# Security

  • Migrate to ECC Encryption Keys

    With COVID-extra spring cleaning time, a PSA post on updating your security keys. We’re going to move your ssh and gpg keys from RSA algos to the more compact, efficient ECC (Elliptic Curve Cryptography) keys of Ed25519. This is how you create them and how to swap them out on the services and tools you use.

    Most security experts now say to switch from RSA keys to keys derived from the mathematical properties of elliptic curves, ECC (Elliptic Curve Cryptography). Increasing computing power has made RSA-style keys below 4096 bits vulnerable, and there are now purpose-made tools for cracking the passphrases on those secret keys (there are countermeasures).

  • Password Management with gopass password-store, gopass bridge, and Pass for iOS

    While I’ve been using passpie for some time as a CLI password manager, it lacked mobile and browser integration and an ecosystem for leveraging other tools. This is what I replaced it with, duplicating the functionality range you’d see in commercial apps like 1Password and Dashlane, while being free, open source, cross-platform, more portable, and developer-friendly.

    Often, the oldest solutions to problems are the best. They provide a common, battle-tested standard for everyone to work with. Pass, the standard unix password manager, has been around for ages and follows the unix philosophy of a simple, robust tool which does one thing well and integrates with other tools for composable toolchains.

  • Renewing SSL security certs with Amazon's Certificate Manager

    For those who followed my original post a year ago on how to get a blazing-fast site up serverlessly with a static site generator, you’re going to need to renew your security certificate soon. This is how that’s done through Amazon Certificate Manager via Let’s Encrypt.

    In truth, Amazon’s Certificate Manager (ACM) does a good job of taking something that used to be a painful, nail-biting, horrible experience, changing your web site’s SSL cert, and making it much easier. Especially if you’re running your own domain, with ACM combined with the geniuses at Let’s Encrypt, it’s now semi-painless (with a little knowledge) to secure your sites with SSL. It’s not obvious, however, how to change or renew once you’re set up, so we’ll do the walkthrough.

  • Securing Padrino apps with https and ssl on Heroku

    Let’s Encrypt has done an amazing job of making https the new normal for web sites and helping create a more secure and private internet by giving away free, automatic ssl certificates to domain owners.

    You should be encrypting your web traffic, and you need to in order to take advantage of new protocols like http/2: some implementations have stated they will only support http/2 over an encrypted connection, and currently no browser supports http/2 unencrypted, afaik. Add to this the fact that Google will start penalizing non-secured sites in search results, and https is fast becoming the de facto standard.

  • How Strong is Your Password?

    Another absolutely fantastic infographic via Information is Beautiful from CXO magazine on both how strong your password is and a nice extra layer of sociological categorization.

    Mind you, I don’t think the top one is strong enough IMHO. Mine’s better… ;-)

  • Spook Security Guides

    If, like me, you worked for an NGO under constant surveillance by large governments and an under-assault investment bank, you’ve tended to become a little paranoid about security over the years.

    The Spooks, the US NSA, actually have some excellent guides on securing systems, software, databases and hardware. Good stuff and very useful and practical.

    I’m currently going over their recently released OSX Security Configuration guide, redacted (pdf), and have to say it is quite impressive. Excellent stuff on the usual unix security and some excellent coverage of OSX-specific things (beyond its excellent default security config) like FileVault and Keychain. Especially good if you’re a security whiz on Linux but need to know the details of the differences with OSX.

  • Pensées on Fear and Loathing in America

    Great op-ed piece worth reading by perhaps America’s foremost security expert, Bruce Schneier, on the DHS security warnings (Department of Homeland Security, for the non-US acronym followers) and their actual effect in terms of security (zero) versus the effect on the populace (fear). Short, pulls no punches and questions the political motivation of the entire system.

    There are two basic ways to terrorize people. The first is to do something spectacularly horrible, like flying airplanes into skyscrapers and killing thousands of people. The second is to keep people living in fear.