Vixrapedia:Security


This page details the security settings used by Vixrapedia.

SSL/TLS

All Vixrapedia web pages are served over HTTPS, and every plaintext HTTP request is answered with a redirect to the same URL on HTTPS. Apart from that initial redirect, which carries no page content, all information transmitted to and from Vixrapedia is encrypted.

Vixrapedia enables HTTP Strict Transport Security (HSTS), so compliant browsers (including Chrome, Firefox, Opera, Safari, IE 11 and Edge) rewrite any http:// link to Vixrapedia to https:// before sending it, and refuse to let the user click through a certificate error. Vixrapedia is also on the HSTS preload list, so browsers that ship the list (the same set) never send a plaintext request to Vixrapedia at all, not even on a first visit. This closes the window that plain HSTS leaves open before a browser has seen the header, during which an attacker on the path could otherwise strip the redirect and serve the site over HTTP. See: https://hstspreload.org.
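The two conditions above (a direct redirect to HTTPS on the same host, and an HSTS header that meets the preload list's requirements) are what hstspreload.org checks before accepting a site. The following is an added example, not Vixrapedia's own code, that evaluates both from a captured response. The header values and the host name vixrapedia.example are constructed for the example; the one-year minimum max-age is the current hstspreload.org requirement.

```python
from typing import Dict, List, Union
from urllib.parse import urlsplit

# hstspreload.org currently requires max-age of at least one year (31536000 s).
PRELOAD_MIN_MAX_AGE = 31_536_000

# Constructed sample header values (not captured from the site).
GOOD_HSTS = "max-age=63072000; includeSubDomains; preload"
WEAK_HSTS = "max-age=300"


def parse_hsts(value: str) -> Dict[str, Union[str, bool]]:
    """Split a Strict-Transport-Security value into directives.

    Directive names are case-insensitive; valueless directives map to True.
    """
    directives: Dict[str, Union[str, bool]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if has_value else True
    return directives


def preload_problems(hsts_header: str) -> List[str]:
    """Reasons the header would be rejected for preloading (empty list = eligible)."""
    d = parse_hsts(hsts_header)
    problems: List[str] = []
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        problems.append("max-age directive missing or not a number")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below one year ({PRELOAD_MIN_MAX_AGE})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def redirect_problems(http_url: str, status: int, location: str) -> List[str]:
    """Check that a plaintext request was redirected straight to HTTPS on the same host.

    The preload list requires the first hop from http:// to land on https:// for the
    same host; bouncing via another host or scheme first is rejected.
    """
    problems: List[str] = []
    src, dst = urlsplit(http_url), urlsplit(location)
    if status not in (301, 302, 307, 308):
        problems.append(f"status {status} is not a redirect")
    if dst.scheme != "https":
        problems.append(f"redirect target {location!r} is not https")
    if dst.hostname != src.hostname:
        problems.append(f"redirect leaves the host ({src.hostname} -> {dst.hostname})")
    return problems


if __name__ == "__main__":
    # Constructed exchange: plaintext request answered with a 301 to HTTPS.
    print(redirect_problems("http://vixrapedia.example/wiki/Security", 301,
                            "https://vixrapedia.example/wiki/Security") or "redirect ok")
    print(preload_problems(GOOD_HSTS) or "header is preload-eligible")
    print(preload_problems(WEAK_HSTS))
```

Run against a live site, the inputs come from one plain `http://` request (status and Location header) and one `https://` request (the Strict-Transport-Security header); everything else is offline. A header that passes here but is served only on some paths, or only after a redirect within HTTPS, still fails submission, so check it on the bare host and on the final page.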

Vixrapedia uses Let's Encrypt for its TLS certificates. The cipher suites currently accepted are:

TLS 1.3

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256

TLS 1.2

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Only TLS 1.2 and 1.3 are supported; SSLv3, TLS 1.0 and TLS 1.1 connections are refused. Every listed suite uses ephemeral (EC)DHE key exchange and an AEAD cipher, so all of them provide forward secrecy: a later compromise of the server's private key does not allow a previously recorded session to be decrypted.
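The policy above (TLS 1.2 as the floor, only (EC)DHE key exchange, only AEAD suites) can be expressed directly as an OpenSSL cipher string and a minimum protocol version, and then audited rather than trusted. The following is an added example, not Vixrapedia's server configuration, that builds a server-side context mirroring the listed suites and checks what it would actually offer; the "weak" context is a constructed contrast case. It assumes CPython's ssl module on OpenSSL 1.1.1 or later, whose default TLS 1.3 suites are exactly the three the page lists.

```python
import ssl
from typing import List, Tuple

# The page's TLS 1.2 allow-list in OpenSSL naming (IANA
# TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is ECDHE-RSA-AES256-GCM-SHA384, and so on).
# TLS 1.3 suites are configured separately by OpenSSL and are not part of this string.
TLS12_ALLOW_LIST = ":".join([
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
])


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context mirroring the page's policy: TLS 1.2+, PFS and AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(TLS12_ALLOW_LIST)               # raises SSLError if nothing matches
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server's ordering wins, not the client's
    return ctx


def weak_server_context() -> ssl.SSLContext:
    """Constructed contrast case: library defaults and no protocol floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("DEFAULT")
    return ctx


def enabled_suites(ctx: ssl.SSLContext) -> List[Tuple[str, str]]:
    """(name, protocol) for every suite the context would accept."""
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def provides_forward_secrecy(name: str, protocol: str) -> bool:
    # TLS 1.3 has only ephemeral (EC)DHE key exchange; in TLS 1.2 it is encoded in the name.
    return protocol == "TLSv1.3" or name.startswith(("ECDHE-", "DHE-"))


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Policy violations for a context; an empty list means it matches the page's policy."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}, below TLSv1_2")
    for name, protocol in enabled_suites(ctx):
        if not provides_forward_secrecy(name, protocol):
            findings.append(f"{name}: key exchange without forward secrecy")
        if "GCM" not in name and "CHACHA20" not in name:
            findings.append(f"{name}: not an AEAD suite")
    return findings


if __name__ == "__main__":
    for label, factory in (("hardened", hardened_server_context), ("weak", weak_server_context)):
        ctx = factory()
        print(label, "offers", len(enabled_suites(ctx)), "suites; findings:", audit(ctx) or "none")
```

The audit reads the context's effective state through get_ciphers() rather than re-parsing the cipher string, so it also catches suites that a library default or a distribution-wide policy file adds behind your back. The same checks can be made from the outside with a scanner such as the Qualys report linked below, but the in-process audit runs in CI before a configuration is deployed.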

Qualys SSL Report

Qualys SSL Labs summary (image)

Accounts

If you have registered an account on this wiki, your password itself is never stored. Only an Argon2id hash of it is kept (time cost 15, memory cost 64 MiB), on an access-restricted server. If an attacker were to gain access to this server, they would obtain only those hashes, and because Argon2id is memory-hard every guess costs them roughly the same work it costs us to verify a login, so a good password would take a prohibitively long time to crack. A weak password is not protected by any hashing scheme: please always use strong, unique passwords, everywhere.

The move to Argon2 was concluded on 2 February 2020. Before that, PBKDF2 was used (64-bit salt, 1,000,000 rounds). The server only ever sees your plaintext password at login, so accounts registered before the switch are upgraded the next time you log in: the password is checked against the old PBKDF2 hash and, if it matches, re-hashed with Argon2id and the old hash replaced. Nothing else is required of you.
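The upgrade-on-login flow described above, as an added example that is not Vixrapedia's (or MediaWiki's) code: a stored record is verified under whichever scheme produced it, and if the password matches but the record is a legacy PBKDF2 hash, or an Argon2id hash with parameters below the current policy, it is re-hashed with the current policy while the plaintext is still in hand. The page does not state the PBKDF2 PRF or the record format, so HMAC-SHA256 and simple `$`-separated hex records are assumed for the legacy side; the Argon2id side uses the PHC string format (`$argon2id$v=19$m=65536,t=15,p=1$salt$hash`, memory in KiB). The Argon2 hash and verify functions are passed in as callables so the logic runs without a particular library; in production they would come from argon2-cffi's PasswordHasher(time_cost=15, memory_cost=65536, type=Type.ID), whose verify() raises VerifyMismatchError on mismatch and so needs a small wrapper that returns False instead.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# Legacy scheme from the page: PBKDF2, 64-bit salt, 1,000,000 rounds.
# The page does not name the PRF; HMAC-SHA256 is assumed here.
LEGACY_PRF = "sha256"
LEGACY_ROUNDS = 1_000_000
LEGACY_SALT_BYTES = 8

# Current policy from the page: Argon2id, time cost 15, memory cost 64 MiB.
# PHC strings express memory in KiB, so 64 MiB is m=65536.
POLICY_TYPE = "argon2id"
POLICY_TIME_COST = 15
POLICY_MEMORY_KIB = 64 * 1024

HashFn = Callable[[str], str]          # password -> PHC-format Argon2id record
VerifyFn = Callable[[str, str], bool]  # (stored record, password) -> match?


def legacy_pbkdf2_record(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a record in the assumed pre-2020 format (used here to build fixtures)."""
    salt = salt if salt is not None else os.urandom(LEGACY_SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(LEGACY_PRF, password.encode(), salt, LEGACY_ROUNDS)
    return f"$pbkdf2-{LEGACY_PRF}${LEGACY_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_legacy(record: str, password: str) -> bool:
    """Recompute PBKDF2 with the stored salt and round count; compare in constant time."""
    _, scheme, rounds, salt_hex, dk_hex = record.split("$")
    prf = scheme.split("-", 1)[1]
    dk = hashlib.pbkdf2_hmac(prf, password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def argon2_params(record: str) -> Dict[str, int]:
    """Parse '$argon2id$v=19$m=65536,t=15,p=1$<salt>$<hash>' into its cost parameters."""
    fields = record.split("$")
    if len(fields) != 6 or not fields[1].startswith("argon2"):
        raise ValueError("not a PHC-format Argon2 record")
    params = dict(kv.split("=", 1) for kv in fields[3].split(","))
    return {"m": int(params["m"]), "t": int(params["t"]), "p": int(params["p"])}


def needs_rehash(record: str) -> bool:
    """True for legacy records and for Argon2id records weaker than the current policy."""
    if not record.startswith(f"${POLICY_TYPE}$"):
        return True
    p = argon2_params(record)
    return p["t"] < POLICY_TIME_COST or p["m"] < POLICY_MEMORY_KIB


def login(record: str, password: str, argon2_hash: HashFn,
          argon2_verify: VerifyFn) -> Tuple[bool, Optional[str]]:
    """Verify a password; on success return the record that should now be stored.

    The plaintext exists only for the duration of this call, which is why the
    upgrade from PBKDF2 (or from weaker Argon2 parameters) can happen only here.
    """
    if record.startswith("$pbkdf2-"):
        ok = verify_legacy(record, password)
    else:
        ok = argon2_verify(record, password)
    if not ok:
        return False, None
    new_record = argon2_hash(password) if needs_rehash(record) else record
    return True, new_record
```

The caller writes `new_record` back whenever it differs from what was read, so the migration completes one account at a time with no batch job and no window in which plaintext passwords exist outside a login request. Keeping `needs_rehash` parameter-aware, rather than just scheme-aware, means a future increase of the time or memory cost is rolled out by the same mechanism.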

More information on password storage and the hashing algorithms can be found here: