And ditch insecure and weak TLS ciphers or risk attack

SSL, or TLS as it should be called these days, is THE de rigueur of modern web site hosting. Well, not so much de rigueur, but more of a necessity. It’s not just about security (encryption between your web browser and the webserver), but SEO (search engine optimisation) requires an SSL/TLS certificate as search engines such as Google are prioritising SSL/TLS protected sites above non-secure sites (see http://www.bafta.org, an example of a web site which could – and indeed should – be using an encryption connection throughout, but doesn’t).

And it’s not just all about encryption. With the HTTP/2 protocol – assuming your web server supports it – can provide a number of improvements that can significantly boost the performance of your site as well.

SSL/TLS certificates used to cost a fortune and were difficult to manage. Every year or so, you’d have to create a new certificate signing request (and private key, if necessary) and then submit the CSR to an SSL vendor. You’d then have to verify you own the domain either by placing a text file on your website, or an entry in DNS. And you’d be paying a pretty penny in the process. And that’s just to protect one URL (or, in the case of most SSL vendors – actually two – one for a subdomain (such as ‘www’), and the other for the bare domain (such as ‘drake.org.uk’). If you wanted to protect a whole bunch of subdomains, you could buy a wildcard SSL certificate. These are even more expensive (though the cheapest I found was $45 per year), but can be deployed across multiple servers and hostnames under the same domain.

Then came along Let’s Encrypt. It’s a free certificate authority that issues free single hostname and wildcard SSL certificates. It’s easily automated and requires very little effort. Wildcard SSL certificates are relatively new – and most people end up issuing single domain certificates through the “certbot” utility.

But it’s just as easy to get a wildcard cert which can be renewed automatically. Usually, like me, you’d run certbot with the –nginx command which sorts out your nginx configuration for you. But if you wanted a wildcard certificate instead, it requires a bit extra work:

certbot-auto certonly --manual --preferred-challenges=dns \
--email [email protected] \
--server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos -d *.wombats-are-cool.com

You’ll then be prompted by certbot to add a DNS entry to your domain (in this example, wombats-are-cool.com) and then it’ll go off and verify it exists and issue the certificate. Keep your DNS TTL record for a quick resolution.

Once issued, you’d just alter your nginx server block with:

ssl_certificate /etc/letsencrypt/live/wombats-are-cool.com/fullchain.pem; # managed by Certbot

ssl_certificate_key /etc/letsencrypt/live/wombats-are-cool.com/privkey.pem; # managed by Certbot

Then shove the following in /etc/crontab:

0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew

(add > /dev/null 2>&1 to taste)

A free wildcard SSL certificate which will automatically renew itself. An alternative to Let’s Encrypt is to use a WAF or CDN such as Cloudflare or Sucuri – both will offer to install a certificate at the edge (e.g. their servers – all traffic will go through their datacentres before being passed to your origin server). This requires a bit more set-up, especially if you want to the WAF/CDN to connect over HTTPS to the origin server. There are a number of approaches to this – including, ironically, using Let’s Encrypt.

Now, don’t forget to disable SSLv3, TLS v1.0 and v1.1 and use strong ciphers. Don’t do what many web site owners do, and accept any old nonsense.

In the following example (from a well known UK multi-media facility), the highlighted protocols are terribly insecure and will fail you in any vulnerability scan, and a temptation for intruders and automated bots. TLS v1.1 isn’t worth keeping around – I’ve been looking at the stats of a very high volume e-commerce web site shows that barely anybody uses it. I’ve configured many web sites to use TLS v1.2 at a minimum and it has had absolutely no impact on browser compatibility.

PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
|
SSLv3:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| CBC-mode cipher in SSLv3 (CVE-2014-3566)
|
TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
|
TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
|_ least strength: C

Or a more visual representation of the above:

Exposing the versions of your server’s web server, OpenSSL and PHP is also a Bad Thing(tm). Which of course, our poor saps absolutely do:

Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.6.30

Don’t do what these people do. Pay attention to your SSL/TLS settings as well as your certificate.

Meanwhile, I’m happy with this:

I was going to post about the state of Apple Music in 2019 after its appalling launch which was besieged with technical problems. I tried to find some images from a previous version of this blog, but instead found these odd photos:

Former newsreader, journalist and reality TV barge passenger Michael Buerk has suggested that the NHS could save money by not treating obese people. This is a bit like saying that the NHS shouldn’t be treating drug addicts, smokers, or alcoholism. Or people who cause accidents and end up injured themselves. Or rich people. Or Tories.

(I kid because I care..)

Obesity, while generally associated with overeating and a less active lifestyle, has many causes. Some medical. Others not. Mental health, work (inactive at work due to pressures of deadlines/long hours/long commutes could all lead to poor diets), food prices, injury, etc.

Regardless of whatever the cause – shaming is a terrible thing to do, best left to people who lack empathy for others (alas, empathy treatment is not available on the NHS or private healthcare). The NHS is available for everybody, regardless of whatever the problem may be.

I consider overpopulation, tax dodgers (individuals and corporate), and the likes of Brexit to be a far bigger danger to the NHS than overweight people.

The purpose of life? Allegedly (for us blokes) it’s: grow up, get a job, get married, have kids, become a grandad, retire, and then die peacefully.

I’ve achieved three of those things. Growing up, getting a job and I was once married. I did want kids at some point, though if I am to be honest with myself, my desire to actually have them was maybe a little less than that of my ex-wife. My attitude at the time was that if they turned up, great. If not, it’s not the end of the world (though I was concerned about ending the family lineage and not being able to give my parents grandkids).

