ssl - Dave's Blog

Search

Let's Encrypt NearlyFreeSpeech.net Update

2016 Nov 5, 8:59

Since I had last posted about using Let's Encrypt with NearlyFreeSpeech, NFS has changed their process for setting TLS info. Instead of putting the various files in /home/protected/ssl and submitting an assistance request, now there is a command to submit the certificate info and a webpage for submitting the certificate info.

The webpage is https://members.nearlyfreespeech.net/{username}/sites/{sitename}/add_tls and has a textbox for you to paste in all the cert info in PEM form into the textbox. The domain key, the domain certificate, and the Let's Encrypt intermediate cert must be pasted into the textbox and submitted.

Alternatively, that same info may be provided as standard input to nfsn -i set-tls

To renew my certificate with the updated NFS process I followed the commands from Andrei Damian-Fekete's script which depends on acme_tiny.py:

python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /home/public/.well-known/acme-challenge/ > signed.crt
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat domain.key signed.crt intermediate.pem > chained.pem
nfsn -i set-tls < chained.pem
Because my certificate had already expired I needed to comment out the section in acme_tiny.py that validates the challenge file. The filenames in the above map to the following:
  • signed.crt is the Let's Encrypt provided certificate
  • account.key is the user private key registered with LE
  • domain.csr is the cert request
  • domain.key is the key for the domain cert
PermalinkCommentscertificate lets-encrypt nearlyfreespeech.net

Let's Encrypt NearlyFreeSpeech.net Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net

I use NearlyFreeSpeech.net for my webhosting for my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd like from Let's Encrypt. So for those interested in doing the same on NearlyFreeSpeech.net, I've taken the following notes.

The standard Let's Encrypt client requires su/sudo access which is not available on NearlyFreeSpeech.net's servers. Additionally NFSN's webserver doesn't have any Let's Encrypt plugins installed. So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page with the addition of providing the "--file-based" parameter to sign_csr.py.

One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain that:

curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic provide certificates to NFSN. After copying the files and setting their permissions as described in the previous link you submit an assistance request. For me it was only 15 minutes later that everything was setup.

After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". You use the X-Forwarded-Proto instead of the HTTPS variable because of how NFSN's virtual hosting is setup.

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.

Header set Strict-Transport-Security "max-age=3600;" 

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.

After I was done I checked out my site on SSL Lab's SSL Test to see what I might have done wrong or needed improving. The first time I went through these steps I hadn't included the chain file which the SSL Test told me about. I was able to add that file to the same files I had already previously generated from the Let's Encrypt client and do another NFSN assistance request and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

PermalinkCommentscertificate csp hsts https lets-encrypt nearlyfreespeech.net

Retweet of shaver

2015 Feb 20, 4:19
Facebook Security published a note with some info on Superfish: https://www.facebook.com/notes/protect-the-graph/windows-ssl-interception-gone-wild/1570074729899339 …
PermalinkComments

Retweet of __apf__

2015 Feb 11, 7:44
want to live the experience of a non-technical user? watch someone narrate what they think an ssl warning is: https://www.youtube.com/watch?v=ngCIU7b5j-M …
PermalinkComments

location.hash and location.search are bad and they should feel bad

2014 May 22, 9:25
The DOM location interface exposes the HTML document's URI parsed into its properties. However, it is ancient and has problems that bug me but otherwise rarely show up in the real world. Complaining about mostly theoretical issues is why blogging exists, so here goes:
  • The location object's search, hash, and protocol properties are all misnomers that lead to confusion about the correct terms:
    • The 'search' property returns the URI's query property. The query property isn't limited to containing search terms.
    • The 'hash' property returns the URI's fragment property. This one is just named after its delimiter. It should be called the fragment.
    • The 'protocol' property returns the URI's scheme property. A URI's scheme isn't necessarily a protocol. The http URI scheme of course uses the HTTP protocol, but the https URI scheme is the HTTP protocol over SSL/TLS - there is no HTTPS protocol. Similarly for something like mailto - there is no mailto wire protocol.
  • The 'hash' and 'search' location properties both return null in the case that their corresponding URI property doesn't exist or if its the empty string. A URI with no query property and a URI with an empty string query property that are otherwise the same, are not equal URIs and are allowed by HTTP to return different content. Similarly for the fragment. Unless the specific URI scheme defines otherwise, an empty query or hash isn't the same as no query or hash.
But like complaining about the number of minutes in an hour none of this can ever change without huge compat issues on the web. Accordingly I can only give my thanks to Anne van Kesteren and the awesome work on the URL standard moving towards a more sane (but still working practically within the constraints of compat) location object and URI parsing in the browser.
PermalinkComments

CodePlex - Virtual Router - Wifi Hot Spot for Windows 8, Windows 7 and 2008 R2

2014 May 21, 2:30

The original open source Wifi Hotpot for Windows 7, Windows 8 and Windows Server 2012!

Free open source software based router you can run on Windows to wirelessly share your Internet connection with other devices

PermalinkCommentstechnical tool wifi router free open-source windows

Hijacking user sessions with the Heartbleed vulnerability · Matt's Life Bytes

2014 Apr 8, 6:36

Just a quick tutorial on exploiting heartbleed for session hijacking. Is it worse to use https than http today?

