I’ve updated my old notes on managing a certificate authority and turned my current usage into a GitLab project. If you are looking at using TLS certificates on a private network, this is a good starting point to learn more about the process and best practices.
I’ve been doing a bit of research for a small project to update project management practices and to refresh my knowledge of 2019’s best practices.
This is a pretty decent high level summary of how to approach password strength.
The EFF has just published an article about why nobody should be using ETS. This is particularly timely given the recent finalization of TLS 1.3.
If you’re loooking for a bit of light reading before bed, this might be just the answer: An Advanced Introduction to GnuPG.
On a mostly related note, I’m going to move all of my (admittedly trivial) secure e-mail to my ProtonMail account. If you have any reason to contact me securely, I advise you e-mail with GPG at gmobrien at protonmail dot com as of December 2018.
I received notification that the Let’s Encrypt closed beta has started yesterday. As of this morning this domain is now running using the beta version of the client and service.
It’s looking pretty good so far, it’s a bit wonky to integrate with a site that is already running with HSTS since I don’t have a web server listening on port 80. (This is required for the verification step of certificate generation.) But thankfully the client comes bundled with a standalone webserver you can run to complete the setup.
The certs only last for 90 days (by design) and I’ll be interested to see how painful or painless the cert regeneration will be when the time comes, but otherwise it was trivial to get all of the other features I use up and running.
So far, so good!
I have whatever the most minimal unit of Internet based notoriety might be for having originally been a bit of a naysayer on HTTP/2 due to my irrational bias against binary protocols! Well, I’m over it.
It’s good news to see that the future beginning to arrive. For a real Internet geek like me this is one of the biggest technological changes in my life!
I started to write a draft of an article about Let’s Encrypt back in November, but quite finished it to my satisfaction. In any case I would like to draw attention to the project as it gets closer to becoming live. They just posted the draft of their certificate management policy so things are starting to heat up a bit which is kind of exciting!
If you’re not familiar with the project, here’s an overview of how it works. But basically it’s an automated tool that web server administrators can install and use to generate, sign, manage, and revoke TLS certificates for sites they host. It takes most of the human factor out of things and also helps implement some of the more esoteric features of modern TLS for HTTP.
In light of the news over the past couple of years and the complete ubiquity of the Internet and WWW at this point it’s fairly obvious that proper encryption of All The Things is long overdue. There are a number of steps in that direction taking place right now (HTTP/2 standard is more or less final, 1024-bit roots have been widely superseded, OCSP stapling and HSTS are becoming much more widely deployed), but the biggest challenge I see is that, particularly for small website owners and businesses, properly implementing X.509 certificates for TLS is still enough of a pain that it’s largely avoided unless you’re somewhat savvy or paranoid.
I’ve read a few good blog posts and articles on the Let’s Encrypt project but for some reason it doesn’t seem to be getting that much mainstream coverage. At first I was a bit leery of the idea that I hand certificate management over to a 3rd party system, but the more I’ve looked at it the more the idea seems solid. Basically their assumption is that their tooling can handle certificate management better than the average web administrator can. Combined with the fact that the project has major backing from folks like Cisco, Akamai, the EFF, and Mozilla I’m hoping that it gets major traction. I know that I’m planning on adopting it early even though I have a couple of years left on the RapidSSL certs I’m currently using.
Oh and did I mention that it will be entirely free?