Exquisite Security

Protecting the Exquisite community is paramount to us, on every level. This document highlights the more technical measures we have taken to secure the Mastodon instance.
  • We regularly patch and install updates,
  • We follow the least-privilege model,
  • We use encryption wherever possible,
  • Processes are thoroughly isolated,
  • The security is continuously monitored.

Server

  • The OS and software are updated every week (Thursdays, 22:00 - 23:59 CEST),
  • The storage on the server is fully encrypted (using AES-XTS-256),
  • The server solely runs Mastodon and the required stack, which avoids additional attack surface.

Web front-end

  • Any plain-text (HTTP) traffic is redirected to the TLS secure counterpart (HTTPS),
  • TLS (or more specifically: TLSv1.2 and TLSv1.3) is used for encryption in transit - with HSTS and robust ciphers,
  • OCSP stapling is enabled,
  • TLS session tickets are disabled (at least until Nginx fixes this properly).
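The four front-end measures above map onto a handful of nginx directives. The following server blocks are an added illustration, not the instance's actual configuration: the hostname, certificate paths, resolver address and upstream port are placeholders, and the cipher list is one reasonable choice rather than the one the instance uses.

```nginx
# Added example, not Exquisite's real nginx configuration. Placeholders:
# social.example.org, the certificate paths, the resolver and the upstream port.

# 1. Any plain-text HTTP request is answered with a redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name social.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name social.example.org;

    ssl_certificate     /etc/ssl/certs/social.example.org.fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/private/social.example.org.key;          # placeholder

    # 2. TLS 1.2 and 1.3 only. The 1.3 suites are fixed by the TLS library; the list
    #    below restricts 1.2 to forward-secret AEAD suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    #    HSTS: once a browser has seen this header it refuses plain HTTP to this host
    #    for a year. Start with a short max-age while testing; this value is hard to undo.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # 3. OCSP stapling: nginx fetches the OCSP response itself and staples it into the
    #    handshake, so clients do not contact the CA. A resolver is needed for the lookup
    #    and ssl_trusted_certificate lets nginx verify the stapled response.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/social.example.org.chain.pem;  # placeholder
    resolver 127.0.0.1 valid=300s;                                       # placeholder

    # 4. Session tickets off: nginx does not rotate the ticket key by itself, so a
    #    long-lived key would weaken forward secrecy. The server-side cache is used
    #    for resumption instead.
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    location / {
        proxy_pass http://127.0.0.1:3000;   # placeholder: Mastodon web process
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

A quick check after reloading is `openssl s_client -connect social.example.org:443 -status`, which prints the stapled OCSP response, the negotiated protocol and whether a session ticket was issued; the `Strict-Transport-Security` header can be read with `curl -sI https://social.example.org/`.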

Networking

  • The server itself is strictly firewalled (using pf(8)), both egress and ingress - on a daemon/service level,
  • Internal service communication is encrypted (e.g. Mastodon is configured to connect to the local PostgreSQL server using TLS).
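"Firewalled on a daemon/service level" is possible with pf because a filter rule can carry a `user` clause that matches the owner of the local socket. The ruleset below is an added sketch of that idea, not the instance's real pf.conf: the interface name, the backup host address and the account names (`_mastodon`, `_unbound`, `_ntp`) are placeholders, and the set of outbound destinations is only what Mastodon plausibly needs (DNS, time sync, federation over HTTPS, package updates).

```pf
# Added example, not Exquisite's actual pf.conf. Interface, addresses and user
# names are placeholders; adjust to the accounts the daemons actually run as.

ext_if      = "vio0"          # placeholder: external interface
backup_host = "192.0.2.10"    # placeholder: host that pulls backups over SSH
admin_net   = "198.51.100.0/24"  # placeholder: where administrators SSH from

set skip on lo0
set block-policy drop
antispoof quick for $ext_if

# Default deny in both directions; log so that blocked traffic shows up in pflog
# (and therefore in monitoring) instead of silently disappearing.
block log all

# Ingress: only the public web ports, plus SSH from the backup host and admins.
pass in on $ext_if proto tcp from any to ($ext_if) port { 80 443 }
pass in on $ext_if proto tcp from { $backup_host $admin_net } to ($ext_if) port 22

# Egress, keyed to the daemon that opens the connection.
pass out on $ext_if proto { tcp udp } to port 53 user _unbound           # local resolver
pass out on $ext_if proto udp to port 123 user _ntp                       # time sync
pass out on $ext_if proto tcp to port { 80 443 } user _mastodon           # federation, remote media
pass out on $ext_if proto tcp to port { 80 443 } user root                # weekly package updates
pass out on $ext_if proto tcp to port 25 user _mastodon                   # outbound mail (or: restrict to the relay)
```

Anything not listed, for example the PostgreSQL or Redis user opening an outbound connection, or Mastodon talking to an unexpected port, is dropped and logged, which is exactly the behaviour you want to see in `tcpdump -n -e -ttt -i pflog0` during the weekly update window.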

Etc

  • Backups are made every 24 hours, using a 'pull' mechanism: the Mastodon server does NOT have access to the backup repository,
  • SSH is hardened (PKI authentication, MFA via hardware tokens),
  • SSH ciphers are hardened.
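The two SSH bullets above correspond to a short `sshd_config` fragment. This is an added example rather than the instance's own configuration; it assumes OpenSSH 8.5 or newer (for the `PubkeyAcceptedAlgorithms` and `sntrup761x25519` names) and that administrators authenticate with FIDO2 hardware keys, whose `sk-*` key types OpenSSH supports natively. The user names in `AllowUsers` are placeholders.

```sshconfig
# Added example, not Exquisite's actual sshd_config. Assumes OpenSSH >= 8.5.

# Key-based authentication only: no passwords, no keyboard-interactive fallback,
# no direct root login.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AuthenticationMethods publickey

# "MFA via hardware tokens": accept only FIDO2-backed key types and require user
# verification (PIN or biometric) on every signature. A key file copied off an admin
# workstation is useless without the token, and the token is useless without the PIN.
PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com
PubkeyAuthOptions verify-required

# Hardened algorithm selection: post-quantum hybrid or X25519 key exchange,
# AEAD ciphers only, encrypt-then-MAC only, Ed25519 host key.
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519
HostKey /etc/ssh/ssh_host_ed25519_key

# Fewer guesses and a shorter window per connection attempt.
MaxAuthTries 3
LoginGraceTime 20
AllowUsers admin backup    # placeholder account names
```

Validate with `sshd -t` before restarting, and keep an existing session open while you test a fresh login; with `verify-required` a key generated without `-O verify-required` (`ssh-keygen -t ed25519-sk -O verify-required`) will be refused, which is the intended behaviour but easy to lock yourself out with.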

Account security

The security of your account is paramount to us. However, it is only as strong as the weakest link. In this article, we explain the basics of account security.
  • Use a strong and unique password, preferably by using a password manager
  • Enable multifactor authentication
  • Make sure your contact address is kept up to date

Use a strong and unique password for your account. Mind you: this is not exclusive to Exquisite or Mastodon. We highly recommend use of a password manager - as this helps to create and securely store a larger number of credentials and sensitive information. If you are completely new to a password manager: a solid recommendation is either KeePassXC or Bitwarden. The latter has a self-hostable server implementation in Rust, dubbed Vaultwarden.

MFA - or Multi-Factor Authentication - drastically limits the consequences of a stolen password. It adds a different and unique factor to the authentication process. TOTP is the most often seen second factor; it generates a time-limited token of six characters.

Mastodon supports both TOTP and FIDO2 / WebAuthn. The latter is more secure, but requires a hardware token. To set up TOTP or FIDO2, please follow this link.
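To make the "time-limited token" concrete, here is an added, self-contained implementation of HOTP (RFC 4226) and TOTP (RFC 6238) in Python, which is neither Mastodon's code nor Exquisite's. It shows why the code changes every 30 seconds, why a server typically accepts the neighbouring periods (clock drift between phone and server), and why the comparison must be constant-time. The secret used in the comments is the RFC's published test seed, not a real credential.

```python
"""Added example (not Mastodon's or Exquisite's code): RFC 4226 HOTP and RFC 6238 TOTP
using only the standard library. Values in comments come from the RFC test vectors."""
import base64
import hashlib
import hmac
import struct

# The RFC 4226 / RFC 6238 test seed (ASCII "12345678901234567890"); constructed input.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                   # low nibble selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: the counter is the number of `step`-second periods since the Unix epoch,
    which is all that makes the token time-limited."""
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current period and `window` periods either side to
    tolerate clock drift. compare_digest keeps the comparison constant-time so the check
    does not leak how many digits matched. A real server must also remember the last
    accepted period so the same code cannot be replayed within the window."""
    period = at // step
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, period + offset, len(code)), code):
            return True
    return False


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps and otpauth:// QR codes carry the secret base32-encoded,
    often without padding and sometimes with spaces for readability."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # RFC 6238, Appendix B: at Unix time 59 the 8-digit SHA-1 code is 94287082.
    print(totp(RFC_TEST_SEED, 59, digits=8))      # 94287082
    print(totp(RFC_TEST_SEED, 59))                # 287082 (the six-digit form apps display)
    print(verify_totp(RFC_TEST_SEED, "287082", 89))  # True: one period of drift tolerated
```

The takeaway for the advice above: the six digits are derived from a long-lived shared secret, so the secret (and the QR code that carried it) is the thing to protect; the code itself is only useful for the period it was generated in, which is what limits the damage of a stolen password.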

Recommendations for TOTP

Direct messages on Mastodon are not end-to-end encrypted. Therefore, they should not be relied on to exchange sensitive communication.