Security

When using Viscocity to connect to a corporate network or any other openVPN server, you’re probably using certificates with a reasonable lifetime, but sometimes the certificate expire and needs be updated. Replacing the certificate files through the Viscocity interface is quite easy - just edit the connection and replace the certificate files in the appropriate tab.

There is however another little trick, which may need to be applied before the new certificates work. Viscocity offers to save the certificate password in the Keychain and I choose to use this feature, which caused a bit of trouble when updating the certificate. While it ought to - Viscocity does not - clear the password, when the certificate is changed, so to get prompted you need to go into the Keychain access tool and delete the stored password.

One of the great features of Wordpress is the wide variety of plugins available. They often enable a lot of interesting functionality and integrations to other services not native to Wordpress itself. Most of these plugins are developed by individuals or small teams independent of the core community - and often not with a keen interest in security, but an exclusive focus on “making stuff work”.

I’ve been using the Wordpress “Google AdSense Dashboard” for awhile, and after the recent host of password leaks, I’ve been changing and upgrading password all around. This change lead to expose what I would call a critical password exposure in the plugin and so far caused me to remove the plugin everywhere I’ve installed it.

While surfing the net, you often come across web agencies how promote SSL-certificates (or TLS security) on their products - or their ability to create “secure web applications” with SSL. Most users know HTTPS/SSL/TLS as the little lock, that promises “security” when visiting a page - but what kind of security it actually provides is rarely explained - and far worse often misunderstood.

The while SSL is the popular name (and as it was once known) and HTTPS usually is the way users sees it (as part of a URL in a browser) - the correct name is TLS a short for Transport Layer Security.

I’m still enjoying the fresh new Ubunutu 9.04, and one of the nice new features is a firewall – which Canonical calls “Uncomplicated Firewall”. I’m usually not hooked on firewalls, but just for the fun of it I enabled the firewall on my laptop and it seems to work quite well. The firewall doesn’t seem to have any noticeable impact on system performance and as the laptop from time to time visits open wifi’s, it’s probably a good idea to have protection from other users on open networks.

It’s often the case that security is an inconvenience and gets in the way of usability and ease of use. There are exceptions though and for a number of weeks I’ve been playing with the Yubikey (thanks to Schack) from Yubico.

It’s a small device, which plugs into a USB port, and to the computer acts as a keyboard. It has some advanced security build-in with the ability to generate one-time verifiable passwords, but is incredible easy to use – plug it into the USB port and press the single button when you need to sign in to services supporting the Yubikey.