Ensuring encrypted web traffic with Strict Transport Security headers (HSTS)

When you’re ready to ensure that no one visits your site over an insecure connection, the Strict Transport Security header is key.


Creating Public Key Pinning headers (HPKP)

In my post two weeks ago about setting consistent headers in nginx, one of the headers I was concerned with was the Public Key Pinning header (HPKP). This and the Strict Transport Security header (HSTS) are both defensive mechanisms meant to increase the reliability of secure connections to a given site.


Assuaging my paranoia with redundancy and many, many backups

Along with the joy and burden of running my own servers comes a great deal of paranoia. Are my machines secured against unauthorized access? Is my mailserver an open relay? Will DNS for ethitter.com keep working if my primary machine is down? What happens if something crashes? Do I have all of my configurations tracked should I need to rebuild one of the boxes?

These, and many similar questions, are so frequently thoughts of mine that I had no choice but to establish many layers of redundancy and backups, lest I be unable to focus on anything else.


Economically monitoring SSL certificate expiration

As noted previously, I’ve opted to serve all of my sites securely. I even went so far as to get ethitter.com on Chrome’s preload list, meaning no major browser even attempts an insecure connection to my site. Try loading http://ethitter.com/ in Chrome, Firefox, or Safari, and the browser will redirect to https://ethitter.com/ before my nginx configuration ever tells it to.

That vaguely-entertaining detail aside, this means that I’ve reason to be concerned about how soon my SSL certificates expire. The HPKP headers I set have 60-day lives, which I need to account for any time I renew the certificate for a pinned domain.


nginx header inconsistency, aka setting headers all the way down

For the three visitors I attract in a month, I’ve had an outsized interest in making this the most secure WordPress site that I can. My focus of late has been primarily on the security-related headers I can set. In particular, ensuring that HSTS and HPKP were present on all requests became a priority.

Why?

A few weeks ago, I noticed that certain assets served from my CDN host lacked the Strict Transport Security headers (HSTS) I’d expected. To the best of my knowledge, I’d configured nginx to set these headers on every request.


Updating all the plugins!

As part of checking that the plugins I maintain are ready for WordPress 3.6, I took the opportunity to fix a number of bugs, patch a few content disclosure vulnerabilities, and refactor some things I wasn’t pleased with.

Below is a rundown of all that changed. It’s worth noting that all of the plugins I actively maintain are compatible with WordPress 3.6, which will be released in the coming weeks.

Windows 7 Advertising Misses The Point; Features, Not Security, Microsoft’s Focus

In Microsoft’s recent advertisements promoting Windows 7, the company focuses on the various user-initiated features the new operating system includes. As far as I’ve seen, however, the company has not addressed the dual concerns of virus and spyware vulnerabilities. Similarly, the October 26 issue of Fortune Magazine, which declares “Microsoft Is Cool Again,” highlights various improvements Microsoft made to Windows 7 in response to the myriad problems that plagued Vista, but author Jeffrey O’Brien completely overlooked the security vulnerabilities that malicious software poses. While I have no doubt that Windows 7 is a substantial improvement over Vista (my former employer upgraded to Vista, much to its chagrin), the risks arising from viruses and malware emphasize why, for security and other reasons, Mac OS X is my choice of operating system. As it turns out, though, Microsoft may not be showcasing its efforts to address these security risks because only certain editions of Windows 7 include a feature to deal with these problems.
