Sciencemadness Discussion Board
Subject: Securing Sciencemadness: understanding the threat model

Marvin
posted on 14-10-2013 at 11:33
I accepted the certificate, but I still get warnings and hoops to jump through in Chrome; it says "Server's certificate does not match the URL". I wasn't going to mention it, but if the certificate is being fiddled with anyway ;)

SHA-256 Fingerprint: 81 41 E0 45 57 2C 95 8A C4 34 3C 44 DC 38 2D 5D BB A4 72 B9 3E E8 38 D2 7B 1C 21 55 30 D2 8C 3C
bfesser
posted on 16-10-2013 at 09:47
I didn't want to start a new topic for this, but I wonder if anyone else has noticed that the server time appears to be off by maybe two or three minutes (ahead).

Compare my system time to the "posted on" timestamp above.
12:44:30 CST

[edit] I'm also CST, but have to set EST in my profile to get the correct hour...
[2nd edit] GMT? Seriously? This forum software is beyond hope.

[Edited on 16.10.13 by bfesser]




Polverone
posted on 16-10-2013 at 14:55
I will try to get a better matching certificate when I next regenerate it.

Quote: Originally posted by bfesser  
I didn't want to start a new topic for this, but I wonder if anyone else has noticed that the server time appears to be off by maybe two or three minutes (ahead).

Compare my system time to the "posted on" timestamp above.
12:44:30 CST

[edit] I'm also CST, but have to set EST in my profile to get the correct hour...
[2nd edit] GMT? Seriously? This forum software is beyond hope.

[Edited on 16.10.13 by bfesser]


The forum software does not appear to handle daylight saving time correctly. It shows non-DST times year round. I added a cron job for daily NTP synchronization. The server previously got the value once at boot time but would then drift until the next reboot, which could be many months.




bfesser
posted on 16-10-2013 at 15:11


Alright, thanks for the clarification, Polverone. I noticed while posting earlier that my own computer's NTP synchronization doesn't seem to be working properly. I'm going to have to look into fixing it. Goddamn Linux Mint... it's 2013 and they can't even get the clock right‽ It's downright ridiculous. This is why Windows die-hards think Linux is a joke. Oh well, at least I don't have to fight with USB drivers.



Crowbar
posted on 26-5-2015 at 03:25


Hey Polverone,

First, your server still accepts some weak ciphers. See https://www.ssllabs.com/ssltest/analyze.html?d=sciencemadnes...
It's also reporting an issue with PFS.
Furthermore, there are other server settings that affect security. An ultra-concise reference that includes recommended configs for the common web servers: https://cipherli.st/

Second, when your next annual self-signed certificate reissue time rolls around, how does any one of us know we're not being man-in-the-middled and that the new certificate actually comes from you?
Consider providing some out-of-band method for us to verify the site's new certificates, such as publishing a hash of the key on multiple other channels.
Alternately, sign the site certificates with a root certificate you create, and publish the root (and revocation list) elsewhere. Setting up is just a few openssl commands, and it has the important benefit that the root key can be kept off the hosted site machine: you only use it on your own secure system to sign the site certificates.

In general, I don't see why you reissue your certificates annually. The only idea I have is if you intend to use this as a warrant canary in case you're gagged by a national security letter. Which also begs the question of why you'd use a US-based host in the first place. Numerous companies and organizations with far tamer content than this site have moved their data elsewhere. It may be the cautious thing to do to follow suit.
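Editor's added example (not posted by anyone in this thread and not the forum's actual setup): the "few openssl commands" Crowbar describes, carried through end to end. It builds a private root CA, signs a site certificate with a subjectAltName so the certificate matches the URL (the mismatch Marvin hit), verifies the chain and hostname the way a reader with the published root would, and prints the root fingerprint that would be published on independent channels. The hostname forum.example.test, the key sizes, validity periods and file names are all assumptions; the root key here lives in a temp directory only because the script is self-contained, whereas in practice it stays on an offline machine and only root.crt (plus a CRL) is published.

```shell
#!/bin/sh
# Added example: private root CA signing a site certificate, then verifying it.
# All names below are constructed for the demo; they are not the real site's.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SITE="forum.example.test"   # assumed hostname, not the forum's real one

# 1. Root CA: key plus self-signed certificate with explicit CA extensions.
#    In real use this step runs on an offline machine; root.key never leaves it.
make_root_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/root.key" 2>/dev/null
    openssl req -new -key "$WORK/root.key" \
        -subj "/CN=Example Private Root CA" -out "$WORK/root.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$WORK/root.ext"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -sha256 \
        -days 3650 -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
}

# 2. Site certificate: key and CSR made on the host, CSR signed by the root.
#    The subjectAltName entry is what makes the certificate "match the URL";
#    a CN-only certificate is what produces Chrome's mismatch warning.
make_site_cert() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/site.key" 2>/dev/null
    openssl req -new -key "$WORK/site.key" -subj "/CN=$SITE" \
        -out "$WORK/site.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
        "$SITE" > "$WORK/site.ext"
    openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$WORK/site.ext" \
        -out "$WORK/site.crt" 2>/dev/null
}

# 3. What a reader does with the published root: check the chain AND the
#    hostname. Returns 0 on success, non-zero on a bad chain or wrong name.
verify_site_cert() {
    openssl verify -CAfile "$WORK/root.crt" -verify_hostname "$1" \
        "$WORK/site.crt" >/dev/null 2>&1
}

# 4. Fingerprint to publish out of band (mailing list, PGP-signed post, ...).
#    Readers compare this against the root their browser shows them.
root_fingerprint() {
    openssl x509 -in "$WORK/root.crt" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

make_root_ca
make_site_cert
echo "Root SHA-256 fingerprint (publish on independent channels): $(root_fingerprint)"
if verify_site_cert "$SITE"; then
    echo "site certificate verifies for $SITE against the published root"
fi
```

Renewing the site certificate each year then becomes a non-event for readers: the root they pinned once stays the same, and a certificate that does not chain to it (or is issued for the wrong name) fails the same `openssl verify` check that a browser performs.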