Improve Security with Mount Options

“Defense in Depth” is a key concept of information security; if an attacker can get through one security control, there should be others waiting to thwart him. Mount options are an oftentimes overlooked way to implement defense in depth which are easy to implement, simple to understand, and widely applicable to many situations. The directory … Continue reading Improve Security with Mount Options

Trusting AWS RDS Certificates in Docker and Beanstalk

To connect to AWS RDS databases using TLS/SSL, the client must trust the certificate provided by RDS; RDS doesn’t use certificates trusted by the CAs (Certificate Authorities) included by operating systems. Without TLS/SSL, the connection to the database isn’t secure, meaning an attacker on the network between the client (running in EC2) and the database … Continue reading Trusting AWS RDS Certificates in Docker and Beanstalk

End to End Encryption with Beanstalk

Beanstalk is often configured to terminate SSL at the load balancer then make the connection to the web server/application instances using unencrypted HTTP. That’s usually okay as the AWS network is designed to keep such traffic private, but under certain conditions, such as those requiring PCI compliance, DoD/government rules, or simply out of an abundance … Continue reading End to End Encryption with Beanstalk

DNSSEC on OpenWrt 18.06, 19.07, and 21.01

DNSSEC ensures that the results of DNS queries (for DNSSEC enabled domains) are authentic. For example, integralblue.com uses DNSSEC, so if an attacker (using a man in the middle or spoofing attack) changes the IP address that www.integralblue.com resolves to, then a DNS resolver supporting DNSSEC will be able to tell and return an error. … Continue reading DNSSEC on OpenWrt 18.06, 19.07, and 21.01

DNS Over TLS on OpenWrt 18.06, 19.07, and 21.01

DNS over TLS encrypts DNS queries so no one between you and the DNS server you’re using (which, by default using these steps, will be Cloudflare’s 1.1.1.1), can tell what DNS queries/responses are being exchanged. DNS over TLS provides confidentiality but not integrity or authenticity. For those, you need to setup DNSSEC which I’ve described … Continue reading DNS Over TLS on OpenWrt 18.06, 19.07, and 21.01

Spring Boot, HTTPS required, and Elastic Beanstalk health checks

Spring Boot can be very easily configured to require HTTPS for all requests. In application.properties, simply set security.require-ssl=true And that works great – until you’re running the Spring Boot application on AWS Elastic Beanstalk with both HTTP and HTTPS listeners: In that case, Elastic Beanstalk’s health check is always done over HTTP. The configuration page … Continue reading Spring Boot, HTTPS required, and Elastic Beanstalk health checks

One HTTPS site per IP address… or may be not?

I randomly ran across SNI (aka RFC 4366) tonight. It’s a technology that has been under development since before 2000 that allows the client to tell the server what domain it’s visiting before the server sends the certificate. The history is fascinating! The situation today is that SNI is not here yet. OpenSSL will support … Continue reading One HTTPS site per IP address… or may be not?