2018/12/29 16:44:30 Could not obtain certificates acme: Error -> One or more domains had a problem: [www.niem.es] acme: Error 403 - urn:ietf:params:acme:error:caa - Error finalizing order :: Rechecking CAA: While processing CAA for niem.es: CAA record for niem.es prevents issuance, While processing CAA for www.niem.es: CAA record for www.niem.es prevents issuance
Alas, no email received from them either.
If you own a domain, you should certainly configure CAA. It appears to work and is another preventive control against phishing.
One of the things I do when examining a website is to run it through Qualys’s SSL Labs Server Test. It does not provide a ‘security’ score per se, but it is a good first step in making sure sessions are end-to-end encrypted between your users and your website.
TLS v1.1 and earlier have known vulnerabilities, so it’s important to disable them and prevent eavesdropping.
As for CAA, I originally thought this was to prevent man-in-the-middle (MitM) attacks, but reading the RFC says otherwise:
“The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain. Publication of CAA Resource Records allows a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.”
Digging a bit deeper, it appears the CAA RFC supports something interesting called IODEF (a property that tells the CA where to send a report when a request is refused). So of course, I had to see if I could activate it.
That’s something I’ll be testing in a future post.
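To make the error at the top concrete, here is an added example (not the author’s code) of how a CA evaluates CAA before issuing: it walks from the requested name toward the root, uses the closest record set it finds, and refuses when the issuer domain does not match. The zone data is constructed and uses example domains only.

```python
"""Added example: CAA evaluation as a CA performs it (RFC 8659), run over a
constructed in-memory zone so it needs no network access."""
from typing import Dict, List, Tuple

# Constructed zone: name -> CAA RRset as (flags, tag, value). Example names only.
CONSTRUCTED_ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.org": [
        (0, "issue", "letsencrypt.org"),                 # only this CA may issue
        (0, "issuewild", ";"),                           # ";" = nobody may issue wildcards
        (0, "iodef", "mailto:security@example.org"),     # where refusals get reported
    ],
    "blocked.example.org": [(0, "issue", ";")],          # no CA may issue at all
    "strict.example.org": [(128, "futuretag", "x")],     # critical flag on an unknown tag
}
CRITICAL = 128  # the "issuer critical" flag bit


def relevant_caa(name: str, zone) -> Tuple[str, List[Tuple[int, str, str]]]:
    """Walk from `name` toward the root; the closest ancestor-or-self that has
    CAA records supplies the relevant RRset (a leading '*.' is ignored)."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return "", []


def ca_may_issue(name: str, ca_domain: str, zone=CONSTRUCTED_ZONE) -> Tuple[bool, str]:
    """Decide whether `ca_domain` may issue for `name`; returns (allowed, reason)."""
    wildcard = name.startswith("*.")
    origin, rrset = relevant_caa(name, zone)
    if not rrset:
        return True, f"no CAA record found for {name} or its parents"
    known = {"issue", "issuewild", "iodef"}
    if any((flags & CRITICAL) and tag not in known for flags, tag, _ in rrset):
        return False, f"{origin} has a critical CAA property this CA does not understand"
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    # The issuer domain is the text before any ';' parameter list; "" means "no CA".
    issuers = [v.split(";", 1)[0].strip().lower() for _, t, v in rrset if t == tag]
    if not issuers:
        return True, f"{origin} has no {tag} property, so {tag} is unrestricted"
    if ca_domain.lower() in issuers:
        return True, f"{origin} {tag} authorises {ca_domain}"
    return False, f"CAA record for {origin} prevents issuance by {ca_domain}"


def iodef_contacts(name: str, zone=CONSTRUCTED_ZONE) -> List[str]:
    """Addresses a CA should send an IODEF report to for a refused request."""
    _, rrset = relevant_caa(name, zone)
    return [v for _, t, v in rrset if t == "iodef"]
```

Note that `www.blocked.example.org` is refused because the lookup climbs to `blocked.example.org`, which is exactly why the log above blames the parent’s record for the `www` name.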
Update: I’m now at A+:
How? I looked at other sites that were receiving A+ ratings and didn’t find many differences – the key exchange was the same (RSA 2048) and they had 128-bit ciphers as well (similar to my site). HSTS was the big difference, so I added this to my httpd.conf under the :443 virtual server:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
A few years ago I read a medium post where the author describes how she reads so much. A big part of her strategy was to use her Amazon Kindle Paperwhite. The device is dedicated to reading (no other apps to distract you), has a great backlit screen, and can be held in almost any direction while continuing to read. One of the issues with this approach was how to get books to read on the device without breaking the bank. Here’s my technique which has allowed me to read almost anything I want.
Get as many library cards as you can
In California, this requires you to show up physically at library locations and present your ID.
I decided that before 2018 was out, I’d try to tackle my online presence and remove any unused accounts. I started by opening LastPass and running through the Security Challenge, and let me tell you, it was pretty pathetic. I don’t recall my exact score, but it was dismal. It took a while, but I did manage to raise my score quite a bit, and I learned some tips along the way.
In short: I wanted to reduce my ‘attack surface’. With all the data breaches we had in 2018 (and earlier), I knew that the best way to protect myself online was to simply remove (or sometimes change) any of my personal information that sites had. Not to pick on any site in particular, let’s take Groupon. I am not a user of Groupon, although I have / had an account. It had my personal address on it, my phone number, and other identifying information. Since I had not used Groupon in quite a while, I logged on, changed my password, changed my address and phone number, and emailed customer service to delete my account.
I basically repeated this process about 100 times.
What I learned is that most sites do not have an easy way to delete accounts. You wind up having to contact customer service, which is fine but does take more time than a simple click. The other thing is – how do you actually know they’ve removed your account? I know from working at a large enterprise that customer data gets everywhere, and it’s hard to truly delete it from all systems, especially backups, and maybe the loose Excel spreadsheet that someone in marketing has.
Pro tip: don’t create new accounts, or if you do, use throwaway information like an email that doesn’t have any PII in the address. In other words, use something like “firstname.lastname@example.org” instead of “email@example.com”