Thanks for these points. I've set the HTTP Strict Transport Security
header and session cookies are now HTTPS only; these are definitely
very good ideas. While I do think that those services can
probably be trusted, it's always good to reduce any dependencies on 3rd
parties, so I'll definitely consider moving the stat logging
server-side.
To answer your other questions:
* I used PyCrypto which certainly isn't as foolproof as I'd like but seems to be the best option available to me.
* Admins can decrypt the data by the nature of how the service works; Tarsnap requires you to download and run an application yourself, so it is for very different types of users.
* We use SSH certs and no admin is accessible to web users
* We do use Google Apps for email, and we do have two-factor set up
* tidy.io hasn't been up long enough to get vulnerability reports but if we do we will handle them responsibly and definitely give the finder thanks and credit. We do need a proper statement of this on the site though, I'll sort that out!
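The two hardening steps mentioned above (HSTS plus HTTPS-only session cookies) as a worked example. This is added illustrative code, not tidy.io's: a small WSGI middleware that adds a Strict-Transport-Security header when the app did not set one and appends Secure, HttpOnly and SameSite to any Set-Cookie the app emits. The `demo_app`, the `session` cookie name and the one-year `max-age` are constructed for the example.

```python
# Added example: WSGI middleware enforcing HSTS and hardened cookies.
# Not tidy.io's code; the app and cookie below are constructed for the demo.
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]

# One year, applied to subdomains too. Only meaningful when served over TLS:
# browsers ignore HSTS received over plain HTTP.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def harden_cookie(value: str) -> str:
    """Return a Set-Cookie value with Secure, HttpOnly and SameSite present.

    Attributes the application already set are left untouched.
    """
    attrs = [a.strip() for a in value.split(";") if a.strip()]
    present = {a.split("=", 1)[0].lower() for a in attrs[1:]}
    if "secure" not in present:      # never sent over plain HTTP
        attrs.append("Secure")
    if "httponly" not in present:    # not readable from JavaScript
        attrs.append("HttpOnly")
    if "samesite" not in present:    # not attached to cross-site requests
        attrs.append("SameSite=Lax")
    return "; ".join(attrs)


def harden_headers(headers: Headers) -> Headers:
    """Add HSTS if missing and harden every Set-Cookie header."""
    out: Headers = []
    has_hsts = False
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            has_hsts = True
        if name.lower() == "set-cookie":
            value = harden_cookie(value)
        out.append((name, value))
    if not has_hsts:
        out.append(("Strict-Transport-Security", HSTS_VALUE))
    return out


class HardenMiddleware:
    """Wrap a WSGI app so every response passes through harden_headers()."""

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, harden_headers(headers), exc_info)
        return self.app(environ, patched_start_response)


def demo_app(environ, start_response) -> Iterable[bytes]:
    # Constructed app that sets a session cookie with no protective attributes.
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"hello"]


def run_once(app: Callable) -> Tuple[str, Headers, bytes]:
    """Invoke a WSGI app once without a server and capture what it sent."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = run_once(HardenMiddleware(demo_app))
    for name, value in headers:
        print(f"{name}: {value}")
```

Putting this in front of the app rather than in each handler means a forgotten cookie flag cannot slip through; the middleware assumes TLS is terminated in front of it, since HSTS and Secure cookies only help once the site is actually served over HTTPS.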
It is very easy to write bad crypto with PyCrypto (it is an interface on pretty much the same level as OpenSSL). As a Python developer, you have access to Keyczar, which is what you should use instead of PyCrypto. The number of questions you'd have to address about your PyCrypto cryptosystem to make that point an asset instead of a liability (to savvy readers) is too large for the page you're trying to write.
You've exposed SSH to the Internet? Your SSH endpoints have routable IP addresses? How many of them do you have? If you've deployed this on EC2, you'd be better off moving all your admin to a VPN connection, so that any server you'd SSH into has a 10-net address.
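To make the "easy to write bad crypto with a low-level API" point concrete, here is an added example (not tidy.io's code and not Keyczar's) of the most common such mistake: encrypting with a stream/counter mode and no authentication tag. Without a MAC the ciphertext is malleable, so someone who knows or guesses part of the plaintext can rewrite it without the key; encrypt-then-MAC is what a higher-level library does for you by default. So that the demo runs on the Python standard library alone, the keystream is derived with HMAC-SHA256 in counter mode as a stand-in for AES-CTR; the attack and the fix are the same with AES. The message layout `role=user;id=42` is constructed.

```python
# Added example: malleability of unauthenticated encryption, and the
# encrypt-then-MAC fix. Constructed demo; HMAC-SHA256 in counter mode stands
# in for AES-CTR so that only the standard library is needed.
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_unauthenticated(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """nonce || (plaintext XOR keystream). Confidential, but not tamper-proof."""
    nonce = nonce or os.urandom(NONCE_LEN)
    return nonce + xor(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt_unauthenticated(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor(ct, keystream(key, nonce, len(ct)))


def flip_field(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker step, no key needed: XOR in (old ^ new) at a known offset.

    Because ct = pt XOR ks, changing ct by (old ^ new) changes pt by the same.
    """
    pos = NONCE_LEN + offset
    patched = bytearray(blob)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[pos + i] ^= o ^ n
    return bytes(patched)


def encrypt_authenticated(enc_key: bytes, mac_key: bytes, plaintext: bytes,
                          nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC: tag covers nonce and ciphertext, under a separate key."""
    blob = encrypt_unauthenticated(enc_key, plaintext, nonce)
    tag = hmac.new(mac_key, blob, hashlib.sha256).digest()
    return blob + tag


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return decrypt_unauthenticated(enc_key, body)


def demo():
    """Returns (what the victim decrypts without a MAC, whether the MAC version rejected it)."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"role=user;id=42"          # constructed message layout
    off = msg.index(b"user")

    # Without authentication: attacker turns "user" into "root" blind.
    blob = encrypt_unauthenticated(enc_key, msg)
    tampered = decrypt_unauthenticated(enc_key, flip_field(blob, off, b"user", b"root"))

    # With encrypt-then-MAC: the identical edit is detected and rejected.
    ablob = encrypt_authenticated(enc_key, mac_key, msg)
    try:
        decrypt_authenticated(enc_key, mac_key, flip_field(ablob, off, b"user", b"root"))
        rejected = False
    except ValueError:
        rejected = True
    return tampered, rejected


if __name__ == "__main__":
    print(demo())
```

The same bit-flip works against AES-CTR, and a close cousin (padding-oracle or bit-flipping into the next block) against AES-CBC, which is why a low-level toolkit that hands you raw modes is a liability unless you also get the MAC, the key separation, the constant-time compare and the nonce handling right every time; a library that provides authenticated encryption and key versioning as the default removes those decisions from application code.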