Woohoo! New SSL Cert (4096 key)

Since all of our HTTPD traffic is forced to SSL, a valid certificate is required to prevent visitors to Erowid.org and EcstasyData.org from seeing a very nasty error message when trying to access the sites. With an expiration date looming, it was time to renew Erowid.org’s low-end SSL certificate. Why low end? Because we consider the browser certificate authority to be an illegal global racket.

First, the good news. Check out our “A” rating from Qualys SSL Labs:

[Image: SSL Labs A Rating of Erowid HTTPD Server Security]

We mostly achieved this a couple of years ago when our sysadmin team worked to eliminate all of the basic problems, like removing support for dangerously weak encryption ciphers and forcing more secure handshake methods. If you look at the Qualys report, you’ll also see that our server doesn’t allow the known-broken encryption algorithms.
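As an added illustration of the kind of cleanup described above (this is example code, not Erowid’s configuration or tooling), here is a small shell audit of Apache mod_ssl directives. It assumes the Apache directive names SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder and a Strict-Transport-Security header for forced HTTPS; both config fragments are constructed samples, one in the legacy style SSL Labs marks down and one with SSLv3 and the weak cipher families explicitly removed.

```shell
#!/bin/sh
# Added example, not Erowid's own configuration or tooling: a small audit of
# Apache mod_ssl directives for the legacy settings the post describes removing.
# Both config fragments below are constructed samples.

# Constructed sample 1: the kind of config SSL Labs marks down.
WEAK_CONF='
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!aNULL
SSLHonorCipherOrder off
'

# Constructed sample 2: SSLv3 subtracted, export/RC4/DES/MD5/NULL suites
# excluded, server chooses the cipher, HSTS so browsers stop using http://.
HARDENED_CONF='
SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=31536000"
'

# directive_value CONFIG_TEXT DIRECTIVE -> arguments of the last matching
# directive (last one wins, as in Apache); empty if it is not set
directive_value() {
    printf '%s\n' "$1" | awk -v d="$2" '
        tolower($1) == tolower(d) { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); v = $0 }
        END { print v }'
}

# audit_ssl_conf CONFIG_TEXT -> prints one line per finding; the exit status
# is the number of findings, so 0 means clean
audit_ssl_conf() {
    conf=$1
    findings=0

    proto=$(directive_value "$conf" SSLProtocol)
    if [ -z "$proto" ]; then
        echo "SSLProtocol not set; relying on the Apache default"
        findings=$((findings + 1))
    else
        case " $proto " in
            *" -SSLv3 "*) ;;                                   # explicitly subtracted
            *" all "*|*" ALL "*|*" SSLv3 "*|*" +SSLv3 "*)     # catch-all, or SSLv3 named
                echo "SSLProtocol '$proto' still permits SSLv3 (POODLE)"
                findings=$((findings + 1)) ;;
            *) ;;                                              # explicit TLS-only list
        esac
    fi

    # This audit expects the subtractive cipher style (a positive list plus
    # !exclusions): each weak family has to be excluded by name.
    ciphers=$(directive_value "$conf" SSLCipherSuite)
    for weak in RC4 DES 3DES MD5 EXPORT eNULL aNULL; do
        case ":$ciphers:" in
            *":!$weak:"*) ;;
            *) echo "SSLCipherSuite does not exclude $weak"
               findings=$((findings + 1)) ;;
        esac
    done

    case "$(directive_value "$conf" SSLHonorCipherOrder)" in
        [Oo][Nn]) ;;
        *) echo "SSLHonorCipherOrder is not on: the client picks the cipher"
           findings=$((findings + 1)) ;;
    esac

    if ! printf '%s\n' "$conf" | grep -iq 'Strict-Transport-Security'; then
        echo "no Strict-Transport-Security header: browsers are not pinned to https://"
        findings=$((findings + 1))
    fi

    return "$findings"
}

echo "== weak sample =="
audit_ssl_conf "$WEAK_CONF" || echo "-> $? finding(s)"
echo "== hardened sample =="
audit_ssl_conf "$HARDENED_CONF" && echo "-> clean"
```

Run it against a real httpd.conf by passing `"$(cat /path/to/ssl.conf)"` to audit_ssl_conf. The check is deliberately strict about the subtractive cipher style: a whitelist of named suites with no `!` exclusions is flagged too, which is a reasonable prompt to look at it by hand rather than a verdict.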

And, as of today, we’re trying out a 4096-bit key. Many of the sites I looked at suggested that the CPU load cost of doing the key negotiation wasn’t worth the extra security, but JL, our main sysadmin, said we should give it a try. We’ll watch the server load over the next week or two, but right now it seems fine.

As for the rant about the global criminal conspiracy that is the certificate authority, well, I will leave that to others. To be clear, I think it’s all a money scam, facilitated by the browser folks.

We chose to buy a cheap chained certificate because of the usurious pricing of the better, greener, happier certificates. They punish us by making the URL bar not as pretty and also making the certificate viewing experience worse. Despite the CSR having all the right info, the $50-100 per year wildcard SSL certs don’t display our organization name or location properly. Pay $200-1000 per year and, with no additional security, we would get a happy-looking green bar and Erowid displayed in the browser URL bars.

Snake oil forever.

As I was searching for an example of an expensive green bar, I discovered that trying to view the front page of CNN via SSL resulted in terrifyingly bad browser behavior. It looks like a hijack (MITM) or just fails.

[Image: I’m Glad I’m Not a CNN Sysadmin]

In early 2015, Erowid joined EFF’s HTTPS Everywhere campaign, because we believe that, today, virtually no communications should occur online in clear text. It is a sad statement about humanity that most of us, including institutions handling sensitive data about us, still use unencrypted plaintext email that can be read without a warrant and is, essentially, a public broadcast.

P.S. In an insanely conspiratorial way, I believe that the NSA and other anti-public-crypto agencies have worked to torpedo efforts over the last twenty years to get email more secure. In the United States, a fig leaf of privacy is enough to trigger Fourth Amendment protections.

New Upgraded SSL Certificates on Erowid and EcstasyData

This last week we installed upgraded security certificates on Erowid and EcstasyData.

Over the last couple of years there have been lots of new exploits and problems discovered with SSL. Although we have kept up with all the security updates as soon as they were announced (thanks to JL and Brian!), we had not upgraded our web security certificates, which would allow substantially more secure connections for browsers that request them.

The new certs are signed with SHA-2 rather than SHA-1. SHA-1 is now considered “dangerously weak” and some groups have declared that they will no longer support it by the end of 2015 (see https://www.symantec.com/page.jsp?id=sha2-transition).
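To tie the two posts together, here is an added example (not Erowid’s own renewal procedure) of generating the 4096-bit RSA key the first post tries out and a SHA-256-signed CSR of the kind a SHA-2 certificate is issued from, then reading back the key size and signature algorithm before the request goes to the CA. It assumes the openssl command-line tool is installed; the subject fields and the self-signed throwaway certificate are constructed placeholders, not Erowid’s CSR data.

```shell
#!/bin/sh
# Added example, not Erowid's own renewal procedure: generate a 4096-bit RSA
# key and a SHA-256-signed CSR, then read back the key size and the signature
# algorithm so a renewal can be checked before the CSR goes to the CA.
# The subject fields are constructed placeholders, not Erowid's CSR data.

WORK=${WORK:-$(mktemp -d)}

# make_key_and_csr BITS -> writes $WORK/server.key and $WORK/server.csr
make_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$1" \
        -out "$WORK/server.key" 2>/dev/null || return 1
    # -sha256 selects the digest used to sign the request itself; the CA
    # chooses the digest on the issued certificate, which is what to verify
    # once it comes back (signature_alg x509 below).
    openssl req -new -key "$WORK/server.key" -sha256 \
        -subj "/C=US/ST=California/O=Example Org/CN=example.org" \
        -out "$WORK/server.csr" 2>/dev/null
}

# key_bits KEYFILE -> RSA modulus size in bits, computed from the hex
# modulus so it does not depend on the wording of 'openssl rsa -text'
key_bits() {
    hex=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | cut -d= -f2)
    echo $(( ${#hex} * 4 ))
}

# signature_alg KIND FILE -> signature algorithm of a CSR (KIND=req) or a
# certificate (KIND=x509), e.g. sha256WithRSAEncryption
signature_alg() {
    openssl "$1" -in "$2" -noout -text 2>/dev/null \
        | sed -n 's/^[[:space:]]*Signature Algorithm: *//p' | head -n 1
}

# uses_sha1 ALG -> exit 0 if the algorithm name is a SHA-1 signature
uses_sha1() {
    case "$1" in
        sha1*|*SHA1*) return 0 ;;
        *) return 1 ;;
    esac
}

make_key_and_csr 4096
echo "key size:       $(key_bits "$WORK/server.key") bits"
alg=$(signature_alg req "$WORK/server.csr")
echo "CSR signature:  $alg"
if uses_sha1 "$alg"; then
    echo "WARNING: CSR is SHA-1 signed; regenerate with -sha256"
fi

# A self-signed throwaway certificate (constructed, one day of validity)
# shows the same check applied to an issued certificate.
openssl req -new -x509 -sha256 -key "$WORK/server.key" -days 1 \
    -subj "/CN=example.org" -out "$WORK/selfsigned.pem" 2>/dev/null
echo "cert signature: $(signature_alg x509 "$WORK/selfsigned.pem")"
```

On a returned certificate, `signature_alg x509 cert.pem` followed by `uses_sha1` is the check that matters for the SHA-1 deprecation; the CSR digest only shows the CA what you asked for.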

As of today, SSLLabs.com gives Erowid.org an “A”:

[Image: SSL Labs Gives Erowid A]