Yesterday I posted a guide to securing your nginx server with some good SSL settings. As I mentioned in that post, I am eager to get rid of RSA entirely, because it is going to be broken at some point in the not so distant future. So I spent part of the day researching the possibility of using Elliptic Curve Cryptography for my site, below are some of my findings.
This week in the Netherlands the news hit again that some secure websites where vulnerable to a downgrade attack. This attack is not new, but for the average user it is hard to detect. You have to be careful that you see the lock when you are entering your credentials.
Fortunately, most new web servers and browsers have a setting for it, called HTTPs Strict Transport Security (HSTS). With that feature enabled, if your browser has ever contacted a website over a secure link (HTTPS), then it will not allow a downgrade to plain HTTP for that host. This of course means that you are more secure, at least as long as you watch out for certificate warnings. I use the nginx webserver, and use some other things for security, which I’ll share with you below. The SSLLabs test will give this configuration an A+ currently.
Edit 26/3: @okoeroo gave me a better list of ciphers which scores even higher with SSLabs:
TinySSH is a new small SSH server using state-of-the-art encryption using the TweetNaCL cryptographic library. It piqued my interest as it claims to be an easily configured and auditable SSH server with new cryptographic primitives and has no dependency on OpenSSL. Its development target is Debian, but since it has limited dependencies it is not hard to get it to run on other systems. This post has some notes on how to get things up and running on a FreeBSD server and an OS X client.
Met behulp van de Privacy Inzage Machine (PIM) heb ik bij een aantal organisaties aangeschreven. Met de PIM genereer je makkelijk een brief om bedrijven te kunnen vragen wat ze precies over je weten. In principe hebben bedrijven en instanties daar vier weken voor, maar in de praktijk wil dat nog wel eens mislopen. Eind januari heb ik (bijna) willekeurig drie instanties aangeschreven: Holland Casino, Albert Heijn en de Gemeente Utrecht. Hieronder mijn ervaringen. Continue reading
Some time ago I did some research on the effectiveness of the PirateBay website blockade. I tried to measure this by looking at the intended effect: are there less Dutch people downloading torrents published on ThePirateBay? It turned out that this is very easily measurable, and in this post I am explaining what kind of information you expose when you are downloading a torrent.
I have previously written about DNSSECs “failure”. I tried to draw attention to the absence of simple documentation for implementing DNSSEC properly using simple tools. The steps to implement it are not that difficult, but without proper tools and documentation, nobody is going to find out. My previous post became subject of heated debates, and I have also been invited by NLNetLabs to discuss how we can improve the situation. The post below is meant to shed some light on the matter.
De overheid heeft op dit moment een internetconsultatie uit staan voor Beleidsvisie gegevensdeling en privacy in het sociaal domein. PrivacyBarometer.nl heeft al een zeer goeie samenvatting van hun reactie gegeven. Mijn eigen reactie staat hieronder. Neem vooral de tijd om je te informeren en te reageren!
The original specification of DNSSEC is from 1997: RFC 2065. This means that it is now over 17 years ago since its initial appearance. Sure, it has a turbulent history, and has undergone some big changes. Even the ‘final’ specification (RFC 4033) is over 9 years old. Yet I am going to argue that it has failed.