Privacy By Design For Everyone

Policies

All inter-data center network traffic encrypted

How All inter-data center network traffic within Calyx Institute's server infrastructure is encrypted using either IPsec or OpenVPN.

Why By employing strong encryption while data is in transit across the public networks from one data center location to another, we intend to provide countermeasures against casual interception.

Encourage or enforce protocol layer encryption and Forward Secrecy whenever possible

How We strongly encourage the use of protocol-level encryption whenever possible. Some of the ways we accomplish this are Secure Sockets Layer (SSL) and Transport Layer Security (TLS). We also strongly encourage the use of cryptographic algorithms that are capable of Forward Secrecy.

Some examples include:

Only allowing SSL-encrypted HTTPS connections on our web sites
Offering Forward Secrecy enabled cryptography algorithms on our web sites
Only allowing SSL-encrypted XMPP / Jabber connections to our public messaging server
Offering Forward Secrecy enabled cryptography algorithms on our public messaging server
Only allowing SSL-encrypted IMAP for email reading
Offering SSL encryption via STARTTLS on our public SMTP mail server
Offering SSL encryption on our public OpenPGP key server

Why Strong encryption and authentication of data serves several purposes. It is a countermeasure against interception. It also tries to authenticate the data - to provide assurance that data really originates from who you think it does.

Caveats Authoritative sources have pointed out flaws in the system of certificate authorities that underpins the trust network. We recognize these shortcomings and hope for technical solutions to overcome the weaknesses that have been identified. However, in the meantime there aren't a lot of alternatives.

Encourage and enable the use of Tor for anonymity

How The Institute maintains a number of high-speed Tor exit servers to enable Internet users from around the world to obtain a level of privacy, anonymity and security in their online communications. (See Status of Calyx Institute Tor servers here.)

In addition, we encourage users to access our network with enhanced levels of privacy, anonymity and security by making many of our network services available as Tor hidden services and by striving to make all of our public-facing servers compatible with being accessed over Tor.

Some of the services we currently have available as Tor hidden services include:

Description | Hostname | Tor hidden service address
--- | --- | ---
XMPP Jabber Server | jabber.calyxinstitute.org | ijeeynrc6x2uy5ob.onion
OpenPGP key Server | keys.calyxinstitute.org | tsc64wi45alh6rkq.onion
AroundBlocks.info website | www.aroundblocks.info | jaeyypqt6sejckus.onion

(More to be added as time allows.)

Why We encourage the use of Tor software as a countermeasure against content interception, geo-tracking and relationship mapping.

All user data stored on encrypted disks

How We use a number of different encryption schemes, including LUKS, softraid crypto and GEOM-based disk encryption.

Why Data on hard drives or other mass storage devices needs to be secured against unauthorized access by third parties.

All DNS domains signed with DNSSEC

How All DNS domains must be signed with DNSSEC.

Why The DNSSEC standard adds new important security features to DNS while maintaining backwards compatibility. The new features are: origin authentication of DNS data, authenticated denial of existence, and data integrity.

DNSSEC was designed to protect applications (and caching resolvers serving those applications) from using forged or manipulated DNS data, such as that created by DNS cache poisoning. All answers from DNSSEC protected zones are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (i.e. unmodified and complete) to the information published by the zone owner and served on an authoritative DNS server.

Notably, DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted.
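As an added illustration (not Calyx Institute's own tooling), the following parser reads a raw DNS response and reports whether the resolver set the AD (Authenticated Data) flag and whether each answer type is accompanied by an RRSIG. It checks for the presence of signatures only and does not verify them cryptographically. The function names, the example.org name, the 192.0.2.1 address and the dummy signature bytes are all constructed for this example.

```python
import struct

RRSIG, AD_FLAG = 46, 0x0020  # RRSIG type code (RFC 4034); AD header bit (RFC 4035)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:    # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:                # root label ends the name
            return off

def dnssec_status(msg):
    """Report the AD flag and the answer RR types that lack a covering RRSIG."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                # each question: name + type + class
        off = skip_name(msg, off) + 4
    types, covered = set(), set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == RRSIG:             # RDATA starts with the "type covered" field
            covered.add(struct.unpack_from("!H", msg, off)[0])
        else:
            types.add(rtype)
        off += rdlen
    return {"ad": bool(flags & AD_FLAG), "unsigned_types": sorted(types - covered)}

def name(n):  # encode a domain name as length-prefixed labels
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\0"

def rr(owner, rtype, rdata):  # one resource record, class IN, TTL 300
    return owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

def sample(signed):
    """Constructed response for example.org A; the signature is dummy filler."""
    q = name("example.org")
    answers = [rr(b"\xc0\x0c", 1, bytes([192, 0, 2, 1]))]
    if signed:
        sig = struct.pack("!HBBIIIH", 1, 13, 2, 300, 0, 0, 12345) + q + b"\0" * 64
        answers.append(rr(b"\xc0\x0c", RRSIG, sig))
    flags = 0x8180 | (AD_FLAG if signed else 0)
    hdr = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 0)
    return hdr + q + struct.pack("!HH", 1, 1) + b"".join(answers)

print(dnssec_status(sample(True)), dnssec_status(sample(False)))
```

The A record is read straight out of the message in both cases, which is the point made above: the signed response is authenticated, not encrypted.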