Featured Articles

WordPress Multisite on the Darknet (Mercator .onion alias)
Continuous Documentation: Hosting Read the Docs on GitHub Pages (2/2)
Detecting (Malicious) Unicode in GitHub PRs
WordPress Profiling with XHProf (Debugging & Optimizing Speed)
Introducing BusKill: A Kill Cord for your Laptop
Hardening Guide for phpList
previous arrow
next arrow

HPKP Best Practices for Let's Encrypt

This post describes how to generate a few backup public key hashes to add to your HTTP Public Key Pinning (HPKP) config that might save you from bricking your domain if Let's Encrypt ever gets untrusted like StartCom did.

If you have a healthy distrust of the X.509 PKI trust model, then you've probably heard of HPKP (and probably also HSTS & CAA). Website certificate pinning was a trend first started by google, who hard-coded a pin of their certificates in their Chrome browser. Eventually, google helped build a more standardized pinning method under RFC 7469. And today, it's supported by Chrome, Firefox, and Opera.

Pinning is a great TOFU improvement to https, but--if misconfigured--you could "brick" your domain--making it so that your client's browsers will refuse to let them access your site for months or years (interestingly, this has also caused some security experts to think of how HPKP could be abused in ransom-ware). Therefore, it's a good idea to follow a few HPKP Best Practices.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: HPKP Best Practices for Let's Encrypt

Howto Guide: Whole House VPN with Ubiquiti + Cryptostorm (netflix safe!)

This post will describe what hardware to buy & how to configure it so that you have 2 wireless networks in your house: One that seamlessly forces all of the traffic on that network through a VPN--and one that connects to the Internet normally . When finished, the internet activity for any device connected to the first network will be entirely encrypted so that the ISP cannot see which websites are visited*, what software you use, and what information you send & receive on the internet.

* Assuming your config doesn't leak DNS; see improvements section

Update 2017-08-25: Added "kill switch" firewall rule that prevents LAN traffic from escaping to the ISP unless it passed through the VPN's vtun0 interface first. Following this change, if the VPN connection is down, the internet will not be accessible (as desired) over the 'home' wifi network (without this, the router bypasses the VPN by sending the packets straight to the ISP--giving a false sense of privacy).

Update 2021-02-01: Fixed GitHub URL of cryptostorm's free OpenVPN configuration file Update 2021-02-14: Fixed GitHub URL of cryptostorm's paid OpenVPN configuration file

Update: I wrote this guide in 2017. It's intended for an audience that has
. . . → Read More: Howto Guide: Whole House VPN with Ubiquiti + Cryptostorm (netflix safe!)

Using uBlock Origin to Whitelist

As some mega websites deploy APIs that are used nearly ubiquitously on most of the Internet's websites (I'm looking at you Facebook & Google), I've begun to compartmentalize my browsers to "jail" specific website usage to a single, sandboxed browser (profile). This is sometimes referred to as a Site-Specific Browser (SSB).

Besides making sure that your SSB is isolated in that it cannot access your regular browser's data (a configuration I plan to document in the future), it's essential to block all network traffic from/to your SSB and all websites, except a whitelist. Unfortunately, getting block-all-then-whitelist functionality in uBlock Origin was annoyingly not documented, so I decided to publish it.

If you want uBlock Origin to block all traffic, add the following line to the textbox in your "My filters" tab of uBlock's Dashboard.

*.* Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Using uBlock Origin to Whitelist

Let's Encrypt!

Finally, this website is (only) accessible over https!

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael

tech.michaelaltfield.net/

Tor->VPN in TAILS to bypass tor-blocking

This post will describe how to route outgoing traffic in a python script running on TAILS first through Tor, then through a SOCKS proxy created with an ssh tunnel. This is helpful when you want to use the anonymizing capabilities of tor, but you need to access a website that explicitly blocks tor exit nodes (common with sites running CloudFlare on default settings).

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Tor->VPN in TAILS to bypass tor-blocking

pycurl through Tor without leaking DNS lookups

This article describes the correct way to use pycurl over Tor, such that both DNS lookup data and HTTP(S) traffic is sent through Tor's SOCKS5 proxy.

