{"id":1367,"date":"2013-10-17T15:12:51","date_gmt":"2013-10-17T13:12:51","guid":{"rendered":"http:\/\/blog.gocept.com\/?p=1367"},"modified":"2013-10-17T15:19:23","modified_gmt":"2013-10-17T13:19:23","slug":"improving-http-security-at-the-flying-circus","status":"publish","type":"post","link":"https:\/\/blog.gocept.com\/2013\/10\/17\/improving-http-security-at-the-flying-circus\/","title":{"rendered":"Improving HTTP security at the Flying Circus"},"content":{"rendered":"<p>We now know that the secret services employ extended eavesdropping techniques to scan and analyze nearly all Internet traffic. This worries us since we want to keep our customers&#8217; data confidential. We get a lot of questions about how secure sites hosted at the <a href=\"http:\/\/flyingcircus.io\">Flying Circus<\/a> are. As security has many aspects, I would like to focus on one question in this post: How secure is our HTTPS encryption? In other words, is it likely that some third party sitting in the transmission path is able to decrypt traffic between our server and the user&#8217;s browser?<\/p>\n<p>We have checked everything twice to ensure a good level of security with the default configuration of our web server role. Of course no-one can guarantee absolute security, but this is what we do currently:<\/p>\n<ul>\n<li>We have improved the web server configuration so that HTTPS web sites still maintain an &#8216;A&#8217; rating at <a href=\"https:\/\/www.ssllabs.com\/ssltest\/\">SSL Labs<\/a>. They have recently tightened their check criteria in the light of Snowden&#8217;s revelations on NSA practices. An &#8216;A&#8217; rating means that the encryption is still very hard to break.<\/li>\n<li>We use only open-source software. There are reports that secret services try to get <a href=\"http:\/\/www.wired.com\/threatlevel\/2013\/09\/nsa-router-hacking\/\">back doors into security products<\/a> to intercept traffic\u00a0<em>after<\/em> it has been decrypted. Commercial security devices are a black box: You must trust them not to forward your data elsewhere. In contrast, open source software uses only published source code. The sources are read and used by a world-wide community of developers, who are in general very security aware. We compile the source code by ourselves. Although it might be possible to hide an cuckoo&#8217;s egg in the source code so advanced that it does even not get recognized by experts, this is highly unlikely.<\/li>\n<li>We are in the process of switching on <a href=\"https:\/\/en.wikipedia.org\/wiki\/HTTP_Strict_Transport_Security\">HTTP Strict Transport Security<\/a> (<a href=\"https:\/\/tools.ietf.org\/html\/rfc6797\">HSTS<\/a>) for all HTTPS-only sites. This means that web browsers are told to reject unencrypted connections to such a site.<\/li>\n<li>We employ <a href=\"https:\/\/en.wikipedia.org\/wiki\/Perfect_forward_secrecy\">perfect forward secrecy<\/a> (PFS). This means that even when captured (encrypted) traffic is stored and there will be a decryption attack available in the future, past traffic will still be undecipherable. Note that not all browsers support PFS; for example, some old IE versions on Windows XP feature only insufficient crypto. We think that it is better to reject encrypted connections from broken systems than lulling users into a false sense of security.<\/li>\n<\/ul>\n<p>What is not so good currently:<\/p>\n<ul>\n<li>We are not able to support the newest encryption suite <a href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security\">Transport Layer Security 1.2<\/a> (<a href=\"https:\/\/tools.ietf.org\/html\/rfc5246\">TLS 1.2)<\/a>. To get this running, we must upgrade some shared libraries which are central to our OS deployment. This will probably take place during our next major OS upgrade at the end of the year. TLS 1.2 is more resistant against some advanced attacks but is not supported by all browsers.<\/li>\n<\/ul>\n<p>To summarize: we have implemented decent security measures to prevent third parties to decipher encrypted web traffic. Our &#8216;A&#8217; rating with SSL Labs is better than the majority of web sites today. There is still a library upgrade pending, but we have it already on our list.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We now know that the secret services employ extended eavesdropping techniques to scan and analyze nearly all Internet traffic. This worries us since we want to keep our customers&#8217; data confidential. We get a lot of questions about how secure sites hosted at the Flying Circus are. As security has many aspects, I would like &hellip; <a href=\"https:\/\/blog.gocept.com\/2013\/10\/17\/improving-http-security-at-the-flying-circus\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Improving HTTP security at the Flying Circus&#8221;<\/span><\/a><\/p>\n","protected":false},"author":11966441,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[10221],"tags":[13734460,164265,801],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pFP3y-m3","jetpack-related-posts":[{"id":247,"url":"https:\/\/blog.gocept.com\/2012\/10\/25\/introducing-the-flying-circus\/","url_meta":{"origin":1367,"position":0},"title":"Introducing the &#8220;Flying Circus&#8221;","author":"Daniel Havlik","date":"October 25, 2012","format":false,"excerpt":"We have been busy in the last months to improve the presentation of our hosting and operations services a lot - and if you attended the Plone Conference in Arnhem, you may have noticed some bits and pieces already: T-Shirts, nice graphics, a new logo, etc.When pondering how to name\u2026","rel":"","context":"In &quot;en&quot;","block_context":{"text":"en","link":"https:\/\/blog.gocept.com\/category\/en\/"},"img":{"alt_text":"Image","src":"https:\/\/i0.wp.com\/blog.gocept.com\/wp-content\/uploads\/2012\/10\/flying-circus-mainvisual-ohg-transp-rgb-lowres.jpeg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.gocept.com\/wp-content\/uploads\/2012\/10\/flying-circus-mainvisual-ohg-transp-rgb-lowres.jpeg?resize=350%2C200 