2019/08/14: Some Internet service providers and corporate companies might have blocked most of the ports, and allowed only a few specific ports such as port 80 and 443 to tighten their security. In such cases, we have no choice but to use the same port for multiple programs, say the HTTPS port 443, which is rarely blocked. Here is where SSLH, an SSL/SSH multiplexer, comes in handy. It will listen for incoming connections on port 443. To put this more simply, SSLH allows us to run several programs/services on port 443 on a Linux system. So, you can use both SSL and SSH on the same port at the same time. If you have ever been in a situation where most ports are blocked by firewalls, you can use SSLH to access your remote server. This brief tutorial describes how to share the same port for HTTPS and SSH using SSLH in Unix-like operating systems.
2018/11/28: In cryptography, trust is mathematically provable. Everything else is just faith.
The world of the HTTPS introduction makes no claims to reality. It exists only to highlight how incredible it is that an attacker can capture every single packet of HTTPS data that your browser exchanges with Facebook, and yet still have no idea what your password is. It shows just how powerful a system can be when you combine computers with incorruptible treefolk who live in the mountains, and how even just a tiny bit of total, no-questions-asked faith in a central authority can go a long way.
In the real world there’s no such thing as incorruptible treefolk, and there’s no such thing as no-questions-asked faith in a central authority that doesn’t also quickly wreck civilization. But the real world has still managed to piece together a very serviceable public-key cryptography system by patching over the holes and omissions and naivety of the introductory world with a tartan of secondary systems known collectively as “Public Key Infrastructure” (PKI).
2018/11/26: Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”.
And this is what we get for browsers forcing websites to adopt HTTPS or else they try to scare people with warnings about pages not being secure. I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.
Nieman Lab has a piece about HTTPS, and how 2015 wasn't the year it happened across the web. They hope it will happen in 2016, but it won't happen then either, because the web is too big and HTTPS is fraught with difficulty. As an experiment I looked at all that I would have to do to support it on just one of my sites, and found the cost to be much higher than any potential benefit. Let's say I wanted to do it for my main site, scripting.com. First I'd have to move it off Amazon S3. But I like having it there. It took a lot of iteration to get it there in the first place. It's a huge site for a blog. It's been around since 1994 -- over 20 years. A few years ago I put all that static content in a bucket on S3 and forgot about it. It's just there. Served very cheaply. And I don't have to worry about scale. My RSS feed is there. God knows how many bots are reading it every five seconds. I don't know and I don't (have to) care. Amazon just takes care of it. For very low cost. Second, if it were easy or even possible (I suspect it's not possible) Amazon would have already offered me the option to switch. For another $5 a month I could turn http://scripting.com/
. But they have not made that offer. Every time I've looked into it, the cost was prohibitive, the amount of time I'd have to put into it was also prohibitive, and the benefit, insignificant. Frankly if the Chinese want to add or remove stuff from my blog, go ahead, have a party. I'm sure they don't care. Honestly, I don't care either. No money changes hands on any of my sites. I don't ask for credit card numbers or any information anyone could conceivably think of requiring security. When you log on to one of my sites, you're using Twitter's identity system, and they use HTTPS so if it's secure, then so am I. But apparently HTTPS is not secure. Apparently there are holes in it. So please tell me this is more than security theater? I think the proponents of HTTPS are being as honest with us as the TSA, which is to say not very honest. My net take -- it's a pointless fire drill. We're meant to prove that we're really here taking care of our sites. But I have a couple dozen sites that are just archives of projects that were completed a long time ago. I'm one person. I don't need make-work projects, I like to create new stuff, I don't need to make Google or Mozilla or the EFF or Nieman Lab happy. Let's have a discussion about this, but a realistic and respectful one. HTTPS is not the answer to a problem that I have. So I don't have any intention of adapting my sites to support it. PS: Yes, I've heard about all the things that supposedly make it easy to support. They all have missing pieces. They may get you closer to supporting it, in certain situations, but none of them could take me all the way there without major work on my sites. See above for reasons why I'm not going to undertake that work. PPS: A discussion on this emerged on Facebook.
Forget expired TLS certificates; the lightweight Caddy web server handles Let's Encrypt certificates and redirects HTTP traffic by default
I make network architectures private and secure (without giving up everything else).
When you access a Web site over an encrypted connection, you're using a protocol called HTTPS. But not all HTTPS connections are created equal. In the first few milliseconds after a browser connects securely to a server, an important choice is made: the browser sends a list of preferences for what...
Last week, a story broke about how Nokia mounts man-in-the-middle attacks against secure browser sessions.
Convinced from spending hours reading rave reviews, Bob eagerly clicked "Proceed to Checkout" for his gallon of Tuscan Whole Milk and
Creating an HTTPS-secured site is simple, even for virtual domains: it only requires a small change to your Apache configuration and the creation of an SSL certificate. You can always buy a certificate, but for our simple solution we will create our own.