This is Warren Kwok's Internet note pad, electronic diary, online rubbish journal, whatever you might call it! It is an archive of my random thoughts in chronological order. I am not good at reporting boring things and making them lively. If you find this blog boring, sorry, that is your problem.
This site, reformgovernmentsurveillance.com, has the worst web server configuration in the world. It listens on an IP address instead of a fully qualified domain name, so a digital certificate and HTTPS cannot be applied. It lacks a "robots.txt" and a 404 error page, and I believe there are many other apparent flaws.
After careful deliberation, I propose to my department not to do SMTP over TLS. I am sure I have made the right decision. The considerations are as follows:
1. There might be less than 1 % of mail servers globally supporting this function.
2. There is no standard or recommended practice on whether self-signed certificates can be allowed on the server or client side.
3. Equally, there is no standard or recommended practice on whether servers should request clients to present their certificates for authentication.
4. In the absence of industry practice, network administrators just arbitrarily make their SMTP TLS settings or use the defaults provided by commercial off-the-shelf security gateways/appliances.
5. A lot of mail servers, which might have been operating for many years, have outdated CA lists.
6. In case of mail delivery failure, it is nearly impossible to conduct troubleshooting or to request the other side to amend their settings.
Opportunistic TLS encryption could only be achieved if there were a supporting recommended industry practice.
Port25.com is a renowned world leader in enterprise-grade email solutions. How can port25.com have this crazy setting in its MX?
port25.com. 3600 IN MX 100 mail.port25.com.
mail.port25.com. 3600 IN AAAA 2002:453f:951e::1
This leads me to issue my last serious warning to all network administrators: 6to4 addresses should not be used to set up web and email servers, whether in test mode or production mode. They cause a lot of trouble. Please use 6in4 tunneling.
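As an added example that is not part of the original post, the shell script below shows what a 6to4 address actually carries and how to spot such addresses in a DNS record set. Per RFC 3056 a 6to4 address has the form 2002:VVVV:VVVV::/48, where the 32 bits after the 2002 prefix are the site's public IPv4 address, so every IPv6 connection to the host depends on that IPv4 address and on public 6to4 relays being reachable. The script decodes the embedded IPv4 address for any 2002::/16 address (including the compressed forms 2002:: and 2002:xxxx::) and scans records in dig's five-field answer layout; the sample records are constructed, the first two copied from the MX and AAAA records quoted above and the third a documentation-prefix address that must not be flagged.

```shell
#!/bin/sh
# Added example, not part of the original post: decode the IPv4 address that a
# 6to4 address carries, and flag AAAA records that point at 6to4 addresses.
# Per RFC 3056 a 6to4 address is 2002:VVVV:VVVV::/48, where the 32 bits after
# the 2002 prefix are the site's public IPv4 address; traffic to such an
# address depends on that IPv4 host (and on public 6to4 relays) being up.

# Print the IPv4 address embedded in a 6to4 address; fail for anything else.
six_to_four_embedded_ipv4() {
    addr=$1
    case $addr in
        2002::*)                 # "2002::..." compresses both hextets to zero
            h1=0; h2=0 ;;
        2002:*)
            h1=$(printf '%s' "$addr" | cut -d: -f2)
            h2=$(printf '%s' "$addr" | cut -d: -f3)
            [ -n "$h2" ] || h2=0 # "2002:453f::..." compresses the third hextet
            ;;
        *)
            printf 'not a 6to4 address: %s\n' "$addr" >&2
            return 1 ;;
    esac
    # Pad each hextet to four hex digits, then split each into two bytes.
    h1=$(printf '%04x' "0x$h1")
    h2=$(printf '%04x' "0x$h2")
    printf '%d.%d.%d.%d\n' "0x${h1%??}" "0x${h1#??}" "0x${h2%??}" "0x${h2#??}"
}

# Read records in dig's answer-section layout (name ttl class type rdata) on
# stdin and print every AAAA record whose address is 6to4.
flag_6to4_aaaa() {
    while read -r name ttl class type rdata; do
        [ "$type" = "AAAA" ] || continue
        case $rdata in
            2002:*)
                printf '%s %s (6to4, embedded IPv4 %s)\n' \
                    "$name" "$rdata" "$(six_to_four_embedded_ipv4 "$rdata")" ;;
        esac
    done
}

# Constructed sample: the two records quoted in the post plus a
# documentation-prefix (RFC 3849) AAAA record that must not be flagged.
SAMPLE_RECORDS='port25.com.       3600 IN MX   100 mail.port25.com.
mail.port25.com.  3600 IN AAAA 2002:453f:951e::1
www.example.com.  3600 IN AAAA 2001:db8::1'

printf '%s\n' "$SAMPLE_RECORDS" | flag_6to4_aaaa
```

Run against the sample, the scan prints only the mail.port25.com. line and reports the embedded IPv4 address 69.63.149.30 (0x45 0x3f 0x95 0x1e): that single IPv4 host is what every IPv6 client of that MX really ends up talking to. To check a live zone, pipe the answer section of `dig +noall +answer AAAA mail.example.com` (or a zone file in the same layout) into flag_6to4_aaaa.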
Many IT bloggers have written down the steps for making self-signed certificates. I should jot down my own notes on how to generate my own CA cert and use the CA cert to sign my own server cert. The procedures, if I recall correctly, should more or less be as follows:
**** Generate my own CA cert/key and sign my own server cert ****
#openssl genrsa -des3 -out myca.key 4096
[Generate a key for the self-signed CA; you are required to enter a passphrase to protect the key]
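The note above stops after the CA key. As an added example that is not the post's own procedure, the script below carries the whole thing through: a passphrase-protected CA key, a self-signed CA certificate, a server key and CSR, the server certificate signed by the CA, and a chain check with openssl verify. Everything in it is an assumption of the example: the CA name "My Private CA", the server name mail.example.com, the working directory and the passphrase passed as arguments, and a minimal OpenSSL config written to the working directory so the run does not depend on the system openssl.cnf. It uses -aes256 rather than the -des3 in the note, and -passout/-passin so the run is non-interactive; the server cert carries a subjectAltName because TLS clients match the hostname against the SAN, not the CN.

```shell
#!/bin/sh
# Added example (not the post's own commands): a private CA and a CA-signed
# server certificate with OpenSSL, ending with a chain check. Assumptions:
# the CA is named "My Private CA", the server is mail.example.com, and the
# working directory, passphrase and hostname are passed in as arguments.
set -eu

# Write a minimal OpenSSL config so the run does not depend on the system
# openssl.cnf, and so the CA and server extensions are explicit.
write_openssl_config() {   # $1 = config path, $2 = server hostname
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Step 1 and 2: passphrase-protected CA key, then a self-signed CA cert.
make_private_ca() {        # $1 = dir, $2 = CA key passphrase
    openssl genrsa -aes256 -passout "pass:$2" -out "$1/myca.key" 4096 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 \
        -config "$1/openssl.cnf" -extensions v3_ca \
        -key "$1/myca.key" -passin "pass:$2" \
        -subj "/CN=My Private CA" -out "$1/myca.crt"
}

# Step 3 to 5: server key, CSR, and the server cert signed by the CA.
issue_server_cert() {      # $1 = dir, $2 = CA key passphrase, $3 = hostname
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$1/openssl.cnf" \
        -key "$1/server.key" -subj "/CN=$3" -out "$1/server.csr"
    openssl x509 -req -sha256 -days 825 -in "$1/server.csr" \
        -CA "$1/myca.crt" -CAkey "$1/myca.key" -passin "pass:$2" -CAcreateserial \
        -extfile "$1/openssl.cnf" -extensions v3_server -out "$1/server.crt"
}

# Print OK when server.crt chains to myca.crt, FAIL otherwise.
verify_server_cert() {     # $1 = dir
    if openssl verify -CAfile "$1/myca.crt" "$1/server.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Print the SAN entries of the server cert (what a peer matches the name against).
server_cert_sans() {       # $1 = dir
    openssl x509 -in "$1/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Demo run in a throwaway directory.
workdir=$(mktemp -d)
write_openssl_config "$workdir/openssl.cnf" mail.example.com
make_private_ca "$workdir" "change-me"
issue_server_cert "$workdir" "change-me" mail.example.com
echo "chain: $(verify_server_cert "$workdir")"
echo "SAN:   $(server_cert_sans "$workdir")"
```

Install server.crt and server.key on the mail server and hand myca.crt to any peer that is expected to verify the chain; a peer that only does opportunistic TLS will encrypt the session without ever looking at myca.crt, which is the self-signed case the Gmail note below describes.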
Great, just found out that Gmail performs SMTP over SSL/TLS without caring whether the server or client cert on the other side is signed by a CA. This ensures 100 % support for encryption. That is to say, we can use a self-signed certificate. A million thanks to Gmail.
For over 10 years, whenever I feel unhappy, I listen to the songs of Scooter and then things in my mind change. "Faster, harder, Scooter", "Move your ass", "Apache rocks the bottom", so many to follow. Thanks for the fantastic music, Scooter. You guys are
CSL has increased the daily charge for data roaming from HK$168 to HK$198, an increase of 18 %. I cannot afford such a high daily charge. For my next trip, I will rent a pocket wifi device, which is charged at HK$88 per day and is available at Telecom Square:
Just ordered and received one SSL certificate from Cheap SSLs (www.cheapssls.com) at US$8.9 for one year's use, with no other charges. Even though it is affordable, I still think that the PKI structure which puts Certificate Authorities in a supreme position is a flaw. There is no need to have Certificate Authorities in the digital online world.