1x, https:\/\/i0.wp.com\/blog.gocept.com\/wp-content\/uploads\/2012\/10\/flying-circus-mainvisual-ohg-transp-rgb-lowres.jpeg?resize=525%2C300 1.5x"},"classes":[]},{"id":1246,"url":"https:\/\/blog.gocept.com\/2013\/03\/03\/how-we-organize-large-scale-roll-outs\/","url_meta":{"origin":1367,"position":1},"title":"How we organize large-scale roll-outs","author":"Daniel Havlik","date":"March 3, 2013","format":false,"excerpt":"In the coming week we will deploy an extensive OS update to our production environment which (right now) currently consists of 41 physical hosts running 195 virtual machines. Updates like this are prepared very carefully in many small steps using our\u00a0development and staging setups that reflect the exactly same environment\u2026","rel":"","context":"In &quot;en&quot;","block_context":{"text":"en","link":"https:\/\/blog.gocept.com\/category\/en\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1444,"url":"https:\/\/blog.gocept.com\/2014\/07\/21\/flying-circus-at-europython-2014\/","url_meta":{"origin":1367,"position":2},"title":"Flying Circus at EuroPython 2014","author":"","date":"July 21, 2014","format":false,"excerpt":"If you're attending EP14, be sure to visit our Flying Circus\u00a0booth at BCC level A! We're here to discuss web operations. Managed hosting is only as good as the people behind it. So just walk over, test us, ask any question related to web operations!\u00a0Additionally, we have some demo VMs\u2026","rel":"","context":"In &quot;en&quot;","block_context":{"text":"en","link":"https:\/\/blog.gocept.com\/category\/en\/"},"img":{"alt_text":"Flying Circus boot at EP14","src":"https:\/\/i0.wp.com\/blog.gocept.com\/wp-content\/uploads\/2014\/07\/dscn1363.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.gocept.com\/wp-content\/uploads\/2014\/07\/dscn1363.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/blog.gocept.com\/wp-content\/uploads\/2014\/07\/dscn1363.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":1873,"url":"https:\/\/blog.gocept.com\/2016\/10\/26\/towards-restrictedpython-3\/","url_meta":{"origin":1367,"position":3},"title":"Towards RestrictedPython 3","author":"Michael Howitz","date":"October 26, 2016","format":false,"excerpt":"The biggest blocker to port Zope to Python 3 is\u00a0RestrictedPython. What is RestrictedPython? It is a library used by Zope to restrict Python code at instruction level to a bare minimum of trusted functionality. It\u00a0parses and filters the code for not\u00a0allowed constructs (such as\u00a0open()) and adds wrappers around\u00a0each access on\u2026","rel":"","context":"In &quot;en&quot;","block_context":{"text":"en","link":"https:\/\/blog.gocept.com\/category\/en\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.gocept.com\/wp-content\/uploads\/2016\/10\/zope-is-not-dead.jpg?fit=1200%2C658&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.gocept.com\/wp-content\/uploads\/2016\/10\/zope-is-not-dead.jpg?fit=1200%2C658&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/blog.gocept.com\/wp-content\/uploads\/2016\/10\/zope-is-not-dead.jpg?fit=1200%2C658&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/blog.gocept.com\/wp-content\/uploads\/2016\/10\/zope-is-not-dead.jpg?fit=1200%2C658&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/blog.gocept.com\/wp-content\/uploads\/2016\/10\/zope-is-not-dead.jpg?fit=1200%2C658&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":85,"url":"https:\/\/blog.gocept.com\/2011\/06\/27\/no-luck-with-glusterfs\/","url_meta":{"origin":1367,"position":4},"title":"No luck with glusterfs","author":"","date":"June 27, 2011","format":false,"excerpt":"Recently, we've been experimenting with glusterfs as an alternative network storage backing our VM hosting. It looked like a very promising candidate to replace our current iSCSI stack: scale-out with decent performance, mostly self-configuring, self-replicating, self-healing. And all of this out-of-the-box without complex setup. In contrast, the conventional architecture with\u2026","rel":"","context":"In &quot;en&quot;","block_context":{"text":"en","link":"https:\/\/blog.gocept.com\/category\/en\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1431,"url":"https:\/\/blog.gocept.com\/2014\/04\/11\/heartbleed-bug-and-the-flying-circus\/","url_meta":{"origin":1367,"position":5},"title":"Heartbleed bug and the Flying Circus","author":"","date":"April 11, 2014","format":false,"excerpt":"tl;dr: The Flying Circus is not affected by the Heartbleed bug As reported by several media there is a serious bug in the OpenSSL library, widely known as the Heartbleed bug. The bug was introduced in the OpenSSL development tree on January 1st, 2012 and was finally released with OpenSSL\u2026","rel":"","context":"In &quot;en&quot;","block_context":{"text":"en","link":"https:\/\/blog.gocept.com\/category\/en\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/blog.gocept.com\/wp-json\/wp\/v2\/posts\/1367"}],"collection":[{"href":"https:\/\/blog.gocept.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.gocept.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.gocept.com\/wp-json\/wp\/v2\/users\/11966441"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.gocept.com\/wp-json\/wp\/v2\/comments?post=1367"}],"version-history":[{"count":26,"href":"https:\/\/blog.gocept.com\/wp-json\/wp\/v2\/posts\/1367\/revisions"}],"predecessor-version":[{"id":1430,"href":"https:\/\/blog.gocept.com\/wp-json\/wp\/v2\/posts\/1367\/revisions\/1430"}],"wp:attachment":[{"href":"https:\/\/blog.gocept.com\/wp-json\/wp\/v2\/media?parent=1367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.gocept.com\/wp-json\/wp\/v2\/categories?post=1367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.gocept.com\/wp-json\/wp\/v2\/tags?post=1367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}