Quick thoughts about Let’s Encrypt

So I just switched over from StartSSL to Let’s Encrypt for all of Syn Fin dot Net’s SSL needs and wanted to give a few thoughts about the process:

It’s a very different experience getting up and started. I’ve used a variety of SSL CAs for work and personal use and Let’s Encrypt is the first I’ve seen to so fully automate things. This has some pros and cons, but overall it’s much quicker and easier to get up and running with Let’s Encrypt than StartSSL (which honestly isn’t saying much) or most other CAs. The downside of this is that the process is so different that you actually have to read the docs rather than just following the prompts, but having to RTFM is a small price to pay for a free SSL cert IMHO.

Let’s Encrypt (just LE for short) is also the first CA that limits their certs to 90 days. They claim that 90 day certs are becoming more common, but none of the CAs I’ve ever used in the past even offer that as an option. Kinda annoying, but not a deal breaker considering how automated renewing certs is.

LE only offers domain validated certs (ie: no extended validation) which is fine for personal use, but it’s a little odd that there’s no requirement for any ownership information other than an email for contact purposes. For some use cases this makes a lot of sense, but I’d actually like people to know I own this domain (as long as they don’t spam/junk mail me).

LE’s automation makes it easy to get up and running quickly, if your needs adhere to their tool’s limitations. I ended up having to tell Nginx to serve up http://mail.synfin.net so I could get an SSL cert for Postfix. Lucky for me, my mail & web server are the same box so this was easy, but for most organizations this becomes a real pain.

My biggest feature request right now would be to allow the letsencrypt-auto script to listen on arbitrary ports and not just TCP/80 and TCP/443, to make it even easier to set up.


LGA: Security Theater

So I was flying out of LaGuardia, NY (LGA) this morning on my way home to San Jose, CA (SJC). After checking in, I was directed by the nice woman at American Airlines to take my checked bags to the x-ray machine.

There were a lot of bags piling up at the machine and 2-4 TSA agents processing the bags through the x-ray machine and loading them onto the conveyor belt to the plane. What struck me as odd though was that none of the TSA agents actually sat at the x-ray machine console to examine the x-ray images of the bags!

I watched for about 10 minutes as the rest of my party went through the long lines to get their boarding passes. Every few minutes one of the TSA agents would press a button on the computer to restart the x-ray machine and/or check off a form on a piece of paper. He or she would sometimes look at the computer screens for a few seconds, but anywhere from 5-15 bags would be processed in between… hardly enough time for the TSA agent to be able to examine the bags for any dangerous items or contraband.


mytreo.net hacked or selling email addresses?

So for just about every website/company I do business with that requires an email address, I use a unique email address. The email address takes a very simple form: <company name>@synfin.net. The most important rule is that these email addresses are never used anywhere else. So when I noticed I had started getting spam to the email address for www.mytreo.net (no, I still won’t post it so that spam harvesters can get it, but you can probably guess what it is), it would appear one of two things has happened:

  1. The people behind www.mytreo.net sold my email address to someone and at some point it was given/sold to a spammer
  2. Someone hacked the www.mytreo.net servers and dumped all the email addresses for all the registered users

If someone has a 3rd idea why, I’d love to hear it.
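The per-vendor alias scheme above turns a mail log into a leak detector: any mail to <vendor>@synfin.net that does not come from that vendor means the alias got out. The following is an added example, not code from the original post; the Postfix-style log lines, the alias-to-vendor map and the vendor domains (other than mytreo.net) are all constructed for illustration.

```python
import re
from collections import defaultdict

MY_DOMAIN = "synfin.net"
# Constructed map: which vendor each per-vendor alias was handed to.
ALIAS_OWNER = {"mytreo": "mytreo.net", "godaddy": "godaddy.com"}

# Constructed Postfix-style delivery log lines (not real traffic).
SAMPLE_LOG = """\
Nov 10 08:01:12 mail postfix/smtpd[1212]: connect from mx1.mytreo.net[192.0.2.10]
Nov 10 08:01:13 mail postfix/qmgr[900]: 1A2B3: from=<news@mytreo.net>, size=2048
Nov 10 08:01:13 mail postfix/local[1300]: 1A2B3: to=<mytreo@synfin.net>, status=sent
Nov 10 09:15:40 mail postfix/qmgr[900]: 4C5D6: from=<promo@cheap-pills.example>, size=7331
Nov 10 09:15:40 mail postfix/local[1300]: 4C5D6: to=<mytreo@synfin.net>, status=sent
Nov 10 09:20:02 mail postfix/qmgr[900]: 7E8F9: from=<bob@loans.example>, size=512
Nov 10 09:20:02 mail postfix/local[1300]: 7E8F9: to=<mytreo@synfin.net>, status=sent
Nov 10 10:00:00 mail postfix/qmgr[900]: 0A1B2: from=<alerts@godaddy.com>, size=900
Nov 10 10:00:00 mail postfix/local[1300]: 0A1B2: to=<godaddy@synfin.net>, status=sent
"""

# Postfix logs the envelope sender and each recipient on separate lines,
# tied together by the queue id, so we join them on that id.
FROM_RE = re.compile(r": (?P<qid>[0-9A-F]+): from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r": (?P<qid>[0-9A-F]+): to=<(?P<addr>[^>]*)>")


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_from_owner(domain, owner):
    # Accept the vendor's own domain and any subdomain of it (mx1.mytreo.net etc.).
    return domain == owner or domain.endswith("." + owner)


def find_leaked_aliases(log_text, alias_owner=ALIAS_OWNER, my_domain=MY_DOMAIN):
    """Return {alias: [unexpected senders]} for every per-vendor alias that
    received mail from anyone other than the vendor it was given to."""
    sender_by_qid = {}
    suspects = defaultdict(list)
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            sender_by_qid[m.group("qid")] = m.group("addr")
            continue
        m = TO_RE.search(line)
        if not m:
            continue
        local, _, dom = m.group("addr").partition("@")
        if dom.lower() != my_domain or local not in alias_owner:
            continue  # not one of the per-vendor aliases, ignore it
        sender = sender_by_qid.get(m.group("qid"), "")
        if not is_from_owner(sender_domain(sender), alias_owner[local]):
            suspects[local].append(sender)
    return dict(suspects)
```

On the constructed log this reports only the mytreo alias, with the two senders that are not mytreo.net; an alias that shows up here has been sold, shared or stolen, which is exactly the either/or the post lays out.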


Voting 2006

So I just finished voting here in San Jose using one of those Sequoia machines (same as last year). My in person impression hasn’t improved any.

1. Having to check all your votes twice (once on the screen and again on the paper printer) is a pain in the ass. Between state, county and city offices, bonds and measures it’s not only tedious to check, but error prone, especially since I don’t memorize whom I’m going to vote for in each race.

Ironically, the sample ballot that they mailed me was much simpler to use (just connect the arrow next to what/who you want to vote for), easy to verify, count and recount. And it takes a lot less time to vote since you don’t need to double and triple check that the machine didn’t screw up.

2. More importantly though, while the poll workers try to be helpful, they’re just not trained well enough. I was appalled to overhear one worker tell another how she removed the security sticker to open up the machine to “fix it”. Now, while she probably is honest and didn’t tamper with the machine (no way for me to prove otherwise), she has now violated the trust model of the election for that machine. The issue is that by breaking the security sticker, nobody can detect if anyone else tampers with the machine.

Unsurprisingly, the poll worker thought it was perfectly OK for her to break the seal and put it back in service, because she didn’t tamper with the machine. Aren’t there enough voting machine irregularities without the poll workers contributing to the problem?

Anyways, here are two videos about what’s going on with electronic voting:
First is the HBO documentary Hacking Democracy.
Second is the Daily Show’s John Hodgman’s comedic take on the machines.


DHS: So glad they’re on our side!

Let’s see, a guy walks into the DHS HQ with a fake Mexican ID which, even if it were real, wasn’t considered valid identification. So what do the rocket scientists for security do? Why, they let him in of course!

Now of course, the fake ID was really good. You’d have to be a real expert to pick up on subtle mistakes like stating Tijuana is in British Columbia (B.C.), claiming to live on “123 Fraud Blvd.” and misspelling “Staton Island, N.Y.”. Yep, I can really understand how the crack DHS security force could let such a well-forged ID through the front door.

The good news? “DHS is following up on these allegations and will take necessary actions to ensure there is not another occurrence of this type”. I know I’ll sure sleep better knowing they’re on the case!


RIAA puts profits over lives

I dunno, I should be shocked (shocked I say!), but I’m not…

Every so often, the US Copyright Office takes comments regarding the DMCA (the law which makes it a crime to use products you paid for in ways other than the creator intended). Most recently, Sony-BMG (a member of the RIAA) added DRM technology to music CDs (actually, technically, they’re not real music CDs because of the DRM, hence they don’t carry the CD logo) which ended up creating a security hole on people’s computers. This security hole was then abused by other people (criminals to be precise) to break into those computers.

In response, people like Ed Felten requested that the USCO grant an exception to the DMCA which would allow users to remove DRM software which caused harm for the end users. Others asked for an exemption which covered DRM which, “employ access control measures which threaten critical infrastructure and potentially endanger lives.”

Sounds pretty reasonable right? Apparently though the RIAA doesn’t think so.


Will Tor have Extrusion Detection?

Richard Bejtlich wonders, in light of Tor being usable to anonymously attack other systems, whether Tor will add extrusion detection capabilities.

I seriously doubt it. First, there are technical reasons for this, namely each exit node would need to have its own policy since some operators would want very strict policies and others more open policies. Pushing knowledge of that policy to the rest of the network to make routing decisions would be very complex and incur high overhead on a system which is by its nature not very efficient.

Secondly, adding additional monitoring to an anonymity system is just ass-backwards. The whole point of Tor is to allow people to be untraceable and access content that they normally are unable to access (get around filters) or unwilling to access if it was known they were accessing it. Actively monitoring anonymity systems reduces the effectiveness of the primary purpose of the system.

Lastly, most attack monitoring systems are simply ineffective out of the box. They require extensive configuration and tuning, something that a Tor node operator has neither the interest, time nor expertise to do.


SSL on the cheap

Well I finally got a real SSL certificate, signed by a trusted CA, for www.synfin.net. For less than $20/yr, no more annoying popups in web browsers, mail clients or my Treo. Anyways, overall I’ve got to say that GoDaddy made the process pretty painless and quick. So far I’ve tested Firefox and Safari and both seem to be happy with the cert. Two thumbs up.

One thing to note, if you’re grabbing the tcpreplay source from SVN the SSL Certificate has changed. If anyone knows how to pass in a certificate chain file for svn let me know.


Moved to WordPress

Well I finally got sick of writing custom code/templates (I’ve used static files using templates/Makefiles as well as dynamic pages using Perl/HTML::Mason). While I’m quite proficient with Class::DBI and PostgreSQL, it just wasn’t worth the effort of writing all the administrator forms for managing content.

I had a few major requirements:

  1. Secure and actively maintained
  2. Themeable so I can make it look like I want to without too much work
  3. Decent admin forms for managing posts and comments
  4. Can be hosted on my personal server on synfin.net

Hence, I tried Blogger. But wtf? They support sftp (secure ftp over ssh) but their website doesn’t support SSL. So while they can login securely to my server, I have to send my username/password in clear text to them? You would think that now that Google has bought them, with all their PhDs they could figure out how to purchase an SSL certificate and load it on their webserver…

Anyways, so then I started looking at code I could maintain myself. After much research, I ended up with WordPress. I’m not thrilled it’s written in PHP and uses MySQL; both of which I personally think suck from a developer perspective, but that doesn’t prevent people from writing decent apps it seems.