A script to simplify HPKP

HPKP, or HTTP Public Key Pinning, is one of the very few ways to deal with fraudulent or impersonated certificates. Unfortunately it’s considered too risky by most to deploy publicly, and those who do choose to employ it often do so incorrectly. In fact, a recent Netcraft article points out that of all web servers surveyed, a paltry 0.09% of them utilized HPKP. Of those, a further ~25% didn’t configure their header correctly, leaving the mechanism totally ineffective for its intended purpose. It’s hard to blame those who got it wrong. After all, there are a plethora of minor details involved with setting up HPKP that are easy to overlook. It just so happens that I’ve written a script to make the process a whole lot easier to get right.
Continue reading

RamNode Debian primer script

The out-of-the-box Debian experience on RamNode has improved drastically in recent days, but it can still be quite a chore to get your vanilla VPS to the point where it’s ready for the challenges of the hostile, wild west climate of the Internet. That’s why I wrote a script that will get your RamNode hosted Debian VPS tuned, hardened and fit for production use in the fastest possible time.
Continue reading

Let’s Encrypt with Hiawatha

Let’s Encrypt is a popular, free certificate authority provided by the Internet Security Research Group (ISRG). It is 100% automated, open source, and the results of each signing or revocation are transparent to the public. Let’s Encrypt makes it easy for admins to not only utilize HTTPS everyplace, but its emphasis on automation allows us to do so in a hassle-free manner. Recent versions of the security-oriented Hiawatha webserver ship with a script that makes this process even easier.
Continue reading

Hiawatha as a reverse proxy for Nessus

Nessus is a popular vulnerability scanner by Tenable Network Security. According to Tenable, it’s the most widely used of its kind worldwide. There are several license flavors available, including a free basic edition for home users. Unfortunately, Nessus requires root permissions to run correctly. This means that ironically, not unlike its namesake, the vulnerability scanner itself may be vulnerable to attack. Enter the security-aware Hiawatha webserver and its reverse proxy capabilities.
Continue reading

Hiawatha & Public Key Pinning (HPKP)

In light of the recent spate of certificate authority controversies, the next entry in my series of Hiawatha tutorials will focus on one particular countermeasure: HTTP Public Key Pinning, or HPKP for short. In a nutshell, HPKP helps to avoid the scenario where an antagonist issues an SSL certificate for your domain which is signed by a rogue CA. Normally the client browser will implicitly trust any cert which is signed by a valid certificate authority, even if that CA happens to be, say the Hong Kong Post Office or the China Certification Authority, for example.

To avoid this, HPKP tells a capable client via an HTTP header that, for your particular domain, it should trust only certs signed by a particular set of keys. After the first time they’ve visited your site, even if an adversary issues a certificate for your domain which isn’t signed by one of the keys in your HPKP list, the browser will behave as if the certificate is untrusted and issue the appropriate warning to the user. While imperfect, this method can at least present a fairly effective hurdle to would-be attackers looking to harass your users.
Continue reading

Hosting WordPress with Hiawatha

As of this writing, WordPress is the most ubiquitous CMS and/or blogging platform in the world. WordPress 4.1 alone has been downloaded over 23 million times. It is actively developed, frequently updated, and boasts a vast ecosystem of themes, plugins, books, services, even conferences. And though WordPress’ security track record did improve substantially in 2010 over previous years, its popularity and accessibility has nevertheless left it among the most often targeted web software out there today. If you’re going to self-host WordPress, what better webserver to accommodate this than the secure, lean and high-performance Hiawatha?
Continue reading

A Technical Pro’s Home Network

I’m a career operations guy with some background in security and network engineering. This means my home network is something some people might call “over-engineered” (or even “completely overkill” if they were feeling particularly ungenerous). That said, I often work from my home office, so my network is more important to me than many home networks might be. I’ve also┬ánever had a single service outage or security compromise. If any of this sounds interesting, please read on.

Continue reading