Securing your site with nginx

This week in the Netherlands the news hit again that some secure websites were vulnerable to a downgrade attack. This attack is not new, but for the average user it is hard to detect: you have to check that you see the lock icon before you enter your credentials.

Fortunately, most new web servers and browsers have a setting for it, called HTTP Strict Transport Security (HSTS). With that feature enabled, once your browser has contacted a website over a secure link (HTTPS), it will not allow a downgrade to plain HTTP for that host. This of course makes you more secure, at least as long as you watch out for certificate warnings. I use the nginx web server together with some other security settings, which I’ll share with you below. The SSLLabs test currently gives this configuration an A+.

Edit 26/3: @okoeroo gave me a better list of ciphers, which scores even higher with SSLLabs:

    ssl_ciphers  ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_DHE_RSA_WITH_AES_128_CBC_SHA:CAMELLIA256-SHA:AES256-SHA;


Playing with TinySSH on FreeBSD and OS X

TinySSH is a new, small SSH server that uses state-of-the-art encryption from the TweetNaCl cryptographic library. It piqued my interest because it claims to be an easily configured and auditable SSH server with modern cryptographic primitives and no dependency on OpenSSL. Its development target is Debian, but since it has few dependencies it is not hard to get it running on other systems. This post has some notes on how to get things up and running on a FreeBSD server and an OS X client.


[Dutch] Requesting personal data

Using the Privacy Inzage Machine (PIM), I have written to a number of organisations. With the PIM you can easily generate a letter asking companies exactly what they know about you. In principle, companies and public bodies have four weeks to respond, but in practice this sometimes goes wrong. At the end of January I wrote to three (almost) randomly chosen organisations: Holland Casino, Albert Heijn and the Gemeente Utrecht. Below are my experiences.

Trying out Keybase.io

I’ve joined Keybase this week: keybase.io/jeroenh. This is a new service which hosts a directory of public keys together with a verifiable list of usernames.


What you expose when downloading a torrent

Some time ago I did some research on the effectiveness of the PirateBay website blockade. I tried to measure this by looking at the intended effect: are fewer Dutch people downloading torrents published on ThePirateBay? It turned out that this is very easy to measure, and in this post I explain what kind of information you expose when you download a torrent.


Making DNSSEC More Accessible

I have previously written about DNSSEC’s “failure”. I tried to draw attention to the absence of simple documentation for implementing DNSSEC properly using simple tools. The steps to implement it are not that difficult, but without proper tools and documentation, nobody is going to find them out. My previous post became the subject of heated debate, and I have also been invited by NLNetLabs to discuss how we can improve the situation. The post below is meant to shed some light on the matter.


[Dutch] Response to the internet consultation on data sharing

The government currently has an internet consultation open on the Beleidsvisie gegevensdeling en privacy in het sociaal domein (policy vision on data sharing and privacy in the social domain). PrivacyBarometer.nl has already published a very good summary of their response. My own response is below. Do take the time to inform yourself and to respond!


Improving Dnsmasq

Besides criticising DNS, I also try to improve things, both for DNS and for the Internet as a whole. Just a few weeks ago I contacted the Dnsmasq community to improve it. The new release is now available for testing and will hopefully be released soon.


DNSSEC Has Failed (Update 26/3)

The original specification of DNSSEC dates from 1997: RFC 2065. That means it is now over 17 years since its initial appearance. Sure, it has had a turbulent history and has undergone some big changes. Even the ‘final’ specification (RFC 4033) is over 9 years old. Yet I am going to argue that it has failed.


Security Awareness Should be a Public Service

Cory Doctorow argues that security engineering should be public, like public health:

I think there’s a good case to be made for security as an exercise in public health. It sounds weird at first, but the parallels are fascinating and deep and instructive.

Last year, when I finished that talk in Seattle, a talk about all the ways that insecure computers put us all at risk, a woman in the audience put up her hand and said, “Well, you’ve scared the hell out of me. Now what do I do? How do I make my computers secure?”

And I had to answer: “You can’t. No one of us can. I was a systems administrator 15 years ago. That means that I’m barely qualified to plug in a WiFi router today. I can’t make my devices secure and neither can you. Not when our governments are buying up information about flaws in our computers and weaponising them as part of their crime-fighting and anti-terrorism strategies. Not when it is illegal to tell people if there are flaws in their computers, where such a disclosure might compromise someone’s anti-copying strategy.

I agree that security these days is harder than ever. The Internet has become a hostile environment, and there are many actors actively trying to break anything connected to it.

Public health is a service because it is in everybody’s general interest, and there is not much else we can do about it. Making security a public service creates exactly the wrong kind of incentive: companies release broken products and rely on consumers not knowing or caring about it. We have to create more awareness and public outrage, so that consumers actually care about this and can make an informed decision.

Informing the public about security-related issues, now that I can agree with as a public service.