Disclaimer

The content of this blog is my personal opinion only. Although I am an employee - currently of Imagination Technologies's MIPS group, in the past of other companies such as Intellectual Ventures, Intel, AMD, Motorola, and Gould - I reveal this only so that the reader may account for any possible bias I may have towards my employer's products. The statements I make here in no way represent my employer's position, nor am I authorized to speak on behalf of my employer. In fact, this posting may not even represent my personal opinion, since occasionally I play devil's advocate.

See http://docs.google.com/View?id=dcxddbtr_23cg5thdfj for photo credits.

Wednesday, December 01, 2010

Https not everywhere sucks

Woke up this morning with a little idea wrt an FPGA fun hacking project.
Wrote it up.
Wanted to post on my private wiki, but instead posted on Google sites
https://sites.google.com/site/glewprivate/fpga-processor-isa--uarch-hacking.

Why?  I hate Google sites.  But Google sites uses https/SSL.  Whereas, my privae wiki does not have https/SSL.

Why not?  because my web hoster, Dreamhosts, requires a fixed IP for SSL.  And I have only paid extra for two domains to have the fixed IP and SSL.  Not the domain that hosts my private wiki.

Why not host my private wiki on one of my two fixed IP https/SSL domains?   Because dreamhost only supports, by default, one UNIX (Linux) user ID per such domain.  So all of the websites on such a domain are vulnerable to each other.

I'm moving towards fixing this, with my own virtual private server, so I can set up setuid CGI.  Mainly, haven't gotten around to setting that up yet.   But, also, doing so loses me the automatic updates that dreamhost provides.

Why do I care about https/SSL?  I really should not need to answer this, but...  In particular, this morning I'm at a motel.  I can assume that bad guys may be monitoring all of my traffic that is not encrypted.  No VPN.  Hence, want to use https/SSL for anything that needs a password.

Why no VPN?  A1: can't use work VPN, personal.  A2: haven't paid for personal VPN server.  But, in any case, a VPN server would only encrypt from my tablet across the motel wifi to the VPN server somewhere in the net.  From there, it would be unencrypted if, e.g., using plain old http.  VPN helps, but really need end to end encryption, such as https/SSL give.

Bottom line: this morning decided to use Google sites, even though I hate it, because it offers https/SSL.  Could have used Google docs, similar.

Hmm...   Google's www.blogger.com, which I am using now, doesn't seem to use https.    Doesn't this make blogging vulnerable?   Isn't the rule that everything  password protected needs to be encrypted - or at least the cookies carrying the authentication need to be.  Not just the login, but all authorizing?

Personal To Do:

1) Set up setuid cgi asap

2) install whatever wiki I care about - and move my wiki

3) keep playing with virtual server apache

No comments: