All dates are UTC+00:00.




- Enabled TLS 1.2.

TLS 1.2 has been enabled due to Pleroma not yet supporting TLS 1.3.
This should fix the incoming federation with Pleroma instances.

- Enabled AES-128 + GCM ciphers for TLS 1.2 and TLS 1.3.

Due to many instances using AES-128 + GCM, these cipher suites have been
enabled to provide support for receiving data from them.



- Enabled X-Frame-Options HTTP header.

X-Frame-Options HTTP header prevents clickjacking attacks, by ensuring
that website content is not embedded into other sites.

- Enabled X-Content-Type-Options HTTP header.

X-Content-Type-Options response HTTP header is a marker used by the
server to indicate that the MIME types advertised in the Content-Type
headers should be followed and not be changed. The header allows prevention
of MIME type sniffing by stating that the MIME types are deliberately configured.

- Enabled Referrer-Policy HTTP header.

Referrer-Policy HTTP header controls how much referrer information (sent
with the Referer header) should be included with requests. Referrer-Policy
is set to send referrer information only to same origin.



- Forced X25519 key exchange mechanism.

X25519 is a secure and safe key exchange mechanism which is unrelated to
the possibly backdoored P curves. It has 128-bit strength, and its source
code is in public domain.



- Removed AES-128 from TLS 1.3 ciphers.

TLS 1.3 can no longer connect to Inferencium Network using AES 128-bit
(AES_128_GCM_SHA256); this protects TLS connections against quantum
computer attacks via Grover's Algorithm halving the key space to only

Updated order of ciphers:
1. ChaCha20 with Poly1305 (TLS_CHACHA20_POLY1305_SHA256).
2. AES 256-bit with GCM (TLS_AES_256_GCM_SHA384).

- Created Pleroma Tor hidden service.

Tor hidden services (.onion domains) are censorship resistant and
provide very high privacy for both users and domains.

Inferencium Network - Pleroma Tor hidden service:

- Hardened server internal filesystem discretionary access control
(DAC) permissions.

Inferencium Network's social server filesystem permissions have been
hardened against unauthorised access.

- Disabled HSTS.

HSTS is not compatible with Tor hidden services and prevents the hidden
service from loading correctly. This poses a security threat to clearweb
users; in order to mitigate this threat, manually enter `https://` into the
address bar of your web browser of choice when connecting to Inferencium
Network's clearweb instance; failure to do so may result in your connection
being victim to an SSL stripping attack.



- Fixed federation issues.

Federation now works as intended.

- Fixed media uploads.

Media uploads work as intended and no longer throw an error.



- Increased HSTS maximum age from 1 year to 5 years.

Increasing the HSTS maximum age from 1 year (31,536,000 seconds) to 5
years (157,680,000 seconds) forces the user's browser to accept connections
only over HTTPS, without negotiating over HTTP before upgrading to HTTPS,
after the initial connection to the website; this prevents SSL stripping
attacks after the initial connection to the website due to an insecure HTTP
connection occuring only to negotiate upgrading to HTTPS on the initial


- Addressed issue of avatars not loading.

User avatars now appear as intended.



- Configured TLS 1.3 to prefer ChaCha20 cipher with Poly1305 message
authentication code (TLS_CHACHA20_POLY1305_SHA256).

ChaCha20 is a 256-bit stream cipher which prevents encryption key
leakage via cache timing on systems which do not support AES hardware
acceleration (including AES-NI). Although most modern PC systems do support
AES hardware acceleration, it cannot be confirmed that every user of
Inferencium Network will have such hardware, and some implementations and
browsers may not provide the same levels of security mandated by
Inferencium Network. There may be a slight performance penalty when using
ChaCha20 over AES, but it guarantees high security, which is the focus of
Inferencium Network. AES 256-bit with GCM and AES 128-bit with GCM are used
as fallbacks.

The order of the ciphers is:
1. ChaCha20 with Poly1305 (TLS_CHACHA20_POLY1305_SHA256).
2. AES 256-bit with GCM (TLS_AES_256_GCM_SHA384).
3. AES 128-bit with GCM (TLS_AES_128_GCM_SHA256).

Advantages of ChaCha20 over AES include, but are not limited to:
1. AES cannot be computed efficiently in software without timing
side-channels. ChaCha20 was designed for fast software implementation
without timing side-channels.
2. AES is worse at approximating one-time pads than ChaCha20, due to the
birthday paradox.
3. AES has a substantial key setup cost. ChaCha20 has zero key setup cost.
4. AES-128 has 10 rounds, AES-256 has 14 rounds, and ChaCha20 has 20



- Switched from Ubuntu 20.04 to Alpine Linux 3.14.

Alpine Linux is a security focused Linux operating system which has an
extremely small attack surface due to using packages designed for embedded
systems. It has a smaller codebase which mitigates security vulnerabilities
and makes it easier to audit.

- Switched from systemd to OpenRC.

OpenRC is a classic style Linux init system which has a much smaller
attack surface and retains UNIX philosophy of modular components. It does
one thing, and it does it well. systemd's development team is not trusted
by Inferencium Network after comments made by its lead developer and the
poorly designed implementation of a bloated and insecure init system which
does much more than it should be able to do. OpenRC allows Inferencium
Network to run an init system which keeps attack surface to a minimum.

- Switched from glibc to musl.

musl is a much smaller and cleaner libc implementation which has had
many less security vulnerablilities than glibc, which is bloated and has
had many severe security vulnerabilities.

- Enabled HSTS connections.

HTTP Strict Transport Security (HSTS) is a feature which forces web
browsers to connect directly using HTTPS when trying to connect via HTTP.

- Enabled secure cookies.

Cookies will be accepted only on HTTPS connections.

- Forced TLS 1.3 connections.

Forcing TLS 1.3 ensures all connections have forward secrecy and utilise
the newest and most secure TLS version.



- Intitial release.