2014/UK/indiesecurity
Security was a session at IndieWebCamp UK 2014.
Notes archived from: https://etherpad.mozilla.org/indiewebcamp-security
When: 2014-09-06 15:30
Participants
- ...
Notes
- Letโs at least not get embarrassingly hacked
- For HTTPS: need a cert signed by a commonly-trusted authority
- StartSSL are free
- Globalsign will give out free wildcard certs to open source projects
- Which certificate?
- Basic SSL cert will cover bare domain and www. (tom: http://no-www.org/ because who wants to type www all the time)
- Generate at least 2048 bit key
- Donโt get a SHA1 cert, itโs being phased โ get a SHA2
Process:
- you generate a key (.key file) โ this never leaves your server
- you generate a certificate signing request (.csr)
- you send the CSR to the authority (NOT the .key)
- you get a certificate (either .crt or .pem) which is signed by the authority
Jeremy: this stuff isnโt easy, esp. for people whoโve just learnt HTML+CSS โ why isnโt there a GUI where you can press a button and itโs done? Tim: With StartSSL thereโs no need to use the CLI, you can do it all in the browser [ed: how? need docs!]
First: get HTTPS working Then, make sure all that effort wasnโt wasted:
- redirect HTTP -> HTTPS
- some web application frameworks give you hooks to ensure URLs are protected
- add HSTS header
- make sure your cookies are secure (only served over HTTPS) and HTTP-only (XSS attacks canโt access them via JS)
- avoid mixed content warning
Intermediate certificates: when a root authority gives someone else the ability to sign, and they sign you, you need to provide both your cert and any intermediate certs, concatenated in the same file [in what order?]