One deep dive with haproxy and I have handed it complete control of all my certificates.

* One bind statement with every single cert file I own, and haproxy is instantly handling every host’s SSL handshaking using SNI
* It is handling dynamic conversion of http requests to https
* It has removed the need for https on any webserver on the secured LAN
* It allows incredibly flexible load balancing via host, port, url, etc etc
* It is easy to set up to use ssl best practices, so every one of your websites instantly gets A+ ratings on ssl labs

Unbelievable, I’m stunned.

Here’s all I needed to get ssl labs A+ ratings:

global

    # MDM NO SSLv3!  Good ciphers!
    ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
    ssl-default-bind-ciphers AES128+EECDH:AES128+EDH

frontend ....

    # MDM We need to provide an HSTS header to get A+ at ssllabs!
    http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;

    reqadd X-Forwarded-Proto:\ https

Also needed this in wordpress wp-config.php:

// haproxy terminates TLS, so trust its X-Forwarded-Proto header and tell WordPress
// the request was https (the isset() guard avoids a notice on direct requests)
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
    $_SERVER['HTTPS'] = 'on';
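As an added example (not from the original post), here is the haproxy layout the post describes written out in full, wrapped in a small lint that checks a config for the settings the A+ rating depended on. The sample config, the host names, backend addresses and the /etc/haproxy/certs/ path are constructed placeholders, and the 180-day HSTS threshold is an assumption chosen for the check.

```shell
#!/bin/sh
# Added example, not part of the original post: a lint for the haproxy settings
# the post relies on. The sample config, host names, backend addresses and the
# /etc/haproxy/certs/ path are constructed placeholders.

# Write a complete haproxy config in the shape the post describes: one bind with
# a directory of .pem files (haproxy picks the certificate by SNI), a plain-HTTP
# front end that only redirects to HTTPS, an HSTS header, and X-Forwarded-Proto
# so back ends on the LAN know the client connection was TLS.
write_sample_config() {
    cat > "$1" <<'EOF'
global
    ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
    ssl-default-bind-ciphers AES128+EECDH:AES128+EDH

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http-in
    bind *:80
    # every plain request becomes a 301 to https://<same host>/<same path>
    http-request redirect scheme https code 301 unless { ssl_fc }

frontend https-in
    # each .pem in the directory holds key + cert + chain for one host
    bind *:443 ssl crt /etc/haproxy/certs/
    http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload
    http-request set-header X-Forwarded-Proto https
    use_backend blog if { hdr(host) -i blog.example.com }
    default_backend web

backend blog
    server blog1 10.0.0.10:80 check

backend web
    server web1 10.0.0.20:80 check
EOF
}

# Check an HSTS header value: max-age of at least 180 days (15552000 s, an
# assumed threshold), plus includeSubDomains and preload.
# Returns 0 when the value is acceptable, 1 otherwise.
hsts_ok() {
    max_age=$(printf '%s' "$1" | tr -d ' ' | tr ';' '\n' \
              | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    [ -n "$max_age" ] && [ "$max_age" -ge 15552000 ] || return 1
    printf '%s' "$1" | grep -qi 'includeSubDomains' || return 1
    printf '%s' "$1" | grep -qi 'preload' || return 1
}

# Check a config file for the four things the post needed: SSLv3 disabled,
# TLS 1.2 forced, an HSTS header, and an HTTP->HTTPS redirect. Names what is
# missing and returns 1 if anything is.
config_hardened() {
    rc=0
    for want in 'ssl-default-bind-options .*no-sslv3' \
                'ssl-default-bind-options .*force-tlsv12' \
                'Strict-Transport-Security' \
                'redirect scheme https'; do
        grep -Eq "$want" "$1" || { echo "missing: $want"; rc=1; }
    done
    return $rc
}

# Usage: sh haproxy-tls-lint.sh /etc/haproxy/haproxy.cfg
if [ "$#" -eq 1 ]; then
    config_hardened "$1" && echo "ok: $1"
fi
```

The redirect uses `http-request redirect scheme https` and the forwarded-proto header uses `http-request set-header`, the current spellings of the older `redirect` and `reqadd` forms; both exist from haproxy 1.5 onward. Point `config_hardened` at a live config to see which of the four settings is absent.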

BAH THEY DONE FUCKED UP

  • StartCom sold out and let WoSign buy them up
  • WoSign backdated certs to get them grandfathered for some dumb reason
  • Mozilla and Google and Apple caught them and dropped support for them
  • alternativeto.net/software/startssl pointed me to Let’s Encrypt – LOOKS GOOD
  • there is also https://www.sslforfree.com/ which is a layer around Let’s Encrypt (no need? we’ll see…)

The king is dead, long live the king!

  • Whoa… it uses a BOT… from EFF.  Yay!
  • Whoa… certs are only good for 90 days!  Time to automate renewal!

Let’s take this to the wiki


My domains just got a little more life in them. As in, an A rating from ssllabs, at least for the moment!

[image: ssl_A, the ssllabs A rating]

Highlights:

  • Problem: Time Warner has a monopoly on broadband here; they gouge you if you want a static IP; and they do thorough reporting of all IP ranges as dynamic to spamhaus, so no email servers from home folks
  • Problem: 1and1 has a horrible interface to maintain even a handful of domains, as you have to use a useless separate “packages” layer to get enough subdomains; they charge for email
  • Solution: Switched all domains to Google Registrar, which has a much better UI, supports subdomains, and allows domain name email forwarding for free
  • Solution: Once you have control over your domain email, StartSSL provides amazing easy free SSL certs; they have the BEST completely automated service and the best docs; my Apache site configs are now better organized, SNI-based, and the sites are getting great scores on ssllabs, thanks to using Mozilla’s “modern” recommendations
  • Solution: phabricator needs to run on its own domain, and with this new level of control, I can easily get that going; although curl and arcanist are picky about the CA store – I could NOT get them to work with the agile.bitpost.com subdomain, at all, and I really tried – so I went with https://abettersoftware.org

A brave new world.  I love it when a plan comes together.

I love my websites and servers and applications. I expose a lot of my toys on the internet, because it’s FUN and USEFUL. I try to apply the 80/20 rule in getting things done, doing 20% of the security I should to achieve an 80% benefit. I don’t have time to “do it right”, if that’s even possible. I know this is a terrible approach to network security, but it is my conscious choice. There is fun to be had.

The approach burns me on occasion, but I get by. I’ve been hacked twice in 10 years, not a bad record considering my approach. The second hack occurred recently. Some poor bastard in backwoods Russia or God-knows-where has been scanning and hacking WordPress sites with a backdoor approach to adding admin accounts. Once the admin account is set up, they inject redirection scripts into the php template code.

I have not taken the time to install all the WordPress updates the moment they come out – classic example of my slacker approach to security. So at some point in time, I got hacked. The sad part is that I did not even notice it until much later, when Firefox’s automatic malware detection kicked in and Google and StopBadware.org started denying me access to my own site.

Apparently the injected code had the capacity to install malware – not that I would know, being a linux user. The cleanup involved purging all the injected php code, which was obfuscated with “eval(base64)” wrappers, and removing the hacked WordPress admin accounts.

The fact that I was potentially adding malware to the computers of people visiting my websites is enough to make me physically ill. Some of that paranoia and obsession required to achieve a moderate level of security has surfaced. My WordPress and Mediawiki sites are too rich and chock full of functionality for me to personally do any real level of guarantee of security – I have to rely on the popularity of their code base and assume issues get caught quickly. But the least I can do is upgrade them whenever a new stable release is available. Generally speaking, this is what keeps me on the internet, and it is no longer an optional activity.

The only other flaw in my setup of which I am painfully aware is due to virtual hosting restrictions. I do a LOT with my one little IP and my one little server (including truly free truly legit SSL), but I cannot host more than one SSL virtual site on port 443. Just “the way things are”. I need to be diligent about redirecting secure traffic through the one configured SSL domain. But this is never easy.

The silver lining: the WordPress iPhone app now works! The pace of blogging should now improve from glacial to very infrequently. :>

Peace out.

There is only one way I know of to get free functional legitimate SSL encryption for your web server, and that’s through StartCom’s StartSSL service. You can get a free “class 1” certificate that will work out of the box in Firefox and Safari. Microsoft hasn’t added StartCom to IE, so people browsing to your site will have to specifically add StartCom’s authority certificate (instructions) (or ignore security warnings).

UPDATE: I am told as of Sept ’09, IE will include StartCom, yay! See comments for more…

Every year I have to renew my websites’ certificates, and the process is a bit clunky. Here’s a summary for next time around…

  • Sign up at the site; they will issue an [S/MIME client certificate] and “install it into your browser”; make sure you keep the stupid thing backed up, it’s the ONLY WAY BACK IN to your account! Here are backup instructions from their FAQ:
    Firefox: Select "Preferences" -> "Advanced" -> "Encryption" -> "View Certificates -> Your Certificates" and locate your certificate from the list. The certificate will be listed under StartCom Ltd. with "StartCom Free Certificate Member" as its name if this is your first one. Select the certificate and click on "Backup", choose a name for this backup file, provide a password and save it at a known location. Now you should either burn this file to a CD ROM or save it on a USB stick or smart card. Thereafter delete this file from your computer.
  • Every year, request to renew your S/MIME client certificate, as it expires; back it up to a safe place
  • Request to renew your domain certificate; provide a password; an ssl.key is generated
  • Use openssl to create a no-password key:
    openssl rsa -in ssl.key.passphrase -out ssl.key.nopassphrase
  • Grab the official StartCom certificates from https://www.startssl.com/certs/
    sub.class1.server.ca.pem
    ca.pem
  • WAIT for confirmation of your certificate (you’ll get an email)
  • Return to the website, log in, go to Tool Box -> Retrieve Certificate, save as ssl.crt
  • Set up apache to use ’em!
        SSLEngine on
        SSLCertificateFile /path_to_certs/2009-2010/ssl.crt
        SSLCertificateKeyFile /path_to_certs/2009-2010/ssl.key
        SSLCertificateChainFile /path_to_certs/2009-2010/sub.class1.server.ca.pem
        SSLCACertificateFile /path_to_certs/2009-2010/ca.pem

That’s the basics but it should be enough to help me through annual renewal. *sigh*…