Saturday, September 10. 2011
HTTP Strict Transport Security
The observant amongst you will have noticed that this website has become entirely secured by HTTPS. If you didn't notice, then I've done my job correctly! By redirecting every page to its HTTPS counterpart, every page you see here will be secured. However, I'd prefer that all traffic was secured, and I'd like to reduce the number of redirections from non-secure to secure pages; that's where HSTS (HTTP Strict Transport Security) comes into play. In this article, I'll explain my motivations, and how to implement HSTS on your own site.

Saturday, January 15. 2011
SSH key fingerprints in DNS
Secure shell (SSH) is the workhorse of a UNIX system administrator. Due to its ability to secure connections, protect login details, provide authenticity and even tunnel traffic, SSH replaced telnet in the real world many years ago. Authenticity is not guaranteed, and for administrators working with a large farm of servers it's important to ensure you're talking to the server you really wanted, and not something that's moved into its place. SSH employs a private/public asymmetric keying system, keeping a private key closely guarded and using the public key to not only secure the connection but help prove that you're talking to the right server. Most SSH clients will allow you to remember the public key for a server after your first connection, ensuring subsequent connections are to the same server by revalidating a hash of this key, known as a “fingerprint”. To help validate the fingerprint on your first connection, you can store a fingerprint of the SSH server's public key in DNS for additional verification.

Monday, November 16. 2009
ARCserve agent for Linux on any distribution
Like it or lump it, our hands are tied at work to continue using ARCserve as our back-up software. It's horrible, but the alternatives are also horrible in their own ways. It's become a case of “better the devil you know” and to keep our auditors happy we need to use the ARCserve backup agent on our Linux boxen now too. That's all good and well if you're running major “corporate friendly” distributions like Red Hat or SuSE, but for the rest of you: Computer Associates will tell you that it won't work at all and you're just going to have to reinstall your server with something “not used by kids in their parents' basements”. Them's fightin' words!

Tuesday, August 18. 2009
IPv6 is coming
It's taken its sweet time getting here, but IPv6 is quickly becoming not only a reality, but a technical necessity. After debates at work with the network administrators over whether it's really needed (they don't think so), I figured it's time to take my own (little) stand on the Internet and prove it's not the scary step into the big unknown that people think it is. My involvement with IPv6 goes back to 2002, after participating in the experimental 6bone network. As ISPs are still very slow to take up IPv6 support, I've run a dual-stack IPv6 network with Internet connectivity through the free Hurricane Electric Tunnel Broker service on and off since. For those of you not willing to play too much, an alternative has popped up known as Teredo which essentially does the same thing, and support is built into Windows Vista (or you can do it under Linux using Miredo, which has proven to work well on our proxy servers at work). But this isn't enough.