
Thread: How secure can my webpage be.

  1. #11
    Join Date
    Mar 2009
    Beans
    1,322

    Re: How secure can my webpage be.

    OK just as a security observation, I just messed with a garage door opener remote not too long ago. It had 10 3-position switches to set the combination. So 3^10 is 59049 combinations. I understand a standard door key (or car key) has about 10,000 combinations.

    So let's say you have a bigger exposure because your device is on the Internet. Even so, I think ssh with a required key would be more than enough here, as long as you have a secure box.

    My concern is that an rpi might not have that much of a security audit. But even so, I think you're probably not overly exposed, certainly there are other people doing the IoT thing and have had few problems if any.

    With a web page you'd want it encrypted (https) which means a certificate of some sort, otherwise anyone with a wifi sniffer could see your password and it would be busted no matter how good your password is. You could use a self-signed cert, but you'd need something.

    IMO for this sort of thing, the ssh idea sounds easier and inherently safer.
    Help stamp out MBR partition tables. Use GPT instead!

  2. #12
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How secure can my webpage be.

    Quote Originally Posted by 1clue View Post
    OK just as a security observation, I just messed with a garage door opener remote not too long ago. It had 10 3-position switches to set the combination. So 3^10 is 59049 combinations. I understand a standard door key (or car key) has about 10,000 combinations.

    So let's say you have a bigger exposure because your device is on the Internet. Even so, I think ssh with a required key would be more than enough here, as long as you have a secure box.

    My concern is that an rpi might not have that much of a security audit. But even so, I think you're probably not overly exposed, certainly there are other people doing the IoT thing and have had few problems if any.

    With a web page you'd want it encrypted (https) which means a certificate of some sort, otherwise anyone with a wifi sniffer could see your password and it would be busted no matter how good your password is. You could use a self-signed cert, but you'd need something.

    IMO for this sort of thing, the ssh idea sounds easier and inherently safer.
    I know the ssh thing was my idea, but you covered the most important points.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #13
    Join Date
    Mar 2007
    Beans
    776

    Re: How secure can my webpage be.

    If your pi was connecting to the wifi network and you were using WPA2 with strong passwords then anyone "sniffing" would only see encrypted traffic between your device and the WAP. I'm trying to recall (it has been a while) but I'm pretty sure that each connection to a WPA2 device has its own encryption certificate, so even others connected to the WPA2 WAP with a valid log-on password/key could not see another's traffic. If you planned to control the pi from within your own WIFI network then you'd not need https.

    If you wanted your pi on the internet though, using NAT/PAT so that you can access the pi from any internet connection in the world, then you'd need to use https. You can use a self-signed cert on the pi. Then just tell your laptop (or other internet-connected device) to import and keep that certificate. (You'd have to google up the steps.) Then that laptop would just trust that certificate. Or, the professional way (more expensive) would be to get a trusted 3rd-party certificate like go daddy. There were these guys (I can't recall the name) that give out free 3rd-party certs for home users.
    Registered Linux User: 450747 Registered Ubuntu User: 16269

  4. #14
    Join Date
    Mar 2009
    Beans
    1,322

    Re: How secure can my webpage be.

    Considering that the OP is using this for personal home security, a third party certificate is less than desirable. The only people who SHOULD trust the cert are people in that family or 'circle of trust'.

    If the pi can't handle the ssl cert, you could have a main Linux node with apache2 and a self-signed cert exposed to the Internet, and then use wired or WPA2 to the pi. Use name-based virtual hosts on the exposed apache, and redirect to the proper device. For example, https://garage.myhouse.com or https://stereo.myhouse.com, or my favorite, https://foghornInMyDaughtersRoom.myhouse.com. Or maybe electricCat.myhouse.com.

    The rpi is so versatile, don't you think?
    Help stamp out MBR partition tables. Use GPT instead!

  5. #15
    Join Date
    Mar 2007
    Beans
    776

    Re: How secure can my webpage be.

    By 3rd party I mean like a world-recognized cert from a Trusted Authority. For example, you trust godaddy's cert, and godaddy issues your server a cert. So your laptop gets a cert from your server, then knows godaddy issued it, so it checks with godaddy, whom it trusts, to verify that the cert you got from your server is good.
    Registered Linux User: 450747 Registered Ubuntu User: 16269

  6. #16
    Join Date
    Mar 2009
    Beans
    1,322

    Re: How secure can my webpage be.

    Exactly. He's making a web page that he will use to open his garage door. In what scenario would a third-party certificate be even desirable? How many people are going to be involved here? Certainly he doesn't want just anyone to do it.

    If you're going to do this with a web server, then a self-signed cert is all you want.
    Help stamp out MBR partition tables. Use GPT instead!

  7. #17
    Join Date
    Mar 2007
    Beans
    776

    Re: How secure can my webpage be.

    Not thinking you know what a 3rd-party cert is. So, you know when you go to a website and it says something about the certificate not being trusted and asks if you want to continue? A valid 3rd-party cert solves that problem. It is just as (if not more) secure than a self-signed one. It will provide confidentiality during the log-on and execution process of the pi's web application.
    Registered Linux User: 450747 Registered Ubuntu User: 16269

  8. #18
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How secure can my webpage be.

    Why bother with dealing with ssl certs and stuff when you can just run a script/command via ssh and be done with it..
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  9. #19
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,761
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: How secure can my webpage be.

    Quote Originally Posted by CharlesA View Post
    Why bother with dealing with ssl certs and stuff when you can just run a script/command via ssh and be done with it..
    Because many people prefer GUI interfaces with nice shiny buttons to press?

    I haven't given this problem a whole lot of thought, but I'd probably set up a web page using PHP and a self-signed certificate to encrypt the login process. Have the PHP script run the appropriate command using shell_exec() if the person authenticates correctly. If you don't want to build authentication into the application itself, which is surely overkill in this case, just use Apache basic authentication with an HTTPS connection.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  10. #20
    Join Date
    Mar 2009
    Beans
    1,322

    Re: How secure can my webpage be.

    Quote Originally Posted by ant2ne View Post
    Not thinking you know what a 3rd-party cert is. So, you know when you go to a website and it says something about the certificate not being trusted and asks if you want to continue? A valid 3rd-party cert solves that problem. It is just as (if not more) secure than a self-signed one. It will provide confidentiality during the log-on and execution process of the pi's web application.
    I run several PCI compliant servers. I've been buying SSL certificates for more than a decade. A third party certificate adds expense and, in this case, gets absolutely nothing of value in return. The only difference between a third party cert and a self-signed cert is that the third party can cost more than a thousand dollars per year, and the self-signed is free. The automatic browser recognition of a 'valid' certificate is worth exactly this: You don't have to look at the "unknown certificate" window the first time you load the page.

    In the case you're going to some sort of site that processes credit cards, or maybe a bank site, you get a lot from a third-party certificate. It lets people who don't know the owner of the web site know that the certificate authority (verisign, thawte, etc.) has taken certain measures to verify that the web site is being run by a valid business and has a legal identity. In my experience, the more expensive the certificate, the more painful the interview process is, and the higher the 'quality' of the endorsement is. For example, Verisign charges up to USD $1750 per year for their standard certificates, and their validation is extremely inconvenient for the people buying the certificate. Thawte, although owned by the same company, has less stringent requirements and a less painful interview process.

    Frankly, I don't think either of these certificate authorities would issue a certificate for some guy's garage door for any price. The price of the certificate has nothing to do with the quality of the encryption key, because they never actually have the key. You generate it, you make a CSR and you send that in. The private key never crosses the network.
    Help stamp out MBR partition tables. Use GPT instead!
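    The two workflows discussed in this thread (a self-signed cert for the pi as in #13 and #16, and a CSR sent to a third-party CA as in #20) both start from the same locally generated private key. The script below is an added example, not code from any poster; the hostname garage.example.home and the 825-day lifetime are placeholders, and it assumes the openssl command-line tool (1.1.1 or newer, for -addext) is installed.

```shell
#!/bin/sh
# Added example: one private key, then either a CSR for a CA or a self-signed cert.
# HOST and DAYS are placeholder values (assumptions, not from the thread).
set -eu
umask 077                                   # key file is created mode 0600
HOST="${HOST:-garage.example.home}"
DAYS="${DAYS:-825}"

# 1. Private key, generated on the pi itself. This file is never sent anywhere.
gen_key() {  # $1 = key path
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# 2a. CSR: the only artefact a third-party CA ever receives (public key + name).
gen_csr() {  # $1 = key, $2 = csr output
    openssl req -new -key "$1" -out "$2" -subj "/CN=$HOST" 2>/dev/null
}

# 2b. Self-signed cert for home use: same key, issuer == subject, so the
#     laptop must import and trust this exact certificate once.
gen_selfsigned() {  # $1 = key, $2 = cert output
    openssl req -x509 -new -key "$1" -out "$2" -days "$DAYS" \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" 2>/dev/null
}

# Check that a CSR or cert really belongs to the key by comparing the public
# key it carries with the one derived from the private key.
matches_key() {  # $1 = key, $2 = csr or cert
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    case "$2" in
        *.csr) c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null | openssl sha256) ;;
        *)     c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256) ;;
    esac
    [ "$k" = "$c" ]
}

# What a browser sees on the "unknown certificate" screen: the issuer line.
cert_issuer() {  # $1 = cert
    openssl x509 -in "$1" -noout -issuer
}
```

For the self-signed path, cert_issuer prints the pi's own name as issuer, which is exactly why the browser prompts once; for the CA path, only the .csr file leaves the machine.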
