2014/UK/indiesecurity

From IndieWeb

Security was a session at IndieWebCamp UK 2014.

Notes archived from: https://etherpad.mozilla.org/indiewebcamp-security


When: 2014-09-06 15:30

Participants

  • ...

Notes

  • Letโ€™s at least not get embarrassingly hacked
  • For HTTPS: need a cert signed by a commonly-trusted authority
    • StartSSL are free
    • Globalsign will give out free wildcard certs to open source projects
  • Which certificate?
    • Basic SSL cert will cover bare domain and www. (tom: http://no-www.org/ because who wants to type www all the time)
    • Generate at least 2048 bit key
    • Donโ€™t get a SHA1 cert, itโ€™s being phased โ€” get a SHA2

Process:

  • you generate a key (.key file) โ€” this never leaves your server
  • you generate a certificate signing request (.csr)
  • you send the CSR to the authority (NOT the .key)
  • you get a certificate (either .crt or .pem) which is signed by the authority

Jeremy: this stuff isnโ€™t easy, esp. for people whoโ€™ve just learnt HTML+CSS โ€” why isnโ€™t there a GUI where you can press a button and itโ€™s done? Tim: With StartSSL thereโ€™s no need to use the CLI, you can do it all in the browser [ed: how? need docs!]

First: get HTTPS working Then, make sure all that effort wasnโ€™t wasted:

  • redirect HTTP -> HTTPS
    • some web application frameworks give you hooks to ensure URLs are protected
  • add HSTS header
  • make sure your cookies are secure (only served over HTTPS) and HTTP-only (XSS attacks canโ€™t access them via JS)
  • avoid mixed content warning

Intermediate certificates: when a root authority gives someone else the ability to sign, and they sign you, you need to provide both your cert and any intermediate certs, concatenated in the same file [in what order?]