More secure than my bank’s web site?

Someone once said – and I got this quote from the computer game Sid Meier’s Alpha Centauri, so I’m not sure if they got it from elsewhere – “The pinnacle of military deployment approaches the formless, for if it is formless, then even the deepest spy cannot discern it nor the wise make plans against it.” I would modify that wisdom to apply to information security: The pinnacle of secure information is the nonexistent, for if it is nonexistent, then even the deepest spy cannot leak it nor the most talented cracker steal it.

I mentioned in a previous post that I was setting up a new web site, dragonsmoke. I set it up because I want to run my own web server at home. Like much of what I create, the final product (the content being served) is less important than the process of creating it (setting up a secure server).

I have been using various automated testing tools to harden my server’s security. The first one I discovered, and the one that has been most helpful so far, is Qualys SSL Labs’ SSL Server Test. I have taken a repetitive-testing approach to web site security: first I got the site running with a Let’s Encrypt HTTPS certificate, then I ran the test, then I fixed whatever it told me to fix, then I ran the test again, and so on. Now I have an A+ rating on that test. A+ is great, but I want perfect.

Out of curiosity, I also ran the SSL Server Test against my bank’s web site: its overall score was identical to mine, A+ but could be better. I did notice one small area where my site did better: On the advice of security expert Steve Gibson, I use OCSP Must Staple. I can see no reason not to; it’s so easy to set up.

I think my score will improve slightly when dragonsmoke gets added to the HSTS preload list. I’ve submitted it for inclusion, now I just have to wait.

The second automated test I discovered was Observatory by Mozilla. It recommended some HTTP headers that I’d never heard of before, which I could configure my web server to send. So that’s a plus. Now dragonsmoke has an A+ rating here too, but again not a perfect score.

I’ve put all this effort into encrypting connections to my web site, making it really hard for any MITM to see or modify any of the data sent between client and server. The most important step in creating information security is not the encryption, though: it is the data itself. The less data there is, the less likely it is for important data to leak. I know that a bank may need to send and receive lots of potentially interesting data: credit card details, names, passwords, PINs, phone numbers, you name it. Dragonsmoke does not need that info, so it provides no means for users to enter that info. No data is collected at all. That is how I know that my site is more secure against data theft than my bank’s site.

I still want perfect scores though. Just because my site is small and niche does not mean I will settle for less.

Setting up a new web site

So I’ve been looking for a new programming project to work on in my spare time. I know, Cybrinth isn’t finished and Mines-Perfect-Linux never really got started, and AcrylicPaint could always use my help. I’ve just temporarily lost interest in those projects. It happens – I can go several months between commits on Cybrinth, for example, but I’ll never forget it. The same is true for the others.

The other day, I decided on a whim to buy a new domain. Something involving dragons, because dragons. I initially thought I’d just use it for music streaming and file synchronization between my own devices. I am still going to do those things. But I want to do other stuff too.

Recently, the gang over at alt.fan.dragons have been discussing the disappearance of documentation regarding the Dragon Code, a method by which dragons can be described using a minimal number of text characters. That’s what I’ll do with the new domain: set up a simple, low-bandwidth site serving up whatever info I can find about the DC. I’ll code all the pages by hand, and I’ll serve them up from my home server (which I’m in the process of setting up now). That way I can avoid paying hosting costs – even the electricity is essentially free because the physical server I’m using is my router, an essential part of my home network which stays online regardless of whether it’s serving up web pages. Other services, such as NNTP or MUCK servers, can be added later if I feel like they won’t interfere with my neighbors’ internet connections. Or I might set up subdomains with paid hosting.

The downside of hosting at home is that it is a violation of Comcast’s Acceptable Use Policy. Comcast could rate-limit, or even shut down completely, my internet connection. It’s risky, I’ll admit that. But I don’t think they’re going to. For one thing, I’ve been violating their AUP in another way for over a decade and never even received so much as a warning letter: file sharing. BitTorrent, specifically, is what I use now but I’ve used other protocols in the past. Comcast’s network is more than capable of handling all the traffic my family generates now, and I really don’t expect much traffic going to my new HTTPS server. The impression I get from reading various forum posts is that Comcast doesn’t care about small little servers generating virtually undetectable levels of traffic; it’s only when the traffic is enough to cause problems that they step in.