<html><head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000">Hi Lewis,<br>
<br>
Thanks for reaching out.<br>
<br>
I feel terrible about security and data integrity in America, but also
in the world as a whole.<br>
<br>
We have thoroughly explored Canada and Europe as options for our HQ and
infrastructure. Problem is, my research shows that very few first-world
countries are even remotely outside the reach of the USG.<span> Sure
America has the Patriot Act and National Securtiy Letters to worry
about, but I don't think a lack of
these options will stop the USG from obtaining data they want. </span><br>
<br>
What we've done is bring extreme awareness of InfoSec to the table.
Every step of the way we work to find the best solution using readily
available technology. Is it perfect or ideal? Hardly. But we think it
better to do our best than to throw our hands up in the air.<br>
<br>
Here are 10 quick examples of measures we take that I could think up for
you on the spot:<br>
<br>
1) Isolation testing for shared/virtualized environments<br>
2) Very minimalistic logging, and for very minimalistic period of time<br>
3) "Scorched earth" prepared (whether it be a natural disaster or an
overreaching NSL, we have plans on how to make our infrastructure
disappear and reappear... elsewhere -- in far off jurisdictions if
necessary.)<br>
4) An International staff that won't come to a halt even if my US staff
was "compromised".<br>
5) PGP email, private XMPP, SilentDesktop, TextSecure and RedPhone
contact support for customers with severe privacy concerns (at no extra
cost, just ask)<br>
6) Privatized IPMI for servers (on a private VLAN and IP restricted --
not public, which would be a clear hole for the USG)<br>
7) An owner who isn't afraid to stand up for what's right, even if it
means personal sacrifices.<br>
8) Every member of our staff is trained and tested regularly on social
engineering awareness and resilience<br>
9) Internally we avoid "the cloud" or at least always have a secure
alternative and the awareness/diligence of knowing when to use which.<br>
10) We pen test our own software and infrastructure regularly and have
rigorous daily routines regarding the update of software and reviewing
the latest vulnerabilities.<br>
<br>
In short, we work to be very vigilant about privacy and security, it is
at the core of our business. That said, it is not our goal to harbor
criminals. In the case of a valid warrant (one that doesn't violate
rights and has gone through the proper transparent process -- e.g. not
an NSL) for a specific user who is clearly breaking laws, we will turn
over relevant information. In these cases, we notify the client before
turning over the information. It's mass surveillance and/or a lack of
due (and fair) process which we will not participate. We see sensitive
things like anonymous journalism, human rights activists, etc. as
perfect use cases for our infrastructure. <br>
<br>
We think that having trust in the people in charge of the infrastructure
is more important than the jurisdiction.<br>
<br>
Of course, our upstream providers (PEER1 [a Canadian company fwiw] or
their upstream providers) could potentially cooperate with tapping of
the pipes without us knowing. Our attempt at mitigation is making SSL
extremely affordable to our customers (we have the lowest consumer rates
in the world on trusted EV certs, at least that I know of), managing
the private keys with extreme paranoia and offering managed
implementation of PFS for clients who need it.<br>
<br>
Could we provide more security/privacy? We perpetually believe so, and
we're always working to make it happen. <br>
<br>
Kind regards,<br>
Alex<br>
<br>
<blockquote style="border: 0px none;"
cite="mid:CAHWD2r+xZNq=4rYVZ8L5mxTAgo6konCuZqdwo4PtrSXRrj+jDQ@mail.gmail.com"
type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="l@odewijk.nl" photoname="Lodewijk andré de la porte"
src="cid:part1.01060703.04020007@gmail.com"
name="compose-unknown-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:l@odewijk.nl"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Lodewijk andré de la porte</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">Wednesday,
November 13, 2013 1:32 PM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div dir="ltr"><div
class="gmail_extra"><br></div><div class="gmail_extra">How do you feel
about security and data integrity as an American company? I'm quite
sorry but I cannot deal with any company connected to America regarding
hosting, although I really do love the mentality presented on your
website. The patriot and related acts make it simply impossible to
achieve the level of security that my business needs. If it is possible,
please convince me!<br>
<br></div><div class="gmail_extra">All the best,<br></div><div
class="gmail_extra">Lewis<br></div></div>
</div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="ahstanford@gmail.com" photoname="Alex Stanford"
src="cid:part1.01060703.04020007@gmail.com"
name="compose-unknown-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:ahstanford@gmail.com"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Alex Stanford</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">Wednesday,
November 13, 2013 9:21 AM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
HTTPS can be a problem for
CDNs for a couple of reasons:<br>
<br>
1) In order to truly cache from the edge all the way back to origin over
HTTPS you have to juggle certs at each PoP and track which certs are
valid, at least in the CDN architectures I am familiar with. One trick
we've used is to allow HTTP or HTTPS for static files on origin, but
force dynamic pages to HTTPS - then the CDN caches via HTTP but serves
via HTTPS. This implementation works quite well for us.<br>
<br>
2) Certs are generally tied to an IP or set of IPs and applying multiple
certs to one IP can prove difficult. So, CDNs assign IPs at each node
specifically for a particular hostname in order to provide a custom SSL
cert to a customer. So, a customer requiring custom SSL may thereby
require dozens of dedicated IPs.<br>
<br>
At my business (fullambit.net) we're working to overcome these issues.
