
#26 2019-03-04 23:46:34

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: SOLVED: Securing a home network

I do agree that finding out how certificates and their chains work is a useful learning exercise (and used to be mandatory), but nowadays with the advent of free SSL certificates from Let's Encrypt it's a no-brainer to get properly trusted certificates instead of setting up your own infrastructure.

I rent a VPS for $5 a month that runs a mailserver and several websites amongst other things. Everything runs under its own subdomain with separate, fully trusted automatically renewing certificates. As long as you own a domain it's possible for anyone to set up free secure communications for all of their services.

The best ciphers and protocols to use change on a regular basis as threats and then patches emerge. The best places to look for up-to-date information are usually the browser vendors; Mozilla has a good page here, for example.

That's just reminded me, I haven't audited my server recently so here we go... Last time I checked it was doing pretty well...

https://bbs.archlinux.org/viewtopic.php … 7#p1741847
https://www.ssllabs.com/ssltest/analyze … lithery.uk

Yep. Still at A+ on my webserver configuration according to SSL Labs :)


No, it didn't "fix" anything. It just shifted the brokenness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan


#27 2019-03-05 00:21:58

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: SOLVED: Securing a home network

@Slithery, I can't agree with you when it comes to a local/intranet; the trust of a self-signed chain is infinite compared to using a CA from an outside party.
Why would you want a party in the middle checking if your certificate is valid when you can do that yourself?
You'd need a dummy domain at least, and for what? I wouldn't go that path if not needed ;)

Now when it comes to a web-facing server you make a point and need that outside CA to verify if we can trust whatever we connect to, a website F.I.

Hey, everyone is free to do what he/she wants to; trust is a value worth everything or nothing, everyone's own choice in the end ;)

edit: I know I 'sound' hard, like it's all or nothing, probably not but if I treat it like that there's also very little reason for doubt/uncertainty, at least for me and maybe others...

Last edited by qinohe (2019-03-05 00:40:42)
