Client-Side Security Suggestions
- We HIGHLY recommend that you use a strong password, and make sure that you store it somewhere safe. If your password is not strong, it is possible that someone could guess it.
- For added security/privacy we recommend you route your connection through Tor and use OTR and/or OMEMO.
- Always verify the certificate fingerprints of our server. The certificates are used for everything but our status page. If you see anything but these, please contact us and provide details.
Server Access Policy
- Access to the server is only done over encrypted protocols and is available to one person. SSH keys are enforced. All admins encrypt their local computers and adhere to modern privacy & security standards.
- The entire hypervisor is full disk encrypted with LUKS and only one person has access to the key. Meaning that if a bad actor has physical access to the server, it would make it much harder for them to clone, copy, or retrieve any data from the hard drives.
- Our server forces TLS for C2S (client-to-server) + supports PFS and DNSSEC. S2S (server-to-server) connections are forcefully encrypted as well.
Server-Side Security & Privacy
- The logs kept only contain information about info, warnings and errors. The info log does not contain user’s IP addresses, however, it does log when a user authenticates. We don’t store anything else besides the user’s hashed password, mod_offline messages, mod_mam archives, vcards, rosters and other module data based on our configuration.
- Our XMPP daemon, Prosody only interacts with flat-files on the filesystem level. No databases. All data is stored in flat-files. This significantly lowers the potential of user data being stolen.
- Our configuration is fully open source, if you’re wondering how it all runs you can view it here.