Our shared hosting accounts come with a dedicated IP, a trusted SSL
cert, anycast DNS and CDN service included by default. However, this
default CDN service is limited to a shared CDN hostname. This is usually
not a concern for customers, and other CDNs offer the same type of deal
(cdn77.com for example). It's when we come to custom SSL certs on the
CDN that we start to stand apart. We only charge $27.99/yr for a Thawte
123 DV certificate or $109.99 for a Thawte Web Server EV certificate.
The only caveat is that we ask customers to commit to at least 1TB/mo
for the entirety of the year, at a rate of $39.99 per TB. We're also
flexible in offering other certificates. ($8.79 /yr for RapidSSL, and we
can do Wildcards too, for example)<br>
<br>
My point being that while it is a challenge to offer SSL as a CDN, it is
also entirely possible, and I would assume even more so for big
companies like Akamai. CDN's and caching really shouldn't be part of the
equation when it comes to HTTPSing the Internet.<br>
</div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="eric@konklone.com" photoname="Eric Mill"
src="cid:part3.05050903.06000306@gmail.com" name="postbox-contact.jpg"
height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:eric@konklone.com"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Eric Mill</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">Monday, November
04, 2013 2:01 PM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div dir="ltr"><span
style="font-family:arial,sans-serif;font-size:13px">I'm very pro-HTTPS
for as many places as possible, switched to use it on my own site, and </span><a
moz-do-not-send="true" target="_blank"
style="font-family:arial,sans-serif;font-size:13px"
href="https://konklone.com/post/switch-to-https-now-for-free">documented
how to do it</a><span
style="font-family:arial,sans-serif;font-size:13px"> in detail.</span><div
style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px">But
I'm also very pro-"it should be easy to publish things on the Internet",
and key management *is* a pain in the ass. Requiring it Internet-wide
would raise the barrier for people new to web publishing to get started,
and/or make more people just use a *.<a moz-do-not-send="true"
target="_blank" href="http://wordpress.com/">wordpress.com</a> or *.<a
moz-do-not-send="true" target="_blank" href="http://whatever.com/">whatever.com</a> domain,
rather than bother getting their own.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div
style="font-family:arial,sans-serif;font-size:13px">Instead, we should
establish very clear norms about HTTPS for services and web applications
of all kinds. If you have the ability to add HTTPS support, you should,
and the mandate is especially clear for hosting services.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div
style="font-family:arial,sans-serif;font-size:13px">For example, one
glaring gap for me is Github Pages. It's impossible to use HTTPS if you
host something via Github Pages, whether or not you use your own domain
name (unless you do something expensive like put CloudFront in front of
it).</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div
style="font-family:arial,sans-serif;font-size:13px">Caching with HTTPS
is a problem. One source of reluctance for major platforms to support
HTTPS is because CDNs like Akamai raise their prices drastically if you
want HTTPS. That's a major market force that guides the decision
companies make, and it's one we should commit ourselves to changing.</div>
</div><div class="gmail_extra"><br><br><br><br clear="all"><div><br></div>--
<br><div dir="ltr"><div><a moz-do-not-send="true" target="_blank"
href="http://konklone.com">konklone.com</a> | <a moz-do-not-send="true"
target="_blank" href="https://twitter.com/konklone">@konklone</a><br>
</div></div>
</div>