My ex-wife really wanted kids, and as soon as we were able to do so, we started trying. Unfortunately there were a number of stumbling blocks, and ultimately we turned to IVF treatment which got us further than we had ever been. But disaster struck there too, and I nearly lost her and the baby as a result of complications.

But even this didn’t hold us back – we tried to adopt internationally (there are many reasons for doing so versus domestic adoption, one reason being the age of the child being adopted, which for for first time parents, matters a great deal), but the cost was substantial and even with our salaries, it was prohibitively expensive.

In the end we went our separate ways. It wasn’t just about having children, but there were a number of other factors too. I felt that maybe I had rushed things a little too much – I practically proposed to her a day or two after meeting her. I’m not known for my patience, it must be said.

Being single again for the past 5 years since the divorce, dating has been challenging. I’ve found that many women around my age on dating sites have already had families. One or two children. Either separated or divorced. Fewer women have no ties. And every time I’ve joined these dating sites I’ve always wondered about the question: “Do you want children?” I don’t think it’s an easy question to answer.

What really brought my around to being a dad was volunteering at an NGO in Beijing, China, around 2008, helping orphaned children heal. A young girl of around 5 or 6 came up to me and latched on. We played for a good while, and I noticed that on a couple of occasions she would bite me. Apparently this was common among children in this situation and was an attachment issue. But I didn’t mind. I really took to her, and her to me. Saying goodbye was extremely difficult, and thinking about it now brings me to tears. But the good news, and what’s makes my heart glad, is that she was adopted by a lovely American family. As far as I know, she is doing extremely well in that environment. But I cannot help but think she could have been with me and my ex-wife.

And this is why I’m very pro-adoption. If I were to date a woman that already has children, I wouldn’t have a problem with it. But would I biologically want my own? I still don’t know. I really don’t. Given the madness that’s going on in the world at the moment, I’m not sure I’d want to introduce a new born baby into the insanity that is Brexit, Trump or Putin (and the rest).

Having read about birthstrikers, it makes me think that perhaps not having children of my own helps my own community and even the whole planet. By assimilating into somebody else’s family seems a more sensible thing to do. You may not necessarily seen to be THE dad to those children, but at least you’d be A dad (though secretly you’d want to be the former).

Life goes on. I’ve no a clue what’s going to happen in the next 5-10 years. I may meet someone. I may not. Work keeps me extremely busy most of the time (with a possible detriment to my social life – I take work extremely seriously and if I were to lose my job, there goes the house and everything I’ve worked hard to achieve). But I do know I need to put myself more out there. I had a considered adopting a dog. But that’d go down well with my neighbours who also have dogs. I couldn’t leave a dog at home alone even if they have enough stimulus to keep them busy.

In any event, the answer to life, the universe and everything remains 42.

Apple is a strange company. It has come up with some rather lovely designs during its history. The Apple Magic Mouse 2 isn’t one of them. It’s a mish-mash of superb usability and horrible ergonomics combined with very decent battery life. I’ve been using them pretty much ever since I’ve had a Macintosh.

The Space Grey version of the Apple Magic Mouse 2 is very shiny!

I have been tempted by other Bluetooth mice before, and indeed earlier this year I bought a couple of Logitech MX Master 2S wireless mice. They’re ergonomic, chunky and feel great in the hand. My only complaint has been the scroll wheel has always felt either too loose in quiet mode, or when the ratchet mode is on, too noisy. Whereas the Apple Magic Mouse 2 has a surface area which acts like a touchpad which makes scrolling pretty much flawless. Plus the Apple mouse can scroll sideways much more easily.

The Logitech MX Master 2S – which can be used when charging

The MX Master 2S can also be charged whilst it’s being used, whereas with the Apple mouse you’ll need to turn it upside down in order to plug in the Lightning cable – thus it’s incapacitated whilst it is charging. This is made up, however, by a much better battery in the Magic Mouse. The Logitech MX Master 2S only seems to last 2 days before the battery runs out whereas the Magic Mouse lasts several weeks. Well, I’d say that my home MX Master 2S only lasts a couple of days – my work MX Master 2S does tend to last a couple of weeks, and both tend to get the same kind of use.

But I’ve had to go back to using a Magic Mouse 2 again because Apple do NOT make it easy if you ever need to reset your Mac’s PRAM, or go into recovery mode with non-standard Apple kit. The following image demonstrates:

Cables, dongles and non-Apple kit – oh my!

I wanted to reset my work 2018 Mac Mini’s PRAM as the USB-C (acting as a DisplayPort cable) to HDMI connected monitors tend to play Russian Roulette every time I switch the Mac on. Sometimes the Mac remembers the right order, and other days it doesn’t. Or sometimes the Mac doesn’t send the signal to the right monitor, necessitating cable fiddling. A PRAM reset might fix that, I thought.

First of all, the Magic Keyboard 2 wasn’t able to get the bloody Mac into PRAM reset mode wirelessly – not without physically attaching the keyboard to the machine via a Lightning to USB-A cable (thankfully the Mac Mini has two USB-A ports). That seemed to work. Then I needed to go into recovery mode to sort out something, but the MX Master 2S mouse wouldn’t work. As you can see above, the Mac’s firmware wanted me to connect an Apple wireless mouse. Any Bluetooth mouse that’s Bluetooth capable (and not an Apple mouse) and has been paired with the Mac beforehand will not work in recovery mode. I had to hook up the MX Master via a micro-USB cable to USB-A to get anything done.

So it’s a mix of battery life, being able to scroll properly on a Magic Mouse 2, and being able to move the mouse pointer effortlessly in Mac’s firmware/recovery mode that’s brought me back to the Magic Mouse.