If You Plan To Use SSL, Read This First

If you plan to use secure communications over the internet, then you will use SSL, either to encrypt some types of VPN traffic, encrypt WebDAV file transfers, or for HTTPS. SSL requires you to become familiar with certificates and several otherwise obscure and abstract concepts. Some people have a head for this and grasp SSL easily. I suspect most will find it difficult to keep all the bits and pieces straight and will have to go over this a few times. I will keep it as simple as possible. If you decide you are fascinated with SSL and have discovered a new career, Amazon has many books on PKI, SSL, and web encryption. Read More –>

Dynamic DNS (DDNS) And a Little More

DNS is a look-up service that happens automatically and behind the scenes. For the most part, it’s built into the internet. It converts the name you enter at the top of the browser to a numerical IP address. The IP address is used to get you where you want to go. It’s basically like the index at the back of a book.

The entire DNS process is reasonably complicated, but you can happily live a full and complete life without knowing or caring anything about it. The only exception would be if you install Windows Server 2012, in which case you will have to know something about maintaining your own network DNS server. Read More –>

OpenSSL and Your Root Certificate

Your objective today is to create a private key and a root certificate using OpenSSL. Afterward, you’ll install the root certificate into the trusted root store of your PC, server, and / or browser. Optionally, you will download and install OpenSSL.

Spoiler alert … OpenSSL is not driven by a GUI. It’s command line software. You open an elevated command prompt to run it. You need administrator privileges. Command line software looks a little old school, but it’s surprisingly common in a lot of environments. OpenSSL is also case sensitive. If you make a typing error, a screen with all available commands and their proper spelling appears automatically. Then just try it again. Read More –>

IIS and the Certificate Signing Request

If you want SSL on your Microsoft Internet Information Services (IIS) web server (or any web server for that matter), you need to install an SSL certificate in the web server.

If you plan to make your web server available to anyone who enters your URL, and you expect to offer secure connections, then you will need to purchase an SSL certificate for your purchased internet address. A standard home internet connection won’t work because your ISP can and does change your IP address whenever it feels like it, and in general, you can’t get an SSL certificate for a site you don’t own. To the good, the Certificate Authority (the SSL certificate vendor) will certainly have its root certificate already installed everywhere it needs to be, so you won’t need to worry about users getting an untrusted web site warning when they enter your HTTPS URL. Read More –>

Installing Root Certificates

If you’re taking your advanced home server to new levels that require you to implement security and encryption technology such as HTTPS or SSL-oriented VPNs, you will be introduced to a lot of obscure concepts that you now need to know more about. Some of them involve certificates. A certificate is basically just a little file that is used for identification and encryption. If you choose to build your own security, you will need to become handy at exporting and importing root certificates into your servers and personal computers.

Most normal and happy people have no idea about root certificates and they live long and productive lives without ever caring about them. With a little effort, you will remain normal and happy, but know a little more than you did yesterday. Read More –>

Port Forwarding Quick Reference

Your router is looking out for you. It does far more than connect devices in your house to the internet so you can browse, send email, or watch movies. It also keeps the bad guys out by blocking all inbound traffic that isn’t in response to something you did, such as request a web page. This doesn’t mean that the web page you received can’t infect you with a virus after you let it in through the door. It just means that nobody can send you an incoming signal without you first requesting it or leaving a door open for it to enter. Read More –>

PPTP VPN Security Warning (and PC Configuration)

PPTP is not considered to be secure. It’s not as open as an old-fashioned telephone party line, but anyone with a little know-how and a few bucks can figure out your password. PPTP does not use SSL. VPN connections configured with SSL are as safe as your on-line connection to Amazon or your bank, if configured properly.

The most vulnerable part of PPTP is the authentication protocol, the part with the user id and password. It’s called MS-CHAP v2. MS-CHAP v1 was broken years earlier and MS-CHAP v2 was developed as a response. The encryption protocol associated with PPTP, MPPE, also has security issues. Read More –>

OpenSSL and Heartbleed

Which one can’t you believe in anymore?

A. Santa Claus

B. The Tooth Fairy

C. OpenSSL

And, the correct answer is C, with a qualification. The recently discovered Heartbleed bug in OpenSSL has been repaired. Now, all you have to do is recreate all the certificates and keys you created with it and reinstall them into servers that use OpenSSL cryptographic libraries that have also been updated. This probably includes all routers with an embedded OpenVPN server as well as any NAS device with one. Apache servers have been reported with OpenSSL vulnerabilities. So has my former platform from my IT consulting days, the AS/400. Some major vendors of commercial routers also have OpenSSL issues to repair. Read More –>

Common OpenSSL Commands

Spoiler Alert: Almost nobody remembers the arcane commands that make computers go unless they’re used all the time. When McGee on NCIS (or any other famous TV computer expert) uses a Commodore 64 and a modem to hack the NSA from memory in a couple of minutes, that’s acting. In real life, you would need nearly a half hour and a laptop made within the past 5 years. Naturally, real experts never look anything up so hacking the NSA from memory is pretty realistic if you use the correct equipment. Any expert can do it. (Just kidding.)

Seriously, computers are like anything else. The half-life of information you don’t use very often is pretty short, especially when it comes to the commands necessary to create certificates using OpenSSL. Few things are more cryptic to the average home network administrator. Read More –>