2016-04-15 Michael BoelenWeb One comment

How the web changes with HTTP/2: Performance and Security

Changes to the web: HTTP/2 Performance and Security On invitation by the Dutch consultancy firm Snow, I attended their Snow Unix Event (SUE). It was the third time in a row, with again an impressive lineup of speakers. As I worked previously for the company, I expected no less than that. The theme was about knowledge sharing. That sounds like an invitation to also share some of the biggest insights I learned. Let’s start with the HTTP/2 insights by Daniel […]

2015-03-12 (last updated at October 9th, 2016) Michael BoelenPerformance, System Administration, Web 4 comments

Optimize SSL/TLS for Maximum Security and Speed

Optimize SSL/TLS for Maximum Security and Speed High Goal Setting Recently we changed our corporate website into a “HTTPS only” version. Most of the content is not secret information, still we have some sensitive areas. The ordering section and downloads, and additional our portal. While some areas were already covered with a lock, we felt it was time to make the jump to cover it all. Additionally, we believe that we doing everything we can on our website, practicing security […]

2015-03-05 Michael BoelenWeb Leave a comment

Securing nginx configurations: implementing OCSP stapling

Securing nginx configurations Implementing OCSP stapling in nginx OCSP stapling is a logical follow-up on Online Certificate Status Protocol. OCSP itselfs just checks if certificate is still valid by determining if it is on a revocation list. The original OCSP protocol forces the client to check for the status of a certificate. This results in a lot of traffic for the CA behind the certificate. OCSP stapling moves the check to the owner of the certificate. On a regular basis […]

2014-08-27 (last updated at April 5th, 2017) Michael BoelenHardening, Software 3 comments

Protect against the BEAST attack in Nginx

Protect against the BEAST attack in Nginx What is this BEAST? BEAST, or “Browser Exploit Against SSL/TLS” is an attack against the cipher block chaining (CBC) method used with SSL/TLS. The weakness was discovered in 2002, but finally proven in 2011 by security researchers Thai Duong and Juliano Rizzo. With real proof of concept code, they showed it was no longer a theoretical attack. To successfully perform the BEAST attack, there are some conditions which needs to be met: Vulnerable version of […]

2014-08-12 (last updated at February 12th, 2019) Michael BoelenHardening, Software, Web 2 comments

Configure HSTS (HTTP Strict Transport Security) for Apache and Nginx

HSTS configuration for Apache and Nginx HTTP Strict Transport Security (or HSTS) is a security capability to force web clients using HTTPS. The idea behind HSTS is that clients which always should communicate as safely as possible. At achieve this, the web server and web browser will prefer the HTTPS protocol instead of HTTP. Benefits The clear benefit of “forcing” a client to use HTTPS directly, is decreasing the risk of sharing any sensitive information via a protocol which can […]

2014-07-03 (last updated at January 30th, 2016) Michael BoelenWeb Leave a comment

Hiding the Nginx version number

Hiding the Nginx version number If you care about security, making your system “lean” is one very good start. Remove all clutter, like unused packages. It is part of system hardening and considered a good practice. This also applies to leaking of version numbers, which can only be harmful. Yes.. it is security through obscurity. But why would you reveal specific details about your environment to attackers? In this article we have a look at the very popular Nginx web server daemon. […]