The website has had a facelift! And not just a cosmetic one either: the entire core of the website has been replaced with old fashioned static HTML and some fancy CSS. I decided that Wordpress had to go; its time was up.

Problem

Wordpress is insecure, or to be more fair to Wordpress, the myriad of plugins and themes are often insecure. Of course if you keep up to date then you’re relatively safe, but you’re still not that safe really. On top of the insecurities of Wordpress, it’s slow: being heavily database dependent, each page load requires several queries of the database to get all the content it needs to serve the page. Of course you could install a caching plugin to speed things up, but then that’s another plugin to keep up to date!

Solution

The solution, if I wanted ultimate speed and performance with maximum security, was to ditch all the databases and PHP, return to basics and use only HTML. I’ve been learning about a solution called Jekyll of late in preparation for a new company website which will be built using it, and I figured why not use that same solution for my personal website? After all, if we’ve made a business decision to use it then the same reasons apply just as well to my personal website. Plus, I wanted to play :P

Jekyll is a piece of software written in Ruby that generates a static HTML website out of a collection of templates and files, which I then upload to my web server. It’s a little more “techy” but the result is a very fast website, impossible to hack, and I think you’ll agree, rather nice looking. It has all the features of a traditional slow Wordpress site but not a database or piece of server side code in sight, all static HTML and CSS! Very cool.

And to be sure I got as much performance as possible out of it, I’ve opted to use Nginx for the web server rather than Apache to give the site even more of a speed boost.

I shall write some posts in the near future about how I installed Nginx and Jekyll rather than describing it all in this post. And I’m also going to look at enabling a few other bits and pieces on the server in the future, so look out for posts about those too.

If you are using a Routerboard and have children then there is a good chance that you would like to implement some sort of filtering on your internet connection to protect them from some of the darker elements of the internet. Luckily due to the power and versatility of RouterOS you are able to do this very simply and elegantly.

In this guide I’m going to talk through how to accomplish several different things necessary to achieve good quality, almost teenager proof, filtering. By the end of it you’ll have done the following:

  • Set up a DNS server on the router to handle DNS queries from your LAN.
  • Configured the router to use Norton ConnectSafe DNS (a free filtered DNS service) for DNS queries.
  • Added a destination NAT rule to prevent anyone using alternative DNS servers to work around DNS level filtering.
  • Learnt how to block specific websites using a Layer7 protocol and firewall filter. Useful for websites such as Tumblr which aren’t blocked by Norton but are good candidates for blocking due to large amounts of adult material.
  • Optionally hidden the Norton ConnectSafe block page if you don’t want users to see that the page was blocked.

So, let’s get started.

For the purpose of this example assume the local LAN is 10.10.2.0/24 on bridge interface bridge1 – your settings will be different so substitute with your own values.

All the commands in this are written as if being entered from the command line, however they are just as easily entered via the web GUI; by reading each entry carefully it is clear which menu entries and fields to fill in.

1. Set up a recursive DNS server for the LAN

Tell the DNS server in the Routerboard to allow remote DNS requests.

ip dns set allow-remote-requests=yes

Add a firewall rule (if necessary) to allow DNS requests on the input chain. This will need to go above any drop commands on the input chain.

ip firewall filter

add chain=input comment="TCP DNS" connection-state=new dst-port=53 protocol=tcp src-address=10.10.2.0/24
add chain=input comment="UDP DNS" connection-state=new dst-port=53 protocol=udp src-address=10.10.2.0/24

Configure the LAN to use the router as the DNS server via DHCP. This is probably already happening, but check your DHCP server configuration to be sure.

2. Configure Norton ConnectSafe DNS

There are several levels of filtering with Norton ConnectSafe DNS. These settings will filter high risk websites such as phishing and pornography.

ip dns set servers=199.85.126.20,199.85.127.20

For more information about the Norton ConnectSafe service check out the website.

3. Add a destination NAT rule to force DNS to Norton ConnectSafe

This destination NAT rule will force all TCP and UDP DNS traffic to be redirected to the Norton ConnectSafe DNS servers instead. This will prevent a local user manually setting a DNS server other than the router itself.

ip firewall nat add action=dst-nat chain=dstnat comment="Force filtered DNS" dst-port=53 in-interface=bridge1 protocol=tcp to-addresses=199.85.127.20 to-ports=53

ip firewall nat add action=dst-nat chain=dstnat comment="Force filtered DNS" dst-port=53 in-interface=bridge1 protocol=udp to-addresses=199.85.127.20 to-ports=53

4. Block specific sites using a Layer7 protocol.

Firstly, add a Layer7 pattern to match a website, in this case Tumblr (a common source of inappropriate material often not included in filtering).

ip firewall layer7-protocol add name=Tumblr regexp="^.+(tumblr.com).*\$"

Secondly, add a firewall rule to block traffic that matches the created Layer7 rule.

ip firewall filter add action=drop chain=forward comment="Block Tumblr" in-interface=bridge1 layer7-protocol=Tumblr

Repeat these steps for each website that you wish to block.
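Before deploying a Layer7 pattern it is worth checking what it actually matches. The following is an added example, not part of the original guide: it approximates the router's matcher with Python's re module (an assumption, as are the 2 KB window and DOTALL behaviour), runs the guide's pattern over constructed sample payloads, and compares it with a hypothetical variant that escapes the dot.

```python
import re

# Assumption: the Layer7 matcher looks at roughly the first 2 KB of a
# connection and "." matches any byte; re.DOTALL approximates that here.
L7_WINDOW = 2048

PAGE_PATTERN = r"^.+(tumblr.com).*$"      # the guide's pattern (CLI "\$" is a plain "$")
STRICT_PATTERN = r"^.+(tumblr\.com).*$"   # hypothetical variant with the dot escaped

# Constructed sample payloads: the first bytes a client sends on a connection.
SAMPLES = {
    # HTTP request to the site itself.
    "http_host": b"GET / HTTP/1.1\r\nHost: www.tumblr.com\r\n\r\n",
    # DNS query in wire format: labels are length-prefixed, no literal dots.
    "dns_query": (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                  b"\x03www\x06tumblr\x03com\x00\x00\x01\x00\x01"),
    # Request to a different site that only mentions the name.
    "other_site_mentioning_it": (b"GET /search?q=tumblr.com HTTP/1.1\r\n"
                                 b"Host: search.example\r\n\r\n"),
    # Request that has nothing to do with the blocked site.
    "unrelated": b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
}


def l7_match(pattern: str, payload: bytes) -> bool:
    """Return True if the pattern is found in the inspected window."""
    window = payload[:L7_WINDOW]
    return re.search(pattern.encode(), window, re.DOTALL) is not None


def evaluate(pattern: str) -> dict:
    """Map each sample name to whether the drop rule would fire on it."""
    return {name: l7_match(pattern, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("guide", PAGE_PATTERN), ("strict", STRICT_PATTERN)):
        print(label, evaluate(pattern))
```

The guide's pattern fires on any connection whose first bytes merely mention the name, so unrelated sites can be blocked too, and its unescaped dot also matches the length byte in a DNS question, which the escaped variant does not.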

5. Block the Norton block page.

There are some scenarios where you may not wish to show the block page to overtly state that the page has been blocked. Conveniently Norton redirects the traffic to blocked pages to a single IP address so it’s easy to hide.

ip firewall filter add action=drop chain=forward comment="Drop Norton block page" dst-address=54.200.80.90 in-interface=bridge1 out-interface=ether12

Naturally Norton may well use other IPs that I just haven’t encountered yet, so you may need to add more rules if you encounter another block page that you wish to hide.

Final Remarks

DNS filtering isn’t perfect; a VPN would overcome this particular method. It will also be unable to filter out things such as P2P or proxies. That said, this method will be absolutely fine for the average home user wanting to prevent their children getting access to undesirable content on the internet too easily. More effort would be required if you have particularly clever teenagers to control.

 

If reading the news over the past few weeks has told us anything, it’s that the government will seize any opportunity to have a crack at reading your personal communications. David Cameron has decided that the likes of WhatsApp, Snapchat, and Facebook Messenger are a threat to the very fabric of society due to their encrypted nature; he feels that in order for the country to be safe the security services need to be able to read everything. The old adage about not worrying if you have nothing to hide comes to mind.

I am going to talk you through how to protect probably one of the most widely used forms of digital communication, email. To do this we’re going to set up PGP, or to be precise, GPGTools, the open source equivalent for Mac.

Note, this guide is for an Apple user, specifically someone running OS X Yosemite. If you’re using Windows, you probably have bigger privacy problems than David Cameron so don’t worry too much about encrypting your email.

What is PGP?

First of all, what is PGP? PGP is an encryption algorithm widely used throughout the world. It stands for “Pretty Good Privacy” and is a public/private key system. In public/private key encryption one is able to distribute the public key to anyone at all (hence the name) and this key can be used to encrypt communications to the owner of that key. Through the miracle of cryptography only the private key can decrypt those communications, and as the name suggests, the private key is just that, private.

PGP is desirable as an encryption method because it’s quite simple to use, established, and most importantly, open source. Although commercial software exists to implement PGP, open source software is sufficient for the average user and just as capable.

Why use encryption for email?

Encrypting your email has two benefits. Firstly, it protects the contents of your message from prying eyes. Secondly, it confirms the identity of the sender so you know it was really sent from that person. This second point is accomplished by digitally signing the email with the private key that only you have. This digital signature has a two-fold benefit because it is also able to confirm the integrity of the message, i.e. whether it has been tampered with in transmission.

Isn’t email already encrypted I hear you ask?

Yes, to some extent email already is encrypted. Many mail providers provide SSL encrypted websites to write your webmail on, and for those using desktop mail clients they provide SSL/TLS encrypted SMTP and IMAP servers so the mail is encrypted in transit. Furthermore the majority of major providers encrypt the email in transit to the recipient mail server, using the same SSL/TLS encryption. The problem with this you may realise is that all of that encryption is handled by someone else, you don’t know at what point they may choose to decrypt it, or for that matter be compelled to decrypt it by a court or government.

If you add your own layer of encryption onto the message itself, then you have ultimate control over whether that message is read. If your mail provider is compelled to hand over the encryption keys to their systems then at least all the government or court is going to get is another layer of encryption, one that they’re going to have to ask you for the key. Of course, whether you comply and provide the key is another matter, and it may well be a legal requirement in your country for you to provide the key, it certainly is in the UK. But at least you know about it right? And casual blanket surveillance is impossible without your knowledge and cooperation.

Installing PGP

So, let’s get started then shall we? For the purpose of this guide I will presume that you are using Apple Mail, and that you have an email account set up in it and working already.

  1. Go to https://gpgtools.org and download the latest version. At the time of writing that was GPG Suite Beta 4.
  2. Open up the DMG file, and go ahead and double click to install it.
  3. Once it’s installed, open up the GPG Tools software from your application menu, assuming it didn’t open itself after installation.
  4. Now, create a new key for the email address you have setup in Apple Mail. You can do this by either following the wizard that may open on first load, or by clicking the new key.
  5. It will ask you for a passphrase, choose a good one, make it complex and not something easily guessed. And most important of all, keep it secret, from everyone, even your wife and grandmother.
  6. If you have the option, select to send your newly generated key to the key server. This will help other people using PGP automatically discover your public key when emailing you, without any complicated faffing around sharing the key manually via email or carrier pigeon or something.
  7. Once the key is generated, you’re done! You are ready to start sending government frustrating emails to upset your friendly local spy, or malicious foreign agent come to that!

How to use?

Using GPG Tools is pretty easy actually, open up Mail and click to compose a new message. You’ll notice in the corner a lovely little green icon for GPG Tools to indicate that it has a key for the email address you are composing from.

And if you look next to your subject line you’ll see two new icons have appeared, for signed (wax seal icon) and encrypted (padlock icon).

If GPG Tools has a public key for the person you’re trying to email it will encrypt the email with their public key and the icon will go blue to confirm it is going to be encrypted. Naturally you need the recipient’s public key to encrypt a message to them.

All emails will be signed by default. This will attach a special file and some data to the email that, if the recipient’s mail client understands it, will confirm it is indeed from you. Well, to be precise it is from someone who has a key that is set up with your email address. How does that mean it’s you? After all I could set up a key right now and type in your email address, and no one would be any the wiser.

Signing keys

The final piece of the puzzle for PGP encryption is trust. If I know you and I personally email you my public key then you can be pretty sure that the key is from me and you can trust it. But what if you got the key from the key server? Or maybe it was automatically included on an email that you’re not sure is definitely from me? How do you confirm it’s actually me who generated that key? The “key” to this question is trust.

If I download a key off a key server, I can look at that key and see if anyone else has indicated that they trust it. This is done by signing a key. Once I have a key, and I’ve confirmed that the key I have is definitely for that person, I can sign the key with GPG Tools and re-upload that key to the key server with my signature attached as a seal of approval so to speak. Another person can then look at the key and see that lots of people trust that key, so they can probably trust it too, especially if some of those signatures are from people they know as well.

So, how to sign a key? Simple, right click the key in the GPG Tools software and click “Sign…” and then follow the few simple questions and re-upload the newly signed key to the key server for others to see, and in turn trust a little bit more thanks to your vote of approval.


Final points

PGP encryption, or any encryption come to that, is not going to protect you from legal wire taps and court orders. As I hinted at earlier in this post, many western governments have the capability in law to compel you to provide the encryption key for encrypted communications. Refusing to hand over the key could well get you in a lot of trouble. However, what PGP encryption does mean is that you at least are aware of the monitoring or interception of your email because you were aware of the compulsion to provide the key. Your mail provider may not have told you if they’d been compelled to hand over your emails.

PGP encryption is only any good if people actually use it. These days it isn’t difficult to use, so encourage those who you email regularly to begin using it and it will become mainstream. It’s all well and good you signing all your emails, but if the people you are emailing don’t use PGP then that digital signature is pointless, and if they don’t use PGP then your message to them, and their message to you, isn’t encrypted either.

Finally, keep your computer clean and safe. If your computer is vulnerable to attack by malware or hackers, then the chances are the encryption key is vulnerable too; all it takes is a key logger and they have your private key and can decrypt the messages without your knowledge, whoever “they” might be. Malware for Mac is few and far between, but that doesn’t mean you shouldn’t be sensible and stay safe online. Plus let’s face it, the data on your PC itself is probably a lot more interesting than whatever it is you’re emailing so probably worth keeping that safe even more than your email, but that is a topic for another day.

I hope this guide has been a helpful crash course in PGP on your Mac, leave your comments below.