Security


Important Security Advice

When using public computers or untrusted/public internet access points, always log out of your session (by clicking Exit) when you are finished.

You should also clear your browser cookies, cache and browsing history to be extra safe.

If you forget to do these things, there is a chance someone could hijack your account by simply using the computer right after you leave.

Page Encryption

All content and pages on Inkbunny are encrypted using SSL/TLS. This does not fully guarantee your privacy or security, but it makes it much less likely that anyone on the network between you and the Inkbunny server can see the contents of pages you visit or any data you send.

Your browser gives you complete information about a page's encryption settings. Always check these details before trusting that you are really connected to the site you expect, and that the security certificate is valid.

Inkbunny requests that browsers always use HTTPS when connecting to it. For more information see Transport Layer Security and HTTP Strict Transport Security on Wikipedia.

The Inkbunny SSL Certificate

You can check site certificate details in your browser. Each browser has a different way of doing this. With some you can click the special green or blue section in the title bar when you connect to an encrypted site. On others you need to click a padlock icon that appears at the edge of your browser window (at the top or bottom).

Never trust certificate details that come from clicking links or buttons inside the actual website view area. Those can be faked by scam sites or people compromising your network.

The real and valid Inkbunny SSL certificate should have the following details:

  • Verified by "Comodo", "USERTrust" or "PositiveSSL".
  • Connected to https://inkbunny.net/ (usually just listed in the certificate details as "inkbunny.net").
  • Run/owned by "unknown", "inkbunny.net", or "www.inkbunny.net".

If you check advanced details you should see some of these (be sure you're checking the last certificate, for inkbunny.net):

  • Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
  • Serial Number: 00:C6:FC:07:50:CF:B8:09:BF:0D:47:0D:F4:9F:32:06:E4
  • SHA-256 Fingerprint: 3F:4B:7F:CC:D4:AC:2D:41:87:A8:00:63:EC:3D:9B:C6:7F:35:22:E6:F5:44:0A:1C:B3:D5:2F:6C:C8:B0:7B:C5
  • SHA-1 Fingerprint: 04:17:D7:55:2B:E6:BA:1A:68:C2:80:92:BA:DB:4F:09:B0:DE:E3:BA

Inkbunny uses a SHA-256-signed certificate, which is not compatible with Android 2.2, or with Internet Explorer on Windows XP SP2 or below. On those systems you may receive warnings that your connection to Inkbunny is insecure until you upgrade.

For the wiki, the details are different:

  • Verified by: StartCom Ltd.
  • Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
  • Serial Number: 13:57:2A
  • SHA-256 Fingerprint: 92:96:1D:CD:42:AD:DE:D1:D9:8E:DC:60:54:93:91:B4:1E:C7:67:BF:C0:1C:81:42:A7:4D:22:6A:CA:2D:B3:94
  • SHA-1 Fingerprint: 49:8D:95:B1:EB:BB:7F:07:62:B3:42:33:9F:A1:0D:F7:34:DE:24:F4
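
An added example, not part of the original page and not Inkbunny's own tooling: one way to check the SHA-256 fingerprint listed above for inkbunny.net outside the browser, by hashing the leaf certificate the server presents. The function names are assumptions made for this example; a mismatch can also mean the certificate has been reissued since the list was written.

```python
import hashlib
import socket
import ssl

# SHA-256 fingerprint listed on this page for the inkbunny.net certificate.
PUBLISHED_SHA256 = (
    "3F:4B:7F:CC:D4:AC:2D:41:87:A8:00:63:EC:3D:9B:C6:"
    "7F:35:22:E6:F5:44:0A:1C:B3:D5:2F:6C:C8:B0:7B:C5")


def normalize(fingerprint: str) -> bytes:
    """Turn 'AA:BB:..', 'aa bb ..' or 'aabb..' into the raw 32 digest bytes."""
    raw = bytes.fromhex(fingerprint.replace(":", "").replace(" ", ""))
    if len(raw) != 32:  # rejects SHA-1 (20 bytes) and truncated values
        raise ValueError("expected a 32-byte SHA-256 fingerprint")
    return raw


def fingerprint_of(der_cert: bytes) -> str:
    """Colon-separated upper-case SHA-256 of a DER-encoded certificate."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(der_cert: bytes, published: str) -> bool:
    """True when the certificate hashes to the published fingerprint."""
    return hashlib.sha256(der_cert).digest() == normalize(published)


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the server's own (last) certificate; normal chain checks stay on."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    der = fetch_leaf_der("inkbunny.net")
    print(fingerprint_of(der))
    print("matches published value:", matches(der, PUBLISHED_SHA256))
```

Because the default context is used, an invalid or mismatched-hostname certificate raises an error before any fingerprint is compared.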

HTTPS Everywhere - Firefox Add-on

HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation.

It works for sites like Inkbunny that have an "always encrypted" mode. If you follow unencrypted links (ones that start with "http" instead of "https"), or your browser is tricked into connecting unencrypted by a hacker on your network, HTTPS Everywhere will rewrite the link to the encrypted version before allowing your browser to connect.

This add-on is not required to get the benefit of full page encryption on Inkbunny, but it can further enhance your privacy and security.

Even though most encrypted sites (including Inkbunny) will redirect you to the encrypted version of any unencrypted link you click by accident, the brief moment this redirection takes will expose the full URL and any data you send as a result of that click (such as any unprotected site cookies). This is also the moment a hacker on your network can trick your browser into staying on an unencrypted link to the site.

HTTPS Everywhere ensures the data is sent encrypted the first time, every time, even if you click an unencrypted version of a link or a hacker is trying to force your browser to misbehave.

Inkbunny has requested that its HSTS instruction be preloaded, which means HTTPS Everywhere will have no extra benefit on Inkbunny for versions of Chrome, Firefox and Safari built in 2015 onwards.

Configuring HTTPS Everywhere for Inkbunny

After installing HTTPS Everywhere, you must install the Inkbunny Ruleset.

Download the Inkbunny Ruleset and place the file in the directory "HTTPSEverywhereUserRules", which you will find in your Firefox profile directory.

You may need to restart Firefox for HTTPS Everywhere to see the new Inkbunny ruleset.

Then go to the Firefox Add-on manager and configure the HTTPS Everywhere Add-on. Make sure the "Inkbunny" option is ticked on the HTTPS Everywhere preferences page.