
More secure than my bank’s web site?

Someone once said – and I got this quote from the computer game Sid Meier’s Alpha Centauri, so I’m not sure if they got it from elsewhere – “The pinnacle of military deployment approaches the formless, for if it is formless, then even the deepest spy cannot discern it nor the wise make plans against it.” I would modify that wisdom to apply to information security: The pinnacle of secure information is the nonexistent, for if it is nonexistent, then even the deepest spy cannot leak it nor the most talented cracker steal it.

I mentioned in a previous post that I was setting up a new web site, dragonsmoke. I set it up because I want to run my own web server at home. Like much of what I create, the final product (the content being served) is less important than the process of creating it (setting up a secure server).

I have been using various automated testing tools to harden my server’s security. The first one I discovered, and the one that has been most helpful so far, is Qualys SSL Labs’ SSL Server Test. I have taken a repetitive-testing approach to web site security: first I got the site running with a Let’s Encrypt HTTPS certificate, then I ran the test, then I fixed whatever it told me to fix, then I ran the test again, and so on. Now I have an A+ rating on that test. A+ is great, but I want perfect.

Out of curiosity, I also ran the SSL Server Test against my bank’s web site: its overall score was identical to mine, A+ but could be better. I did notice one small area where my site did better: On the advice of security expert Steve Gibson, I use OCSP Must Staple. I can see no reason not to; it’s so easy to set up.

I think my score will improve slightly when dragonsmoke gets added to the HSTS preload list. I’ve submitted it for inclusion, now I just have to wait.

The second automated test I discovered was Observatory by Mozilla. It recommended some HTTP headers that I’d never heard of before, which I could configure my web server to send. So that’s a plus. Now dragonsmoke has an A+ rating here too, but again not a perfect score.
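As an added example (not code from this site or from either testing tool), here is a small Python checker for the two items above: whether a Strict-Transport-Security header meets the HSTS preload list’s published requirements (at least a one-year max-age, includeSubDomains, and the preload token), and which of the response headers Observatory looks for are absent. The sample response heads are constructed, and the list of Observatory headers is an assumption about what that tool flags.

```python
# Hypothetical checker, added here (not code from the site or either testing
# tool), for the HSTS preload rules and the headers Observatory looks for.
PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires at least one year
OBSERVATORY_HEADERS = ("content-security-policy", "x-content-type-options",
                       "x-frame-options", "referrer-policy")  # assumed list

def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value):
    """Split 'max-age=300; includeSubDomains' into a directive dict."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def hsts_preload_problems(headers):
    """Reasons the site would be rejected from the HSTS preload list."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(value)
    if not d.get("max-age", "").isdigit():
        return ["max-age missing or not a number"]
    problems = []
    if int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems

def missing_observatory_headers(headers):
    return [h for h in OBSERVATORY_HEADERS if h not in headers]

# Constructed sample response heads: before and after hardening.
WEAK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nStrict-Transport-Security: max-age=300\r\n"
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
            "Content-Security-Policy: default-src 'self'\r\nX-Content-Type-Options: nosniff\r\n"
            "X-Frame-Options: DENY\r\nReferrer-Policy: no-referrer\r\n")
```

Running `hsts_preload_problems(parse_headers(WEAK))` lists all three preload shortcomings, while the hardened head yields an empty list for both checks.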

I’ve put all this effort into encrypting connections to my web site, making it really hard for any MITM to see or modify any of the data sent between client and server. The most important step in creating information security is not the encryption, though: it is the data itself. The less data there is, the less likely it is for important data to leak. I know that a bank may need to send and receive lots of potentially interesting data: credit card details, names, passwords, PINs, phone numbers, you name it. Dragonsmoke does not need that info, so it provides no means for users to enter that info. No data is collected at all. That is how I know that my site is more secure against data theft than my bank’s site.

I still want perfect scores though. Just because my site is small and niche does not mean I will settle for less.

Accepted into Let’s Encrypt beta!

So I’m a fan of encryption. Basically, I think that everything that gets transmitted across the Internet should be encrypted. You know how the NSA is spying on everyone in the hope of catching terrorist boogeymen? They’re looking for a needle in a haystack. I want to add more hay.

Let’s Encrypt, like the name suggests, is a project to enable HTTPS encryption on web sites everywhere. HTTPS has been around since forever, but until now has suffered from a limitation: the only way for a web site to get an HTTPS certificate for free was to generate one themselves – a self-signed certificate. That’s fine for encryption, but it doesn’t allow for identity verification, the other goal of HTTPS. Anybody using a self-signed certificate could claim to be, e.g., your bank. Thus browsers do not by default accept self-signed certificates.

This is where the Certificate Authority system comes in. CAs will sign others’ certificates, verifying the identity of that other server. If your browser trusts a particular CA, then your browser will accept any certificate signed by that CA. I’m greatly simplifying this, obviously. The problem is that existing CAs charge for their services, which makes it unreasonable for tiny little no-budget site owners like me to get HTTPS certificates. I’m not making any money off of this blog – I don’t even have ads – so I can’t justify any additional expenses.

Let’s Encrypt is a new CA. It’s free and automated. And I’m about to get a certificate.

Edit: I’ve gotten the certificate installed. I’ve tested it on three browsers so far (Firefox, Chromium, and some program that just calls itself Browser) all on my main computer. No problems so far! Now to test on other computers.

Edit 2: Let’s Encrypt has published a blog post which I think is relevant: The CA’s Role in Fighting Phishing and Malware

Thinking about moving to my own domain

[edit: In case it’s not obvious, I moved to theopensource.ninja]

So I’m planning on getting my own domain at the end of the month. There are certain advantages to having one’s own domain. One is that Java packages and Android apps are identified partly by the domain name belonging to the person who builds the app. I’m tired of always having to use “localhost.localdomain” or “fakedomain.invalid” or the like. Did I mention I’m working on an Android app? I am. See my GitHub.

This domain comes as part of a hosting package (you can buy domains from some registrars separately, but I’m choosing not to). This means I’ll be able to move some or all of my online social life onto a server controlled by me. I’ve always wanted to do that, though preferably with a server that I actually physically own. So, things like my email, this blog, and/or my Identi.ca account may soon be moved to this new hosted environment.

The trouble now is coming up with a domain that I like. The hosting/registration company I’m choosing (An Honest Host because they support one of my favorite podcasts) offers .ninja TLDs, so I want to find a domain that works with that. Maybe TheOpenSource.ninja. Or maybe go with my slightly more established online nickname, jdea: jdea.ninja. Except nobody would know how to pronounce that. Maybe use the nickname I earned while working for OSU’s student media, Tripod Guy? Tripod.ninja just sounds like I stuck two random words together. Or maybe my new domain should reflect one of my other interests: filmmaking, dragons. Dragon.ninja sounds kind of cool.

I’ve got some thinking to do.

This site is up again?!?

This server has been down for the longest time, since at least the 23rd. I haven’t seen any announcements/explanations/apologies from Oregon State University about this, but that could be because I’m no longer a student there. To be honest, I’m surprised I still have access to this web server.

I’ve been thinking about moving the blog to its own domain, with a new host, but those cost money. Using OSU’s server is free, so I’ll stay with it as long as they’ll let me.

Rebuilding blog

I’m in the process of rebuilding my blog, and am deciding whether to repost my old posts. I’m also planning to design my own theme, and am working on writing a WordPress plugin to use Libravatar rather than Gravatar (the plugin is functional and being used right now, but it’s missing some planned features). I’m also looking for a way to auto-post to and/or from my Identi.ca and Diaspora accounts.