SSL Certificate Update Runs In Background Successfully Now.

For the parts of my Web-site – that have nothing to do with my blog – which use SSL, I have been subscribing to certificates from ‘Let’s Encrypt‘. These certificates have as their basis a ‘Certbot‘ robot, that runs on each subscribing server, and that tries to renew certificates when the time has come to do so.

On some past occasions, this robot has failed to do this in the background, requiring that I manually restart my Apache Web-server.

Due to the recent ‘normalization’ of my server-configuration – setting Apache to listen on port 443 again – I’m happy to find out that the Certbot has renewed my SSL Certificate as a background task, without requiring my manual participation, and that it was able to restart Apache as well, without resulting in any disruption to the availability of my blog to readers. Yay!
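The failure mode described above (Certbot renews the file on disk, but Apache is never reloaded and keeps serving the old certificate) is easy to detect from outside: compare the fingerprint of the renewed file with the fingerprint of the certificate the live server presents. The following is an added example, not code from the post or from Certbot; the host name and file path are command-line arguments and the `/etc/letsencrypt/live/...` path in the usage comment is only the conventional location, an assumption rather than a value from the page.

```python
"""Check that the certificate a web server is actually serving matches the
certificate file Certbot renewed on disk (added example, not from the post)."""
import base64
import hashlib
import ssl
import sys


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in PEM armour. Used here to build constructed test
    fixtures; real input comes from the certificate file on disk."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, which is what a certificate fingerprint
    is conventionally computed over (same value `openssl x509 -fingerprint
    -sha256` prints, without the colons)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def same_certificate(on_disk_pem: str, served_pem: str) -> bool:
    """True when the renewed file and the served certificate are identical."""
    return fingerprint(on_disk_pem) == fingerprint(served_pem)


def served_certificate(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate the live server presents (needs network)."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # Usage (paths are assumptions, adjust to your setup):
    #   python check_cert.py www.example.org /etc/letsencrypt/live/www.example.org/cert.pem
    if len(sys.argv) != 3:
        print(f"usage: {sys.argv[0]} HOST CERT_PEM_PATH")
        sys.exit(2)
    host, path = sys.argv[1], sys.argv[2]
    with open(path) as f:
        on_disk = f.read()
    live = served_certificate(host)
    if same_certificate(on_disk, live):
        print("OK: served certificate matches the renewed file")
    else:
        print("STALE: server is still presenting a different certificate; reload it")
        print(f"  on disk: {fingerprint(on_disk)}")
        print(f"  served:  {fingerprint(live)}")
```

Run it a few minutes after Certbot's renewal timer fires; a STALE result means the renewal succeeded but the reload hook did not, which is exactly the case that used to need a manual Apache restart.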

Dirk


Experimenting with Tor

I own an old, beat-up laptop I name ‘‘, from circa 2005. And with this laptop, I am exploring the fantasy that it should be configured to connect to the Internet, entirely using ‘‘. I am trying to replicate what the USB-stick is said to do, but in the hopes that my own achievements will be more credible. You see, I doubt that really accomplishes what it claims to accomplish.

I have to admit, that I really have no idea, what that old laptop is supposed to do, once it is connected via . This just seems like a fun project. And, there exist few services today, which will just let people connect via . What one can do is browse, using a Web-browser, and not use Google, because the geolocation services of Google tend to blacklist most of the exit nodes of .

But, wanting one additional ability, I also decided that should connect to a less-important email server of mine via IMAP, and through . What I discovered, was that the email client I was using for this does not itself support a Proxy, through its own GUI. And so I read that some command-line utilities exist for Linux, which will force the programs specified to use such a proxy.

The first utility I tried was called ‘‘. But there is a caveat with this utility, that people fail to point out. It will negotiate the email client to connect to Port 143 in plain-text, rather than in cipher-text. I had not noticed this, until my laptop had connected to my email service, in plain-text in fact. This means that a corrupt exit node would have been able to sniff my password.
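The exposure described above comes down to one ordering question on port 143: was a LOGIN or AUTHENTICATE command sent before a STARTTLS command was acknowledged with OK? On port 993 the whole stream is implicitly TLS, so there is nothing to flag. The check below, an added example that is not from the post and names no real proxy utility, runs that rule over a constructed client-side IMAP transcript (lines prefixed `C:` and `S:`, as a mail client's debug log would show them); it flags a session as cleartext authentication when credentials went out before TLS was in place, which is the condition that lets a malicious exit node read them.

```python
"""Flag IMAP sessions in which credentials were sent before TLS was
established (added example, not from the post). Transcript lines are
'C: <tag> <command> ...' for the client and 'S: <tag> <status> ...' for
the server; the samples at the bottom are constructed."""
from dataclasses import dataclass

AUTH_COMMANDS = ("LOGIN", "AUTHENTICATE")


@dataclass
class Finding:
    port: int
    cleartext_auth: bool
    reason: str


def audit_imap_session(port: int, transcript: list[str]) -> Finding:
    """Return whether an authentication command was issued over cleartext."""
    # Port 993 is implicit TLS: the stream is encrypted from the first byte.
    if port == 993:
        return Finding(port, False, "implicit TLS on port 993")
    tls_active = False
    pending_starttls = None  # tag of a STARTTLS command awaiting the server's OK
    for line in transcript:
        side, _, msg = line.partition(" ")
        parts = msg.split()
        if len(parts) < 2:
            continue
        if side == "C:":
            tag, cmd = parts[0], parts[1].upper()
            if cmd == "STARTTLS":
                pending_starttls = tag
            elif cmd in AUTH_COMMANDS and not tls_active:
                return Finding(port, True, f"{cmd} sent before STARTTLS completed")
        elif side == "S:" and pending_starttls is not None:
            # Only a tagged OK for the STARTTLS command upgrades the connection;
            # a NO/BAD leaves it in cleartext, and a later LOGIN is still exposed.
            if parts[0] == pending_starttls:
                tls_active = parts[1].upper() == "OK"
                pending_starttls = None
    return Finding(port, False, "no cleartext authentication seen")


# Constructed sample transcripts (not captured traffic).
PLAINTEXT_LOGIN = [
    "S: * OK IMAP4rev1 server ready",
    "C: a001 LOGIN user@example.test hunter2",
    "S: a001 OK LOGIN completed",
]
STARTTLS_THEN_LOGIN = [
    "S: * OK [CAPABILITY IMAP4rev1 STARTTLS] server ready",
    "C: a001 STARTTLS",
    "S: a001 OK Begin TLS negotiation now",
    "C: a002 LOGIN user@example.test hunter2",
    "S: a002 OK LOGIN completed",
]
STARTTLS_REFUSED = [
    "S: * OK IMAP4rev1 server ready",
    "C: a001 STARTTLS",
    "S: a001 NO STARTTLS not available",
    "C: a002 AUTHENTICATE PLAIN",
]

if __name__ == "__main__":
    for name, port, lines in [
        ("plain login on 143", 143, PLAINTEXT_LOGIN),
        ("starttls then login on 143", 143, STARTTLS_THEN_LOGIN),
        ("starttls refused on 143", 143, STARTTLS_REFUSED),
        ("implicit tls on 993", 993, PLAINTEXT_LOGIN),
    ]:
        print(f"{name}: {audit_imap_session(port, lines)}")
```

The same rule is what a mail client's own configuration should enforce: on port 143 require STARTTLS and refuse to authenticate if the upgrade fails, or use port 993 so the question never arises regardless of what any proxy wrapper does with the connection.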

This is the full extent to which I was compromised. There was really no other sign, that anybody might have tried to connect to my (subscribed, paid-for) email server, in my place. But such a single exposure was more than what I was willing to let sit.

So I immediately changed the password of this subscribed, paid-for email service, to a much harder password, before anybody else got the chance, and I am still able to use that email address fully.

But then the question lingers in my head, of how I might nevertheless connect to it via . There exists another command-line utility named ‘‘, which claims to tunnel all the TCP/IP connections of its designated program, through the Proxy, without analyzing what types of authentication may be taking place.

I tried to use as described, but only found the comforting message, that the stream could not reach the IMAP server in question. So here there was no evidence that the utility in question actually breaks TLS encryption.

But ultimately, I would still not feel comfortable using , after the experience I had with , because I need to take the idea that does not break encrypted protocol, entirely on the words of software-authors who I cannot ultimately trust. These are specialists after all. Even might eventually compromise my connection-security, even though it is not supposed to.

And so my little laptop remains useless, from any practical perspective.

Dirk
