From f45ca4e2dbc73cf9451804392a5152aad4af92ce Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 8 Feb 2014 09:57:04 +0000 Subject: [PATCH] HTTPS --- beaglebone.txt | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/beaglebone.txt b/beaglebone.txt index 3d49f866..2dfb96bd 100644 --- a/beaglebone.txt +++ b/beaglebone.txt @@ -132,7 +132,12 @@ ssh-keygen -R #+END_SRC *** Passwords It's highly recommended that you use a password manager, such as KeepassX, and make all your passwords long random strings. It's also a good idea to use different passwords for different pieces of software, instead of one or two passwords for the whole system. That compartmentalises the security such that even if an attacker gains access to one system they can't necessarily get access to others. +*** HTTPS +Throughout these instructions self signed SSL certificates are used to implement access to web pages via HTTPS. The whole HTTPS security model upon which much of the internet currently rests seems broken in that it usually depends upon "trusted certificate authorities" who are not really trusted, except perhaps by the maintainers of certain web browser software. So all that HTTPS really guarantees is that you have an encrypted connection, but an encrypted connection /to who/ can be subject to doubt. As was seen in 2013 with the [[https://www.schneier.com/essay-455.html][information coming from Edward Snowden]], and also the [[http://en.wikipedia.org/wiki/Lavabit][Lavabit email service]], it's possible for companies/organisations to be compromised or bribed and SSL private keys for all users can be demanded using gagging orders or secret laws without any individual user ever being able to know that their communications is no longer secure.. + +Not knowing who you're really connecting to is especially true for self-signed certificates, so it is in principle possible that when logging into a site with a username and password a system such as [[http://arstechnica.com/tech-policy/2013/11/uk-spies-continue-quantum-insert-attack-via-linkedin-slashdot-pages/][Quantum Insert]], or a compromised [[http://en.wikipedia.org/wiki/Domain_Name_System][DNS service]], could be used to direct the user to a fake copy of the login screen for the purposes of obtaining their login details. While this doesn't seem to be a major problem at the time of writing it's something to keep in mind. So if you can't log in or if you log in and what you see doesn't look like your site then it's possible that such a compromise could have taken place. Using a password manager with different login details for each site is one way to ensure that if one system is compromised then the attacker can't necessarily get access to all your other stuff. ** Initial + Plug the microSD card into the BBB and Connect the USB cable to your laptop/desktop, then login via ssh. #+BEGIN_SRC: bash @@ -906,7 +911,7 @@ service dovecot restart ** Setting up a web site #+BEGIN_VERSE -/I hope we will use the Net to cross barriers and connect cultures./ +/It's important to have the geek community as a whole think about its responsibility and what it can do. We need various alternative voices pushing back on conventional government sometimes./ -- Tim Berners-Lee #+END_VERSE