Note: [04/14/14] Today I was contacted by GlobalSign representative Gregory who stumbled over this blog post, and he was so kind to revoke the affected certs free of charge. He also added, in response to my summary below, that there is an option in the Chrome settings to enable revocation checking, and that beginning April 1, 2015, GlobalSign will restrict the maximum validity of then-issued certs to 39 months.
So the Heartbleed bug (CVE-2014-0160) is out, and every administrator using SSL to protect his infrastructure has been wondering the same thing: should I absolutely, positively, without a doubt, replace all certificates and associates keys?
The only reasonable answer is: yes – if you used certificates on a vulnerable machine. Even those in disbelief were quickly proven wrong.
The first thing I did was to patch all impacted OpenSSL instances and restart the services that depend on the OpenSSL library (that includes not only HTTP but also MTA and IMAP, among others). That was the easy part.
What followed was a major pain with my certificate authority and one of its partners.
Windows doesn’t automatically reconnect VPN connections when you resume from standby mode. Sometimes this can be annoying – for instance when you are using someone else’s Internet and want to make sure that your connection is always secured through the VPN. To fix this, I created a task that automatically connects to a predefined VPN whenever you resume Windows.
It’s raining outside. It has been cold and gloomy in the last couple days. Since I cannot afford going to a sunny, remote beach right now, the best I can do is load one of the below webcams and watch ocean waves crash onto the sand. Pathetic I know.
The following live streams are from the Earthcam Network. They are pretty well known, and there are quite a few other blogs listing at least some of these streams. With one big difference: All the lists I’ve seen link to them using the Real Time Messaging Protocol (RTMP) protocol. The biggest drawback is that RTMP only works in Flash. But who wants to do Flash these days? Fortunately, Earthcam streams are powered by the Wowza Media Server, which includes support for other protocols as well. So after some food for thought I was able to find the following links which all point to the AVC/H.264 streams using standard HTTP. This means they should be compatible with a wide range of popular video players (I am using MPlayer).
Did you follow the guide how to install strongSwan 5 on Debian Wheezy? You may have noticed that strongSwan doesn’t automatically start when you reboot the server (tested with 5.1.0-3~bpo70+1). The fix requires a small modification to
udpnat is a useful tool to figure out the optimal interval for sending out UDP keepalive packets in a specific environment. From the description:
Today I ran into a problem with IPsec Xauth PSK and the built-in Android VPN client (Android 4.1.2), resulting in some sites (such as www.yahoo.com) not loading through the VPN tunnel. Turns out I was dealing with MTU issues. When the Android VPN is started, it sets the MTU to 1500 on the tun0 interface:
Update 04/20/2014: Adjusted to take into account the modular configuration layout introduced in strongSwan 5.1.2. Tweaked cipher settings to provide perfect forward secrecy if supported by the client.
This article is a step by step guide on how to prepare strongSwan 5 to run your own private VPN, allowing you to stop snoopers from spying on your online activities, to bypass geo-restrictions, and to circumvent overzealous firewalls.