27 October 2016

The Internet and Hosting Providers

The Internet:

  • A term used to collectively describe the interconnected heterogeneous networks that route packets worldwide using the Internet Protocol (IP).

Domain Name System (DNS):

The Internet Corporation for Assigned Names and Numbers (ICANN):

  • ICANN is a bureaucracy of committees of subcommittees that advise them on the things they should advise the other committees on. They also run the Internet's root (.) DNS servers and allocate IP address ranges. Their notable accomplishments include not breaking the Internet, and making the ".moe" top level domain (TLD) available.
  • Example: ICANN's Multistakeholder Policy

Registrar:

  • An entity that deals with the registry operators directly. The actual registry entry consists of the names and IP addresses of the DNS servers for that subdomain. Registry entries need at least two DNS servers with IP addresses on different subnets.
  • Example: The registry entry for "mydomain.com" points to some DNS server somewhere running BIND and its fallback.
  • Generic Top Level Domains (gTLDs) are sub-delegated to multiple registrars by ICANN. Yeah...
  • Example: So to use "mydomain.moe," mydomain must be registered with a registrar that supports the .moe domain.
  • Example: Domain name registration using Hover is a service provided by Tucows which is listed here: ICANN-Accredited Registrars.
  • Various Registrars: Hover, Gandi, Namecheap.com, Name.com, Google, and Dreamhost.
  • Hover supports the ".moe" TLD. For additional registrars see get.moe.
  • Terms: Annual, $1-40, but usually about $10-25.
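As an added example (not code from the original post), here is a small Python check over a constructed delegation record, with made-up hostnames and documentation-range addresses, that enforces the rules given above: at least two nameservers, on different subnets, plus the glue-address requirement for nameservers that live inside the domain being delegated.

```python
import ipaddress

# Constructed examples (not from the post) of the data a registrar submits to the
# registry for a domain: its authoritative nameservers and, for names inside the
# domain itself ("in-bailiwick"), the glue IP addresses resolvers need to reach them.
WEAK_DELEGATION = {
    "domain": "mydomain.moe",
    "nameservers": {
        "ns1.mydomain.moe": "198.51.100.10",
        "ns2.mydomain.moe": "198.51.100.20",   # same /24 as ns1: one outage takes out both
    },
}
GOOD_DELEGATION = {
    "domain": "mydomain.moe",
    "nameservers": {
        "ns1.mydomain.moe": "198.51.100.10",
        "ns2.mydomain.moe": "203.0.113.10",    # different network
        "ns.dns-host.example": None,           # out-of-bailiwick: resolved normally, no glue needed
    },
}


def subnet_of(ip):
    """Coarse subnet used for the 'different subnets' rule: /24 for IPv4, /48 for IPv6."""
    prefix = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def check_delegation(delegation, min_servers=2):
    """Return the problems a registry would reject this delegation for (empty list = OK)."""
    domain = delegation["domain"].lower().rstrip(".")
    servers = delegation["nameservers"]
    problems = []
    if len(servers) < min_servers:
        problems.append(f"only {len(servers)} nameserver(s); at least {min_servers} required")
    subnets = {}
    for name, glue in servers.items():
        in_bailiwick = name.lower().rstrip(".").endswith("." + domain)
        if glue is None:
            if in_bailiwick:
                problems.append(f"{name} is inside {domain} but has no glue address")
            continue
        try:
            ip = ipaddress.ip_address(glue)
        except ValueError:
            problems.append(f"{name}: {glue!r} is not a valid IP address")
            continue
        subnets.setdefault(subnet_of(ip), []).append(name)
    all_glued = all(g is not None for g in servers.values())
    if all_glued and len(servers) >= min_servers and len(subnets) < 2:
        problems.append("all nameservers are on the same subnet: "
                        + ", ".join(str(net) for net in subnets))
    return problems


if __name__ == "__main__":
    for label, record in (("weak", WEAK_DELEGATION), ("good", GOOD_DELEGATION)):
        print(label, check_delegation(record) or "OK")
```

The /24 and /48 cut-offs are this example's own choice for "different subnets"; registries express the rule in their own terms, and the point is simply that two nameservers sharing one network share one failure.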

DNS Hosting Providers:

  • Also called managed DNS services. These services run the authoritative name servers that actually answer queries for the domain. Enterprise-level DNS services are usually priced by queries per month, and not all providers support DNSSEC.
  • Examples: AWS Route 53, Dyn, UltraDNS, Akamai, easyDNS, Verisign Managed DNS
  • Terms: Requires getting a quote, but usually Monthly $5-20 or Yearly $35-60 (assuming 10M queries/month)
  • For registered domains with very few queries, as is typical with domains for personal use, some hosts also have a free tier.
  • Examples: Cloudflare (free, $20/month for DNS + CDN), namecheap.com by Verisign (free, $8/year)
  • Some managed DNS providers also have free lists of domains under which they will resolve arbitrary subdomains (e.g. mydomain.ddns.net). The idea is to avoid having to buy an actual domain yearly. These providers typically offer discounted rates for these "DDNS services."
  • Examples: afraid.org (free, $30/year), noip.com (free, $25/year)
  • Most managed DNS providers also provide miscellaneous other services:
    • VPS, cloud storage, CDN, name registration (either themselves or as a proxy to a registrar), web hosting, blog hosting, certificate authority, etc.
  • More Info: List Managed DNS Providers, and Comparison of Managed DNS Providers
  • Guides: Configuring DD-WRT to use Afraid.org's DDNS services

VPS Hosting (IaaS):

  • A VPS company offering Infrastructure as a Service (IaaS) leases a virtual machine that shares a physical host with other VPSes. VPS hosting companies sometimes also offer dedicated servers and bandwidth for an additional fee. They normally allow shell access and manage the physical hardware on your behalf. However, maintaining the software on the server, sometimes even the operating system's updates, is the user's responsibility.
  • Terms: Monthly, usually $10-40+
  • Examples: Amazon Web Services, Rackspace, Linode, DigitalOcean

Web Hosting (PaaS):

  • A company that offers access to a directory served over HTTP. Web hosts usually also provide server side PHP services and an FTP address that represents the root of the site. They normally do not allow shell access. In addition to IaaS tasks, they handle maintenance of the underlying operating system software but the website software, such as any PHP scripts or CMS, is the user's responsibility. Most also offer non-shared hosting for an additional fee.
  • Terms: Monthly $4-20+
  • Examples: DreamHost, HostGator, Bluehost, GoDaddy, some more

Application Hosting - Blogs/Seedboxes (SaaS):

  • Similar to a web host but focused on supporting application layer software, typically a CMS specific to blogging like WordPress, Drupal or Joomla. Seedboxes are a type of SaaS offering that supports the BitTorrent protocol specifically. In addition to PaaS tasks, they also maintain the underlying application software (i.e. the CMS or ruTorrent) so users can focus on the content instead of maintenance. SaaS providers do not always allow arbitrary extensions to the CMS, unlike PaaS providers.
  • WordPress, Terms: free or $36, $100 or $300 yearly.
  • Blogger, Terms: free
  • Weebly, Terms: free or $8, $12, $25 or $48 monthly
  • Also see: SquareSpace ($20/month+), Alternative Blogging Styles
  • Most PaaS companies also offer blog hosting for $15/month+.

Content Delivery Networks (CDN):

  • CDNs mirror internet content (usually web) onto geographically distributed servers in order to:
    1. increase the performance of the service
    2. provide redundancy
    3. provide some resistance to D/DoS attacks
  • CDNs need the domain's registrar (or DNS host) to point the domain at them to function.
  • Since CDNs essentially behave as reverse proxies for the website, they naturally terminate TLS connections and open new ones to the origin server (the exact behaviour depends upon the configuration). This means a user can be given a false sense of security: the TLS connection is not actually end-to-end, and the connection between the CDN and the origin server is still potentially unencrypted or unauthenticated unless configured otherwise.
  • Proxying of all traffic naturally means that raw-socket style operations are not usually possible when using CDNs. This helps shield the origin from DoS attacks.
  • Examples: Cloudflare, Amazon CloudFront, Rackspace CDN, Akamai CDN
  • Terms: free, $20-200+/month

Transport Layer Security (TLS) and Certificate Authorities:

  • For connections attempting to communicate in a secure manner, authentication and encryption are performed on TCP port 443 using the Transport Layer Security (TLS) protocol prior to the transmission of application layer data (e.g. HTTP data). The idea is to form a secure connection and then "tunnel" the application layer protocol through it.
  • Security = Encryption + Authentication. The encryption can be done with a symmetric cipher (usually AES), but agreeing on the key in a way that rules out tampering requires asymmetric or "public key" cryptography.
  • To minimize the possibility of MitM attacks, connections typically attempt to authenticate via certificate exchange prior to attempting to agree on a symmetric cipher.
  • Without the connection authentication, an attacker could agree on a symmetric key with the client, then form another connection between themselves and the client's target server and proxy traffic back and forth. Such an attacker would be in a position to observe and tamper with the application layer data.
  • The following certificate details will normally cause clients to abort TLS handshakes:
    1. The public key that verifies the root of the certificate's signature chain is not found in the localhost's certificate trust store (i.e. the issuer is not trusted).
    2. The domain on the certificate does not match the hostname that was looked up in DNS.
    3. The current date on the localhost is prior to the certificate's "not valid before" field.
    4. The current date on the localhost is after the "not valid after" field.
  • Since arbitrary domains/servers cannot expect their certificate to already exist in the trust stores of their clients, usually an entity which is already in the trust store will bootstrap the server's certificate.
  • This is done by the entity signing the certificate, which contains the domain's public key, with its own private key and embedding that signature in the certificate. The signature is computed over a hash of the certificate's fields (SHA-256; SHA-1 signatures are being phased out), so any tampering (e.g. changes to the domain field) changes the hash and invalidates the signature.
  • Certificate revocations are handled via the broken CRL mechanism, the poorly implemented OCSP protocol, or by the TLS 1.2+ only OCSP Stapling technique. More information here and here
  • So anyway, the entity that already has its public key stored in a certificate in the trust store is called a "Certificate Authority."
  • To use TLS with your HTTP server:
    1. Use openssl to generate a private key and an associated certificate signing request.
    2. Give the not-yet-a-cert CSR to a CA.
    3. They validate control of the domain (e.g. via a DNS lookup), "sign" the request and give it back as an X.509 cert.
    4. Then configure the HTTPS server software (or a TLS proxy) to use that certificate with TLS on port 443.
    5. Note: The EFF's Certbot automates the above steps using the Let's Encrypt CA.
  • As a side note: TLS supports tunneling arbitrary application layer protocols.
    • SMB can be tunneled through TLS using VPN software.
    • FTP becomes FTPS (FTP over TLS; SFTP, despite the name, is a different protocol that runs over SSH).
    • Certain protocols require it (OpenVPN).
  • Examples: Let's Encrypt (free, basic domain validation only), DigiCert ($175+, also supports EV certs)
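To make the certificate checks and the signing step above concrete, here is an added Python example that is not part of the original post. It models a certificate as a dictionary, uses a deliberately tiny textbook RSA (Miller-Rabin primes, raw signature over a SHA-256 digest, no padding, 512-bit modulus: insecure and for illustration only, standing in for the CA's real key pair) to sign the certificate's fields, and then runs the four client-side abort conditions (untrusted issuer, hostname mismatch, not-yet-valid, expired) plus signature verification. The CA name "Example Root CA", the domain mydomain.moe and the clock values are constructed.

```python
import hashlib
import json
import random
from datetime import datetime, timezone

rng = random.Random(2016)  # seeded so the toy keys below are reproducible

def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(cand):
            return cand

def gen_keypair(bits=256):
    """Toy RSA key pair ((n, e), (n, d)). Real CA keys are 2048 bits or more."""
    e = 65537
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e must be coprime to phi
            break
    return (p * q, e), (p * q, pow(e, -1, phi))

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):                   # raw RSA over the digest: toy, no padding
    n, d = priv
    return pow(digest_int(data), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(data)

def tbs_bytes(cert):
    """Canonical encoding of the to-be-signed fields, so the digest is stable."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True).encode()

def issue_cert(ca_name, ca_priv, subject, subject_pub, not_before, not_after):
    """The CA embeds the subject's public key and signs the fields with its private key."""
    cert = {"subject": subject, "issuer": ca_name, "public_key": list(subject_pub),
            "not_before": not_before.isoformat(), "not_after": not_after.isoformat()}
    cert["signature"] = sign(ca_priv, tbs_bytes(cert))
    return cert

def hostname_matches(pattern, host):
    """Exact match, or a single wildcard in the leftmost label (*.mydomain.moe)."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def check_certificate(cert, trust_store, hostname, now):
    """Return the reasons a client would abort the handshake; an empty list means accept."""
    problems = []
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None:
        problems.append("issuer not in trust store")
    elif not verify(ca_pub, tbs_bytes(cert), cert["signature"]):
        problems.append("signature does not verify (certificate tampered or forged)")
    if not hostname_matches(cert["subject"], hostname):
        problems.append("subject does not match requested hostname")
    if now < datetime.fromisoformat(cert["not_before"]):
        problems.append("current date is before not_before")
    if now > datetime.fromisoformat(cert["not_after"]):
        problems.append("current date is after not_after")
    return problems

# Constructed demo: a hypothetical root CA, a server key for mydomain.moe, and clock values.
CA_PUB, CA_PRIV = gen_keypair()
TRUST_STORE = {"Example Root CA": CA_PUB}          # what a client ships with
SERVER_PUB, _SERVER_PRIV = gen_keypair()
NOW = datetime(2016, 10, 27, tzinfo=timezone.utc)
LATER = datetime(2018, 1, 1, tzinfo=timezone.utc)
CERT = issue_cert("Example Root CA", CA_PRIV, "mydomain.moe", SERVER_PUB,
                  datetime(2016, 10, 1, tzinfo=timezone.utc), datetime(2017, 1, 1, tzinfo=timezone.utc))

def demo():
    """Valid certificate versus the same certificate with its domain field edited."""
    tampered = dict(CERT, subject="evil.moe")   # old signature no longer covers the new subject
    return (check_certificate(CERT, TRUST_STORE, "mydomain.moe", NOW),
            check_certificate(tampered, TRUST_STORE, "evil.moe", NOW))
```

Running demo() returns an empty problem list for the genuine certificate and a single "signature does not verify" entry for the edited copy, which is the whole point of the hash-plus-signature construction: the CA's signature binds the domain field to the public key, so an attacker cannot re-label a certificate without the CA's private key.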

Recommendations:

  • Always use HTTPS and note the exact protocol when linking to avoid mixed content warnings.
  • Guide: Manually Add SSL to Wordpress
  • If not willing to spend any monies, then just go start a site on wordpress/blogger.
  • Otherwise, buy your own .moe domain and do managed blog hosting.
  • Do not bundle your registrar with any other services, ever. Things get too messy when moving.
  • Remember to keep backups of posts (mypost.markdown or mypost.html), regardless of hosting provider.
  • It is not a good idea to build on a free subdomain (such as the DDNS names above), since changing the configuration later gets expensive in time.
    • Try to buy one instead. Managed DNS hosting is free for sub-business entities (Cloudflare/Namecheap).
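As an added example (not from the original post), here is a small Python mixed-content linter for the first recommendation above: it walks a page's HTML with the standard library parser and reports every sub-resource (script, stylesheet, image, frame, media, form action) fetched over plain http:, which is what triggers the browser's mixed-content block or warning on an https: page. The sample page and its hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that load sub-resources. An http: URL in one of these on an
# https: page is mixed content: browsers block the active kinds (script, iframe,
# stylesheet) and warn on the passive kinds (images, media). Plain <a href> links
# are navigation, not sub-resources, so they are deliberately not checked.
RESOURCE_ATTRS = {
    "script": ("src",), "link": ("href",), "iframe": ("src",), "object": ("data",),
    "embed": ("src",), "img": ("src", "srcset"), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src", "srcset"), "form": ("action",),
}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if not value or attr not in RESOURCE_ATTRS.get(tag, ()):
                continue
            # srcset holds comma-separated "url descriptor" pairs; other attributes hold one URL
            candidates = value.split(",") if attr == "srcset" else [value]
            for cand in candidates:
                parts = cand.strip().split()
                if parts and urlsplit(parts[0]).scheme.lower() == "http":
                    self.findings.append((tag, attr, parts[0]))


def find_mixed_content(html):
    """Return (tag, attribute, url) for every sub-resource fetched over plain http."""
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample page: one hard-coded http: script, one http: image,
# one protocol-relative image (fine) and one plain http: link (fine).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://mydomain.moe/style.css">
<script src="http://cdn.example/jquery.js"></script>
</head><body>
<img src="//static.mydomain.moe/logo.png">
<img src="http://mydomain.moe/photo.jpg">
<a href="http://other.example/">a link is navigation, not mixed content</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag} {attr}={url}>")
```

Protocol-relative URLs (//host/path) pass because they inherit the page's scheme; the fix for a flagged entry is to write https:// explicitly, or a relative path when the resource lives on the same site.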
