Posts tagged with 'ssl'


Securing boyet.com, part 2: secondboyet

Just a quick update after starting this series a couple of months ago: secondboyet.com is now secure and, even better, gets an A+ from securityheaders.com. Even, gasp, the Content Security Policy. I will fully admit here that, because secondboyet.com is a pure static site (to remind readers who are unfamiliar with this, the site is generated using CityDesk, a well-dead-and-pushing-up-the-daisies-but-still-working app for creating blogs and websites), all I had to do was a cycle of visiting the...

Securing boyet.com, part 1: static sites

Sounds simple, right? After all, I’ve babbled on about how to secure your web sites these past few months, both for AWS and Azure, so it should be a piece of cake for boyet.com. Right? Well, unfortunately, no. Thing is, I bought boyet.com 20 years ago in November, and, after using TDMWeb (which was owned by the publisher/editor of The Delphi Magazine, for which I wrote algorithm articles) as hosting for a while, I switched to GoDaddy. And then proceeded to mess things up by taking advantage of...

Content Security Policy is hard, and then there’s Pinterest and AddThis

Over the past month, I’ve embarked on an update of my blogging sites to make them secure. All told, I maintain three, all using GraffitiCMS as the backend: this site, 64SAINT.com, and my wife’s crafting site. This site? Well, yes, it’s going to be a complete bear to do, mainly because it’s in two parts: the current GraffitiCMS blog (which you’re reading now, hosted on blog.boyet.com) and my old static blog site (hosted on www.boyet.com). I’m still unsure as to how I’m going to do this, or even how...

Making an AWS static website EVEN MORE secure

OK, so we have a secure website, hosted on Amazon S3, and served up via HTTPS by CloudFront with an Amazon SSL Certificate. But, as we know from last time, we also have to express this security through our response headers. It was fairly easy with Azure – after all, it’s “just” IIS back there, and web.config is the answer to everything once you know the magic incantations – but how to do the same thing on AWS? For this one, I am indebted to an official Amazon blog post: Adding HTTP Security Headers...
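Since S3 itself sends none of these headers, the usual way to "express the security" on AWS is to stamp them onto every response at the CloudFront edge. The following is an added example, not the post's own code nor Amazon's: it assumes a Lambda@Edge function attached to the distribution's origin-response trigger, and the header values (in particular the Content-Security-Policy) are assumptions for a plain static site that should be tightened to whatever the site actually loads. The sample event below is constructed to mirror the shape CloudFront hands to an origin-response function.

```javascript
'use strict';

// Header set to add at the edge. Values are assumptions for a static site:
// the CSP allows only same-origin resources, and the HSTS preload directive
// should only be kept once you intend to submit the domain to the preload list.
const SECURITY_HEADERS = [
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
  { key: 'Content-Security-Policy',   value: "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'" },
  { key: 'X-Content-Type-Options',    value: 'nosniff' },
  { key: 'X-Frame-Options',           value: 'DENY' },
  { key: 'Referrer-Policy',           value: 'strict-origin-when-cross-origin' },
];

// CloudFront represents headers as an object keyed by the lowercase header
// name, each value being an array of { key, value } pairs. Existing entries
// with the same name are overwritten so an origin cannot weaken the policy.
function addSecurityHeaders(response) {
  const headers = response.headers || {};
  for (const header of SECURITY_HEADERS) {
    headers[header.key.toLowerCase()] = [{ key: header.key, value: header.value }];
  }
  response.headers = headers;
  return response;
}

// Lambda@Edge origin-response handler: pull the response out of the event,
// add the headers, and hand the modified response back to CloudFront.
async function handler(event) {
  const response = event.Records[0].cf.response;
  return addSecurityHeaders(response);
}

// Constructed sample origin-response event (not captured from a real
// distribution) with the shape CloudFront uses, carrying one origin header.
function sampleOriginResponseEvent() {
  return {
    Records: [{
      cf: {
        config: { eventType: 'origin-response' },
        request: { uri: '/index.html', method: 'GET' },
        response: {
          status: '200',
          statusDescription: 'OK',
          headers: {
            'content-type': [{ key: 'Content-Type', value: 'text/html' }],
          },
        },
      },
    }],
  };
}

if (typeof module !== 'undefined') {
  module.exports = { handler, addSecurityHeaders, sampleOriginResponseEvent, SECURITY_HEADERS };
}
```

Deploy this as a Node.js function in us-east-1 (Lambda@Edge functions must live there), publish a version, and associate that version with the distribution's origin-response event; because it runs on origin responses rather than viewer responses, the headers are cached along with the object and the function only executes on cache misses. After deploying, re-run securityheaders.com to confirm the headers are actually reaching the browser.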

Making an AWS static website secure

So there I was, patting myself on the back for making an Azure static website secure (with all the right headers, natch), when I gave myself a quick nod: yep, let’s do the same for this other static website, one that’s hosted on Amazon S3. Piece of cake (morceau de gâteau)! Please, please, please, can I go back in time to stop myself? What a lengthy ordeal, a flippin’ slog. Sisyphus had it easy. Let’s enumerate what you should do, in the right order (rather than what I did, which was all messed up). Get your...

Making an Azure static website EVEN MORE secure

Remember how I was congratulating myself that I’d made my jmbucknall.com static website, that is hosted on Azure, secure? How I’d bought and uploaded an SSL certificate, and made the site only accessible via HTTPS? Well, HA! I say that, because Barry Dorrans (self-described as “Microsoft's .NET security person”) was ‘kind’ enough to point out that I hadn’t really finished the job. I hadn’t added the proper “security headers” (WTF are they?) via a web.config (wut? it’s a static site!) and that I should...

Making an Azure static website secure

One thing that’s been niggling at the back of my mind for a little while is that of making my various domains secure. Getting and installing a certificate. Making HTTPS the default. Using SSL. All that jazz, mostly triggered by the news that Chrome and Firefox are going to start shaming – er, sorry, indicating in the address bar – those sites that are not secure. But, OK, I admit it, all the stuff I’ve read just seems to point out how deeply involved it all is, how expensive, and so on. This ain...

PCPlus 315: Safe online transactions

In which I talk about how to solve the problem of communication between two entities (I talk about the archetypal Alice and Bob) so that no one else (notably, Eve) can listen in, and no one (especially Mallory) can monkey around pretending to be Alice to Bob or vice versa. (For those not in the know why these names were chosen, Alice and Bob just designate A and B, Eve is the eavesdropper and Mallory the man-in-the-middle.) I start off with DES (Data Encryption Standard), an old-fashioned encryption...
