2016 Nov 5, 8:59
Since I had last posted about using Let's Encrypt with NearlyFreeSpeech, NFS has changed their process
for setting TLS info. Instead of putting the various files in /home/protected/ssl and submitting an assistance request, now there is a command to submit the certificate info and a webpage for
submitting the certificate info.
The webpage is https://members.nearlyfreespeech.net/{username}/sites/{sitename}/add_tls and has a textbox for you to paste in all the cert info in PEM form into the textbox. The
domain key, the domain certificate, and the Let's Encrypt intermediate cert must be pasted into the textbox and submitted.
Alternatively, that same info may be provided as standard input to nfsn -i set-tls
To renew my certificate with the updated NFS process I followed the commands from Andrei Damian-Fekete's script which depends on acme_tiny.py:
python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /home/public/.well-known/acme-challenge/ > signed.crt
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat domain.key signed.crt intermediate.pem > chained.pem
nfsn -i set-tls < chained.pem
Because
my certificate had already expired I needed to comment out the section in acme_tiny.py that validates the challenge file. The filenames in the above map to the following:
- signed.crt is the Let's Encrypt provided certificate
- account.key is the user private key registered with LE
- domain.csr is the cert request
- domain.key is the key for the domain cert
certificate lets-encrypt nearlyfreespeech.net 2016 Feb 4, 2:48
2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net
I use NearlyFreeSpeech.net for my webhosting for my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd like from
Let's Encrypt. So for those interested in doing the same on NearlyFreeSpeech.net, I've taken the following notes.
The standard Let's Encrypt client requires su/sudo access which is not available on NearlyFreeSpeech.net's servers. Additionally NFSN's webserver doesn't have any Let's Encrypt plugins installed.
So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page with the addition of providing
the "--file-based" parameter to sign_csr.py.
One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers
how to obtain that:
curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic provide certificates to NFSN. After copying the files and setting their permissions as described in the previous link you submit
an assistance request. For me it was only 15 minutes later that everything was setup.
After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in
"redirect http to https and HSTS". You use the X-Forwarded-Proto instead of the HTTPS variable because of how NFSN's
virtual hosting is setup.
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added
the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.
Header set Strict-Transport-Security "max-age=3600;"
Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP
rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP
rules.
After I was done I checked out my site on SSL Lab's SSL Test to see what I might have done wrong or needed improving. The first time I went through
these steps I hadn't included the chain file which the SSL Test told me about. I was able to add that file to the same files I had already previously generated from the Let's Encrypt client and
do another NFSN assistance request and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.
certificate csp hsts https lets-encrypt nearlyfreespeech.net 2015 Feb 20, 4:19 2015 Feb 11, 7:44 2014 May 22, 9:25
The
DOM location interface exposes the HTML document's URI parsed into its properties. However, it is
ancient and has problems that bug me but otherwise rarely show up in the real world. Complaining about mostly theoretical issues is why blogging exists, so here goes:
- The location object's search, hash, and protocol properties are all misnomers that lead to confusion about the correct terms:
- The 'search' property returns the URI's query property. The query property isn't limited to containing search terms.
- The 'hash' property returns the URI's fragment property. This one is just named after its delimiter. It should be called the fragment.
- The 'protocol' property returns the URI's scheme property. A URI's scheme isn't necessarily a protocol. The http URI scheme of course uses the HTTP protocol, but the https URI scheme is
the HTTP protocol over SSL/TLS - there is no HTTPS protocol. Similarly for something like mailto - there is no mailto wire protocol.
- The 'hash' and 'search' location properties both return null in the case that their corresponding URI property doesn't exist or if its the
empty string. A URI with no query property and a URI with an empty string query property that are otherwise the same, are not equal URIs and are allowed by HTTP to return different content.
Similarly for the fragment. Unless the specific URI scheme defines otherwise, an empty query or hash isn't the same as no query or
hash.
But like complaining about
the number of minutes in an hour none of this can ever change without huge compat issues on the web.
Accordingly I can only give my thanks to Anne van Kesteren and the awesome work on the
URL standard moving towards a more sane (but still working
practically within the constraints of compat) location object and URI parsing in the browser.
2014 May 21, 2:30
The original open source Wifi Hotpot for Windows 7, Windows 8 and Windows Server 2012!
