Tag Archives: HTTPS

More secure than my bank’s web site?

Someone once said – and I got this quote from the computer game Sid Meier’s Alpha Centauri, so I’m not sure if they got it from elsewhere – “The pinnacle of military deployment approaches the formless, for if it is formless, then even the deepest spy cannot discern it nor the wise make plans against it.” I would modify that wisdom to apply to information security: The pinnacle of secure information is the nonexistent, for if it is nonexistent, then even the deepest spy cannot leak it nor the most talented cracker steal it.

I mentioned in a previous post that I was setting up a new web site, dragonsmoke. I set it up because I want to run my own web server at home. Like much of what I create, the final product (the content being served) is less important than the process of creating it (setting up a secure server).

I have been using various automated testing tools to harden my server’s security. The first one I discovered, and the one that has been most helpful so far, is Qualys SSL Labs’ SSL Server Test. I have taken a repetitive-testing approach to web site security: first I got the site running with a Let’s Encrypt HTTPS certificate, then I ran the test, then I fixed whatever it told me to fix, then I ran the test again, and so on. Now I have an A+ rating on that test. A+ is great, but I want perfect.

Out of curiosity, I also ran the SSL Server Test against my bank’s web site: its overall score was identical to mine, A+ but could be better. I did notice one small area where my site did better: On the advice of security expert Steve Gibson, I use OCSP Must Staple. I can see no reason not to; it’s so easy to set up.

I think my score will improve slightly when dragonsmoke gets added to the HSTS preload list. I’ve submitted it for inclusion, now I just have to wait.
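As an added example (not code from this post), here is a small check of a Strict-Transport-Security header against what the preload list's submission form requires of the header itself, which I take to be a max-age of at least one year, includeSubDomains and preload; the sample header values are constructed.

```python
# Added example (not the author's code): parse a Strict-Transport-Security
# header and report why the hstspreload.org submission form would reject it.
# Preload rules assumed here: max-age >= 1 year, includeSubDomains, preload.
ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts

def parse_hsts(value):
    """Parse an HSTS value per RFC 6797: directives are separated by ';',
    names are case-insensitive, and max-age may carry a quoted number.
    Returns (max_age or None, include_subdomains, preload, errors)."""
    max_age, subdomains, preload, errors = None, False, False, []
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                max_age = int(arg)
            else:
                errors.append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        errors.append("max-age missing (browsers ignore the header)")
    return max_age, subdomains, preload, errors

def preload_problems(value):
    """List the reasons a header fails the preload-list requirements; an
    empty list means the header itself is eligible (the site must still
    serve it over HTTPS on every subdomain and redirect HTTP to HTTPS)."""
    max_age, subdomains, preload, problems = parse_hsts(value)
    if max_age is not None and max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below {ONE_YEAR}")
    if not subdomains:
        problems.append("includeSubDomains directive missing")
    if not preload:
        problems.append("preload directive missing")
    return problems

if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    for hdr in ["max-age=63072000; includeSubDomains; preload",
                "max-age=300",
                'Max-Age="31536000"; includeSubDomains']:
        print(repr(hdr), "->", preload_problems(hdr) or "eligible")
```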

The second automated test I discovered was Observatory by Mozilla. It recommended some HTTP headers that I’d never heard of before, which I could configure my web server to send. So that’s a plus. Now dragonsmoke has an A+ rating here too, but again not a perfect score.

I’ve put all this effort into encrypting connections to my web site, making it really hard for any MITM to see or modify any of the data sent between client and server. The most important step in creating information security is not the encryption, though: it is the data itself. The less data there is, the less likely it is for important data to leak. I know that a bank may need to send and receive lots of potentially interesting data: credit card details, names, passwords, PINs, phone numbers, you name it. Dragonsmoke does not need that info, so it provides no means for users to enter that info. No data is collected at all. That is how I know that my site is more secure against data theft than my bank’s site.

I still want perfect scores though. Just because my site is small and niche does not mean I will settle for less.

Accepted into Let’s Encrypt beta!

So I’m a fan of encryption. Basically, I think that everything that gets transmitted across the Internet should be encrypted. You know how the NSA is spying on everyone in the hope of catching terrorist boogeymen? They’re looking for a needle in a haystack. I want to add more hay.

Let’s Encrypt, like the name suggests, is a project to enable HTTPS encryption on web sites everywhere. HTTPS has been around since forever, but until now has suffered from a limitation: the only way for a web site to get an HTTPS certificate for free was to generate one themselves – a self-signed certificate. That’s fine for encryption, but it doesn’t allow for identity verification, the other goal of HTTPS. Anybody using a self-signed certificate could claim to be, e.g., your bank. Thus browsers do not by default accept self-signed certificates.

This is where the Certificate Authority system comes in. CAs will sign others’ certificates, verifying the identity of that other server. If your browser trusts a particular CA, then your browser will accept any certificate signed by that CA. I’m greatly simplifying this, obviously. The problem is that existing CAs charge for their services, which makes it unreasonable for tiny little no-budget site owners like me to get HTTPS certificates. I’m not making any money off of this blog – I don’t even have ads – so I can’t justify any additional expenses.

Let’s Encrypt is a new CA. It’s free and automated. And I’m about to get a certificate.

Edit: I’ve gotten the certificate installed. I’ve tested it on three browsers so far (Firefox, Chromium, and some program that just calls itself Browser) all on my main computer. No problems so far! Now to test on other computers.

Edit 2: Let’s Encrypt has published a blog post which I think is relevant: The CA’s Role in Fighting Phishing and Malware