Cover the choices and considerations in choosing a specific Rented Server (VPS, VDS, etc.).
Cover choices in choosing a domain name registrar, and different types of services.
Proposal
Create a new topic in the Advanced Section named something like Hosting Software through Rented Servers
Create a new topic in the Advanced Section named something like Choosing a Domain Name Registrar
[OPTIONAL] Create a new topic in the Advanced Section named something like Hosting Software through your own Server [SELF-HOSTING]
Context
At this time, PG is quite focused on technology that can be directly used to mitigate privacy issues. However, PG doesn’t seem to have a focus on those who deploy applications. This topic is typically reserved for developers who are deploying applications.
This is useful as users may wish to deploy privacy front ends, but may end up not choosing technologies that conceal their own privacy while assisting others. Specifically, this applies to me wanting to deploy services, but I don’t know where I should rent from and what registrars would be good to choose, along with their pros/cons and what choices to consider.
Good criteria, these should be the minimum. I think the .onion service is more a “nice to have”, but at least the provider shouldn’t block Tor and VPN users.
I think the hardest one will be the domain registration, because normally you have to register it in your name. Then there’s some providers like Njalla who register your domain in their name to keep your anonymity, but that one in particular is unprofessional and against free speech so I wouldn’t trust them to not steal the domain and shut it down.
There’s IncogNET as an alternative to Njalla for anonymous proxy domain registration.
I would also like to see some known attack vectors mentioned in the guide when using VPSs. For example, when using disk encryption, they can pull the encryption key while in RAM and decrypt your VM instance.
This is getting into security. I think this information is only important to include if it’s tied to different privacy choices. If the security considerations apply to all VPS servers, it’s outside the scope of a privacy guide. Not to say it isn’t important, but the scope of OpSec is a lot longer than what a privacy guide may have.
For the sake of argument, let’s assume we should have an OpSec guide for hardening a server. That is still an entirely separate discussion from choosing a privacy-respecting VPS vendor and domain name registrar, which is what I’m proposing in this thread.
If we wish to have an OpSec guide on hardening servers (VPS or otherwise), that belongs to its own dedicated guide. I would suggest making that a separate request from this one so PG can prioritize each differently. If you make the thread I’ll probably vote for it too.
@jonah if I were to make a Draft PR, would this help in getting this suggestion up and running? I’d like to help out, but I also don’t want to write up a whole GitHub PR if it would be discarded.
No specific recommendations, perhaps just listing criteria to look for and maybe some “gotchas” for a first draft. I’d say PG is better suited to evaluate specific vendors on a case by case basis.
Then it should be fine. A PR is typically more helpful than a discussion yes.
The guide has to be clear and logical, and it should explain why you are suggesting all the things you are suggesting. The discussion going on here doesn’t really have many details about even what’s going to be suggested, or why the suggestions make sense, so it’s really hard for me to say whether a PR is going to be successful just because I have no data.
But if you have ideas and know what you want this to look like and can back those ideas up, then a PR would be great.
I’m just saying that it obviously goes a lot quicker the more you help reviewers and try to preemptively answer our questions. If it’s just a list of stuff that we have to do original research on ourselves to see whether it makes sense, it’s probably going to take a long time. If it’s filled with factual information from the get-go that we only have to double-check, it goes a lot quicker.
I would say these three things should be three separate PRs, and probably worth doing one at a time to make sure things are on the right track:
It should also go without saying that we are here to assist with the writing process at any point!
I think recommending VPS providers and domain registrars on a platform like PG is non-trivial, mainly because the selection criteria almost always boil down to the political stance of an individual. It always turns into a debate between free-speech purists and people who don’t believe in free-speech.
The goal of this thread was to garner interest in the general topic. Had I done everything already, I probably would have just opened a PR directly. I just wasn’t sure of the right protocol to execute this in a way PG prefers.
It sounds like these threads are to request PG to do the lift, while at any point of time any user can open a PR for review, is that correct?
But with this, I’ll do some more research. I’ll probably need to triage vendors to gain a general idea of what’s best to write for a general article. Thanks again for the clarification.
We do want these threads to exist regardless of who authors the PR, even if I’m going to make a change myself I am still going to create a Site Development post first. So they are not just to request someone on the team to create the PR.
Oftentimes they will get picked up by a team member anyways, yeah, but they can also be picked up by anyone. And on the flip side, there’s no guarantee that a PG team member will open a PR based on forum posts either. Basically everything is done at the discretion of volunteers.
This would be a great topic and perfect timing for me. We are about to make decisions around self-hosting some apps in our small business. I would like to have privacy- and security-focused criteria to make sure the developer implements even if we host with a 3rd party.