bradmont.net Random stuff that Brad enjoys

14Nov/110

Free SSL certs with StartSSL

StartSSL™ Certificates & Public Key Infrastructure - How to Install

 

I've always been frustrated by the fact that SSL certs for a website run in the $70/year and up range, which sets https (without having to deal with annoying untrusted certificate warnings and errors) beyond my limited, hobbyist budget.  However, I recently heard about StartSSL offering free basic certs, so I set it up today.

 

After a bit of fiddling (the SSL way of doing things is new to me), it's all up and working! At first only Chromium was calling my site verified, Firefox wasn't giving a bad cert error but was not convinced of the site's authenticity, and Fennec & the Android browser were giving me unknown cert errors. It turned out I hadn't installed the chain certs (a new concept to me), but once I got those in, everything was golden.

Filed under: DIY, security, software
22Jun/110

StopSpying.ca – Harper Gov’t Trying to Push Unethical Online Surveillance Measures

 

Go to stopspying.ca to sign the petition to have this legislation scrapped.

 

23May/116

sshuttle – really, really simple ssh-based VPN

apenwarr/sshuttle - GitHub.

I discovered sshuttle today, a really simple VPN over SSH that works on Linux, BSD and MacOS clients. It requires no set-up on the server, just an unprivileged ssh account and Python. Once you've downloaded it, which is as simple as using apt-get (in a Debian-based OS) or a git command, all you need to do to tunnel all your traffic over SSH to a remote server is:

sshuttle --dns -vvr username@sshserver 0/0

 

And voila, instant security.  I will definitely be using this when I'm on public wifi in the future.

22May/110

Michael Geist – Web Surveillance Legislation Requires Study, Not Speed

Michael Geist - Web Surveillance Legislation Requires Study, Not Speed.

Michael Geist posted Friday about a new series of crime bills that the Harper Government are pushing through. Among these is a bill that will force all Canadian ISPs to implement measures to intercept and examine the communications of their users, and will allow police access to these data without court oversight. This means that the police or other government security agencies will be able to access all of your communications (email, chat, Facebook use, and anything else you do online) without a warrant. It will also enable large-scale monitoring of all of our internet activities. An excerpt from the article:

Lawful access raises genuine privacy and free speech concerns, particularly given the fact that the government has never provided adequate evidence on the need for it, it has never been subject to committee review, and it would cost millions to implement yet there has been no disclosure on who would actually pay for it. Given these problems, it is not surprising that every privacy commissioner in Canada has signed a joint letter expressing their concerns.

Mr Harper, when every privacy commissioner in Canada (the 10 provincial and one federal commissioners) thinks your bill is broken, you probably need to take it back to the drawing board.

16May/110

Encrypted mailbox on mailserver

I've been playing with a bunch of security/crypto software lately and am considering migrating my mail server off of Google Apps to my own server. In considering potential setups, I thought it would be nice to be able to have my mail server encrypt all incoming mail before storing it. That way, if ever the server is compromised, there is no way that an attacker could read my email. The flow I wanted was to have Postfix deliver to Procmail, which would encrypt the message with GPG to me, then store it in the server-side maildir. The encryption is done asymmetrically, so only my public key is stored on the server -- the messages cannot be decrypted until I have downloaded them onto my machine.

Before implementing all this, I decided to Google whether anyone else had done it before, and I found this wiki page that laid it all out like child's play. I guess I'm not quite as original as I had thought. That's ok, though -- it was simple, it works, and it's effective.
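
The encrypt-before-storing step described in this post, as an added example that is not from the original post or the wiki page it mentions. It assumes the script runs as a stdin-to-stdout filter from Procmail, that PGP/MIME (RFC 3156) is the storage format, that `gpg` on the server has only the public key imported, and that the names `RECIPIENT`, `encrypt_message`, `gpg_encrypt` and `describes_body` are hypothetical.

```python
#!/usr/bin/env python3
"""Filter: read one message on stdin, write it PGP/MIME-encrypted on stdout."""
import subprocess
import sys
from email import encoders, message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

RECIPIENT = "you@example.org"  # placeholder: user ID of the public key on the server


def describes_body(name: str) -> bool:
    """Content-* and MIME-Version describe the body, so they travel inside."""
    name = name.lower()
    return name.startswith("content-") or name == "mime-version"


def gpg_encrypt(plaintext: bytes) -> bytes:
    """Encrypt with gpg; the server keyring holds only the public key."""
    cmd = ["gpg", "--batch", "--no-tty", "--armor", "--trust-model", "always",
           "--encrypt", "--recipient", RECIPIENT]
    return subprocess.run(cmd, input=plaintext, stdout=subprocess.PIPE,
                          check=True).stdout


def encrypt_message(raw: bytes, encrypt=gpg_encrypt) -> bytes:
    msg = message_from_bytes(raw, policy=policy.compat32)
    if msg.get_content_type() == "multipart/encrypted":
        return raw  # already encrypted by the sender; do not wrap it again
    # Inner entity: the original body plus the headers that describe it.
    inner = message_from_bytes(raw, policy=policy.compat32)
    for name in set(inner.keys()):
        if not describes_body(name):
            del inner[name]
    # Outer RFC 3156 container: a version part, then the armored ciphertext.
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                                 _encoder=encoders.encode_7or8bit))
    outer.attach(MIMEApplication(encrypt(inner.as_bytes()), "octet-stream",
                                 _encoder=encoders.encode_7or8bit))
    # Routing headers are copied in the clear: From, To, Subject and Received
    # lines remain readable to anyone who obtains the stored file.
    for name, value in msg.items():
        if not describes_body(name):
            outer[name] = value
    return outer.as_bytes()


if __name__ == "__main__":
    sys.stdout.buffer.write(encrypt_message(sys.stdin.buffer.read()))
```

Only the body is protected: sender, recipient, subject and timestamps stay in plaintext on the server.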