security

Configuring HSTS & OCSP Stapling

There are a couple of new technologies that are becoming more widely used that you may what to think about using. I have written a couple of pages explaining what they are and how to use them. They are definitely worth a look if you are a web server administrator.

How to Configure OCSP Stapling on Apache HTTP Server

How to Configure HTTP Strict Transport Security on Apache & NGINX

Advertisements

David Cameron wants new laws to restrict terrorists communication

David Cameron the UK Prime Minister has stated in an event in the East Midlands that new online data laws are required to remove the safe places that Terrorists communicate with each other. He also stated that he would push this if re-elected as Prime Minister.

http://www.bbc.co.uk/news/uk-politics-30778424

One particular statement is of concern to me. David Cameron said, “There should be no means of communication which we cannot read”. This statement worries me. It implies that the use of encryption will be restricted in some way. Maybe by restricting the levels of encryption is use or by inserting backdoors into software or hardware. Can you imagine the notion of a backdoor? This means intentionally adding an alternative way of gaining access. What if the bad guys found this too.

On one hand I am patriotic and want to make sure that the police and security services can do their job. Mainly to protect me and my family from terrorists and other criminals. On the other hand I am a security professional and understand the continual and ongoing threat from criminals that try to attack and abscond with our data, or worse in some cases.

Because of this I want to make sure that my data and the services that I use are protected in the best ways possible. This is an ongoing struggle, and something that needs to evolve as time goes on.

An example of this is the recent issues with OpenSSL (Poodle & Heartbleed). I have had to make various changes to the security settings I use of the past year. If my Government had mandated that I need to use a maximum of SSLv3, then suddenly I would have a problem. I could not go to TLSv1.0 because I would be breaking the law, and I could not stay with SSLv3 because my data would be at risk. The nature of politics does not allow for law changes over night. Suddenly I am between a rock and a hard place. What do you do?

I would like to draw your attention to Moore’s Law, that stated “Computing performance doubles every 18 months”. Computing is by its very nature dynamic. Put simply… Things can change very quickly, in sometimes unpredictable ways. I truly hope that the people in power that make these kinds of laws recognise that.

The last thing I would like to draw your attention too, is Edward Snowden. He recognised that the American government had too much power and that this needed reigning in, so they are held accountable for their actions . We need the same in the UK. We need to make sure that our government is held responsible for their actions and that they are not allowed to do anything stupid.

In closing, terrorists and criminals are clever. What is to stop them from using services outside the UK without restricting our right to a free and open Internet?

*Update 14th January 2015 @ 07:55

Since I wrote this The European Union Agency for Network and Information Security (ENISA) has published a report stating at more security and encryption and privacy is needed, not less.

http://www.theregister.co.uk/2015/01/14/ensia_encryptions_great_but_privacy_still_sucks/

http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design

 

How to secure SSH

I found this article today that goes into a lot of depth on how to properly secure SSH. It is definitely worth a read.

https://stribika.github.io/2015/01/04/secure-secure-shell.html

What is good about this article is that it covers all the various Cipher Suites available to SSH and which are secure and how to disable those that are of lower quality.

One thing to note. This article was written on 4th January 2015. This is great for now, but be aware that in 1 year, 6 months or even next week, things could have changed.

 

OpenSSL SHA256 Certificate Migration

Over the last week Google announced that they were going to stop supporting the SHA-1 algorithm for signing certificates.

Google’s SHA-1 deprecation announcement

Because of this I have created a couple of posts explaining how to migrate to SHA-256 based signatures.

Generate an OpenSSL Certificate Request with SHA-256 Signature

Change OpenSSL Default Signature algorithm

Since I wrote those pages other security companies have started to post their own migration strategies.

Qualys SHA1 Migration: What you need to know

In addition, all the major Certificate Authorities (CA) have started providing customers information specific to their services. So if you have certificates already, then contact your CA for further migration help.