Interview on YouTube

At the National Cyber Security Center One Conference last week, Chris van ‘t Hof interviewed me in his TekTok studio. We briefly talked about the Ethical Committee at the University of Amsterdam’s System and Network Engineering master, about Responsible Disclosure and why this is a bad term.

Continue reading

Going down an elliptically curved rabbit hole

Yesterday I posted a guide to securing your nginx server with some good SSL settings. As I mentioned in that post, I am eager to get rid of RSA entirely, because it is going to be broken at some point in the not so distant future. So I spent part of the day researching the possibility of using Elliptic Curve Cryptography for my site, below are some of my findings.

Continue reading

Securing your site with nginx

This week in the Netherlands the news hit again that some secure websites where vulnerable to a downgrade attack. This attack is not new, but for the average user it is hard to detect. You have to be careful that you see the lock when you are entering your credentials.

Fortunately, most new web servers and browsers have a setting for it, called HTTPs Strict Transport Security (HSTS). With that feature enabled, if your browser has ever contacted a website over a secure link (HTTPS), then it will not allow a downgrade to plain HTTP for that host. This of course means that you are more secure, at least as long as you watch out for certificate warnings. I use the nginx webserver, and use some other things for security, which I’ll share with you below. The SSLLabs test will give this configuration an A+ currently.

Edit 26/3: @okoeroo gave me a better list of ciphers which scores even higher with SSLabs:

    ssl_ciphers  ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_DHE_RSA_WITH_AES_128_CBC_SHA:CAMELLIA256-SHA:AES256-SHA;

Continue reading

Playing with TinySSH on FreeBSD and OS X

TinySSH is a new small SSH server using state-of-the-art encryption using the TweetNaCL cryptographic library. It piqued my interest as it claims to be an easily configured and auditable SSH server with new cryptographic primitives and has no dependency on OpenSSL. Its development target is Debian, but since it has limited dependencies it is not hard to get it to run on other systems. This post has some notes on how to get things up and running on a FreeBSD server and an OS X client.

Continue reading

[Dutch] Opvragen van persoonsgegevens

Met behulp van de Privacy Inzage Machine (PIM) heb ik bij een aantal organisaties aangeschreven. Met de PIM genereer je makkelijk een brief om bedrijven te kunnen vragen wat ze precies over je weten. In principe hebben bedrijven en instanties daar vier weken voor, maar in de praktijk wil dat nog wel eens mislopen. Eind januari heb ik (bijna) willekeurig drie instanties aangeschreven: Holland Casino, Albert Heijn en de Gemeente Utrecht. Hieronder mijn ervaringen. Continue reading

Trying out Keybase.io

I’ve joined Keybase this week: keybase.io/jeroenh. This is a new service which hosts a directory of public keys together with a verifiable list of usernames.

Continue reading

What you expose when downloading a torrent

Some time ago I did some research on the effectiveness of the PirateBay website blockade. I tried to measure this by looking at the intended effect: are there less Dutch people downloading torrents published on ThePirateBay? It turned out that this is very easily measurable, and in this post I am explaining what kind of information you expose when you are downloading a torrent.

Continue reading

Making DNSSEC More Accessible

I have previously written about DNSSECs “failure”. I tried to draw attention to the absence of simple documentation for implementing DNSSEC properly using simple tools. The steps to implement it are not that difficult, but without proper tools and documentation, nobody is going to find out. My previous post became subject of heated debates, and I have also been invited by NLNetLabs to discuss how we can improve the situation. The post below is meant to shed some light on the matter.

Continue reading

[Dutch] Reactie Internetconsultatie Gegevensdeling

De overheid heeft op dit moment een internetconsultatie uit staan voor Beleidsvisie gegevensdeling en privacy in het sociaal domein. PrivacyBarometer.nl heeft al een zeer goeie samenvatting van hun reactie gegeven. Mijn eigen reactie staat hieronder. Neem vooral de tijd om je te informeren en te reageren!

Continue reading

Improving Dnsmasq

Besides having critique on DNS I also try to improve things, both for DNS as well as for the Internet as a whole. Just a few weeks ago I contacted the Dnsmasq community to improve it. The new release is available now for testing and hopefully released soon.

Continue reading