Data Privacy: a utopia in a dystopian world.

There’s no such thing as data privacy. Every single company will sell your data one way or another: your mobile carrier, Facebook, Google, Apple, Amazon, your favourite local store (online or offline), even your government!

Almost everything you use these days needs information about you: location, email, mobile phone number, credit cards, bank accounts, passport or national ID numbers, and so on.

Remember how Pablo Escobar was caught? Triangulation, baby!

“…used high-powered antennas to calculate the general direction of his transmission during a phone call with his son. Once this first bearing was charted and visually confirmed, roving pairs of high-tech surveillance vans crisscrossed the streets of Medellín in search of the strongest hits on Escobar’s frequency. When the operators’ equipment calculated the area where all three lines intersected, the race was on to close the distance … where a block search finally yielded Escobar’s precise location.”, Sep 2016

This happened almost 30 years ago, when military GPS was still in “beta”, when there were no smart devices and no gigabytes.

Now take all the time you need and think about data privacy in 2019.

SSL certificates: Let’s Encrypt

In this post I’ll explain how to install free SSL certificates for your website, using Let’s Encrypt. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

Platform: Ubuntu 14.04, Nginx and OpenSSL, SSH root access

Step 1

Download Certbot (ACME Client Implementation) for Let’s Encrypt:

$ sudo su
$ cd ~
$ wget
$ chmod a+x certbot-auto
$ ./certbot-auto

Running ./certbot-auto for the first time installs its dependencies (OS packages and a Python environment) before it starts the client itself.

Step 2

Generate a strong Diffie-Hellman group. DHE cipher suites derive their forward-secret session keys from this group, and the Nginx shipped with Ubuntu 14.04 falls back to built-in 1024-bit parameters when ssl_dhparam is not set, a size that the Logjam research showed to be within reach of well-funded attackers. Generate a 2048-bit group with the command below; it takes a few minutes because OpenSSL has to search for a safe prime:

$ openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Step 3

Let Nginx serve the ACME HTTP-01 challenge files from a dedicated webroot, so Certbot never needs write access to your site’s document root. Add the following location to the server block in /etc/nginx/sites-enabled/siteconfig*. The ^~ prefix form takes precedence over regex locations, so a common dot-file deny rule such as location ~ /\. cannot swallow the challenge:

server {
# ... snippet start
        location ^~ /.well-known/acme-challenge/ {
           root /usr/local/acme-ssl/;
           try_files $uri =404;
        }
# ... snippet end
}

*siteconfig stands for the file name of your enabled site in /etc/nginx/sites-enabled/.

Step 4

Create the /usr/local/acme-ssl/ directory and hand it to the Nginx user (usually www-data). Certbot runs as root and writes the challenge files there; Nginx only needs to read them:

$ mkdir -p /usr/local/acme-ssl/
$ chown -R www-data:www-data /usr/local/acme-ssl

Step 5

Generate a certificate using Certbot. On the first run it asks for a contact email address and for acceptance of the Let’s Encrypt terms of service:

$ cd ~
$ ./certbot-auto certonly --renew-by-default -a webroot --webroot-path=/usr/local/acme-ssl/ -d domain.tld -d www.domain.tld

Certbot stores the certificate in /etc/letsencrypt/live/domain.tld/: fullchain.pem (leaf plus intermediate), privkey.pem, cert.pem and chain.pem. All four are symlinks to the current version under /etc/letsencrypt/archive/, so point Nginx at the live/ paths and they keep working across renewals. Note that --renew-by-default forces a fresh issuance even when a valid certificate already exists; do not re-run the command in a loop, because duplicate certificates for the same names count against Let’s Encrypt’s rate limits.

Step 6

Enable SSL by editing /etc/nginx/sites-enabled/siteconfig*. The plain-HTTP server block keeps the ACME challenge location from Step 3 and redirects everything else to HTTPS; the redirect has to live in its own location, because a server-level return runs before location matching and would redirect the challenge as well. The new file should look like this:

server {
	listen *:80;
	server_name www.domain.tld domain.tld;

	# Renewal challenges stay reachable over plain HTTP (see Step 3).
	location ^~ /.well-known/acme-challenge/ {
		root /usr/local/acme-ssl/;
		try_files $uri =404;
	}

	location / {
		return 301 https://$host$request_uri;
	}
}

server {
    # "ssl on;" is deprecated; the ssl parameter on listen replaces it.
    listen *:443 ssl;
    server_name www.domain.tld domain.tld;

    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated; OpenSSL 1.0.1 on Ubuntu 14.04 tops out at 1.2.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    # rest of your server {} block goes here ...
}

Two caveats on the stapling lines: Nginx needs a resolver directive to look up the OCSP responder’s hostname, and ssl_stapling_verify needs the issuer chain configured through ssl_trusted_certificate (chain.pem from the same live/ directory). Without them stapling is configured but never actually delivers a response.

Step 7

Test the Nginx configuration and reload it:

$ service nginx configtest
$ service nginx reload

That’s it. Requests to http://domain.tld should now be answered with a 301 to https://domain.tld/, and the HTTPS site should present a certificate chain that browsers accept. Check both: the HTTP response must carry a Location header pointing at https://, and the HTTPS response must come back without certificate warnings and with the Strict-Transport-Security header set.

P.S. Let’s Encrypt certificates are valid for 90 days only. Run certbot renew from cron twice a day, as Let’s Encrypt recommends; it only replaces certificates that are within 30 days of expiry, so the extra runs cost nothing and leave you time to notice a failing renewal. Example cronjob:

30 6,23 * * * /root/certbot-auto renew --quiet --no-self-upgrade
35 6,23 * * * /etc/init.d/nginx reload

The first job runs at 06:30 and 23:30 and renews every certificate that is due. The second reloads Nginx five minutes later so that it picks up the new files. That blind reload is the weak spot: it reloads even when nothing changed and assumes renewal finished within five minutes. On Certbot releases that support it, renew --deploy-hook runs the reload command only after a certificate was actually replaced.
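The renewal check and the reload-on-renewal idea from the P.S. above, as an added example that is not the original post’s or Certbot’s own code. It mirrors Certbot’s 30-day renewal threshold with openssl x509 -checkend, wraps the renew call with --deploy-hook so Nginx is reloaded only after a real renewal, and warns when a certificate is still close to expiry afterwards. Assumptions: openssl(1) is installed, certbot-auto lives in /root as in Step 1, and the script name renew-check.sh used in the usage note is hypothetical. The make_demo_cert helper builds constructed self-signed certificates only so the expiry logic can be exercised offline.

```shell
#!/bin/sh
# Added example for this post (not the author's code): expiry check that
# mirrors certbot's "renew when fewer than 30 days remain" rule, plus a
# renewal wrapper that reloads Nginx only when a certificate was replaced.
# Assumptions: openssl(1) is installed; certbot-auto is in /root (Step 1).

# Exit 0 when the certificate in $1 expires within $2 days (or cannot be read,
# which also deserves attention), 1 when it is good for longer than that.
cert_expires_within() {
    [ -r "$1" ] || return 0
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1    # openssl: "Certificate will not expire" inside the window
    fi
    return 0
}

# Print "renew", "ok" or "unreadable" for the certificate in $1, using the
# threshold in $2 (default 30 days, certbot's renew_before_expiry default).
renewal_verdict() {
    days="${2:-30}"
    if [ ! -r "$1" ]; then
        echo unreadable
    elif cert_expires_within "$1" "$days"; then
        echo renew
    else
        echo ok
    fi
}

# Ask certbot to renew whatever is due. --deploy-hook runs only after a
# certificate was actually issued, so Nginx is reloaded exactly when needed
# and only if its configuration still passes the syntax check.
renew_and_reload() {
    /root/certbot-auto renew --quiet --no-self-upgrade \
        --deploy-hook "nginx -t && service nginx reload"
}

# Demo helper (constructed input, not a real certificate): self-signed cert
# for domain.tld valid for $2 days, written to $1 with its key beside it.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=domain.tld" \
        -days "$2" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Cron entry point: renew, then complain loudly if anything is still close
# to expiry, so a broken renewal does not stay silent for 30 days.
main() {
    renew_and_reload
    for cert in /etc/letsencrypt/live/*/fullchain.pem; do
        [ "$(renewal_verdict "$cert")" = ok ] || echo "WARNING: $cert still needs renewal" >&2
    done
}

# Usage from cron (hypothetical script name): /root/renew-check.sh --run
case "${1:-}" in
    --run) main ;;
esac
```

Replace the two cron lines from the P.S. with a single entry that calls the script with --run; the reload then happens inside Certbot’s deploy hook, and the WARNING line shows up in cron mail only when something is actually wrong.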