv1.3


Last Updated 2019/06/19 00:11 CET.


blog.allanwallace.uk © 2019 Allan Wallace