forked from cypht-org/cypht-website
-
Notifications
You must be signed in to change notification settings - Fork 0
/
security.html
171 lines (169 loc) · 8.79 KB
/
security.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
<!DOCTYPE html>
<html class="no-js">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Security</title>
<meta name="description" content="">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/png" href="img/icon.ico">
<link rel="stylesheet" href="site.css">
</head>
<body>
<header>
<nav class="navbar navbar-expand-lg navbar-dark bg-dark fixed-top">
<div class="container">
<a class="navbar-brand" href="index.html">
<img src="img/logo.svg" width="120" height="60" alt="">
</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
<span onclick="document.getElementsByClassName('navbar-collapse')[0].style.display = 'block';" class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse " id="navbarSupportedContent">
<ul class="navbar-nav ml-lg-auto">
<li class="nav-item ">
<a class="nav-link" href="index.html">Home </a>
</li>
<li class="nav-item ">
<a class="nav-link " href="features.html">Features<span class="sr-only">(current)</span></a>
</li>
<li class="nav-item active">
<a class="nav-link" href="security.html">Security</a>
</li>
<li class="nav-item">
<a class="nav-link" href="modules.html">Mods</a>
</li>
<li class="nav-item">
<a class="nav-link" href="license.html">License</a>
</li>
<li class="nav-item">
<a class="nav-link" href="tests.html">Test</a>
</li>
<li class="nav-item">
<a class="nav-link" href="https://unencumberedbyfacts.com/">Blog</a>
</li>
<li class="nav-item">
<a class="nav-link" href="index.html#contact">Contact</a>
</li>
</ul>
</div>
</div>
</nav>
</header>
<section class="content-section container">
<h2>Have a question about security?</h2>
<h3>Found a flaw in Cypht? We want to hear from you!</h3>
<p> Drop by the #hastymail IRC channel on freenode, or send me an E-mail at jason <span class="e_hl">[at]</span>
cypht <span class="e_hl">[dot]</span> org. We take security seriously. Cypht is an entirely volunteer effort, so
we can't afford a bounty program. We can however promise that any security issue reported to us before release
will receive a quick response, a thorough review, a sincere thanks, and an honorable mention on this page</p>
<hr>
<h3 class="top">In the browser</h3>
<ul>
<li>
By default all cookies are session level, HTTP only, and have the secure flag, path, and domain values set
(except one cookie used to pass user notices to the javascript)
</li>
<li>
HTTP request header fingerprinting, CSRF token protection, and target/source origin mismatch blocking
</li>
<li>
Security related HTTP headers like X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, and
Content-Security-Policy
</li>
<li>
Subresource Integrity for the 2 primary includes (site.js and site.css)
</li>
<li>
Configurable idle timeout module set that ends a session after a predetermined amount of time
</li>
<li>
Support for 2 factor authentication with any TOTP compatible authentication application
</li>
<li>
Optional AES encrypted AJAX responses
</li>
<li>
Optional AES encrypted local session storage cache
</li>
<li>
<a href="https://www.google.com/recaptcha/intro/index.html">reCAPTCHA</a> support for the login form
</li>
</ul>
<hr>
<h3>On the server</h3>
<ul>
<li>
TLS/STARTTLS support for IMAP, POP3, LDAP, and SMTP connections
</li>
<li>
Oauth2 over IMAP/SMTP supported (currently only Gmail and Outlook support this feature)
</li>
<li>
Session level data is encrypted with a long random string generated on login. Data is stored server side,
and the key is stored in a session level secure cookie
</li>
<li>
Persistent data stored between logins is encrypted with a key derived from your clear text password, which
is obviously not stored anywhere
</li>
<li>
All encryption is done with libsodium if available, otherwise with AES-256-CBC, encrypt-then-MAC, and PBKDF2
key derivation using OpenSSL (NOT Mcrypt)
</li>
<li>
PHP ini settings are tightened up at runtime for extra security, including open basedir and session best
practices (ones writable at runtime)
</li>
<li>
No writable files or directories are used inside the web-server document root, and only 3 files need to be
inside the document root to run the program. Module sets may include additional assets, such as the HTML
editor for outbound mail
</li>
<li>
Optional local DB based authentication using a salt and PBKDF2 (or libsodium using Argon2 if available)
</li>
<li>
HTML formatted E-Mail is filtered through HTMLPurifier with all external resources removed before being
rendered
</li>
<li>
Perfect score from the "Email Privacy Tester" at <a
href="https://emailprivacytester.com/">https://emailprivacytester.com/</a>
</ul>
<hr>
<h3> During development</h3>
<ul>
<li>
Easy output escaping inside modules for potentially dangerous content
</li>
<li>
Development is done with PHP's "E_ALL" and "E_STRICT" error reporting
</li>
<li>
Module design enforces a separation of input processing and output formatting, and encourages concise
methods, which makes the code easier to debug and audit
</li>
<li>
Only white-listed and typed/sanitized input is allowed. Modules must pre-define input in order to have
access
</li>
<li>
Modules can't reference PHP super-globals, and there are no globally scoped variables at all (there are a
few static class instances with private data structures that use getter/setter methods)
</li>
<li>
<a href="http://cypht.org/docs/test_coverage/index.html">100% unit test coverage with PHPUnit</a> for the
application framework and core module set
</li>
<li>
UI tests using Selenium with python bindings (currently at 64 tests)
<li>
Continuous Integration for UI tests, unit tests, and static code analysis done with <a
href="https://travis-ci.org">Travis CI</a>. You can read more info about our testing process at the <a
href="tests.html">testing page</a>
</li>
</ul>
</section>
</body>
</html>