<div>_______________________________________________<br>The cryptography
mailing list<br><a class="moz-txt-link-abbreviated" href="mailto:cryptography@metzdowd.com">cryptography@metzdowd.com</a><br><a class="moz-txt-link-freetext" href="http://www.metzdowd.com/mailman/listinfo/cryptography">http://www.metzdowd.com/mailman/listinfo/cryptography</a></div></div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="stpeter@stpeter.im" photoname="Peter Saint-Andre"
src="cid:part4.01000107.09060909@gmail.com" name="postbox-contact.jpg"
height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:stpeter@stpeter.im"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Peter Saint-Andre</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">Monday, November
04, 2013 12:28 PM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div>-----BEGIN PGP SIGNED
MESSAGE-----<br>Hash: SHA1<br></div><div><!----><br>Some of us are
working on that for some protocols:<br><br><a class="moz-txt-link-freetext" href="https://github.com/stpeter/manifesto">https://github.com/stpeter/manifesto</a><br><br>Peter<br><br>-
-- <br>Peter Saint-Andre<br><a class="moz-txt-link-freetext" href="https://stpeter.im/">https://stpeter.im/</a><br><br><br>-----BEGIN
PGP SIGNATURE-----<br>Version: GnuPG/MacGPG2 v2.0.19 (Darwin)<br>Comment:
GPGTools - <a class="moz-txt-link-freetext" href="http://gpgtools.org">http://gpgtools.org</a><br>Comment: Using GnuPG with Thunderbird
- <a class="moz-txt-link-freetext" href="http://www.enigmail.net/">http://www.enigmail.net/</a><br><br>iQIcBAEBAgAGBQJSd9lbAAoJEOoGpJErxa2pzhIP/iAdZkNEdgWRrt9N/7Tc06IK<br>3U9zDSzve6BglycwKsCmB8e9+dOuXjw383PiiydbiMDkmUOj7uvkiI069TImfk4E<br>Q49WKlBX3rNeqSuk3OAE4CgsnQLxxKns52q4TqfunsDgQS4EJL0xb6VH/O62JxFO<br>vjX6N0l6XYS/VnjJJi4jsqAsFjwsx0sVHP30bpvNNqTr511RRSdIa3udUE3CY8mP<br>Hf/8V6x6kLQENXgW4lYNyLMG3r4Q3/BkHkurLuw33jdCxNu6Wx4RB5xFPCWKFQyS<br>XgrYUBDRfVFHB0OqiukFE0uBqVvuTB9UH47zZiFuN3GM55UJ4TE8gks4W2v7Ku/n<br>vby+u/vToqZGGLJYwd2AzyfUag629KhnCbMJ1arp+fd5hMx5O3mbvzB7sJu92Suj<br>ZYB3LIkWUc/F5EJXCZN73HhxiyFbkWi5kVfPLkd5UybpI9CNd9Kglh00TBryZ5Ws<br>dGF/cOuwtWVOoNn5VeJDFm9MRbDnICwkpguuIdWCZGC8e30A7e4cuR3OFrNVkkfg<br>2ZmFaiVPN93aKeWiXclCkdTwxCXHoRByfSO89Z6QHDhQqbSQ6WMKaidPPbphGyjl<br>yyPUG3EsleZQBWdSic+5dgV4TIu2EMzY9IAYGuuNZruFRvr/ZUDnNosIbdg3UnXH<br>yNFG+7eTIcVkax5Riqgz<br>=S+19<br>-----END
PGP SIGNATURE-----<br>_______________________________________________<br>The
cryptography mailing list<br><a class="moz-txt-link-abbreviated" href="mailto:cryptography@metzdowd.com">cryptography@metzdowd.com</a><br><a class="moz-txt-link-freetext" href="http://www.metzdowd.com/mailman/listinfo/cryptography">http://www.metzdowd.com/mailman/listinfo/cryptography</a><br></div></div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="greg@kinostudios.com" photoname="Greg"
src="cid:part1.01060703.04020007@gmail.com"
name="compose-unknown-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:greg@kinostudios.com"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Greg</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">Monday, November
04, 2013 10:50 AM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div>Could someone please
forward this message to the Elders of the Internet™?<br><br>It's time to
make encryption mandatory in all communication protocols.<br><br>Thx,<br><br>-
Greg<br><br>--<br>Please do not email me anything that you are not
comfortable also sharing with the NSA.<br><br></div><div>_______________________________________________<br>The
cryptography mailing list<br><a class="moz-txt-link-abbreviated" href="mailto:cryptography@metzdowd.com">cryptography@metzdowd.com</a><br><a class="moz-txt-link-freetext" href="http://www.metzdowd.com/mailman/listinfo/cryptography">http://www.metzdowd.com/mailman/listinfo/cryptography</a></div></div>
</blockquote>
</body></html>