If you google "pycurl tor", one of the first results is a stackoverflow post that describes how to configure pycurl using the pycurl.PROXYTYPE_SOCKS5 setting. Indeed, even the tutorial To Russia With Love on the Tor Project's Official Website describes how to pass pycurl through Tor using the pycurl.PROXYTYPE_SOCKS5 setting.

However, using pycurl.PROXYTYPE_SOCKS5 will leak DNS queries associated with your HTTP requests outside of the Tor network! Instead you should use pycurl.PROXYTYPE_SOCKS5_HOSTNAME.

The --socks5-hostname argument was added to libcurl v7.26.0. The pycurl.PROXYTYPE_SOCKS5_HOSTNAME argument wasn't added to pycurl until pycurl v7.19.5.1, which (at the time of writing) was less than 2 months ago!

This article will describe how to install pycurl v7.19.5.1 onto the latest version of TAILS at the time of writing, which is TAILS v1.2.3.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: pycurl through Tor without leaking DNS lookups

Eavesdropping Analysis of PGP Metadata

This post attempts to answer the following question: If an evesdropper intercepts a message encrypted with gpg, how much information will they be able to extract from the message without a decryption key?

I will show the unencrypted metadata added to a GPG-encypted message, and I will present commands that can be used to extract this unencrypted metadata.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Eavesdropping Analysis of PGP Metadata

Browsing without being tracked via Fingerprinting

Your browser aggrigates a *lot* of data about your computer, and it won't hesitate to provide all of this data to a nosy web site. In fact, if a website requests a large dataset of your computer's configuration, concatinates it together, and passes it through a hash function, the resulting hash can be farily unique.

This procedure can be done (and is done) on seperate websites to track users and their activity across multiple websites. If the same procedure [get data, concatenate, hash()] produces the same hash value when done on 2 seperate websites, the website can be fairly certain that you're the same user. This technique for tracking users is known as Browser Fingerprinting.

Just to get an idea of how effective this is, here's an excerpt from the above-linked article:

[The EFF] found that, over their study of around 1 million visits to their study website, 83.6% of the browsers seen had a unique fingerprint; among those with Flash or Java enabled, 94.2%. This does not include cookies!

You can test the uniqueness of your browser's "fingerprint" using this handy EFF tool.

There is a really great document descirbing techniques that could be used to prevent
. . . → Read More: Browsing without being tracked via Fingerprinting

Custom Synapse Shortcuts

I've been using Synapse for a few months now. This software is invaluable to my experience on my PC because: # I can *quickly* do what I want to do without fighting with a big, hierarchaial menu # It doesn't require any huge dependencies (I use XFCE, so I don't want something that requires Gnome or KDE libraries)

Unfortunately, the documentation is non-existant. So when I wanted to be able to configure Synapse to execute a custom command when I typed a custom keyword, it took me a while to figure it out.

This post explains how to define custom commands in Synapse to execute custom commands in your terminal. For example, I'll show how to make "Google Drive" open a firefox window to https://drive.google.com

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Custom Synapse Shortcuts

Github

With each passing day, it's becoming more and more obvious that Internet users are transitioning to cloud-based storage. Between (1) My home workstation running Arch Linux, (2) my laptop dual-booting in Ubuntu Linux and Windows 7, (3) my netbook running eeebuntu, and (4), public-access PCs at my University, I need a way to open the latest version of our files from any geographic location on any OS.

A few years ago I built a multi-TB storage solution which hosted my personal, online Subversion repository. But power is expensive, so this box ended up getting turned off. In response, I fell into the bad habit of storing my source code merely as files on the cloud without version control.

Several years ago (assuming your file was small enough) this meant emailing an attachment. Or, more recently, uploading it to Google Docs. Then people started using DropBox. Finally, if you cared about the privacy of your data, you moved to Wuala.

But Wuala tends to corrupt my files as I'm editing them in gvim, so I started storing my files locally again--which rocked the boat and convinced me to finally get around to learning git. Git has always been on my to-try
. . . → Read More: Github