Julien Savoie has written a brilliant post explaining how you can enable https on your intranet. This is useful for several reasons. It means your employees aren't constantly fighting browser warnings when trying to submit stuff internally. All your http traffic is encrypted. You don't need to install a self-generated root certificate on devices. Lovely! But there's a downside. Every TLS certificate created by Let's Encrypt is recorded in a Certificate Transparency log. These CT logs are…
Continue reading →
I'm the sort of hip cat who frequents Internet Bulletin Boards. Recently I found myself needing to verify the email address associated with my Reddit account. The email I received from Reddit was charmingly lo-fi and eschewed those bourgeois capital letters. Notice the (teensy tiny) flaw? Yup, it's using vanilla "http" rather than the super secure "https". Earlier this year, Reddit switched on SSL for their entire site. Somewhat annoyingly though, they do not force SSL for the site. If…
Continue reading →
Right, that's enough keyword stuffing! I've been trying to mount an OwnCloud instance via WebDAV. I kept receiving the error Mounting failed. SSL handshake failed: SSL error: sslv3 alert handshake failure Or SSL handshake failed: SSL alert received: Handshake failed The route of this problem seems to be that the version of libneon (the WebDAVS connector library) shipped with Ubuntu 12.04 doesn't play nicely with the SSL certificates issued by CloudFlare. Here's the solution I…
Continue reading →
I'm trying out the new Android app for Path - the new social networking service. I've discovered something rather troubling... Most of the app's communication with the Path servers is over SSL. This means that no-one can see the data you're sending and receiving. If there are snoops on your network, they will only be able to see the encrypted data flowing back and forth. In general, this is a good thing. Apart from images. If your friends are posting images, they are sent over http. No…
Continue reading →
Quick Summary Twitter's secure API hides the contents of the tweets you are reading. But it doesn't hide the images of those you converse with. Raised as Issue 2175. A Bit More Detail Twitter has a secure (HTTPS) and insecure (HTTP) API. When calling the secure API, all the content of the returned message (tweets) are encrypted. Eavesdroppers only see the cipher-text - essentially garbage. However, within that cipher-text are links to insecure resources. For example, a user requesting…
Continue reading →
