We hear the phrase “national security” all the time, but when the state starts to monitor our communications, recording them without solid suspicion, legal basis and without any apparent purpose, we have to ask ourselves the question: are they really protecting national security or are they protect their own?
— Edward Snowden
This digest is intended to increase the interest of the Community in the issue of privacy, which in the light of becomes more relevant than ever.
On the agenda:
Enthusiasts of the community of the decentralized Internet provider "Medium" create their own search engine
Medium has established a new CA, Medium Global Root CA. Who will be affected by the changes?
Security certificates for every home - how to create your own service on the Yggdrasil network and issue a valid SSL certificate for it
Remind me - what is "Medium"?
Medium (English Medium — “intermediary”, original slogan — Don't ask for your privacy. take it back; also in English word medium means "intermediate") - a Russian decentralized Internet provider that provides network access services at no cost.
The full name is Medium Internet Service Provider. The project was originally conceived as в .
It was formed in April 2019 as part of the creation of an independent telecommunications environment by providing end users with access to the resources of the Yggdrasil network through the use of Wi-Fi wireless data transmission technology.
More information on the topic:
Enthusiasts of the community of the decentralized Internet provider "Medium" create their own search engine
Initially online , which the decentralized ISP "Medium" uses as a transport, did not have its own DNS server or public key infrastructure - however, the need to issue security certificates for the services of the "Medium" network solved these two problems.
Why is PKI needed if Yggdrasil out of the box provides the ability to encrypt traffic between peers?There is no need to use the HTTPS protocol to connect to web services on the Yggdrasil network if you are connecting to them through a locally running router on the Yggdrasil network.
Indeed: Yggdrasil transport is on the level allows you to safely use resources within the Yggdrasil network - the ability to conduct completely excluded.
The situation changes radically if you get access to Yggdarsil intranet resources not directly, but through an intermediate node - the access point of the Medium network, which is administered by its operator.
Who in this case can compromise the data that you transmit:
- Access point operator. Obviously, the current operator of the access point of the "Medium" network can listen to unencrypted traffic that passes through its equipment.
- intruder (). "Medium" has a problem similar to , only for input and intermediate nodes.
This is how it looks like
Solution: to access web services within the Yggdrasil network, use the HTTPS protocol (layer 7 ). The problem is that it is not possible for Yggdrasil network services to issue a genuine security certificate by conventional means such as .
Therefore, we have established our own certificate authority - . The vast majority of the services of the Medium network are signed by the root security certificate of the intermediate certificate authority "Medium Domain Validation Secure Server CA".
The possibility of compromising the root certificate of the certification authority was certainly taken into account - but here the certificate is more needed to confirm the integrity of the data transfer and exclude the possibility of MITM attacks.
Services of the "Medium" network from different operators have different security certificates, one way or another signed by the root certification authority. However, root CA operators do not have the ability to sniff the encrypted traffic of services that they have signed security certificates with (see section XNUMX. ).
Those who are especially concerned about their safety can use such means as additional protection, such as и .
At the moment, the public key infrastructure of the Medium network has the ability to check the status of a certificate using the protocol or through the use .
Get to the point
User began developing a search engine for web services located on the Yggdrasil network. An important aspect is the fact that the determination of the IPv6 addresses of services during the search is carried out by sending a request to the DNS server located inside the Medium network.
The main TLD is .ygg. Most domain names have this TLD except for two: .isp и .gg.
The search engine is under development, but its use is already possible today - just visit the website .
You can help the development of the project, .
Medium has established a new CA, Medium Global Root CA. Who will be affected by the changes?
Yesterday, the public testing of the functionality of the certification center "Medium Root CA" was completed. Upon completion of testing, errors in the operation of public key infrastructure services were corrected and a new root certificate of the certification center "Medium Global Root CA" was created.
All the nuances and features of the PKI were taken into account - now the new certificate of the Medium Global Root CA CA will be issued only ten years later (after its expiration date). Now security certificates are issued only by intermediate certification centers - for example, "Medium Domain Validation Secure Server CA".
What does the certificate trust chain look like now?
What you need to do to make it work if you are a user:
Since some services use HSTS, before using the resources of the Medium network, you must delete the data of the intranet resources of the Medium. You can do this in the History tab of your browser.
Also necessary certification center "Medium Global Root CA".
What you need to do to make it work if you are a system operator:
You need to reissue the certificate for your service on the page (the service is available only in the Medium network).
Security certificates for every home - how to create your own service on the Yggdrasil network and issue a valid SSL certificate for it
Due to the growth in the number of intranet services of the Medium network, the need has increased for issuing new security certificates and configuring their services in such a way that they support SSL.
Since Habr is a technical resource, in each new digest one of the agenda items will reveal the technical features of the Medium network infrastructure. For example, below is a comprehensive guide to issuing an SSL certificate for your service.
The examples will indicate the domain name domain.ygg, which should be replaced with the domain name of your service.
Step 1. Generate Private Key and Diffie-Hellman Parameters
openssl genrsa -out domain.ygg.key 2048Then:
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048Step 2. Create a Certificate Signing Request
openssl req -new -key domain.ygg.key -out domain.ygg.csr -config domain.ygg.confFile contents domain.ygg.conf:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = RU
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Moscow Oblast
localityName = Locality Name (eg, city)
localityName_default = Kolomna
organizationName = Organization Name (eg, company)
organizationName_default = ACME, Inc.
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default = *.domain.ygg
[ v3_req ]
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
nsCertType = server
authorityKeyIdentifier = keyid,issuer:always
crlDistributionPoints = URI:http://crl.medium.isp/Medium_Global_Root_CA.crl
authorityInfoAccess = OCSP;URI:http://ocsp.medium.isp
Step 3. Submit a certificate request
To do this, copy the contents of the file domain.ygg.csr and paste it into the text box on the site .
Follow the instructions on the site, then click Submit. If successful, a message containing an attachment in the form of a certificate signed by an intermediate certification authority will be sent to the e-mail address you specified.
Step 4. Set up your web server
If you are using nginx as your web server use the following configuration:
File domain.ygg.conf in the directory /etc/nginx/sites-available/
server {
listen [::]:80;
listen [::]:443 ssl;
root /var/www/domain.ygg;
index index.php index.html index.htm index.nginx-debian.html;
server_name domain.ygg;
include snippets/domain.ygg.conf;
include snippets/ssl-params.conf;
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt { log_not_found off; access_log off; allow all; }
location ~* .(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ .php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location ~ /.ht {
deny all;
}
}
File ssl-params.conf in the directory /etc/nginx/snippets/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=15552000; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
File domain.ygg.conf in the directory /etc/nginx/snippets/
ssl_certificate /etc/ssl/certs/domain.ygg.crt;
ssl_certificate_key /etc/ssl/private/domain.ygg.key;
The certificate you received by email must be copied to /etc/ssl/certs/domain.ygg.crt. private key (domain.ygg.key) place in the directory / Etc / ssl / private /.
Step 5. Restart your web server
sudo service nginx restartFree Internet in Russia starts with you
You can render all possible assistance in establishing a free Internet in Russia today. We have compiled a comprehensive list of how you can help the network:
- Tell your friends and colleagues about the Medium network. Share to this article in social networks or personal blog
- Take part in the discussion of technical issues of the Medium network
- Create your web service on the Yggdrasil network and add it to
- Raise your to the Medium network
Previous releases:
See also:
We are on Telegram:
Only registered users can participate in the survey. , you are welcome.
Alternative voting: it is important for us to know the opinion of those who do not have a full account on Habré
-
↑
-
↓
7 users voted. 2 users abstained.
Source: habr.com