Free open source software based router you can run on Windows to wirelessly share your Internet connection with other devices
technical tool wifi router free open-source windows 2014 Apr 8, 6:36
Just a quick tutorial on exploiting heartbleed for session hijacking. Is it worse to use https than http today?
technical security ssl heartbleed session-hijack 2011 Dec 7, 12:48
“Serious Sam 3′s DRM is brilliantly cruel, punishing only those who pirated it. By relentlessly pursuing them with a giant invincible armoured scorpion.”
game video-game scorpion serious-sam 2011 Nov 16, 12:19
“It’s not that common to find a signed copy of malware. It’s even rarer that it’s signed with an official key belonging to a government.”
technical ssl 2011 Sep 23, 4:37technical 2011 May 22, 10:44Links to the IETF draft document of and describes the perf benefits of SSL False Start.
security google browser web webbrowser https performance ssl tls technical 2010 Aug 13, 11:46RESTful machine learning API from Google... "The Prediction API implements supervised learning algorithms as a RESTful web service to let you leverage patterns in your data, providing more relevant
information to your users. Run your predictions on Google's infrastructure and scale effortlessly as your data grows in size and complexity."
rest ai google programming analysis machine-learning development technical 2009 Sep 3, 7:17"This specification defines a lossless compressed data format that compresses data using a combination of the LZ77 algorithm and Huffman coding." Also see RFC 1950 zlib, a wrapper compression format
that can use deflate, and RFC 1952 gzip, a compressed file format that can use deflate.
technical rfc ietf compression http deflate gzip zlib 2009 Jul 31, 5:57"Is it worth the sensationalism and scaremongering? The endlessly inaccurate and dangerous science reporting? The pointless and news-free lifestyle articles? Do newspapers that prioritise stories
based on celebrities and spectacle rather than importance to the world deserve to exist?"
via:sambrook internet news journalism media 2009 Jul 14, 8:26"...the zombie trumps all by personifying our deepest fear: death. Zombies are our destiny writ large. Slow and steady in their approach, weak, clumsy, often absurd, the zombie relentlessly closes
in, unstoppable, intractable."
humor tv zombie horror film simon-pegg essay culture 2009 Mar 10, 9:22Justin Frankel (Previously Winamp/Nullsoft guy) makes a designated graffiti box on his garage with the note: "All are welcome to express themselves in the box below. Printing within the above box is
hereby expressly permitted and shall not be considered 'graffiti' in accordance with article #23 of the San Francico Municipal Code." Before graffiti: , And with graffiti:
graffiti cultural-disobediance legal san-francisco nullsoft justin-frankel blog 2008 Nov 19, 4:28"A binary birthday candle. It consists of a single candle with seven wicks, where the wicks that are lit represent the birthday individual's age in binary. This single candle design works flawlessly
to represent any age from 1 to 127, never requiring anyone below the age of 127 to blow out more than a mere six candles at a time."
via:swannman birthday geek math humor howto cake birthday-cake candle binary 2008 Oct 23, 10:34Geoffrey K. Pullum of Language Log defines 'nerdview': "It is a simple problem that afflicts us all: people with any kind of technical knowledge of a domain tend to get hopelessly (and unwittingly)
stuck in a frame of reference that relates to their view of the issue, and their trade's technical parlance, not that of the ordinary humans with whom they so signally fail to engage... The
phenomenon - we could call it nerdview - is widespread." Woo, go year-month-day, go!
nerdview language date programming nerd writing 2008 Oct 14, 11:14Similar in concept to the Pirate Bay suggestion of encrypting all TCP/IP connections if both server and client support it: "Obfuscated TCP is a transport layer protocol that adds opportunistic
encryption. It's designed to hamper and detect large-scale wiretapping and corruption of TCP traffic on the Internet."
internet tcp encryption security google privacy opensource cryptography network ssl 2008 Aug 26, 10:03"A new system devised by Carnegie Mellon University researchers aims to thwart man-in-the-middle (MitM) attacks by providing a way to verify the authenticity of self-signed certificates. The system,
which is called Perspectives, uses a distributed network of "notary" servers to evaluate the public key of a target destination so that its validity can be ascertained."
security ssl pki certificate man-in-the-middle
Facebook Security published a note with some info on Superfish: https://www.facebook.com/notes/protect-the-graph/windows-ssl-interception-gone-wild/1570074729899339 …
want to live the experience of a non-technical user? watch someone narrate what they
think an ssl warning is: https://www.youtube.com/watch?v=ngCIU7b5j-M …
Some rights reserved