Security

I take the security and privacy of my visitors very seriously. This website is secured via SSL with certificates issued by Let's Encrypt, with an A+ rating from the Qualys SSL Labs report. My web server is configured to use HTTP Strict Transport Security (HSTS) with a long-duration header, as well as OCSP stapling.

This website does not handle any personally identifiable information. It does not load any external resources from Content Delivery Networks (CDNs). Instead, all assets are hosted on the static s.hong.io subdomain, with subresource integrity (SRI) enabled. This way, information about my visitors will not be leaked to third parties. Likewise, there are no tracking cookies or analytics scripts of any kind. For further details, see my privacy page.

PGP Public Key

This is my current PGP public key. It is available as a direct download from my website at the following link (PGP Key). Likewise, it is available for download via the OpenPGP.org keyserver, at the following link (PGP Key). I also maintain a regularly updated PGP canary (Link) which demonstrates that I still maintain possession of my PGP key.

  • Update 2022-05-06: I have added additional User IDs to my existing PGP key. The key and signature are still the same, but this changes the public key slightly. You can verify that the PGP key has not changed by checking signatures against both the old public key and the new public key; they will both verify correctly, since they correspond to the same underlying private key.
  • Update 2023-04-04: I have updated the expiry date on my PGP keys.

PGP Key Fingerprint

0799 5BED 3B7E A796 DDC0  5F3B 62CA C451 B0B4 5597

Shen's PGP Key Fingerprint

Tor Onion Service

This website is also available as a Tor Onion Service (Hidden Service) over the Tor Network. Users with advanced privacy and security requirements may opt to access my website through its Onion Service link using the Tor Browser. The Onion Service link is:

https://shen.hongio267dx4o2ofkn4ddsztu4ok2vq4euc7sxumbi7kcfd64ije62ad.onion/

Shen's Essays Onion Link

You may verify the provenance of the Onion Service link by visiting the mirrors.txt file located at this domain (Link Here). The linked file is signed with my PGP key, which you may verify. My Onion Service implements the Onion Mirror Guidelines specification.

The Onion Service is available over HTTPS. The TLS certificate is signed by HARICA, the Hellenic Academic and Research Institutions Certification Authority. The issuing CA's certificate is included by default in the Tor Browser trust store. The certificate fingerprints are:

SHA-256

6A:94:F1:D5:AB:3A:CB:FF:37:18:6B:6C:6A:0E:82:28:4C:5A:FF:1D:CF:8D:3D:53:7C:74:B0:E6:81:4A:AE:29

SHA-256 Certificate Fingerprint

SHA-1

94:3C:5D:04:F3:57:3F:4B:80:08:FA:BB:1B:FA:EF:C2:3E:4C:72:C9

SHA-1 Certificate Fingerprint
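As an added example (not the site's own code), the following Python checks a certificate you have saved from the Onion Service against the two fingerprints above, normalizing the display format and comparing in constant time; the bytes in the usage stub are a constructed stand-in, not a real certificate.

```python
"""Check a served certificate against the fingerprints published above. Added example,
not the site's own code; the DER bytes used in the usage stub are a constructed stand-in."""
import hashlib
import hmac
import ssl

# Fingerprints published on this page for the Onion Service TLS certificate.
PUBLISHED_PINS = {
    "sha256": "6A:94:F1:D5:AB:3A:CB:FF:37:18:6B:6C:6A:0E:82:28:4C:5A:FF:1D:CF:8D:3D:53:7C:74:B0:E6:81:4A:AE:29",
    "sha1": "94:3C:5D:04:F3:57:3F:4B:80:08:FA:BB:1B:FA:EF:C2:3E:4C:72:C9",
}

def normalize(fp):
    """Accept 'AB:CD', 'ab cd' or 'abcd' and return uppercase hex with no separators."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")

def fingerprint(der, algo):
    """Colon-separated uppercase digest of the DER-encoded certificate, as browsers display it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_pin(der, pin, algo):
    """Compare in constant time so a mismatch cannot be probed character by character."""
    return hmac.compare_digest(normalize(fingerprint(der, algo)), normalize(pin))

def check_against_published(cert):
    """cert may be a PEM string (as exported from a browser's certificate viewer) or raw DER bytes.
    Returns {algo: matched}. Treat a SHA-256 mismatch as failure on its own;
    the SHA-1 value is only a secondary cross-reference."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return {algo: matches_pin(der, pin, algo) for algo, pin in PUBLISHED_PINS.items()}

if __name__ == "__main__":
    # Constructed stand-in; a real check would pass the certificate saved from the Onion Service.
    print(check_against_published(b"constructed-not-a-real-certificate"))
```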

Responsible Disclosure

If you believe you have found a security issue on my website, or any of my associated infrastructure, I encourage you to contact me and disclose it responsibly. I am happy to work with security researchers and hobbyists to rectify any bugs and issues that are found, and coordinate a disclosure. Discoverers of any security issues will be acknowledged in the Security Hall of Fame section below.

Be advised that I do not run a bug bounty program at this time.

Out-of-Scope Reports for Responsible Disclosure

The following categories of reports are not eligible for inclusion in the Security Hall of Fame. These reports are considered out-of-scope because they do not represent a practical security issue within the context of my website's threat profile:

  • Reports about Clickjacking and X-Frame-Options. The server for shen.hong.io already implements a Content Security Policy that disallows embedding in foreign iframes. Furthermore, according to the current W3C recommendation, the Content-Security-Policy header supersedes the X-Frame-Options header.
  • Reports about Mail Spoofing and SPF Records. The shen.hong.io domain name does not have MX records, and does not send mail. Additionally, the root hong.io domain name (which does send mail) has DNSSEC, DANE, SPF, and MTA-STS enabled.
  • Reports about broken links. While reports about broken links are appreciated, they are not a cybersecurity issue. Hence submissions regarding broken links are not eligible for inclusion in the Security Hall of Fame.

Please do not submit reports regarding out-of-scope categories. They will be ignored and not receive a response.
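As an added illustration (not the site's own code) of two claims on this page, the long-duration HSTS header described at the top and the CSP frame-ancestors directive that makes X-Frame-Options redundant in the first out-of-scope item, the following Python parses both headers and reports whether a response satisfies them; the sample header values are constructed, not captured from shen.hong.io.

```python
"""Audit the HSTS and CSP headers this page describes. Added example, not the site's
own code; the header values in SAMPLE_HEADERS are constructed, not captured."""
ONE_YEAR = 365 * 24 * 60 * 60  # "long-duration" HSTS: at least one year (the preload-list threshold)

def parse_hsts(value):
    """'max-age=63072000; includeSubDomains; preload' -> {'max-age': '63072000', 'includesubdomains': None, ...}"""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') or None
    return out

def hsts_is_long_duration(value):
    """True when max-age is present, numeric and at least one year."""
    max_age = parse_hsts(value).get("max-age")
    return max_age is not None and max_age.isdigit() and int(max_age) >= ONE_YEAR

def parse_csp(value):
    """{directive: [source expressions]}; a repeated directive is ignored, as the CSP spec requires."""
    policy = {}
    for token in value.split(";"):
        fields = token.split()
        if fields and fields[0].lower() not in policy:
            policy[fields[0].lower()] = fields[1:]
    return policy

def csp_blocks_foreign_framing(value):
    """True when frame-ancestors is exactly 'none' or 'self': no third-party origin may embed
    the page, so the CSP supersedes X-Frame-Options and a Clickjacking report adds nothing."""
    sources = parse_csp(value).get("frame-ancestors")
    if not sources:
        return False  # directive absent: the CSP says nothing about framing
    return [s.lower() for s in sources] in (["'none'"], ["'self'"])

SAMPLE_HEADERS = {  # constructed sample of the response headers described on this page
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

def audit(headers):
    """Case-insensitive header lookup; returns which of the two page claims the headers satisfy."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "hsts_long_duration": hsts_is_long_duration(h.get("strict-transport-security", "")),
        "csp_blocks_framing": csp_blocks_foreign_framing(h.get("content-security-policy", "")),
    }
```

Run `audit()` over the headers of a real response (for example from `requests.head(...).headers`) to reproduce the check for another site.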

Security Hall of Fame

I give my thanks and gratitude to the following individuals, who have contacted me with security issues or concerns, and worked with me to rectify them.

2024 – 2025:

  • No submissions (so far).

2023 – 2024:

  • 2023-12-18: Security vulnerability due to outdated front-end JavaScript library. Reported by Penetration Testing Engineer Nikhil Rane, and fix deployed on the same day.
  • 2023-12-10: XSS vulnerability due to mis-configured Content Security Policy (CSP) Header. Reported by Security Researcher Sanath Vyas, and fix deployed on the same day.

2022 – 2023:

  • No submissions.

2021 – 2022:

  • No submissions.