On 08/04/14 14:47, Neil Winchurst wrote:
> Today I noticed a warning message that I am using HTTP and not HTTPS
> for this and was told that it was not a good idea. I have my own website
> which I am using for this, but have never thought about HTTPS (sorry
> Bad Apple).

Look on the bright side - at least nobody has used today's announced Heartbleed attack to steal your server's secrets!

I'm a little bit surprised that OwnCloud even lets you set it up using HTTP, I thought I dimly remembered the required/recommended to be an Apache/Nginx https virtual host (I tested it a while ago myself, didn't like it).

Also as Phil said, this is an OpenSSL bug and not an OpenSSH bug (thank god for small mercies, I couldn't stand a repeat of the Debian SSH keygen debacle - that one nearly did finish me off).

To obtain your SSL cert, ignore anyone who might suggest using a freebie, but recognised by most default browser CA stores, cert from people such as startssl.com. These are all guaranteed to be escrowed to agencies for your protection (google away if you like, startssl are an Israeli outfit long suspected of Mossad/NSA collusion). They will also probably not be recognised for long by most reputable browsers, will require frequent updating and will come with a lot of upselling.

You're presumably already paying for your server instance from a provider, they will most likely be very happy to issue you a 'proper' cert for little money. However, if this is purely a personal site for you, friends and family, just go self-signed instead, it's much safer and much more secure.

If you're going to be playing around with SSL certs and the like for a bit while you get it set up, do yourself a favour and presuming you're using Firefox, install this excellent addon:

https://addons.mozilla.org/en-US/firefox/addon/calomel-ssl-validation/

Cheers

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq