Much (more) ado about SSL
October 15, 2009
So, my recent entry on SSL-enabled Standalone Sysadmin was pretty popular…if you consider “pretty popular” to be over a dozen comments on the thread, plus another half dozen on Twitter, all pretty much telling me that I was doing it wrong.
OK, so they weren’t necessarily critical of my plan so much as reminding me of the short-sighted nature of my plan.
Semantics! In any event, everyone brought up some very good points. Before I continue, I should say…I do feel like I was being a bit…disingenuous when I explained my reasoning for the SSL. Securely logging in from the conference (and other places) was, in fact, a big reason, but there were others too, which will also be explained in time. That’s not the point, though.
The point is that merely logging in over SSL is a small band-aid for a gaping wound. Unsecured wifi (and, as Anthony reminded us, even secured wifi) can’t be thought of as private, by any means.
As many people have suggested, the ideal solution would be to tunnel all of my traffic through a VPN (or even just an SSL tunnel to a known-secure location). At one point in time, Google provided Google Secure Access, which established a secure tunnel to Google servers, allowing you to use the internet over an encrypted session. It looks like the download link is dead now, however.
That leaves us to fend for ourselves. Many people suggested tunneling with SSH to make a SOCKS proxy. stunnel is also an option.
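The SSH SOCKS approach, as an added example that is not part of the original post: a small bash script that brings up an `ssh -D` tunnel to a host you trust, waits for the local listener, and points proxy-aware clients at it. The user, host, port and the URL it fetches are hypothetical. The caveat a practitioner wants here is DNS: a plain `socks5://` proxy still sends every hostname lookup to the hotspot’s resolver, so the script uses `socks5h://`, which makes curl resolve names through the tunnel (in Firefox the equivalent is the `network.proxy.socks_remote_dns` preference).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): push a laptop's web traffic
# through an SSH SOCKS tunnel to a trusted host. Assumes a shell account on
# that host; user, host, port and the test URL below are hypothetical.

# Build the ssh command. -N: no remote shell, -D: local SOCKS5 listener bound
# to loopback only, ExitOnForwardFailure: fail loudly rather than silently
# running without the forward.
socks_tunnel_cmd() {
  user="$1"; host="$2"; port="$3"
  printf 'ssh -N -D 127.0.0.1:%s -o ExitOnForwardFailure=yes %s@%s\n' \
    "$port" "$user" "$host"
}

# Proxy URL for clients. socks5h (not socks5) makes curl resolve hostnames
# through the tunnel too; plain socks5 would leak every DNS lookup to the
# hotspot's resolver even though the HTTP traffic itself is tunneled.
socks_proxy_url() {
  printf 'socks5h://127.0.0.1:%s\n' "$1"
}

# True if something is listening on host:port (bash /dev/tcp, no netcat needed).
port_open() {
  (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# Bring the tunnel up, wait for the listener, then exercise it with curl.
bring_up() {
  user="$1"; host="$2"; port="${3:-1080}"
  $(socks_tunnel_cmd "$user" "$host" "$port") &
  tunnel_pid=$!
  for _ in 1 2 3 4 5 6 7 8 9 10; do
    port_open 127.0.0.1 "$port" && break
    sleep 1
  done
  if ! port_open 127.0.0.1 "$port"; then
    echo "tunnel did not come up" >&2
    kill "$tunnel_pid" 2>/dev/null
    return 1
  fi
  ALL_PROXY="$(socks_proxy_url "$port")"
  export ALL_PROXY
  echo "SOCKS tunnel up on $ALL_PROXY (ssh pid $tunnel_pid)"
  # Anything honoring ALL_PROXY now leaves via the trusted host.
  # https://example.com/ is a placeholder URL.
  curl -sS https://example.com/ -o /dev/null -w '%{http_code}\n'
}

# Usage: ./tunnel.sh up alice shell.example.com 1080
if [ "${1:-}" = "up" ]; then
  bring_up "$2" "$3" "${4:-1080}"
fi
```

Applications that do not honor `ALL_PROXY` (mail clients, IM, the OS’s own update checks) still go out in the clear, which is the argument for a real VPN with a default route over the tunnel rather than a per-application SOCKS proxy.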
In the end, we’re left with a medium whose very transmission is insecure, and as many of you reminded me, it’s important to protect ourselves as completely as possible. Thanks to everyone who wrote or commented. Also, thanks to everyone who mentioned cheap SSL certificates. While SSL for the blog isn’t the end-all-be-all of securing my communications, it’s an important part of my plan, so I thank you all.
October 15th, 2009 at 11:36 pm
OpenVPN and a good certificate have always worked pretty well for me, especially since you can masquerade it inside a normal HTTPS session. Easy to set up, key-based, so you can easily revoke logins, software available for many, many platforms (we supported 5 or 6, including 3 different flavors of Linux, at my last job). Total win.
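What that setup looks like in practice, as an added example that is neither the commenter’s configuration nor anything from the original post: a bash function that emits a minimal OpenVPN client config carrying the tunnel over TCP 443 with certificate authentication and a default route through the VPN, plus a check that refuses a world-readable private key. The hostname vpn.example.com, the certificate and key file names, and the port numbers are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the post or its comments): a minimal OpenVPN client
# config for the kind of setup described above. vpn.example.com, the file
# names and TCP port 443 are assumptions.

# Emit a client config that carries the tunnel over TCP 443, authenticates
# with a client certificate rather than a password, checks that the peer's
# certificate is really a server certificate, and routes everything through
# the VPN (default gateway) once connected.
openvpn_client_conf() {
  host="$1"
  cat <<EOF
client
dev tun
proto tcp-client
remote $host 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
redirect-gateway def1
verb 3
EOF
}

# The matching server side uses "proto tcp" and "port 443". Adding
# "crl-verify crl.pem" there is what lets you revoke a lost laptop's
# certificate, and "port-share 127.0.0.1 8443" hands connections on 443 that
# are not OpenVPN to a real HTTPS server on the same box.

# Refuse to use a private key that anyone else on the machine can read:
# true only for a regular file with mode exactly 0600.
check_key_perms() {
  f="$1"
  [ -f "$f" ] || return 1
  find "$f" -maxdepth 0 -perm 600 | grep -q .
}

# Usage: openvpn_client_conf vpn.example.com > client.ovpn
#        check_key_perms client.key && sudo openvpn --config client.ovpn
```

Without `redirect-gateway def1` only traffic for the VPN’s own subnet goes through the tunnel, which would put you back in the situation the post describes: a secure link to one place while everything else crosses the hotspot in the clear.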
October 16th, 2009 at 12:01 am
@dagard
Thanks for mentioning OpenVPN; a quick Google shows there is even a Maemo client out there, so I can secure my N810 when on public wireless, with a lot less hassle than other methods I was using.
October 16th, 2009 at 12:37 am
Since I didn’t see it mentioned:
CAcert is another great free cert provider. It’s noncommercial, offers various chain-of-trust options through volunteers, and has a very easy setup for basic cert needs.
October 16th, 2009 at 9:44 am
Something else people often forget about when trying to protect their data: is it really worth protecting?
In this case, your password to log in and make changes to the blog is of course worth protecting. As a good sysadmin you don’t use that same password on anything else (of course (heh heh)); however, you certainly don’t want anyone to be able to hack into your blog and screw around with it.
At the same time the data you are pushing out to your blog is meant for public consumption anyway. Why protect something that you’re trying to make available to everyone?