CAA Test Results

As promised, I’ve been testing Certification Authority Authorization (CAA) with some Certificate Authorities and here’s what I found so far:

Amazon Certificate Manager (ACM)

It does not appear they honor the IODEF since I didn’t receive an email.

Let’s Encrypt appears to also block issuance:

Let’s Encrypt (using lego)

2018/12/29 16:44:30 Could not obtain certificates acme: Error -> One or more domains had a problem:
[www.niem.es] acme: Error 403 - urn:ietf:params:acme:error:caa - Error finalizing order :: Rechecking CAA: While processing CAA for niem.es: CAA record for niem.es prevents issuance, While processing CAA for www.niem.es: CAA record for www.niem.es prevents issuance

Alas, no email received from them either.

If you own a domain, you should certainly configure CAA. It worked with both CAs tested here, and it is a cheap preventive control against certificate mis-issuance: an attacker who manages to pass domain validation at some other CA (for a phishing clone of your site, say) is refused by every CA that honours your record. Keep in mind that CAA is enforced by the CA at issuance time only; browsers never consult it, so it does nothing about a certificate that has already been issued.
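The lookup and decision rules the CAs above are applying, as an added example that is not code from the post or from any CA: a minimal CAA policy evaluator following the RFC 6844 / RFC 8659 algorithm, run against a constructed in-memory zone. The records for niem.es below are invented for the demo (the post does not show the real zone), no DNS traffic is sent, and CNAME/DNAME following, which the RFCs also specify, is left out.

```python
"""Added example, not code from the post or from any CA: a minimal CAA policy
evaluator that applies the RFC 6844 / RFC 8659 lookup rules to a constructed
in-memory zone. It does no DNS; the records for niem.es below are invented
for the demo (the post does not show the real zone). CNAME/DNAME following,
which the RFCs also specify, is left out."""
from dataclasses import dataclass

ISSUER_CRITICAL = 128   # CAA flags bit: a CA that does not understand the tag must not issue


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str     # "issue", "issuewild", "iodef"
    value: str   # issuer domain plus optional ";k=v" parameters; ";" alone means "nobody"


# Constructed zone: apex allows Let's Encrypt, forbids all wildcards, asks for reports;
# one subdomain overrides the apex policy; example.org publishes nothing.
ZONE = {
    "niem.es": [CAARecord(0, "issue", "letsencrypt.org"),
                CAARecord(0, "issuewild", ";"),
                CAARecord(0, "iodef", "mailto:security@niem.es")],
    "legacy.niem.es": [CAARecord(0, "issue", "amazon.com")],
    "example.org": [],
}


def relevant_caa(zone, fqdn):
    """The relevant RRset is the first non-empty CAA set found walking from the
    name up through its parents (RFC 8659 section 3). Returns (owner, records)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        records = zone.get(owner)
        if records:
            return owner, records
    return None, []


def parse_issuer(value):
    """'letsencrypt.org; validationmethods=dns-01' -> ('letsencrypt.org', {...});
    ';' -> ('', {}), which no real issuer domain can match."""
    head, *rest = (p.strip() for p in value.split(";"))
    params = dict(p.split("=", 1) for p in rest if "=" in p)
    return head.lower(), params


def may_issue(zone, fqdn, ca_domain, wildcard=False):
    """Decide, as a CA identifying itself as ca_domain would, whether it may
    issue for fqdn (or *.fqdn when wildcard is True). Returns (allowed, reason)."""
    owner, records = relevant_caa(zone, fqdn)
    if not records:
        return True, "no CAA policy found at any level; issuance unrestricted"
    known = {"issue", "issuewild", "iodef"}
    for r in records:
        if r.flags & ISSUER_CRITICAL and r.tag.lower() not in known:
            return False, f"unknown critical property {r.tag!r} at {owner}"
    # issuewild governs wildcard names only when present; otherwise issue applies.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"
    issuers = [parse_issuer(r.value)[0] for r in records if r.tag.lower() == tag]
    if not issuers:
        return True, f"no {tag!r} property at {owner}; issuance unrestricted"
    if ca_domain.lower() in issuers:
        return True, f"{ca_domain} is authorised by {tag!r} at {owner}"
    return False, f"{tag!r} at {owner} authorises {issuers}, not {ca_domain}"


def iodef_targets(zone, fqdn):
    """Where the domain holder asked CAs to report refused requests. The RFC
    leaves sending such reports optional, which matches the post's experience."""
    return [r.value for r in relevant_caa(zone, fqdn)[1] if r.tag.lower() == "iodef"]


if __name__ == "__main__":
    for name, ca, wild in [("www.niem.es", "letsencrypt.org", False),
                           ("www.niem.es", "amazon.com", False),
                           ("niem.es", "letsencrypt.org", True),
                           ("legacy.niem.es", "amazon.com", True)]:
        print(("*." if wild else "") + name, ca, may_issue(ZONE, name, ca, wild))
```

Note that the closest RRset wins outright and parents are not merged: a wildcard request for legacy.niem.es is decided by that name's own records, so the apex `issuewild ";"` does not apply to it. That is the usual surprise when a subdomain owner publishes their own CAA record.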

Getting to A+ with Qualys

One of the things I do when examining a website is to run it through Qualys’s SSL Labs Server Test. It does not provide a ‘security’ score per se, but it is a good first step in making sure sessions between your users and your website are encrypted with current protocols and ciphers.

As of 5:23PM on 28 Dec 2018 I have an A:

How do I get to A+?

How did I achieve this score?

  1. Disabled old / weak SSL / TLS protocols
  2. Enabled CAA policy

Here are the relevant httpd.conf lines (the commented-out line is the old setting, which still left TLS 1.0 and 1.1 enabled):

<...>
Listen 443
#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol TLSv1.2
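To see exactly what each of those two directives enables, here is an added example (not code from the post or from Apache) that applies mod_ssl's word-by-word `SSLProtocol` semantics. It assumes httpd 2.4 linked against OpenSSL 1.0.2, so `all` expands to SSLv3 through TLSv1.2 and there is no TLSv1.3 to consider.

```python
"""Added example, not code from the post or from Apache: work out which protocol
versions an Apache mod_ssl `SSLProtocol` line enables, so the commented-out and
active lines in the post can be compared. Assumption: httpd 2.4 linked against
OpenSSL 1.0.2, so 'all' expands to SSLv3..TLSv1.2 (no TLSv1.3) and SSLv2 can
never be enabled."""

# Version order is used only for the returned list; the assumption above fixes the set.
SUPPORTED = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
KNOWN = {"sslv2": "SSLv2", **{p.lower(): p for p in SUPPORTED}}
# Deprecated by RFC 6176 (SSLv2), RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0 / 1.1).
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def enabled_protocols(directive):
    """Apply mod_ssl's word-by-word semantics: 'all' means every supported
    version, '+X' or a bare 'X' adds a version, '-X' removes one. Words are
    processed left to right, so 'all -SSLv3' and '-all +TLSv1.2' both work."""
    words = directive.strip().split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive")
    enabled = set()
    for word in words[1:]:
        remove = word.startswith("-")
        name = word.lstrip("+-").lower()
        if name == "all":
            names = SUPPORTED
        elif name in KNOWN:
            names = [KNOWN[name]]
        else:
            raise ValueError(f"unknown protocol keyword {word!r}")
        for proto in names:
            if remove:
                enabled.discard(proto)
            elif proto in SUPPORTED:   # SSLv2 is a known keyword but never enabled
                enabled.add(proto)
    return [p for p in SUPPORTED if p in enabled]


def weak_protocols(directive):
    """The deprecated versions a directive still leaves switched on."""
    return [p for p in enabled_protocols(directive) if p in WEAK]


if __name__ == "__main__":
    for line in ("SSLProtocol all -SSLv2 -SSLv3", "SSLProtocol TLSv1.2"):
        print(f"{line:32} -> enabled {enabled_protocols(line)}, weak {weak_protocols(line)}")
```

Run against the post's two lines, the old `all -SSLv2 -SSLv3` form still leaves TLSv1 and TLSv1.1 enabled, while the bare `TLSv1.2` form enables that version alone; `-all +TLSv1.2` is the equivalent spelling that also reads correctly on builds where `all` includes TLSv1.3.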

And for CAA, I followed the guide here.

Why are these items important?

  1. SSLv2, SSLv3, TLS 1.0 and TLS 1.1 have known weaknesses (POODLE against SSLv3, BEAST against TLS 1.0 CBC ciphers, and no AEAD cipher suites before TLS 1.2), so disabling everything below TLS 1.2 removes downgrade and eavesdropping opportunities
  2. As for CAA, I originally thought this was to prevent man-in-the-middle (MitM) attacks, but the RFC (RFC 6844) says otherwise:
The Certification Authority Authorization (CAA) DNS Resource Record
   allows a DNS domain name holder to specify the Certification
   Authorities (CAs) authorized to issue certificates for that domain.
   Publication of CAA Resource Records allows a public Certification
   Authority to implement additional controls to reduce the risk of
   unintended certificate mis-issue.

Digging a bit deeper, the CAA RFC also defines an iodef property: a mailto: or https: URL to which a CA can report certificate requests that its CAA check refused. Sending such reports is optional on the CA’s side, so a missing email does not by itself prove the record was ignored. So of course, I had to see if I could activate it.

That’s something I’ll be testing in a future post.

Update: I’m now at A+:

29 Dec 2019

How? I looked at other sites that were receiving A+ ratings and didn’t find many differences – key exchange was the same (RSA 2048) and they had ciphers that were 128 bits as well (similar to my site). HSTS was the big difference, and so I added this to my httpd.conf under the :443 virtual host:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

SSL Labs awards A+ only when HSTS is present with a max-age of at least six months, which this one-year value satisfies. Before adding includeSubDomains, check that every subdomain (including ones that are not on the certificate) already serves valid HTTPS: once a browser has seen the header it will refuse plain HTTP to all of them for the full max-age.
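An added example, not code from the post, that parses a Strict-Transport-Security header and checks it against the SSL Labs A+ rule and the hstspreload.org submission rules. The six-month threshold (15552000 seconds) and the one-year preload minimum are taken from those sites' published criteria and are stated as assumptions in the code; the header values it runs over are the post's own line plus constructed variants.

```python
"""Added example, not from the post: parse a Strict-Transport-Security header
and check it against the SSL Labs A+ rule (HSTS with max-age of at least six
months) and the hstspreload.org submission rules. Assumptions: the six-month
threshold of 15552000 seconds and the one-year preload minimum are taken from
those sites' published criteria; the header values below are constructed."""
import re

SIX_MONTHS = 15_552_000     # 180 days, the SSL Labs A+ threshold (assumption)
ONE_YEAR = 31_536_000       # hstspreload.org minimum max-age (assumption)


def parse_hsts(value):
    """RFC 6797 section 6.1: ';'-separated directives, case-insensitive names,
    an optionally quoted max-age value, and a directive appearing twice makes
    the whole header invalid. Returns {name: value} with names lower-cased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        raise ValueError("max-age missing or not a non-negative integer")
    return directives


def assess_hsts(value):
    """Return (a_plus, notes): a_plus is True when the header satisfies the
    A+ rule; notes lists caveats to read before deploying the header."""
    try:
        d = parse_hsts(value)
    except ValueError as err:
        return False, [f"invalid header, browsers will ignore it: {err}"]
    max_age = int(d["max-age"])
    notes = []
    if max_age == 0:
        notes.append("max-age=0 tells browsers to forget the policy (used to back out)")
    elif max_age < SIX_MONTHS:
        notes.append(f"max-age {max_age} is under six months, not enough for A+")
    if "includesubdomains" in d:
        notes.append("includeSubDomains: every subdomain must already serve valid "
                     "HTTPS, or it becomes unreachable for the whole max-age")
    else:
        notes.append("no includeSubDomains: subdomains stay reachable over plain HTTP")
    if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
        notes.append("preload needs max-age >= 1 year and includeSubDomains")
    return max_age >= SIX_MONTHS, notes


if __name__ == "__main__":
    # The header from the post as written, plus two constructed variants.
    for header in ("max-age=31536000;   includeSubDomains",
                   "max-age=300",
                   'max-age="15552000"; includeSubDomains; preload'):
        ok, notes = assess_hsts(header)
        print(f"{header!r}: A+ eligible={ok}")
        for n in notes:
            print("   -", n)
```

The checker only covers the HSTS rule; SSL Labs still requires the rest of the scan (protocols, key exchange, cipher strength) to be clean before it upgrades an A to A+.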

How I Read Kindle Books (for free)

A few years ago I read a medium post where the author describes how she reads so much. A big part of her strategy was to use her Amazon Kindle Paperwhite. The device is dedicated to reading (no other apps to distract you), has a great backlit screen, and can be held in almost any direction while continuing to read. One of the issues with this approach was how to get books to read on the device without breaking the bank. Here’s my technique which has allowed me to read almost anything I want.

  • Get as many library cards as you can
    • In California, this requires you to show up physically at library locations and present your ID
  • Get the Libby app (iOS or Android)
    • Alternatively / in addition use the OverDrive app on your computer
  • Register each library card with the Libby app
  • Search for and place holds on any eBooks you want
  • When they’re available, simply choose the option to check out to Kindle, which will bring up a window for amazon and allow you to check out the library book

Using this method I’ve managed to read almost everything I want for free.

Privacy in the Digital Age

I decided that before 2018 was out, I’d try to tackle my online presence and remove any unused accounts. I started by opening LastPass and running through the security challenge and let me tell you, it was pretty pathetic. I don’t recall my exact score but it was dismal. It took a while but I did manage to raise my score quite a bit and I learned some tips along the way.

In short: I wanted to reduce my ‘attack surface’. With all the data breaches we had in 2018 (and earlier) I knew that the best way to protect myself online was to simply remove (or sometimes change) any of my personal information that sites had. Not to pick on any site in particular let’s take groupon. I am not a user of groupon although I have / had an account. It had my personal address on it, my phone number, and other identifying information. Since I had not used groupon in quite a while, I logged on, changed my password, changed my address and phone number, and emailed customer service to delete my account.

I basically repeated this process about 100 times.

What I learned is that most sites do not have an easy way to delete accounts. You wind up having to contact customer service, which is fine but does take more time than a simple click. The other thing is – how do you actually know they’ve removed your account? I know from working at a large enterprise that customer data gets everywhere and it’s hard to truly delete it from all systems, especially backups and maybe the loose Excel spreadsheet that someone in marketing has.

Pro tip: don’t create new accounts, or if you do, use throwaway information like an email that doesn’t have any PII in the address. In other words, use something like “lastunicorn2018@gmail.com” instead of “joe.smith@gmail.com”