Reinventing the Web

Tim Berners-Lee
Tim Berners-Lee

We’ve seen some successful technical “reinventions” of the Web such as HTTPS/2 and HTML5 making sites faster and more responsive, but this “Web’s Creator Looks to Reinvent It” initiative is not new, but I will come to that later.

There are a number of issues that have concerned many people, not just in the IT Security industry, but many regular internet users.

Snowden’s leaks, whatever you may think of the rights and wrongs of him making these disclosures, the lengths government agencies go to snoop are a concern to anyone that understands them.

Facebook have been accused of meddling in US elections and Google has been caught out manipulating Brexit searches. There are many other cases, promises that they are not, it’s too complex to understand etc.. But really do you belive them, maybe you don’t care.

Google does have many alternatives, a couple are which addresses the bias and which address the privacy issues, but neither have picked up many users, maybe if the close to half of English users who support leaving the EU were aware there was an alternative un-biased search engine they would use it. I tend to use Google a lot, as I use a lot of tools that they only have (Dorks etc.), But I am sure that is not the case of the loyalty shown by the majority of users, I think just familiarity and lack of knowledge of an alternative.

Facebook, now that’s an interesting one, they really have a monopoly in the Western world, there were a few competitors in the early days, but they are all gone now. Facebook has become a huge part of peoples lives, I default to skype if needing to contact friends or family, but there are some who will only respond to Facebook messenger contact.

There have been a number of open source alternatives, and to reinvent the Web as Tim Berners-Lee suggests an open source alternative to Facebook is what would be needed. The most upto date and vibrant alternative is the diaspora project, much of the initial funding came from Mark Zuckerberg (Facebook founder). It works, I have set up a few diaspora servers myself, but it is impossible now to unhook a large enough proportion of the population from Facebook, and get their involvement in anything else now, it is the nature of social networking.

Put it another way, not one of the top ten celebrities on facebook have a diaspora* account. I bet none in the top 100, but it would take me too long to confirm that.

I suspect that this very well meaning group of the technically able can create alternatives, but they do not have the ability to get people to switch over?

Enabling HSTS

HTTP Strict Transport Security is a very simple to deploy addition to HTTPS, it doesn’t enforce SSL itself but it uses pre-populated lists such as Google’s here.  Allowing clients browsers to check against, simply that the site only delivers content over https://, with no exceptions, this ensures that Man in the Middle attacks are not possible. While the only possible vulnerability this site would have had for an MitM attack would be on the contact me page, it’s nice to see the shiny A+ compared to my old banks B rating.


for me it’s just an exercise and vanity, but as you can see it will be nice when the banks follow suit, as they are mostly really insecure (don’t online bank on public WiFi, really don’t do it till they start employing HSTS and stop using insecure cyphers).

The steps to enable HSTS for Apache

Enable Headers and restart Apache:

$ sudo a2enmod headers
$ sudo service apache2 restart

Make sure the site is serving all content over https / port 443, either in your vhost config with something like:

<VirtualHost *:80>
 Redirect permanent /

or adding this to your .htaccess:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$$1 [R=301,L]

Check for any mixed content issues (insecure stuff loading in your now secure page), this tester will point you in the right direction.

And again in the .htaccess, add the required header itself.

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

15552000 is about 6 months in seconds, and satisfies the ssllabs tests, lower will work for Google, even as low as 6 weeks, but as enabling  HSTS is difficult to reverse, it will make little difference and you might as well earn an A+ rating.

Run a test at and check near the bottom for:

Strict Transport Security (HSTS) Yes
 max-age=15552000; includeSubDomains; preload

If you see that, all is good, add your domain to be included in the Google Chrome’s HSTS preload list here

All the other browsers “feed” from the centralised list, as of today I’ve not been added, there is no reason I won’t be.

Using an SMTP mail relay to secure a network

Small businesses with Exchange Server or other mail servers tend to have their mail server physically located in their office (in a DMZ), which is great for performance and communicating with each other, but they tend to run all their anti-spam and virus filtering on the same server. This brings up a number of issues.

  1. Windows Server anti virus and anti spam products tend to be resource intensive.
  2. Legislation in most locals require that all email is archived for x number of years, if you receive 80% spam on your email, it means that to.
  3. Your DNS MX record is being advertised to the world, while security through obscurity is never the answer, why advertise your public IP.
  4. RBLs will blacklist your public IP if you are found to have a spam producing virus, causing your outbound mail to bounce, it can take weeks to get off GMail and Hotmail’s spam lists.
  5. Some ISPs are not reliable, while a small office maybe unhappy about not having internet access for half a day, missing emails can have a greater business impact.
  6. It’s rare, but some ISPs will block port 25 which is used to relay mail between servers if they see what they consider as abuse, normally sending a warning first.


The answer to these risks is hosting a mail relay off-site, maybe even 2 if you want that resilience, but over the last 5 years, apart from reboots forced by updates taking 10 minutes every few months, I’ve not seen a customer impacting outage.

Your office mail server can block all incoming and outgoing SMTP traffic except between the mail relay, deleting the most obvious spam and all the viruses before the mail is delivered to your office. Also filtering outgoing email, ensuring you are not spreading viruses in the company’s name, and enforcing any other security policies you may have in place. Most abuse against an Exchange Server is against port 25, the public will not even see it exists. It will make it far less obvious what your public IP is.

You can block on your firewall all smtp traffic on the network except between the Server and the Relay, if someone brings in a an infected laptop and joins your network, it wont get you RBL listed, and the ISP wont block your port 25.

I have for more than a decade used Symantec Endpoint Protection for this purpose, but their SMTP relay can only be installed on bare metal or in a virtual machine, also for some strange reason require separate IP addresses for inbound and outbound and the costs are not so low for these to be hosted outside the office, and the performance and usability is no better than a free mail relay package such as MailScanner, which can easily be installed on a small cloud instance, as a guide I have 50 (heavy) users using one $20 a month DigitalOcean instance, and the processor and memory never goes over 20% and 600 (more regular) users using 2x $40 instances at different data centers.

This mitigation in no way suggests that you do not run anti-virus software on the workstations, this is still essential as not all virus infection come from email, and you should still have anti-spam filtering to fine tune the removal of the less obvious spam as it is simplest to set the relay to only delete the obvious, Microsoft own filter is usually ample for this.

While MailScanner itself is free, some of the RBL and signature subscriptions can be pricey, but a default installation which include amongst others Clam AV. Spam detection and Spamassassin is fine in most cases, also unlike Symantec’s pricing model, most additions to MailScanner are not charged at a per user license model.

This model works just as well in a distributed environment if you have a co-located mail server. Even adding a mail relay to a heavily firewalled website that wanted to hide the real IP of the host which was previously being leaked in automated emails from the site leading to a level 3/4 DDoS attack.

If you want assistance in setting such a configuration up, I am always available for hire, and if you have a suggestion to improve on this model, I am always willing to learn.

RSS WordPress Plugin by WP