SSL Enabled for the blog
October 14, 2009
I’ve been crazy busy with work, writing other things, and life in general, but I finally got to work a little bit on the blog.
As I wrote, I’m going to LISA in Baltimore this November. While I’m there, I really want to be able to update the blog (when I get a spare 15 seconds or so). There’s going to be plenty of wifi, but I’m nearly certain that it’s going to be plain unencrypted wifi.
I’m not of a nefarious sort of nature, but as a sysadmin, I’ve got to think like someone who is, and what would a more delicious target be for a sniffer than an entire conference of sysadmins all communicating over unencrypted wifi? I can’t think of much.
I’d very much like not to have my blog password sent over normal HTTP, so I’ve spent some time configuring Standalone Sysadmin to listen over HTTPS. If you click that link, you’ll undoubtedly get a certificate error, because I created my own certificate authority (using instructions very similar to these) and signed my own certificate.
The end result is that, although I haven’t paid a couple hundred bucks for a “trusted” certificate, the traffic sent over the https link will be encrypted, and thus when I sign in, my password won’t be sent in plaintext to any joker running a wireless sniffer.
If you’re going to a conference (or out in public wifi in general), you need to be cognizant of the fact that your packets travel freely through the ether, at least if you’re using unencrypted wifi.
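The private-CA setup described above, sketched with the openssl command line as an added example (not the author's actual commands, nor the instructions the post links to); the CA name and blog.example.org are constructed placeholders. It also shows the check a client makes once the CA certificate has been imported: the server certificate validates only against that CA and that hostname, so a look-alike certificate on a conference network still raises an error.

```shell
#!/bin/sh
# Added example. "Example Blog CA" and blog.example.org are constructed names.

# Create a private CA (key + self-signed CA certificate) in directory $1, named $2.
make_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$1/ca.cnf" -extensions v3_ca \
        -subj "/CN=$2" -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue a server certificate for host $2, signed by the CA in directory $1.
issue_cert() {
    openssl req -new -config "$1/ca.cnf" -subj "/CN=$2" \
        -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$2" > "$1/server.ext"
    openssl x509 -req -in "$1/server.csr" -sha256 -days 90 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/server.ext" -out "$1/server.crt" 2>/dev/null
}

# Succeeds only if certificate $2 chains to CA file $1 and is valid for host $3.
chains_to() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of certificate $1, for comparison over a trusted channel.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo: run as "sh script.sh demo" to build a CA and print the cert fingerprint.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_ca "$d" "Example Blog CA" &&
    issue_cert "$d" blog.example.org &&
    chains_to "$d/ca.crt" "$d/server.crt" blog.example.org && fingerprint "$d/server.crt"
fi
```

Importing `ca.crt` into the browser on your own laptop before the trip turns the certificate warning back into a meaningful signal; `ca.key` should stay off the web server.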














October 14th, 2009 at 11:32 pm
If you’re prepared to spend a few dollars, RapidSSL is fairly cheap ($79) for SSL certs:
http://www.rapidssl.com/index_ssl.htm
That said, you’re not using the site for commercial purposes and the fact it’s ‘just a blog’ means you don’t really need anything other than a self-signed cert :)
October 14th, 2009 at 11:42 pm
@Twirrim
Nice link! Thanks! Didn’t know about that. I’ll see how it goes, but hey, $80 is much better than what Thawte is charging!
October 15th, 2009 at 12:53 am
I heard about StartSSL with free certs and at least Firefox trusts the CA cert https://www.startssl.com/?app=1
October 15th, 2009 at 12:57 am
You could just set up an ssh tunnel to the host your blog is running on. Quick proxy is a great firefox plugin for using any ssh tunnels you have set up.
October 15th, 2009 at 5:12 am
http://www.trustico.co.uk/products/rapidssl/cheap-rapidssl-ssl-certificate.php
13.30 UK =~ $21.50 US (according to xe.com)
Whilst I’d not heard of them before, they seemed competent and really unbelievably cheap for SSL certs!
October 15th, 2009 at 5:21 am
You can get valid certificates for less than $10 per year if you look around. Usually means you have to look around each time you renew as the prices tend to rise a bit once these SSL resellers have a few customers, but if you’re willing to switch around it can be fairly cheap. That’s assuming you really want your site with an SSL certificate which validates for other users.
Personally I’d use a proxy of some sort instead of just protecting a single site with SSL if I was on an untrusted network.
October 15th, 2009 at 8:42 am
I would also recommend using GoDaddy for your SSL Certificates.
3 Years @ $27.49 per year!
This is the only place I buy SSL certificates…..
October 15th, 2009 at 9:55 am
I use Certificates for Exchange, https://certificatesforexchange.com/. $19.99 per year.
October 15th, 2009 at 10:03 am
I came in here to let you know that many places sell really cheap SSL certs with trusted roots.
I was late to the party.
Another good option for folks who have a lot of machines they would like to secure on a single domain is the Wildcard Cert from GoDaddy. $200 per year (and you can find coupon codes to get it lower than that) and you can basically secure every web service in your organization.
October 15th, 2009 at 1:00 pm
I guess I’m the only one who blogs using SSH. :-)
October 15th, 2009 at 1:07 pm
@saint aardvark
For a fair while my site was generated using a custom written perl script that read the contents of a subfolder, sanity checked to ensure it was plain text files, and displayed the ten most recent in date order.
Didn’t look anything fancy, if anything I specifically went for minimal/retro but it worked very effectively. Updating the site was as simple as SSHing in and writing a new entry in vi :)
October 15th, 2009 at 3:14 pm
Ah yes. Conferences. Especially conferences where they’re teaching network analysis. BrainShare was famous for having Laura Chappel sniff unencrypted pop3/imap passwords out of the air. Live. During sessions. People came out of those sessions and immediately launched sniffers to see what THEY could see on the airwaves. It wasn’t as hostile as, say, BlackHat, but I didn’t trust that network AT ALL for privacy. At first I did all of my web-browsing over an SSH tunnel to a network I trusted far more, then came the full-blown VPN.
October 15th, 2009 at 4:18 pm
It’s interesting that nobody has mentioned the fact that even if the WIFI was encrypted – everyone who is being given access to participate on that WIFI network has the encryption key and can sniff traffic.
Encrypted WIFI only prevents people who shouldn’t be allowed to participate on the network from getting access. In the environment you are going to there would really be no point to that since they want everyone who comes to the event to have access. (Well.. unless they are going to be charging for access or something.)
Encrypted WIFI wouldn’t protect you from anyone else on that Encrypted WIFI network, nor from anyone else sniffing traffic on any of the networks between the conference and the network where your blog server is hosted. It’s really no different than if you had wired ethernet at the conference. Everyone on that wired network could sniff your traffic.
The only way to protect your password is ‘end-to-end’ encryption between the blog server application and the blog client application on your computer.
Encrypted WIFI would have made no difference.
A
February 21st, 2010 at 8:00 pm
http://webdesign.about.com/od/ssl/tp/cheapest-ssl-certificates.htm
The Cheapest SSL Certificates — “I evaluated nearly 50 different SSL certificate services from 15 different certificate authorities (CA). These are the cheapest certificates you can get and my estimation as to whether they are worth the price or not.“
November 17th, 2010 at 10:30 pm
[...] there. I was thinking about getting a certificate for my blog and here’s the ensuing thread: http://www.standalone-sysadmin.com/blog/2009/10/ssl-enabled-for-the-blog/ December 11, 2009 2:12 am John oh ok, thanks. I just added an edit to my question [...]
August 21st, 2011 at 5:03 am
[...] Get a commercially signed certificate from someone cheaper. There are lots of companies out there. I was thinking about getting a certificate for my blog and here’s the ensuing thread: http://www.standalone-sysadmin.com/blog/2009/10/ssl-enabled-for-the-blog/ [...]