Ssl

Postfix Hardening Guide for Security and Privacy

Learn how to secure the configuration of Postfix with this guide, and increase both security and privacy.

Summary

Postfix is a common software component on servers for receiving or sending email. It has a lot of configuration options available, including those to improve your Postfix security. This Postfix security and privacy guide will help with hardening your Postfix configuration.

After you are finished, your system will have improved defenses against spam, abuse, and leaking sensitive data.

Why Postfix hardening?

Every service that is connected to the internet is sooner or later to be abused by automated scripts. For example, an incorrectly Postfix might send messages to everyone, instead of just your network systems. This type of configuration is called an open relay. It will get your system ending up on multiple blacklists. If it is just a test system, then you are lucky. If your customers are depending on it, then you have something to explain.

Deleting Outdated HPKP Key Pins in Firefox

HPKP is a great technology to pin a certificate to a website. Unless it starts blocking access to a legitimate website.

Summary

HPKP Key Pins in Firefox

HPKP is a great technology to pin a certificate to a website. On first use of a domain, the browser of the client checks if key pinning is available. Upon a next visit, the browser applies an additional check if the certificate(s) provided is available in the previous list of white-listed sites.

HPKP error

Sometimes things go wrong with HPKP and you won’t be able to access a particular page.

Optimize SSL/TLS for Maximum Security and Speed

Everyone loves secure websites, as long as they are quick. Let's configure our website for maximum security and performance, at the same time.

Summary

Recently we changed our corporate website into a “HTTPS only” version. Most of the content is not secret information, still we have some sensitive areas. The ordering section and downloads, and additional our portal. While some areas were already covered with a lock, we felt it was time to make the jump to cover it all.

Additionally, we believe that we doing everything we can on our website, practicing security hardening ourselves. So that includes buying a SSL certificate, configure our web servers and finally tune it. In this article we share what we learned while doing so.

Disable SSLv3 in Lighttpd to protect against POODLE attack

Protecting against the POODLE attack with Lighttpd is easy by changing its configuration. Disable SSLv2 and SSLv3 to limit the attacks on the SSL protocol.

Summary

Protecting against the POODLE attack

The POODLE attack has entered the news a few times now. The issue behind the POODLE attack is serious, as it abuses a weakness in the protocol, not the implementation. This means the only proper fix is abandoning the SSLv3 protocol and use the newer TLS protocols.

Disable SSLv2 and SSLv3

Lighttpd commonly has its configuration settings stored in /etc/lighttpd/lighttpd.conf. Open this file and add the following two statements, to disable both protocols:

Protect Linux systems against SSLv3 Poodle vulnerability

The Poodle vulnerability was discovered in October 2014, putting all systems using SSL 3.0 at risk.

Summary

What is the Poodle vulnerability ?

The “Poodle” vulnerability is basicly an attack on the SSL 3.0 protocol. It was discovered in October 2014. The flaw is in the protocol itself (not implementation), which makes the issue applicable for all products using SSL 3.0. TLS 1.0 and later are considered safe against the attack.

How does the attack work?

While we won’t go into too much depth of encryption and ciphers, we will share some basics. When SSL 3.0 is used in CBC mode, it uses a block cipher. Small blocks of data are being evaluated for further processing, opposed to encryption on bit level.

Protect against the BEAST attack in Nginx

The BEAST attack showed up in 2011 and some servers are still vulnerable to it. With the right protocols, ciphers and preference, we can keep the BEAST out.

Summary

What is this BEAST?

BEAST, or “Browser Exploit Against SSL/TLS” is an attack against the cipher block chaining (CBC) method used with SSL/TLS. The weakness was discovered in 2002, but finally proven in 2011 by security researchers Thai Duong and Juliano Rizzo. With real proof of concept code, they showed it was no longer a theoretical attack.

To successfully perform the BEAST attack, there are some conditions which needs to be met: