Pronunciation of names and places in C.J. Cherryh’s “Foreigner” books

Author C. J. Cherryh is one of the last great living masters of science fiction, easily on a par with Clarke, Herbert, or Wolfe. Her strength is in building worlds populated with believable humans and non-humans, and then writing those characters in such a way that the reader ends up deeply empathizing with them—even the most alien of aliens.

Her best-known works are the long-running Alliance-Union novels, which taken together describe a war-filled future history epic of the expansion of humankind off of Earth and into the rest of the galaxy. However, for the past couple of decades Cherryh has been focusing on a different series altogether: the Foreigner books.

The series (starting with Foreigner) tells the tale of a lost human colony ship forced to take permanent refuge at a far-off world populated by heretofore undiscovered aliens: the three-meter-tall, black-skinned atevi. Atevi don’t experience the same emotions as humans and have an innate perception of numbers that’s described as roughly analogous to the human perception of color. Humanity and atevi are similar enough that they quickly establish cordial relations, and different enough that war is inevitable.

But I’m not going to do a whole series recap—we’d be here forever, since the series at this point consists of 19 books with at least two more to come. Instead, I want to focus on a very touchy subject, and one about which readers of the books will no doubt have very spiky feelings: pronunciation of names and places.

N.B. Folks who haven’t read at least one Foreigner book should probably bail on this entry, because this post probably isn’t going to be super-interesting unless you’ve already got some Ragi words bouncing around in your head.


Farewell to HPKP, hello to DNS-01 and ECDSA

A few months back I switched on HTTP public key pinning, a security scheme designed to make it more difficult for attackers to do nefarious things with the BigDino web server. HPKP is difficult to implement and comes with a long list of configuration pitfalls—and, as of today, I’m done with it.

Sixty-one days ago I stopped sending out HPKP headers, which I’d set to a sixty day duration. This morning, I ripped out the scaffolding of Certbot scripts and cron jobs that kept LetsEncrypt running properly with HPKP, and replaced them all with the blissful simplicity of Neilpang’s acme.sh coupled with DNS-based validation.


Grieving over the death of StartSSL

What was once the web’s best source for free SSL/TLS certificates and affordable-by-normal-humans wildcard certs is dead, killed by shitty unethical behavior by a shitty company called WoSign. So thanks, WoSign—thanks for wrecking StartCom and their StartSSL service. You destroyed something wonderful and useful to millions of people. Hope it was worth it, dicks.

If there’s an upside to this mess, it’s that Let’s Encrypt has mostly made StartSSL redundant. Where StartSSL was once the only place to go if you wanted free certificates, LE now fills that gap—very successfully, too. And LE will begin offering free wildcard certificates starting in 2018, so that’s another need fulfilled.

But man, I am going to miss the hell out of StartCom and StartSSL.


Ghost hits 1.0: Reflections on three years of Ghost blogging

In September 2013, after years of light blogging with Jekyll via Octopress, I switched to a very sexy-looking new blogging platform called Ghost. Ghost was written with Node.JS and promised to be fast and efficient, with a minimalist writing interface and a slick looking dashboard.

I wrote up the platform in a quick article for Ars shortly after the public beta became available. The new and shiny had won me over, and I ditched Octopress and converted everything to Ghost.

But development took far longer than anyone anticipated. Essential blog features like post scheduling lagged; others, like customizable excerpts or the ability to center images without resorting to manual HTML and CSS entry still haven’t shown up. And that slick dashboard? Canceled.


Making LetsEncrypt work with HPKP and leaf-pinning

Note: I no longer use key pinning and support for the feature is deprecated in Chrome. Proceed at your own risk.

Public key pinning is scary. The technology’s purpose is to allow website owners to include a cryptographic fingerprint in outgoing HTTP headers that corresponds with the fingerprint of the server’s certificate; if the fingerprint in the headers doesn’t match the actual fingerprint, it could be evidence that something nefarious is going on. You might be the victim of a MITM attack, or the site might have been compromised, or you might be accessing a fake version of the site that has a legitimate (but falsely-issued) SSL/TLS certificate.

The scary part is that as with HSTS, a mistake with your HPKP configuration can make your site unreachable—potentially for a long time.


Finally moving to LetsEncrypt with HAProxy, Varnish, and Nginx

Poor StartCom. Since 2009—ever since I read Glenn Fleishman’s Ars piece on how to get free SSL/TLS certificates—StartCom has been my go-to for certs. Most welcome has been StartCom’s pricing on wildcard certs (that is, certificates for *.yourdomain.com, allowing you to use a single certificate for everything, if you desire). While other certificate authorities charge rigoddamndiculous prices for individual wildcard certs, StartCom gives you unlimited wildcard certs for the price of a single $60 identity validation (yes, you read that correctly). It has always been and remains an unbeatable deal. Literally. No one else comes close. Buying wildcard certs w/StartCom felt like I’d discovered an Internet cheat code.

Then a Chinese company called WoSign bought StartCom and started doing shady stuff—including, most egregiously, issuing and backdating certificates to try to circumvent the upcoming mass SHA-1 deprecation. The response has been swift and devastating: WoSign and StartCom’s certs will become untrusted by major web browsers (details on exactly what that means can be read here).

Which means, after eight years, I needed to find a new CA. And with how heavily I’ve leaned on wildcard certs, it wasn’t looking good.


A working Varnish 4 config for WordPress 4.4

Adapting my extremely crufty Varnish 3.x config to Varnish 4 took most of a weekend. I found a great VCL3-to-4 script on github that did a lot of the heavy lifting, but there were a lot of little things to chase down and fix; the VCL syntax between versions 3 and 4 is juuuust different enough to cause headaches. One of the major stumbling blocks was adapting the WordPress configuration that I’d been using forever and ever; it turns out that revisiting it was a really good idea, because I’m a lot happier with WordPress VCL now than I was before.


WordPress, Varnish, Jetpack, and SSL/HSTS

If you’re self-hosting WordPress on the HAProxy + Varnish + Nginx stack we’ve long talked about here at BigDino, you might have run into a few configuration quirks during set-up that went outside the scope of our blog entries a bit. One of those quirks is getting WordPress working with Jetpack, a WordPress plugin by the WordPress folks that adds a whole dump truck’s worth of extra management features and functionality to self-hosted WordPress.


HTTPS and HSTS with Varnish, thanks to HAProxy

(Now updated to work with HAProxy 1.6.x!)

The unencrypted web is on the way out. We made the switch here at BigDino Central to all-HTTPS a few weeks ago, but doing so brought with it a problem: how can we keep using Varnish cache with HTTPS traffic? The answer turned out to be by adding another layer into the web stack—and now we’re using HAProxy to terminate SSL. It wasn’t difficult to set up, and it works for all the different sites we host on our one physical web server.

Keeping Varnish in the mix felt important, because we’ve been using it for a few years (wow, has it been that long?), and it’s a neat tool that’s helped the site bear up under some crazy Reddit- and Ars-driven traffic storms. But the nature of Varnish means that out of the box it won’t help you with HTTPS traffic. Because the HTTPS negotiation happens between the end user and Nginx—which sits below Varnish in the stack—all Varnish sees of HTTPS traffic is the encrypted side, and you can’t cache what looks like an unending string of unique, encrypted nonsense.


Why leave Octopress for Ghost?

More than one person has e-mailed me in the past few months asking why I switched away from Octopress—which I was initially so excited about!—to Ghost. Octopress, after all, has a lot of attractive qualities—it can live on Github (though I’ve never bothered with that functionality); you can write blog posts in vim; it uses static pages rather than requiring PHP or Node or something running behind the scenes to generate stuff.

After a year of semi-regular blogging with Octopress, though, I was just kind of…bored with it. The official Octopress blog hasn’t received an update since July 2011, only a few months before I actually started using Octopress myself. Blogging with vim and banging out a static site and pushing it via rsync was cool, but ultimately it just wasn’t as convenient as I’d wanted it to be, and the longer I went between blog entries, the more of Octopress/Jekyll’s liquid tags I’d have to go look up again.

And so…Ghost.
