# Brief notes on security and removing HTTPS from my website

I was under the false impression (based on superficial ‘knowledge’) that enabling HTTPS for my website is a fundamental method of securing the communication and connection with my website. My mentors at TMSR were kind to open my eyes and get me started in the right direction.

Besides hosting my website – the plan was to have my Linode VPS pull in my email so that I could access the same anywhere via Emacs (mu4e). I was planning to use it as some kind of personal media + mail + document server, with no real consideration given to security. This was a misguided and naive ‘plan’ placing trust where it should not be. The Linode VPS should be recognised for what it is – a public toilet computer that I rent (not own) as an initial step, and more importantly in my case – it should be consistently treated as such, while I learn the ropes to set up air-gapped metal for my personal needs, and/or graduate to a hosting that I can trust, i.e. pizarro.

asciilifeform: shrysr_: search logs for 'pki'. ( summary : it's an elementary scam, enemy has master keys that make a joke of the supposed 'crypto' )

BingoBoingo: http://logs.nosuchlabs.com/log/ossasepia/2019-08-26#1000640 << the code necessary to get https is likely to contain leaks that allow reading the server's memory. Examples of this have been found numerous times in the past. See "Heartbleed" et al.

asciilifeform: 'openssl' is coupla MB of ??? liquishit 'obfuscated c' .
snsabot: Logged on 2019-01-03 14:10:44 asciilifeform: stratum: given that the most active criminal is the nato reich itself, what exactly is the worth of pkiistic 'sekoority' where they have master key ?
With respect to the solution – to quote from Heartbleed.com:

How to stop the leak?

As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

The above website also lists the versions of different OSes and openssl that are vulnerable. In my case – both OS and openssl version appeared to be outside (post) the vulnerable versions, which is only a small measure of comfort, because it appears that vulnerable keys are still accessible in some way (?).

I did not spend much time looking for similar vulnerabilities, but at the moment – I am content to heed the advice at TMSR and return to this topic when I know more. I have not studied the codebase of openssl – and it makes sense to keep it simple – the VPS will not contain any information that should not be public.

- [ ] One question that occurred is – why should vulnerable information be stored or available in that specific portion of server memory, and why does such sensitive information not get ‘deleted’ immediately after being used.

`certbot delete`
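For the question in the last item, an added example (not code from the post or from OpenSSL): it shows one reason a secret can survive in memory after use and the usual fix, wiping it through a volatile pointer right after its last use. The key, the message and the XOR "cipher" are constructed stand-ins.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not code from the post or from OpenSSL. Secrets linger in
 * server memory partly because nothing clears them: a plain memset() on a
 * buffer that is about to go out of scope is a "dead store" the compiler may
 * remove. Writing through a volatile pointer keeps the stores. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* 1 if every byte of buf is zero (OR-accumulate, no early exit). */
static int all_zero(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Stand-in for a real cipher: XOR msg with a repeating key. */
static void xor_with_key(unsigned char *msg, size_t mlen,
                         const unsigned char *key, size_t klen)
{
    for (size_t i = 0; i < mlen; i++)
        msg[i] ^= key[i % klen];
}

/* Handle one message with a constructed session key, then wipe the key the
 * moment it is no longer needed. Returns 1 when the round trip worked and
 * the key bytes are gone, 0 otherwise. */
static int process_then_wipe(void)
{
    unsigned char key[16];
    unsigned char msg[8] = "secret!";          /* constructed sample input */
    unsigned char orig[8];
    for (size_t i = 0; i < sizeof key; i++)    /* constructed demo key */
        key[i] = (unsigned char)(i * 7 + 3);
    memcpy(orig, msg, sizeof msg);

    xor_with_key(msg, sizeof msg, key, sizeof key);   /* "encrypt" */
    xor_with_key(msg, sizeof msg, key, sizeof key);   /* "decrypt" */
    int ok = memcmp(msg, orig, sizeof msg) == 0;

    secure_zero(key, sizeof key);              /* wipe right after last use */
    return ok && all_zero(key, sizeof key);
}
```

The same pattern applies to any buffer that held key material or decrypted data: wipe it at the last use, not at some later cleanup point.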