Securing your self-hosted website with Let’s Encrypt


Securing your self-hosted website with Let’s Encrypt, part 5: I have HTTPS, and now what?

In part 4, we looked at hardening default configurations and avoiding known vulnerabilities, but what other advantages are there to having our sites run HTTPS?

First, a recap of what we get by using HTTPS:

  • Privacy – nobody watching the network can see what your users are accessing (they can still tell which host is being visited, but not which page on it)
  • Integrity – what is sent between you and your users is not tampered with at any point*

*unless the users’ computers are infected with a virus or some kind of browser malware that modifies pages after the browser has decrypted them, or modifies the content before the browser sends it back to the network. Remember I said that security is not 100% guaranteed? Sorry to scare you. You’re welcome 😎

So that’s cool, but there’s even more!

Securing your self-hosted website with Let’s Encrypt, part 4: hardening default setups and avoiding known vulnerabilities

In part 3, we looked at how to finally use Let’s Encrypt to issue and renew certificates for our domains. But I also finished with a terrifying cliffhanger: basic HTTPS setups can be vulnerable to attacks! Gasp…!

Let me start by clarifying that I am not a security expert and if someone breaks into your system I will take no responsibility whatsoever, lalalala…


I finally moved this blog to https (with Let’s Encrypt)

[Screenshot: the browser showing soledadpenades.com as a secure connection, verified by Let’s Encrypt]

This was a long overdue task, but I finally dared to move this blog to https. I thought it would be overly complicated but… it was just fine, barring a couple of minor configuration updates in WordPress.

As a faithful blog reader, you should not notice any functional difference. An automatic http to https redirection is in place so your bookmarks will still work, but I advise you to update them to https because otherwise people watching your net traffic can tell which /path/in/my/blog you’re visiting (with https, they can only tell you’re visiting my blog, but not what you are looking at).

Also, when you send a comment, your email address won’t travel unencrypted over the network. In the future I might even want to look at enabling http2, which will only work over https as well, and you’ll get my blog faster!

But probably the most attractive bit for me is that now I can log into the admin area from seedy open hotel wifis all over the world and not be afraid that someone might steal my credentials. And I can be certain that nothing is modifying my blog before it reaches you (unless you’re using a browser plugin or similar). Integrity!

I used Let’s Encrypt as the certificate authority. They’re free, and the process is mostly painless and easy to setup… once you understand it. It took me a bit, but now I know.

In fact, I learned to do this efficiently so I could also migrate a lot of other domains and subdomains I own, for example my portfolio 5013.es. It hosts a few JavaScript experiments that require access to the webcam, and browsers are converging on not allowing access to this kind of privacy-sensitive API unless the page is served over https. So there is a clear advantage for users in those cases: they can run my experiments and be sure no one is spying on them! In fact, most of the coolest APIs to land in JavaScriptlandia will require an https connection to work, so for example if you want to make your website work offline using a Service Worker, you’ll need to deliver the code over https.

Worry not, I will not be keeping the knowledge to myself! I will be writing about the move during this week, and also will be giving a talk at WordCamp London next Sunday: “Securing your self-hosted WordPress website using Let’s Encrypt”. Then a shorter version of the talk at WebProgressions in London too, later in May.

I wrote about http/https eight years ago. I concluded that people were not interested in encryption because it’s complicated, slower or hard to set up. I’m very glad that Let’s Encrypt can make this as easy as it can be, and I’m incredibly happy that we can all be finally using https!

Hashing passwords with Bcrypt and node.js

I have a little pet project that I’m using to learn Hapi.js.

Today I wanted to add authentication and since this is, as I said, a tiny little mini project, I want to only allow specific users (actually, just me) to log in, and not everyone+dog using bell or something of that sort. So I thought I’d go for hapi-auth-basic.

This module performs, not surprisingly, HTTP basic authentication, and its documented example checks the password against a hash generated with Bcrypt. I didn’t really find a command line tool that would generate the hash for me on this Mac in a convenient, fuss-free way, and I also didn’t spend hours looking because it’s Saturday, so in my most pragmatic move of today I decided I would just write a little snippet of code that would hash and verify the password using JavaScript.

So here it is, roughly based on this post about using Bcrypt with mongoose.