
Shellshock and other assorted computer security stuff


pwhodges:
There must be a setting I've turned off, because I don't get that warning.

Nor do I have a secure web server to hand; I guess the time is coming to think about that.  I think there was a reason I didn't set one up ages ago...  Ah, I remember, something to do with having a reverse proxy and multiple web sites - I have multiple URLs on the same port, and SSL negotiation precedes the exchange of headers, so the site name is unknown and the certificate can't be identified - something like that.  Plus my port 443 is already dedicated to the mail server's web mail.

I may be out of date about the restrictions, so I'll investigate that.

pwhodges:
I'll look at the avatar code in the forum software; the problem may be similar to that which I've just fixed to get YouTube back (SoundCloud will follow tomorrow).

ev4n:
Fwiw, my home PC has been unable to browse to forums.questionablecontent.net since the patch, in either chrome or IE.

I'm patching and scanning to try to find a problem on my side.

ankhtahr:
So let's bring back some life into this thread with more general computer security and crypto stuff!

I'm currently working on finally getting some order and safety into my data security.

I've rented a lock box in a bank, where I store paper copies and a USB stick containing encrypted digital copies of private keys and such things.

I've never really used GPG before, because I wanted to read some more about it to not do anything wrong. I've decided to use an additional subkey for signing, so I can leave my Master key in the lock box unless I want to sign other people's keys.

I'll also keep a backup of the configuration of my Yubikey in there, so I can finally start using Keepass with OTP, without having to worry about losing my Yubikey and thus access to all my passwords. Oh. Fallback passwords for anything which is secured with the Yubikey are in the lockbox as well. Probably a backup of the LUKS headers of my encrypted hard drives as well.

What do you guys do to keep your data safe and secure?

pwhodges:

--- Quote from: pwhodges on 16 Oct 2014, 16:58 ---I'll look at the avatar code in the forum software; the problem may be similar to that which I've just fixed to get YouTube back (SoundCloud will follow tomorrow).

--- End quote ---

I never mentioned here that I spent time trying to make a patch to fix this, but it got too complex to finish.  It's been sorted in the next major release of the forum, which has just entered public beta, but that will be at least a year away on past performance.


I've spent a lot of time in the past week on web security issues at work, getting the https security on three old websites up from an F on the tester I use to B, B and A-.  The A- one (running Tomcat v6) could have been an A, but only by dropping support for browsing in Windows XP, and many of the users are still on XP (they're in the NHS, which is rather behind in that matter).  The other two are running IIS6, which can't do better; but they are both due for replacement quite soon.  My own website (Apache 2.4) has a straight A, of course.


I've been wondering about suggesting Yubikey and AuthLite for two-factor authentication in the IT services I run.