PermalinkCommentstechnical security ssl heartbleed session-hijack

Serious Sam’s DRM Is A Giant Pink Scorpion

2011 Dec 7, 12:48

“Serious Sam 3′s DRM is brilliantly cruel, punishing only those who pirated it. By relentlessly pursuing them with a giant invincible armoured scorpion.”

PermalinkCommentsgame video-game scorpion serious-sam

Malware Signed With a Governmental Signing Key - F-Secure Weblog : News from the Lab

2011 Nov 16, 12:19

“It’s not that common to find a signed copy of malware. It’s even rarer that it’s signed with an official key belonging to a government.”

PermalinkCommentstechnical ssl

Man-in-the-Middle Attack Against SSL 3.0/TLS 1.0

2011 Sep 23, 4:37PermalinkCommentstechnical

Chromium Blog: SSL FalseStart Performance Results

2011 May 22, 10:44Links to the IETF draft document of and describes the perf benefits of SSL False Start.PermalinkCommentssecurity google browser web webbrowser https performance ssl tls technical

Google Prediction API - Google Code

2010 Aug 13, 11:46RESTful machine learning API from Google... "The Prediction API implements supervised learning algorithms as a RESTful web service to let you leverage patterns in your data, providing more relevant information to your users. Run your predictions on Google's infrastructure and scale effortlessly as your data grows in size and complexity."PermalinkCommentsrest ai google programming analysis machine-learning development technical

RFC 1951 - DEFLATE Compressed Data Format Specification version 1.3

2009 Sep 3, 7:17"This specification defines a lossless compressed data format that compresses data using a combination of the LZ77 algorithm and Huffman coding." Also see RFC 1950 zlib, a wrapper compression format that can use deflate, and RFC 1952 gzip, a compressed file format that can use deflate.PermalinkCommentstechnical rfc ietf compression http deflate gzip zlib

Anyone can write this crap (Phil Gyford’s website)

2009 Jul 31, 5:57"Is it worth the sensationalism and scaremongering? The endlessly inaccurate and dangerous science reporting? The pointless and news-free lifestyle articles? Do newspapers that prioritise stories based on celebrities and spectacle rather than importance to the world deserve to exist?"PermalinkCommentsvia:sambrook internet news journalism media

Simon Pegg on why the undead should never be allowed to run | Film | The Guardian

2009 Jul 14, 8:26"...the zombie trumps all by personifying our deepest fear: death. Zombies are our destiny writ large. Slow and steady in their approach, weak, clumsy, often absurd, the zombie relentlessly closes in, unstoppable, intractable."PermalinkCommentshumor tv zombie horror film simon-pegg essay culture

Justin Frankel's blog

2009 Mar 10, 9:22Justin Frankel (Previously Winamp/Nullsoft guy) makes a designated graffiti box on his garage with the note: "All are welcome to express themselves in the box below. Printing within the above box is hereby expressly permitted and shall not be considered 'graffiti' in accordance with article #23 of the San Francico Municipal Code." Before graffiti: , And with graffiti:PermalinkCommentsgraffiti cultural-disobediance legal san-francisco nullsoft justin-frankel blog

Evil Mad Scientist Laboratories - Binary Birthday

2008 Nov 19, 4:28"A binary birthday candle. It consists of a single candle with seven wicks, where the wicks that are lit represent the birthday individual's age in binary. This single candle design works flawlessly to represent any age from 1 to 127, never requiring anyone below the age of 127 to blow out more than a mere six candles at a time."PermalinkCommentsvia:swannman birthday geek math humor howto cake birthday-cake candle binary

Language Log - Nerdview

2008 Oct 23, 10:34Geoffrey K. Pullum of Language Log defines 'nerdview': "It is a simple problem that afflicts us all: people with any kind of technical knowledge of a domain tend to get hopelessly (and unwittingly) stuck in a frame of reference that relates to their view of the issue, and their trade's technical parlance, not that of the ordinary humans with whom they so signally fail to engage... The phenomenon - we could call it nerdview - is widespread." Woo, go year-month-day, go!PermalinkCommentsnerdview language date programming nerd writing

obstcp - Google Code

2008 Oct 14, 11:14Similar in concept to the Pirate Bay suggestion of encrypting all TCP/IP connections if both server and client support it: "Obfuscated TCP is a transport layer protocol that adds opportunistic encryption. It's designed to hamper and detect large-scale wiretapping and corruption of TCP traffic on the Internet."PermalinkCommentsinternet tcp encryption security google privacy opensource cryptography network ssl

Network notary system thwarts man-in-the-middle attacks

2008 Aug 26, 10:03"A new system devised by Carnegie Mellon University researchers aims to thwart man-in-the-middle (MitM) attacks by providing a way to verify the authenticity of self-signed certificates. The system, which is called Perspectives, uses a distributed network of "notary" servers to evaluate the public key of a target destination so that its validity can be ascertained."PermalinkCommentssecurity ssl pki certificate man-in-the-middle
Older Entries Creative Commons License Some rights reserved.