Tag Archives: ipv6

SSL everywhere

One of my new years resolutions was to put more crypto into the world. Be it because of state actors, or rogue ISPs, I think the world would be a better place with a bit more cryptography in it.

As part of this, I just converted the two websites that I run, dague.net and mhvlug.org to SSL only. I’d had an SSL cert on the admin portion of dague.net for a while, but decided there was no reason to not make all traffic SSL.

Getting Certs

You can get certificates tons of places. I had bought a $12/yr cert for dague.net through namecheap. For mhvlug.org I used startssl, which provides free 1yr certs for individual hosts. They have a process for signing up, doing some automatic verification that you own the domain in question, and then you are off to the races. Their process is about as easy as SSL management tends to be, and there are good instructions for installing the cert into Apache.

IPv4 setup

SSL comes from a time when the IPv4 namespace looked small, but manageable. Before it became clear that the median # of IP addresses per human on earth would be 5 – 10. Oh how naive we were.

As such, the base protocol has no equivalent of vhosts, which means 1 hostname == 1 ip address. dague.net and mhvlug.org live on the same linode, which means I need to carry a second IPv4 address for compatibility.

In 2006 there was an approved extension to TLS call SNI (Server Name Indication), which would bring SSL to the world of vhosting. It’s largely supported, however there are some substantial holdouts, including:

  • Android < 3 – there are enough Android 2 devices out there yet that I don’t want to kill that off
  • Python < 3.3 – fixing this in 2.x was considered a “feature” and rejected, which means Python 2.x automation tools are directly an impediment to SSLing the web, as any python web service clients will fail unless they are on Python 3.3. (We seriously need a Python 2.8)

IPv6 setup

Both of these domains are IPv6 enabled. In Apache this means you need to duplicate the SSL configuration for IPv6 as well. Oh, and you need a couple more IPs (I only had 1 on the box). Linode helpfully allocated me a /64 for my box, so now I can IPv6 to my hearts content.

What stands behind us and an all SSL internet?

SSL setup is a little harder than just throwing up a web server. That being said, it’s not that bad. I realistically think the IPv4 shortage and the failure by thing like python to fix the issue in the version people have deployed, is a real problem. Because basically bots won’t be able to find these sites, they’ll fail back to the default site.

At this point I’m not going to launch anything new that’s not SSL enabled. SSL should be our default as the internet community, and right now it only costs a small amount of time and an extra IP address.

IPv6 no longer optional

The Internet Engineering Task Force (IETF), which for all intents and purposes is the standards body of the Internet Protocol, has declared that “IPv6 is no longer considered optional.”

This has been coming for a long time, but because we have a generation of technologists that have been hearing IPv6 for ever, and it not materializing, people blow it off. No more.

As an interesting side bar, there was a great talk from Radio Free Asia last week at the OpenStack conference, and one of his challenges was not being able to get enough IP (IPv4) addresses in offices in Asia. Human rights software already needs to be IPv6 capable, otherwise you can’t install it in the locations you need it.