Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
jaytar1856y@R1100 have a look on the basics of SSL. Yes, the key is constant while the cert is valid (often about 2 years). No, this is not a problem because it takes even supercomputers a lot of orders of magnitude more time to factorize the public key.
-
jaytar1856y@R1100 as far as publicly known, even banks and government organisations use the same type of cryptography that SSL uses. A functional quantum computer with a few kilo qbits will evaporate almost every encryption in use today. But there are some quantum safe encryption algorithms which can be used in that case. Unfortunately, you need a quantum computer to use them.
-
C0D4669026y@R1100 if someone has a quantum computer in there garage, you have more to worry about then decrypting a SSL cert.
-
jaytar1856y@R1100
There are, however, some rules on certs that you should follow:
- never ever store the private key anywhere accessible to someone who should not have acces. An imposter could take the identity of your site and you don't want that. A copy on a USB stick in a locker is fine, a copy in your dropbox is a nogo
- if you suspect someone got hold of your private key, immediately revoke the cert (a good CA can do this) and get a new one
- create the private key directly on the server it will be used for, reduces the risk of someone intercepting the communication
- use wildcards very cautiously, i prefer getting a new one for a new subdomain -
@jaytar For quantum safe algorithms a quantum computer is not required.
Google experimented with those a while ago but I'm not sure if those algorithms are still included in Chrome. -
the security of https largely depends on your server config:
1) don't allow SSL ever.
2) ideally, only allow TLS 1.2, not 1.1 or 1.0 unless you have a considerable user base with Android below version 5.
3) keep your server updated to make sure you have no vulnerabilities like heartbleed.
4) don't allow weak cypher algorithms. Good cert plus weak configured algorithms is bad.
5) forward http to https or use the upgrade-insecure-requests HTTP header.
6) use the HSTS header.
7) check the whole thing with https://www.ssllabs.com/ssltest/ and follow the recommendations. -
A little note where the cypher algorithms come into play. First, the client tells the server which symmetric algorithms it supports. The server selects one of these, and they exchange the symmetric key. This symmetric key is encrypted via asymmetric encryption with the public/private key pair of the server. The rest of the communication then runs with the selected symmetric algorithm using the symmetric key. That's pretty similar to how PGP works.
The reason for this setup is that asymmetric encryption would be too slow to use on everything. So, if you have a good cert with strong keys, but then allow weak symmetric cypher algorithms to be used for the content encryption, the whole thing will fall flat. -
olback107946yThis is what you get with letsencrypt. It's free and good enough unless you're a bank.
-
@olback acually, this is what you can get with Let's Encrypt certificate if the server is configured properly.
-
olback107946y@Fast-Nop Do you have a guide or something, I'd like to get to that A+ sweetness as well...
-
@olback to be honest, my algorithm is checking out whether things are right, and if they aren't, I mostly open a support ticket with my hosting provider and tell them to fix that. :-)
But in your case, the DH key exchange needs some reconfig, that's why the grade is capped to B. -
C0D4669026y@olback that’s nice, you’ve done well to get it that high.
Let’s encrypt on a raspberry pi looks like this. -
hacker17656y@C0D4 hey, thanks. I'll research more into that because I have no idea how to disable support for those yet...
Can https be decrypted easily?
(Or even by spending some time)
Plus what other security methods banks apply to prevent theft of sensible data?
Do they encrypt data using thair own private key thet is changed automatically?
rant