Writing

Software, technology, sysadmin war stories, and more. Feed
Saturday, April 25, 2015

Some features just aren't worth the trouble

I've received some responses to last week's post about changing out the certs on this site. One says i should look at OCSP stapling, HSTS and HPKP. This took some digging to unravel all of the alphabet soup.

OCSP stapling basically would have me call out to my CA to fetch a small update that says "as of right now, this cert is still current". Then I'd hand that out in addition to the usual handshake stuff, instead of making clients do their own revocation list lookups.

It sounds mildly interesting, but it's complete overkill for this site.

HSTS is something else where the server basically says "hey, you have to hit me over https", so someone in the middle can't force people into http mode. I actually don't want to force this, in the name of maximum availability for people browsing from everywhere. Who knows what kind of silly regimes are out there blocking http, right?

Sufficiently paranoid individuals who care about this can certainly do the requisite client-side mangling and then fewer people will know exactly what they are reading on here. Of course, they will still be able to see that someone is coming here, so there's that. "Uh oh, they're hitting rachelbythebay.com, so they must be reading snarky tech writing. If only we knew which post..."

Finally, there's HPKP. This seems to be something which lets you pin a given public key to thwart forged certs, or some such. This is another one of those "gee whiz" type of technologies, but I just can't bring myself to worry about it. If someone really wants to make you see another version of this site than the one I published, assume it's going to happen. That goes for basically everything else, too.

What's the point of getting IPv6 working and going to SHA2, then, you might ask? Easy. IPv6 is finally to the point where it solves more problems than it creates. Those of you who haven't even played with it, it's time to get started. The number of parsing bugs alone you will find in your software (hint: ":" isn't always the separator between an IP address and a port number) will shock you.

As for SHA2, well, I don't want goofy errors on page loads.

...

Another asks how many 4096 bit signing operation my server can do. The answer is: I don't have an answer. This is a brand new box, and honestly, I never really stress my web servers boxes. They all tend to be largely static content, with a smattering of background processes running to provide the occasional database lookup. That leaves a lot of CPU power just sitting around.

Honestly though, I also am not really concerned about the performance of this site. If the page loads in a reasonable amount of time and the machine doesn't catch fire, I'm pretty happy. This isn't anything important. People aren't doing any kind of critical communications over it, after all. Nobody will die or be nervous if it loads slowly one day.

That said, the old box held up to HN and Reddit and so forth just fine, and the new box is much faster and bigger, mostly because time has passed and the world has changed. Still, for the record, a ~2 GHz single processor "Celeron 440" (whatever that implies) with a 10 Mbps connection worked just fine for my needs.

Such is life for my personal servers: many years of stable operation with not much in the way of demands from me.

My professional stuff, on the other hand, is another story.