Category: Outreach

Making the Grade with SSL

Disclaimer: These are the steps that I followed. Please do due diligence and investigate fully before you attempt to modify your own server. Your mileage may vary…

I have a number of websites that run on Windows servers running Internet Information Services (IIS). One requirement I pretty much insist on is that if a site lets you log in, it has to offer an encrypted channel. We do that by generating a certificate request inside IIS Manager and sending the certificate signing request (CSR) off to be signed by a certificate provider such as GlobalSign, DigiCert, etc. The certificate provider signs the certificate and sends back a blob of text that you save in a text file with a *.cer extension. You then open IIS Manager, select the server and choose Complete Certificate Request, which installs the certificate on the server. Finally, edit the bindings for the website you want to enable SSL on, add an HTTPS binding and select the certificate.

Easy peasy…you’re done, right? Unfortunately, not quite.

There is all kinds of security buzz these days about attacks that weaken or bypass the protection SSL is supposed to provide, with funky names like BEAST, POODLE and FREAK. Each of them targets a particular protocol version or cipher suite (BEAST hits CBC ciphers under SSL 3.0/TLS 1.0, POODLE hits SSL 3.0’s padding, FREAK hits export-grade RSA key exchange), so we want to make sure the protocol versions and cipher suites we offer are as safe as possible. (Strictly speaking the encryption on a modern site is TLS, SSL’s successor, but the old name has stuck and both IIS and SSL Labs use it.) There are tools on the web that will hammer your SSL implementation and tell you whether there are weaknesses. One such online tool is the Qualys SSL Labs test, available at: https://www.ssllabs.com/ssltest/

I ran the SSL Labs scan on a Windows Server 2008 R2 box running IIS 7.5 that I’d just installed a certificate on. The results were not very good with the out-of-the-box settings: an “F” (see below).

SSL Labs Initial Scan


The report gives feedback on what SSL Labs thinks the deficiencies in your site’s SSL configuration are, with links to more info. In the case of this Windows 2008 R2 server, it identified:

  • SSL 2 is supported – it’s old, it’s creaky, and it’s not to be trusted
  • SSL 3 is supported – (see above) and it’s vulnerable to the POODLE attack (oh noes – not poodles!)
  • TLS 1.2 isn’t supported – TLS 1.1 isn’t either, but they leave that out; we’ll fix that too
  • Some of the cipher suites advertised by the server are either considered weak (the RC4-based suites, for example) or don’t support Perfect Forward Secrecy (their key exchange is plain RSA rather than ephemeral Diffie-Hellman, so a leaked server private key would decrypt previously recorded traffic)

The first three items we can fix by editing the registry; the last item requires us to modify a group policy setting. The standard disclaimers apply: don’t make any changes to your system unless you are a highly trained professional who understands that these changes may cause your system to no-worky, and make sure you have a full backup of the system so that you can restore it if things go sideways.

To disable SSL 2.0 & 3.0 and to enable TLS 1.1 & 1.2, I had to run Regedit.exe and go to:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.

You’ll probably only see one key under Protocols, SSL 2.0, and in my case it only had a Client key beneath it.

SSL 2.0 Initial Values


I created a Server key under SSL 2.0 and added a DWORD named “DisabledByDefault” with a data value of “1”. Now the server won’t offer SSL 2.0 connections. One caveat worth knowing: DisabledByDefault=1 only stops SChannel from using the protocol unless an application explicitly asks for it; the setting Microsoft documents for turning a protocol off outright is a second DWORD named “Enabled” with a data value of “0”. Setting both under the Server key is the safe form.

Disable Server SSL 2.0 and 3.0

To disable SSL 3.0, create a similar SSL 3.0 key under Protocols, create a key called Server under it and add a DWORD named DisabledByDefault with data value “1” there as well (and, as above, an Enabled DWORD with value “0” if you want it hard-disabled). No more SSL 3.0 served up now.

To enable TLS 1.1 and 1.2, follow similar steps: create TLS 1.1 and TLS 1.2 keys under Protocols and a Server key under each. This time, however, I added two DWORD values under each Server key: one named DisabledByDefault with a data value of “0” (we don’t want them disabled) and a second named “Enabled” with a data value of “1” (a freshly created DWORD starts at “0”, so you’ll need to change it to “1”). Windows Server 2008 R2 has TLS 1.1 and 1.2 support built in but ships with them turned off, which is why these keys are needed at all.

Keys to enable TLS 1.1 and 1.2


I closed Regedit – there is no “save” step, as registry edits are written as you make them.

Next we need to edit the group policy setting that determines which cipher suites the server will offer. To edit the group policy on my stand-alone server, I clicked Start -> Run and typed “gpedit.msc” to open the Windows group policy editor snap-in. The entry we want to modify is under:

Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings

The entry we want to modify is “SSL Cipher Suite Order”, which was “Not Configured” by default. This means the server falls back to the built-in Windows Server cipher list and ordering. (When enabled, this policy writes a comma-separated list to the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002, in a string value named Functions, which is handy to know if you want to script or audit it.)

SSL Cipher Suite Order Default State


To only serve up ciphers that aren’t weak and that support Perfect Forward Secrecy, I had to choose a subset of cipher suites. Luckily, Steve Gibson at GRC shared a list of suites that meet those criteria on his site at: https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt Note that SChannel suite names are version-specific (on 2008 R2 the ECDHE suites carry a curve suffix such as _P256) and a name the OS doesn’t recognise is ignored, so check any list you use against Microsoft’s table of supported cipher suites for your Windows version.

One caveat is that the list you paste into the group policy editor has to be a single line of comma-separated values, no carriage returns or the like, and the field is limited to 1023 characters, so an over-long list gets cut off. I copied the text from Steve’s site into Notepad and then hit Home + Backspace for each line, starting at the bottom, until I had a single line of comma-separated values.

Cipher suites in a single line


Click the “Enabled” radio button, highlight the default values in the SSL Cipher Suites textbox and delete them, paste in the new values from Notepad (remember the single-line, no-line-breaks rule), click Apply and then OK, and we’re done.
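As an added example (not code from the original post), here is the whole procedure above as one PowerShell script that can be re-run safely: it creates the SChannel protocol keys, writes the cipher suite order to the registry value that the “SSL Cipher Suite Order” policy sets, and reads the protocol state back before the reboot. It goes slightly beyond the post in two ways: it sets the Client keys as well as the Server keys, so the server’s own outbound connections stop using SSL 2.0/3.0 too, and it writes Enabled alongside DisabledByDefault. The suite list is an assumed, illustrative ECDHE-only subset using Windows Server 2008 R2 names, not Steve Gibson’s file; substitute your own. It uses PowerShell 2.0 syntax, which is what 2008 R2 ships with. Run it from an elevated prompt.

```powershell
# Added example, not from the original post. Run elevated on the server, then reboot.
# Assumptions: standard SChannel registry layout; the suite list below is illustrative.

$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Set-SchannelProtocol {
    # Creates <Protocols>\<Name>\<Side> and writes both DWORDs.
    # Enabled=0 is what actually removes a protocol from SChannel; DisabledByDefault=1
    # only keeps it from being offered unless an application asks for it explicitly.
    param(
        [Parameter(Mandatory=$true)] [string] $Name,      # e.g. 'SSL 3.0', 'TLS 1.2'
        [Parameter(Mandatory=$true)] [bool]   $Enabled,
        [string[]] $Side = @('Server', 'Client')
    )
    foreach ($s in $Side) {
        $key = "$Schannel\$Name\$s"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value $(if ($Enabled) { 1 } else { 0 }) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value $(if ($Enabled) { 0 } else { 1 }) -Force | Out-Null
    }
}

function Set-CipherSuiteOrder {
    # Writes the same REG_SZ that the "SSL Cipher Suite Order" group policy writes.
    param([Parameter(Mandatory=$true)] [string[]] $Suites)
    $functions = $Suites -join ','
    # The policy field is limited to 1023 characters and must be a single line.
    if ($functions.Length -gt 1023) {
        throw "Cipher suite list is $($functions.Length) characters; the limit is 1023"
    }
    if ($functions -match '\s') { throw 'Cipher suite list must contain no whitespace' }
    if (-not (Test-Path $Policy)) { New-Item -Path $Policy -Force | Out-Null }
    New-ItemProperty -Path $Policy -Name 'Functions' -PropertyType String `
        -Value $functions -Force | Out-Null
    return $functions
}

function Get-SchannelProtocolState {
    # One row per protocol/side so the result can be checked before rebooting.
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($s in 'Server', 'Client') {
            $key = "$Schannel\$p\$s"
            $v = $null
            if (Test-Path $key) { $v = Get-ItemProperty -Path $key }
            $enabled = 'default'; $dbd = 'default'
            if ($v -ne $null -and $v.Enabled -ne $null) { $enabled = $v.Enabled }
            if ($v -ne $null -and $v.DisabledByDefault -ne $null) { $dbd = $v.DisabledByDefault }
            New-Object PSObject -Property @{
                Protocol = $p; Side = $s; Enabled = $enabled; DisabledByDefault = $dbd
            }
        }
    }
}

# --- Apply ---------------------------------------------------------------------
foreach ($p in 'SSL 2.0', 'SSL 3.0') { Set-SchannelProtocol -Name $p -Enabled $false }
foreach ($p in 'TLS 1.1', 'TLS 1.2') { Set-SchannelProtocol -Name $p -Enabled $true }
# TLS 1.0 is left alone, as in the post; disable it the same way once nothing needs it.

# Illustrative forward-secret (ECDHE) suites using 2008 R2 names. ASSUMED list: verify
# each name against Microsoft's supported-suite table for your OS build before use.
$suites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256'
)
Set-CipherSuiteOrder -Suites $suites | Out-Null

Get-SchannelProtocolState | Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
Write-Host 'Reboot now: SChannel reads these keys at startup.'
```

Writing the Functions value directly is equivalent to setting the policy in gpedit.msc on a stand-alone server; on a domain-joined machine a domain GPO would overwrite it at the next policy refresh, so put the same list in the domain policy instead.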

SSL Cipher Suite Order Enabled


I then closed the group policy editor MMC snap-in, rebooted the server (SChannel only reads these settings at startup, so the changes won’t take effect until you reboot) and went back and re-ran the Qualys SSL Labs test, clicking the “Clear Cache” link first. SSL Labs caches the results of the previous scan, so unless you click the link you’ll just be looking at the old results.
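As an added example that is not from the original post, here is a local check to run before going back to SSL Labs: a PowerShell function that opens a TCP connection and asks .NET’s SslStream to negotiate exactly one protocol version, so you can see which versions the server still accepts and which cipher it picks. The target hostname is a placeholder to replace. Two caveats: the client can only offer what its own SChannel and .NET build support (Tls11 and Tls12 need .NET 4.5 or later, and a box whose Client keys you just disabled cannot test SSL 3.0), so run it from a separate, unhardened machine; and it accepts any server certificate on purpose, since it tests negotiation rather than trust.

```powershell
# Added example, not from the original post. Requires .NET 4.5+ for Tls11/Tls12.
function Test-TlsProtocol {
    # Offers a single protocol version to the server and reports what happened.
    param(
        [Parameter(Mandatory=$true)] [string] $HostName,
        [Parameter(Mandatory=$true)] [System.Security.Authentication.SslProtocols] $Protocol,
        [int] $Port = 443
    )
    $result = New-Object PSObject -Property @{
        Host = $HostName; Offered = $Protocol; Accepted = $false
        Negotiated = $null; KeyExchange = $null; Cipher = $null; Hash = $null; Reason = $null
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any server certificate: this probe tests protocol negotiation, not trust.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        try {
            # Handshake with only $Protocol enabled; a hardened server rejects SSL 2/3 here.
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
            $result.Accepted    = $true
            $result.Negotiated  = $ssl.SslProtocol
            # ECDHE may show as the raw value 44550: the ExchangeAlgorithmType enum
            # has no named member for it on older .NET builds.
            $result.KeyExchange = $ssl.KeyExchangeAlgorithm
            $result.Cipher      = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
            $result.Hash        = $ssl.HashAlgorithm
        } catch {
            # Alert, reset or local refusal; keep the message rather than guessing why.
            $result.Reason = $_.Exception.GetBaseException().Message
        } finally {
            $ssl.Dispose()
        }
    } catch {
        $result.Reason = $_.Exception.GetBaseException().Message
    } finally {
        $tcp.Close()
    }
    return $result
}

# Placeholder target (assumption): replace with the server you just hardened.
$target = 'www.example.com'
'Ssl2', 'Ssl3', 'Tls', 'Tls11', 'Tls12' |
    ForEach-Object { Test-TlsProtocol -HostName $target -Protocol $_ } |
    Format-Table Offered, Accepted, Negotiated, KeyExchange, Cipher, Hash, Reason -AutoSize
```

After the reboot you would expect Accepted to be false for Ssl2 and Ssl3 and true for Tls11 and Tls12, with an ECDHE key exchange on the accepted rows; a Reason on the Tls11/Tls12 rows that mentions an unsupported protocol points at the probing client’s .NET version, not at the server.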

Qualys SSL Labs A Grade


Voila! We’ve gone from an “F” grade to an “A” grade. The grade measures the protocol and cipher configuration, not whether the application behind it is secure, so whether the site is actually more secure is beyond the scope of this blog post, but if I am being asked to serve up an SSL-secured site and it gets an “F”, there would be some ’splainin’ to do.

Hopefully this helps with understanding what steps were required for me to get the “A” grade.

Hurricane Katia Footprints

The ORB Lab was having a meeting in the GVis Lab this week and, as usual, the East Coast US 8-Day Averaged Sea Surface Temperature overlay was up on the screens. Dr. Oliver pointed to the screen and noted that there was a path cutting across the Gulf Stream that was cooler than usual and that it was probably due to upwelling and mixing from Hurricane Katia. Sure enough, we loaded up a layer showing Katia’s track and they lined up.

Katia SST Trail


We then checked to see if there was anything noticeable on the East Coast US 8-Day Average Chlorophyll layer and you can see what appears to be a slight bloom in chlorophyll along the track as well (slightly lighter blue).

Katia Chlorophyll Trail

Another neat view is the markedly cooler water that you can see flowing into the bays from the increased river discharge that resulted from the large amounts of rain dropped by Hurricane Katia and Tropical Storm Lee as they passed through.

Cold river water 20110913


These layers and several others are processed and uploaded daily and made available via the Orb Lab website in the Public Access section. They are exposed via Google Maps interfaces as well as Google Earth embedded views and linkable KMZ file formats. Neat stuff!

NASATweetup Mission Accomplished

Welcome Home Flat Samantha!

Samanthas and Astronaut Greg Johnson


Everything has finally come full circle and Flat Samantha is once again reunited with her creator Samantha. Calling @FlatSamantha‘s trip a “circle” might be a bit of a misnomer, however, as she has had a wild adventure over the last couple of months. Her journey started in April when young Samantha found out that I was selected to attend the #NASATweetup for the final launch of the space shuttle Endeavour (#STS134). Samantha (and all the rest of the students in the lab) were disappointed that they couldn’t come with me to watch this historic launch, and Samantha took matters (and scissors and markers) into her own two hands and created a flat adventurer that she named Flat Samantha. She asked me if Flat Samantha could ride with me to the Endeavour launch and go up in the shuttle to the International Space Station. I would have loved to say “yes” but I had to inform Samantha that time was too short and that I could only take her down to watch the shuttle launch, but that I would take lots of pictures of her during this adventure and let her share them via a Twitter account that was set up for her (after all, she was going down to a NASATweetup – how’s a girl to tweet if she doesn’t have an account? ;-)

I emailed Stephanie Schierholz that I would like to bring along another #NASATweetup attendee and that she wouldn’t take up any extra space. Without batting an eye Ms. Schierholz said “no problem, I’ll have a #NASATweetup badge waiting for her as well”.

FlatSamantha STS134 NASATWeetup Badge


The original launch date for the shuttle was moved, as there was a conflict between when Endeavour would be at the ISS and when the Soyuz 25S capsule would be there with some time-sensitive experiments. It just so happened that the new launch date fell during my son’s spring break period at school, so we scheduled a family vacation to Orlando prior to the launch and had a blast sharing the road trip down and the theme park adventures with Flat Samantha prior to the new launch date. I took her over to the Kennedy Space Center for the #STS134 #NASATweetup, where we enjoyed the many presentations that the fine people at NASA had arranged for us on day #1 and then came back for what ended up being a scrubbed launch on day #2 (see: “STS-134 NASATweetup is only half over“).

We sat in the tent waiting for the hundreds of thousands of other disappointed spectators that were parked outside the Kennedy Space Center to head home after the launch scrub, knowing that it would be a couple of hours at least before the roads would be passable. As we chatted amongst ourselves, I started talking with Beth Beck and she asked me about the back story on my flat companion. I told her about Samantha and how she would like to have seen Flat Samantha go into space and that I could only promise to get her to the NASATweetup event to watch the launch. Ms. Beck said that since the launch was scrubbed, that there might be a possibility to fulfill Samantha’s wishes and that she would get back to me. Sure enough, a few days later I got an email from her saying that one of the astronauts – Gregory Johnson (aka @Astro_Box) said that he would do what he could to get @FlatSamantha into space. True to his word, we received a picture from space of one @FlatSamantha in the cupola of the International Space Station.

Flat Samantha in the ISS Cupola (photo by Gregory Johnson)


Upon Endeavour’s return, Flat Samantha was escorted to a couple of other NASA Tweetup events, including the #NASATweetup for the SOFIA telescope, the @NASAJPL Tweetup by @Schierholz and even the historic landing of the space shuttle Atlantis (#STS135) with @BethBeck. Being flat and portable makes it much easier to get invited to some pretty awesome events, it seems.

The title of this post is “NASATweetup Mission Accomplished” because the journey home to creator Samantha was accomplished this past week. The journey home was not via a FedEx envelope or the like, however. Flat Samantha was escorted home and hand-delivered by none other than astronaut Gregory Johnson while he was on the east coast giving a mission debriefing to NASA employees at NASA HQ in DC. Samantha, her parents and I were invited by the ever-awesome Beth Beck to attend the debriefing and to meet with @Astro_Box for some photos afterwards. When the University of Delaware’s ORB Lab students (who were anxiously following @FlatSamantha’s adventure) found out about the trip, they asked if they could come too. I asked Ms. Beck whether that was possible and not only did she say “yes” but she provided the entire group with reserved up-front seating for the debrief!


NASA HQ Debrief (photo by Beth Beck)

I want to give a heartfelt thank you to Stephanie Schierholz and Beth Beck for allowing us all to join @FlatSamantha in her whirlwind adventure, both via Twitter and in person. I would also like to thank Gregory Johnson for making not only one little girl’s wish come true by bringing her flat proxy into space, but also for taking time out of his incredibly busy schedule to bring that excitement to our small group of students and the rest of the world. The employees and representatives of NASA embody the compassion, the “can do” attitude and the educational and outreach expertise that the rest of us should pay close attention to. We are all honored to have been included in these adventures, and their memories are ones we will carry with us for a lifetime. Rocket On NASA!

Group Photo with Greg Johnson and Flat Samantha (photo by Beth Beck)


PS – All of the Flat Samantha #STS134 #NASATweetup adventure photos have been uploaded to the Flat Samantha Ocean Bytes media gallery – enjoy!

Timelapse of a Day in the ORB Lab’s GVis Room

I was showing the students how to operate the “birdcam” so they can use it to record a series of stills to create a time lapse video of an upcoming research cruise on the RV Hugh R Sharp. We left the birdcam in the corner and let it click away all day, shooting a new still every minute and the video above is the resulting masterpiece. It is embedded from “The UD ORB Lab” channel on YouTube.

You can learn more about the “birdcam” in a previous post about “Timelapse Video on the Cheap“. The GVis Room pictured above is the “Global Visualization Room” that was described in the post “How to Construct a Global Visualization Lab“.

Thanks to the ORB Lab crew for sharing!


Endeavour (STS-134) Launch Photos

This is a gallery of the launch photos that I took in the ~20 seconds we had between ignition and the space shuttle Endeavour disappearing into the clouds. I’ll set up an outside gallery of all of the 300+ photos that I took in the coming week or so. I hope you enjoy them as much as I do.

DeepZoom of Endeavour on the Launch Pad

[Zoom.it shut down, so my DeepZoom image is no longer available. I’ll re-create it soon…]

(The image above is dynamic and zoomable, play around with it some. Mouse over it and use your scroll wheel, click and drag around on the image, or click the plus and minus buttons, even go full screen with the button on the lower-right-hand corner – have fun with it!)

One of the challenges of taking photos of special events and places is that they always look so small and lacking in visual acuity and detail. You take a picture and then later, when you’re looking at it, you feel underwhelmed that it just doesn’t capture the clarity that you remember seeing.

Two technologies that I cobbled together to create the zoomable picture above of Endeavour (STS-134) on the launch pad are Microsoft ICE (Image Composite Editor), which stitches overlapping photos into one large image, and DeepZoom, which tiles that image and generates the JavaScript that lets you zoom in and out to enjoy much more detail. You can learn more about Microsoft ICE via this HD View blog posting, including details on what it can do as well as download links (it’s free!). I used my digital camera to zoom in on the shuttle while it was on the launch pad after the Rotating Service Structure (RSS) had been retracted and took a matrix of photos, making sure that each photo overlapped the others a little bit so that ICE could stitch them into one large hi-res photo. Since we’re limited in the number of pixels we can display on a screen, I leveraged DeepZoom to break the image into a pyramid of sub-image tiles and to create JavaScript that swaps in higher-resolution tiles as you zoom into the image, similar to what you find when you zoom into a Google Map.

Microsoft had made it quite easy to automagically create DeepZoom images (based on Seadragon technology) via their Zoom.it site. All I had to do was upload the composited image that I’d created using ICE to a web server, feed Zoom.it the URL of the large image file and then, after the file had been processed, copy the embed code from the results and paste it into this post. The resulting JavaScript and tiles were hosted on their site, so I didn’t even need to include them in my own image holdings.

I hope this helps in two ways:
A) Appreciate the awesome sight that we were seeing at the STS-134 NASATweetup
B) You now know how to fish (i.e. how to create cool visualizations like this). Have at it!

ps – If you want to pull down the full hi-res image that was used to create this so you can print out an awesome poster of the shuttle on the launch pad, you can get it here. Enjoy!

Endeavour Launch Photo Time Lapse

I took as many photos as I could during the Endeavour launch yesterday morning as fast as my camera would allow. Here is a time lapse of the photos taken before it disappeared into the clouds. I uploaded it to YouTube at 1080p, so make sure to go full-screen with it. Enjoy!

Update: Just found a link to a video that @AVWriter posted – crank up the subwoofer and enjoy the launch from the same vantage point that we had!

STS-134 NASATweetup is only half over

I’m back from the Kennedy Space Center and the first half of the STS-134 NASATweetup. We got through most of the activities slated for Day #1 – which included meeting the ~149 other #NASATweetup attendees, a demo of the Extravehicular Mobility Unit (EMU) and Mark III spacesuits, and talks by Dana Hutcherson (flow director), Tara Ruttley (ISS associate program scientist) and astronaut Clay Anderson (@Astro_Clay). They really rolled out the red carpet for us!

@CPUGuru, @FlatSamantha and @Astro_Clay


The second half of the day involved visits to the Shuttle Landing Facility and the Mate-Demate Device (a big honkin’ crane assembly used to lift the shuttle onto and off of the 747 that carries it), and the Vehicle Assembly Building (the large building behind us in the picture above), also known as the “world’s largest single-story building”, in which they work on and assemble the shuttle, booster rockets, etc. The last part of Day #1 was supposed to be a site visit to the shuttle itself to watch the retraction of the Rotating Service Structure (RSS), but a rather nasty storm front presented itself and all sorts of dark clouds, rain and lightning ensued.

The Lightning Storm


Retraction of the RSS was delayed from its original 7:00pm time to much later in the evening, so we missed being able to get up close and personal with the shuttle. By the time we arrived for “Launch Day” the following morning, the RSS had already been retracted and the fuel tanks were being filled with liquid oxygen, so we were unable to get any closer than the press site almost 3 miles away.

On Day #2 we had a group picture taken by the countdown clock and talks by astronauts Ricky Arnold (STS-119 Discovery) and Leland Melvin (@Astro_Flow – now associate director for Education at NASA). We also had a talk by Daire McCabe – a designer at Lego followed by a weather/launch update by Lt. Col. Patrick Barrett of the 45th Weather Squadron.

We all went out to the roadside in front of the Vehicle Assembly Building (VAB) to watch the caravan carrying the astronauts to Launch Pad 39A go by and to wish them well; however, the vans came, stopped, and turned back around (a first, we’re told). Apparently a power coupling unit was not functioning on the shuttle and they scrubbed the launch. We were all a tad disappointed, but I heard a good quote along the lines of “it’s better to be on the ground wishing you were in the air than to be in the air wishing you were on the ground”.

Caravan Carrying the Astronauts


The current status is that they are in the process of replacing the faulty power coupling unit and that the earliest possible launch date is May 10th. Both @FlatSamantha and I (@cpuguru) plan on heading back down to KSC as soon as they tell us a definitive launch date. We’ll be sure to take some awesome pictures and will keep you informed once the second half of this #NASATweetup resumes. For a good timeline of the adventures of @FlatSamantha, be sure to follow her on her Twitter page, where she’ll keep you informed and upload pictures of what’s going on right then. Until then, we’re on hot stand-by, our bags are packed and we’re anxiously awaiting the good news that the launch is a go.

Flat Samantha Is Coming to the STS-134 NASA Tweetup

Flat Samantha

Samantha and her friend Flat Samantha

Flat Samantha is in the house! I was contacted by young Samantha (pictured left – the non-flat one) to see if I had room for Flat Samantha to ride with us to the Kennedy Space Center in Florida when we embark for the NASA Tweetup at the Space Shuttle Endeavour (STS-134) launch on April 29th. Today we met up with her and her parents and got instructions on how to take care of Flat Samantha.

Samantha has provided meticulous training to Flat Samantha and has crafted a first-class space suit along with a helmet to help her breathe in space should the opportunity present itself.

During our pre-flight briefing, I gave her the run-down on what the travel plans will be. I promise to take good care of our new travel companion and will post pictures at every major step in our journey. Thanks for entrusting us with your friend Samantha! We’ll be sure to take good care of her and will return her to you safely when this adventure is over.

Flat Samantha is following the footsteps of some of her other flat siblings, including the original “Flat Stanley” who visited twice: once in 2002 when he went into space and did a 14-day mission on the space shuttle Endeavour and again in 2011 when he visited NASA HQ courtesy of Beth Beck.  Other flat adventurers include “Flat Paxton” and “Flat David“, who also had the opportunity to visit NASA.

Flat Samantha will be tweeting about her adventures at the #NASATweetup – you can follow her tweets via @FlatSamantha as well as mine at @CPUGuru. Welcome to the adventure Flat Samantha!

© 2017 Ocean Bytes Blog
