
posted by NCommander on Monday August 15 2016, @07:01PM
from the fiddling-for-the-greater-good dept.

Since people seem to rather enjoy it when I run articles on backend upgrades, here's another set of changes I made over the last week as I get back into the full swing of working on the site.

The short list:

  • Migrated Beryllium (which hosts wiki+IRC+mail) to Apache 2.4
    • Upgraded said machine to PHP7
    • Needed to support OCSP stapling
    • Validating final checks before deploying HSTS to all public domains
    • Upgraded MediaWiki, SquirrelMail, and YOURLS to PHP7 compatible versions
  • Worked with TheMightyBuzzard and user comments to determine additional XSS protection headers we should deploy
  • Found (and removed) SSLv3 support on postfix and dovecot
  • Deployed DNSSEC on in preparation for signing (here's the test results)

Read past the fold for more information.

Beryllium Upgrades

Beryllium is our "misc" services box. It basically hosts everything that isn't related to site infrastructure, such as the wiki, our IRC server, and mail. Last week, I went through and fixed our SSL/TLS configuration on this machine to make sure that we were serving properly validated certificates, and that we had strong encryption on this box. While I succeeded on that front, Apache needed to be upgraded to 2.4 to support a somewhat obscure TLS feature known as OCSP stapling, which I wanted for performance reasons.

What is OCSP stapling, you ask? Well, to answer that, I need to take a moment to go into how SSL certificates work. Whenever a CA issues a certificate, it is essentially saying "this public key belongs to this site, and we attest to it". In a perfect world, a CA would never make a mistake, private keys would never leak, and we could always assume that a certificate is good. We don't live in that world, so certificate authorities sometimes need to revoke a certificate before it expires. OCSP (the Online Certificate Status Protocol) is one of two ways to publish a revocation, and is the only method Let's Encrypt supports for its certificates.

OCSP is a replacement for the older certificate revocation lists (CRLs), which in real life rarely if ever worked as advertised. It's meant to let the browser learn, in near real time, whether a certificate is still good and react accordingly. OCSP, however, requires that the browser check with the certificate authority's OCSP responder, leaking to the CA the fact that user X is connecting to site Y. It also means that if access to the OCSP responder is blocked or slow, most browsers "soft-fail" and carry on as if the certificate were fine, so a user might never learn that it has been revoked. OCSP stapling addresses both problems by having our server fetch the OCSP response itself (it is signed by the CA and only valid for a limited window) and send it to the client as part of the TLS handshake, both improving performance and closing the privacy leak. One caveat: stapling on its own does not fix the soft-fail behaviour, since a client that receives no staple simply falls back to its usual handling; that only changes if the certificate carries the OCSP Must-Staple extension and the client enforces it.

Unfortunately, OCSP stapling requires Apache 2.4, which meant building it from source and then migrating sites over from the older Apache 2.2 install. At the same time, I went through and upgraded to PHP 7, and updated the other web applications we were using. For the most part this was rather painless, though I'm still tinkering with MediaWiki to make it happy on the new setup.

Besides the usual Apache pain, I went through and scanned our other major services and disabled SSLv3 support on postfix (SMTP) and dovecot (IMAP). I still need to replace our self-signed certs with real ones here, but that's a 'one step at a time' thing.
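The two TLS changes above (an OCSP staple on the Apache vhosts, SSLv3 refused by postfix and dovecot) are easy to verify from the outside with nothing more than openssl s_client. The script below is an added example written for this article, not SoylentNews' own tooling: the host names, ports, the server-side settings quoted in the header comment and the sample transcripts are all assumptions. The parsers are exercised offline against constructed transcripts; the live probes only run when a host is given on the command line.

```shell
#!/bin/sh
# tls_probe.sh: checks for an OCSP staple on 443 and for SSLv3 being refused on
# SMTP (STARTTLS) and IMAPS. Example code for this article, not SoylentNews'
# own tooling; hosts, ports and sample transcripts are assumptions.
#
# Server-side settings these probes verify (typical 2016-era values, assumed):
#   Apache 2.4, server context: SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
#   Apache 2.4, TLS vhost:      SSLUseStapling on
#                               SSLStaplingReturnResponderErrors off
#                               SSLProtocol all -SSLv2 -SSLv3
#   postfix main.cf:            smtpd_tls_protocols = !SSLv2, !SSLv3
#                               smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
#   dovecot conf.d/10-ssl.conf: ssl_protocols = !SSLv2 !SSLv3

# probe HOST PORT STARTTLS [extra s_client args]
# Prints the raw openssl s_client transcript. STARTTLS is "" for implicit TLS
# (443, 993) or the protocol name (smtp) for opportunistic TLS on port 25.
probe() {
    _host=$1; _port=$2; _starttls=$3
    shift 3
    if [ -n "$_starttls" ]; then
        openssl s_client -connect "$_host:$_port" -starttls "$_starttls" "$@" </dev/null 2>&1
    else
        openssl s_client -connect "$_host:$_port" -servername "$_host" "$@" </dev/null 2>&1
    fi
}

# Reads an `s_client -status` transcript on stdin; succeeds when the server
# stapled an OCSP response and the CA marked it "successful". Without a staple
# s_client prints "OCSP response: no response sent" instead.
staple_present() {
    grep -q 'OCSP Response Status: successful'
}

# Reads an `s_client -ssl3` transcript on stdin; succeeds only if a real SSLv3
# session was negotiated. A refused handshake still prints an SSL-Session block
# with "Protocol : SSLv3" but with Cipher 0000 or (NONE), so the protocol line
# alone would be a false positive.
sslv3_accepted() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            ok = (proto == "SSLv3" && cipher != "" && cipher != "0000" && cipher != "(NONE)")
            exit ok ? 0 : 1
        }'
}

# Constructed, abridged transcripts (not captured from a real host) so the
# parsers can be exercised offline.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_NO_STAPLE='OCSP response: no response sent
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_SSLV3_OK='SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA'
SAMPLE_SSLV3_REFUSED='SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

# Runs the parsers over the samples; exits 0 when all four verdicts match.
selfcheck() {
    printf '%s\n' "$SAMPLE_STAPLED"       | staple_present || return 1
    printf '%s\n' "$SAMPLE_NO_STAPLE"     | staple_present && return 1
    printf '%s\n' "$SAMPLE_SSLV3_OK"      | sslv3_accepted || return 1
    printf '%s\n' "$SAMPLE_SSLV3_REFUSED" | sslv3_accepted && return 1
    return 0
}

# Live probes, only when a host is given:  sh tls_probe.sh mail.example.org
# -ssl3 needs an openssl build that still contains SSLv3 (true of the 1.0.x
# builds of the time); if yours reports "unknown option -ssl3", the SSLv3
# result is inconclusive rather than a pass.
if [ -n "${1:-}" ]; then
    host=$1
    if probe "$host" 443 "" -status | staple_present; then
        echo "443/tcp: OCSP staple present"
    else
        echo "443/tcp: no OCSP staple (check SSLUseStapling and SSLStaplingCache)"
    fi
    for target in "25 smtp" "993 "; do
        set -- $target
        if probe "$host" "$1" "${2:-}" -ssl3 | sslv3_accepted; then
            echo "$1/tcp: SSLv3 ACCEPTED, disable it"
        else
            echo "$1/tcp: SSLv3 refused"
        fi
    done
fi
```

The SSLv3 parser deliberately looks at the negotiated cipher rather than just the protocol line, because s_client reports "Protocol : SSLv3" even when the server slammed the door; that mistake turns a passing check into a false alarm on every correctly hardened host.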

XSS Mitigation

During the last site status article, an AC pointed us at this handy site showing security headers. As such, TheMightyBuzzard and I will be going through and enabling these (with the exception of public key pinning) on production sometime this week. HPKP requires quite a bit of planning to deploy, and we're not ready to take that step just yet.
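A quick way to confirm the rollout is to pull the response headers and diff them against the set that site grades. The script below is an added example for this article, not SoylentNews' or TheMightyBuzzard's code: the host, the Apache directives quoted in the comment, the header values and the sample responses are assumptions. It checks the 2016 securityheaders.io set minus Public-Key-Pins, which the article defers, and also extracts the HSTS max-age so a staged rollout can be tracked.

```shell
#!/bin/sh
# headers_check.sh: checks a site for the response-header hardening set.
# Example code for this article, not SoylentNews' own; the host, header values
# and sample responses are assumptions.
#
# Apache 2.4 side (mod_headers), in the TLS vhost only. HSTS must never be sent
# on plain http://, and is safest rolled out with a short max-age that is raised
# only once every host under the domain serves HTTPS, since browsers cache it:
#   Header always set Strict-Transport-Security "max-age=300"
#   Header always set X-Content-Type-Options "nosniff"
#   Header always set X-Frame-Options "SAMEORIGIN"
#   Header always set X-XSS-Protection "1; mode=block"
#   Header always set Content-Security-Policy "default-src 'self'"
# (The CSP value is a placeholder; a site with inline scripts needs a real policy.)

WANTED='strict-transport-security x-content-type-options x-frame-options x-xss-protection content-security-policy'

# Reads raw HTTP response headers on stdin, prints each wanted header that is
# absent (one per line) and exits 0 only when none are missing. Field names are
# compared case-insensitively, as HTTP requires.
missing_headers() {
    awk -v wanted="$WANTED" '
        BEGIN { n = split(wanted, w, " ") }
        { name = tolower($0); sub(/:.*$/, "", name); seen[name] = 1 }
        END {
            miss = 0
            for (i = 1; i <= n; i++) if (!(w[i] in seen)) { print w[i]; miss++ }
            exit (miss > 0)
        }'
}

# Prints the max-age from a Strict-Transport-Security header on stdin (nothing
# if absent), for tracking a staged rollout.
hsts_max_age() {
    awk 'tolower($0) ~ /^strict-transport-security:/ {
             if (match(tolower($0), /max-age=[0-9]+/))
                 print substr($0, RSTART + 8, RLENGTH - 8)
         }'
}

# Constructed sample responses (not captured from a real server).
SAMPLE_HARDENED="HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=300; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Content-Type: text/html; charset=utf-8"
SAMPLE_BARE="HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8"

# Exercises both parsers on the samples; exits 0 when all verdicts match.
selfcheck() {
    printf '%s\n' "$SAMPLE_HARDENED" | missing_headers >/dev/null || return 1
    [ "$(printf '%s\n' "$SAMPLE_HARDENED" | hsts_max_age)" = "300" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_BARE" | missing_headers | wc -l | tr -d ' ')" = "5" ] || return 1
    return 0
}

# Live check:  sh headers_check.sh https://www.example.org/
# Headers come from a GET (-D -) rather than HEAD, since some servers answer
# the two differently; CRs are stripped so the awk field matching works.
if [ -n "${1:-}" ]; then
    if curl -sS -o /dev/null -D - "$1" | tr -d '\r' | missing_headers; then
        echo "all expected headers present"
    else
        echo "missing headers listed above"
    fi
fi
```

Run it against both the https:// and the http:// URL: the first should come back clean, and the second should list strict-transport-security as missing, which is the correct result, since emitting HSTS on the plain-text vhost is a misconfiguration.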

DNSSEC

I've talked about wanting to deploy DNSSEC before, but various other things kept cropping up. That, combined with outdated and misleading documentation, kept me from actually getting around to it for ages. Over the weekend, I finally dug down and figured out the current best practices for DNSSEC, and with the help of audioguy, configured BIND to do automatic signing of the domain and uploaded our keys to our registrar.

As such, the domain now has a fully validated signature chain, and a green key when checked with the DNSSEC validator. We will be signing sometime in the near future; however, we ran into some DNS zone transfer issues between our nameservers and Linode which caused the RRSIG records not to be transferred properly. While this has been resolved for now, we're currently talking with Linode to understand why the transfer went pear-shaped and to prevent a second occurrence.
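The transfer problem described above is exactly the failure mode worth scripting a check for: a validating resolver that happens to pick a secondary without the signed copy gets a bogus answer even though the primary looks perfect. The script below is an added example written for this article, not SoylentNews' or audioguy's setup: the zone name, key directory, the BIND configuration quoted in the comment, the resolver address and the sample dig output are assumptions. It queries each authoritative server separately for RRSIGs and then asks a validating resolver whether it sets the AD flag.

```shell
#!/bin/sh
# dnssec_check.sh: does every authoritative server for the zone hand out
# RRSIGs, and does a validating resolver accept the chain? Example code for
# this article, not SoylentNews' own tooling; zone name, key directory,
# resolver address and sample dig output are assumptions.
#
# Server side, BIND 9.9+ inline signing as assumed here (KEYTAG is whatever
# dnssec-keygen printed):
#   dnssec-keygen -K /etc/bind/keys -a RSASHA256 -b 2048 example.org          # ZSK
#   dnssec-keygen -K /etc/bind/keys -a RSASHA256 -b 2048 -f KSK example.org   # KSK
#   zone "example.org" {
#       type master; file "/etc/bind/zones/example.org";
#       key-directory "/etc/bind/keys";
#       auto-dnssec maintain; inline-signing yes;
#   };
#   dnssec-dsfromkey -2 /etc/bind/keys/Kexample.org.+008+KEYTAG.key   # DS for the registrar
# With inline signing the signed data is served from BIND's own signed copy, so
# a secondary that has not completed a transfer of it keeps answering from its
# older, unsigned copy. Validating resolvers that hit that server see a bogus
# zone, which is why each NS is queried separately below.

ZONE=${ZONE:-example.org}

# Reads `dig +dnssec` output on stdin; prints the number of RRSIG records in the
# ANSWER section (0 when the server is not serving the signed zone).
rrsig_count() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/                 { in_answer = 0 }
        in_answer && $4 == "RRSIG" { n++ }
        END { print n + 0 }'
}

# Reads `dig +dnssec` output on stdin; succeeds if the resolver set the AD
# (authenticated data) flag, i.e. it validated the chain itself.
ad_flag_set() {
    grep -q '^;; flags:.* ad[ ;]'
}

# Queries each authoritative server directly and reports how many RRSIGs it
# returns for the zone's SOA; a server answering 0 lacks the signed copy.
check_authoritatives() {
    for ns in $(dig +short NS "$ZONE"); do
        n=$(dig +dnssec +norecurse @"$ns" "$ZONE" SOA | rrsig_count)
        echo "$ns: $n RRSIG(s) on SOA"
    done
}

# Asks a validating public resolver (8.8.8.8 is the assumption) and checks the
# AD flag; `delv` does the same validation locally where it is installed.
check_validation() {
    if dig +dnssec @8.8.8.8 "$ZONE" SOA | ad_flag_set; then
        echo "$ZONE: validated (AD flag set)"
    else
        echo "$ZONE: NOT validated (no AD flag)"
    fi
}

# Constructed, abridged dig output (not captured from real servers; the RRSIG
# signature field and key tag are placeholders).
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.  3600  IN  SOA    ns1.example.org. hostmaster.example.org. 2016081501 7200 3600 1209600 3600
example.org.  3600  IN  RRSIG  SOA 8 2 3600 20160914000000 20160815000000 12345 example.org. c29tZWJhc2U2NA==

;; Query time: 20 msec'
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.  3600  IN  SOA    ns1.example.org. hostmaster.example.org. 2016081501 7200 3600 1209600 3600

;; Query time: 20 msec'

# Exercises the parsers on the samples; exits 0 when all verdicts match.
selfcheck() {
    [ "$(printf '%s\n' "$SAMPLE_SIGNED"   | rrsig_count)" = "1" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_UNSIGNED" | rrsig_count)" = "0" ] || return 1
    printf '%s\n' "$SAMPLE_SIGNED" | ad_flag_set || return 1
    if printf '%s\n' "$SAMPLE_UNSIGNED" | ad_flag_set; then return 1; fi
    return 0
}

# Live checks, only when asked:  ZONE=example.org sh dnssec_check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_authoritatives
    check_validation
fi
```

The per-nameserver query is the part that would have caught the Linode transfer problem before a validator did: as long as one NS reports 0 RRSIGs while the others report more, some fraction of validating resolvers will fail the zone, and the failure looks random from the outside.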

That's it for now. As always, post questions, comments below. I'll be reading!

~ NCommander

  • (Score: 2) by JNCF (4317) on Tuesday August 16 2016, @10:59PM (#388883)


    > For someone writing on a journalism-related website, my main conclusion is that you [JNCF] don't write very clearly.

    I have never been fond of most journalistic writing, but I see your point about subjects. To clarify, "he" meant NCommander. There are more reasons to choose words and phrasings than clarity alone. When my intention is strictly clarity, I am very clear. This is rarely the case on SoylentNews.

    > I am not so rich that I can throw money at every good cause that wants more money.

    Me neither. I really like SoylentNews, even with all its nasty warts. It's certainly not for everyone, and donation is totally optional. You seem very concerned about funding, though.

    > My primary suggestion is for an alternative funding mechanism that would allow small donors to see more about how their money is actually used. Perhaps the larger value of the approach is that the same mechanism would drive documentation of the features and services that the website is providing. The project proposals that get funded should become accurate descriptions of what exists (as long as the success criteria are satisfied).

    Maybe this is a good suggestion. Maybe not. It doesn't seem very fleshed out. Rereading your original posts in this discussion, the idea doesn't even seem to be present. It seems like a much more general complaint that touches on a number of other issues. For what it's worth, I modded you "underrated" -- not because I agreed with anything you said, but because I didn't think you were trolling.

    > By the way, your example from the original article was an example of poor writing. How do you interpret your selection to indicate a security problem on SN? Of course XSS is a hint, but even the replacement with "cross-site scripting mitigation" would be ambiguous. (And no, I did not have to look that up. I even edited some technical papers for security experts who were working on related problems.)

    The emphasis was original. I felt that the heading added context to the sentence that came after it, and I wanted to clearly identify it as a heading without breaking it into a multi-line block quote as I was using for your text. If you go back and read the rest of the quote, it uses the word "security." That was the lingo you either couldn't interpret as being related to security, or didn't read.

  • (Score: 1) by shanen (6084) on Wednesday August 17 2016, @12:33AM (#388916)


    I have to leave soon so I'm just going to focus on a few main points. The funding suggestion was much more fleshed out in some of my earlier comments on SN, after I had observed the system for a few weeks. It has also been fleshed out in various other venues, often modified for more specific purposes. The original form was called RACS (Reverse Auction Charity Shares) because of some viral marketing aspects involving discounted shares, but these days I usually start from the more generic perspective of "charity share brokerage", focusing on the key entity that is holding the money. They show up in some search engines, but I don't know of any so-called early adopters. (There's also some stuff I wrote about couch potatoes...)

    The reason I focus on the funding is not because I think money is important, but because it influences behavior. People tend to respond to clear incentives, and monetary incentives tend to be quite clear. If an organization is getting its funding from certain stakeholders, then it will naturally evolve to focus on the needs and preferences of those stakeholders over the others. The model I am suggesting would make "wannabe problem solvers" into key stakeholders, and solving problems would be linked to the organization's success, including its success in funding itself.

    Getting diverted again, but I think economics sucks, to put it politely. Currently reading Seven Bad Ideas along those lines. My proposed solution is called ekronomics, perhaps a form of time-based economics.

    #1 Freedom = (Meaningful - Coerced) Choice{5} ≠ (Beer^4 | Speech) and your negative mods prove you are a narrow prick.