Month: October 2021

From F to A+

TL;DR: this post is about how I improved my site's ssllabs.com HTTPS rating from F to A+.


Make HTTPS great again.

Not all HTTPS-enabled sites are created equal, so welcome to the Internet of broken protocols, and pardon my usage of a political phrase.

When I set up this site long ago, it was running on VPCs with many components that, by today’s standards, are considered vulnerable: OpenSSL 1.1.0g, PHP 5.4, Apache 2.1 on Debian 7. You name it.

That’s why ssllabs.com used to rate my site as F:

Before


After

It’s rated A+, and I’m pretty proud of it.


How?

Here are the detailed steps I took to improve my site’s security from F to A+.

1. First things first: bye-bye to outdated OpenSSL

The previous version of OpenSSL on Debian suffered from two critical vulnerabilities: SSL Pulse (CVE-2014-0224) and Padding Oracle (CVE-2016-2107). That’s why SSL Labs reported an F.

The fix was fairly simple: upgrading OpenSSL.

sudo apt update && sudo apt upgrade openssl libssl-dev

After that, check the version:

openssl version
OpenSSL 1.1.1d  10 Sep 2019

2. No more outdated ciphers

SSL Labs also reported two more issues, each of which caps the grade at B:

  • “This server accepts RC4 cipher, but only with older protocols. Grade capped to B”
  • “This server does not support Forward Secrecy with the reference browsers. Grade capped to B.”

Ok, onto finding Apache2 config files:

# assuming Apache2 is at /etc/apache2 
grep -i -r "SSLEngine" /etc/apache2
/etc/apache2/sites-available/default-ssl.conf:   SSLEngine on
/etc/apache2/sites-available/diophung.com.conf:  SSLEngine on

Here we go, the config files are default-ssl.conf and diophung.com.conf. From there, I decided to remove RC4 due to its flaws, and then enable Forward Secrecy in the config files:

# Disable the broken SSL versions (TLS 1.0 and later stay enabled)
SSLProtocol all -SSLv2 -SSLv3
# Let the server's preference order win, so the forward-secret ECDHE suites listed first are chosen
SSLHonorCipherOrder on
# Prefer ECDHE/DHE AES-GCM suites; the trailing !RC4 (and !3DES, !MD5, ...) removes those families outright,
# so no RC4 suite needs to appear in the positive part of the list
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

After that, restart Apache2 and recheck:

apachectl -k restart

3. Why stop at A when you can get A+?

At this point, ssllabs rated the site as A, which is a pretty good result. But I figured I could do even better and get an A+, and being me, I wouldn’t stop. So the next step was to enable HSTS.

I opened up the Apache2 config files and added this HSTS header:

<VirtualHost diophung.com:443>
    # The Header directive needs mod_headers (a2enmod headers); two years max-age, applied to subdomains, preload-ready
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
</VirtualHost>

Feel free to read up about HSTS if you’re curious.
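Steps 2 and 3 boil down to a handful of Apache directives, and the grade caps SSL Labs applies to them (RC4 accepted, no forward secrecy, no long-duration HSTS) can be checked before the server is ever restarted. The following linter is an added example, not code from the post: it parses an Apache SSL config fragment and flags the problems discussed above. The two config samples are constructed (the "hardened" one mirrors the post's directives, the "legacy" one the kind of config the post started from); the expansion of `all` in SSLProtocol to SSLv3 through TLS 1.2 and the 180-day bar for a "long duration" HSTS max-age are this example's assumptions.

```python
import re

# Constructed sample input: the post's hardened Apache directives plus its HSTS header.
HARDENED_CONF = """\
<VirtualHost example.com:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
</VirtualHost>
"""

# Constructed sample input: a legacy config of the kind the post started from (SSLv3, RC4, no HSTS).
LEGACY_CONF = """\
<VirtualHost example.com:443>
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite "HIGH:MEDIUM:RC4:!aNULL"
</VirtualHost>
"""

# Assumption of this example: what 'all' expands to in SSLProtocol on an Apache without TLS 1.3 support.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
WEAK_CIPHER_KEYWORDS = ("RC4", "3DES", "MD5", "EXP", "aNULL", "eNULL")
FS_KEYWORDS = ("ECDHE", "EECDH", "DHE", "EDH")  # key-exchange families that give forward secrecy
HSTS_MIN_MAX_AGE = 15552000  # 180 days: the bar this example uses for "long duration" HSTS


def parse_directives(conf):
    """Collect SSL* directive values and the HSTS header value from an Apache config fragment."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue  # skip comments and <VirtualHost> / </VirtualHost> tags
        name, _, value = line.partition(" ")
        value = value.strip()
        if name == "Header":
            m = re.search(r'Strict-Transport-Security\s+"([^"]*)"', value)
            if m:
                directives["HSTS"] = m.group(1)
        elif name.startswith("SSL"):
            directives[name] = value.strip('"')
    return directives


def enabled_protocols(value):
    """Apply SSLProtocol's +/- syntax: 'all -SSLv2 -SSLv3' -> {TLSv1, TLSv1.1, TLSv1.2}."""
    enabled = set()
    for tok in value.split():
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def audit(conf):
    """Return (severity, message) findings: FAIL = grade-capping problem, WARN = worth fixing."""
    d = parse_directives(conf)
    findings = []

    protos = enabled_protocols(d.get("SSLProtocol", "all"))
    for p in ("SSLv2", "SSLv3"):
        if p in protos:
            findings.append(("FAIL", f"{p} is enabled"))
    legacy = sorted(protos & {"TLSv1", "TLSv1.1"})
    if legacy:
        findings.append(("WARN", "legacy protocols still enabled: " + ", ".join(legacy)))

    tokens = [t for t in re.split(r"[\s:]+", d.get("SSLCipherSuite", "")) if t]
    positive = [t for t in tokens if not t.startswith("!")]
    excluded = [t[1:] for t in tokens if t.startswith("!")]
    for kw in WEAK_CIPHER_KEYWORDS:
        # '!KEYWORD' removes the family everywhere, so a positive mention only matters without it
        if any(kw in t for t in positive) and not any(kw in e for e in excluded):
            findings.append(("FAIL", f"weak cipher family {kw} is not excluded"))
    if not any(fs in t for t in positive for fs in FS_KEYWORDS):
        findings.append(("FAIL", "no ECDHE/DHE suites offered: no forward secrecy"))
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append(("WARN", "SSLHonorCipherOrder is off: client picks the cipher"))

    hsts = d.get("HSTS")
    if hsts is None:
        findings.append(("FAIL", "no Strict-Transport-Security header (needed for A+)"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < HSTS_MIN_MAX_AGE:
            findings.append(("FAIL", f"HSTS max-age {age} is below {HSTS_MIN_MAX_AGE}"))
    return findings


def has_fail(findings):
    return any(sev == "FAIL" for sev, _ in findings)


if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for sev, msg in audit(conf) or [("OK", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Running it against the legacy sample reports SSLv3, RC4, missing forward secrecy and missing HSTS as FAILs; the hardened sample passes with a single warning, because `all -SSLv2 -SSLv3` still leaves TLS 1.0 and 1.1 enabled. That warning is worth acting on: SSL Labs has capped the grade at B for servers that still offer TLS 1.0/1.1 since early 2020, so a config aiming for A+ today would read `SSLProtocol -all +TLSv1.2 +TLSv1.3` (on an Apache and OpenSSL that support TLS 1.3). A linter like this only reads the config; the authoritative check remains re-scanning the live host.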

Voila!

After all that, the site is now rated A+. I’m pretty happy about it, and as a bonus the site also loads 45% faster. So I strongly recommend you give it a try at https://ssllabs.com and let me know what score you get.


Stanford LEAD, an amazing journey

Stanford GSB, 2021

Over, but not done

Yes, it is here: this week I received my Stanford LEAD graduation certificate in my mailbox after a year-long journey.

After 1 year, 9 courses, 10 teams, 83 submissions, and hundreds of self-research hours, I can proudly wrap up another chapter in my life-long learning journey.

How it started

It was August 2020; the COVID-19 pandemic had been going on for over a year, and I decided to turn this challenging time into a memorable one. At work, I was leading my teams on a net new initiative, a critical mission to help my company grow 5X over the next 3 years. At home, I was expecting a new baby, and at the same time my 2-year-old son was ready to go to preschool. We were also moving to a new home.

One might say there was never a busier time.

But I did it. I chose to go to Stanford. One month after submitting my essays, references, and video presentation, I received the Stanford welcome letter.

Reflection on the course

Throughout the year, I had the opportunity to meet Stanford GSB’s world-class faculty. From renowned professors, inspiring course facilitators to amazing fellow LEADers – leaders of their own organizations, all have been very welcoming. It’s been an absolute pleasure to have the opportunity to learn, share, and practice all aspects of leadership.

The content was excellent, with each course designed to be very interactive. The case studies were fantastic, with relevant industry examples, and many were from Harvard (yes, HBR articles are a weekly must-read). I must say I loved the readings and case studies, but not so much the written submissions 🙂

The course structure was pretty flexible, with offline readings and a 1-hour Zoom call every week with professors and course facilitators (CFs). Our CFs were wonderful partners, and many of them were in fact LEAD alumni. I was truly humbled to have my coaching sessions with many of them.

Fun fact: each Stanford LEAD cohort is given a unique name representing the GSB spirit. In the past, we have had names such as Vanguards, Explorers, Pathfinders – mine is Navigators. It meant so much when the whole world was navigating uncharted waters with the COVID-19 pandemic.

Final thoughts

Being a life-long learner, I’d wholeheartedly recommend Stanford LEAD to anyone who aspires to be a leader in their organization and is considering it. To help with the course selection, I will share the courses I took, together with my experience, in another blog post.

Here are some excerpts for a preview:

  • Principled and Purposeful Leadership
    Rank: A
    Leadership lessons through self-reflection, looking inward, looking outward, defining your own values, mission, then defining an execution plan for your mission within the organization. Executive coaching sessions available.
  • Critical Analytical Thinking
    Rank: A+
    Frameworks for thinking logically, realizing biases and deriving reasonable conclusions, plenty of practice with team exercises and debates, excellent reading materials & examples of how some legendary leaders in the industry made their decisions.
  • Financing Innovation: The Creation of Value
    Rank: A-
    Corporate finance, financial statements (P & L, cash flow, annual reports), method to calculate WACC (Weighted Average Cost of Capital), understanding startup funding series (pre-money, post-money value).
  • Strategic Leadership
    Rank: B+
    General leadership strategies, defining a firm’s core strengths and advantages.
  • Communicating with Impact
    Rank: A+
    Solid techniques and strategies, applicable frameworks for effective communication.
  • Decision Making
    Rank: A
    Frameworks and tools for well-rounded, sound decision making process with imperative and data-driven approaches.
  • Customer Experience Design – A Neuroscience Perspective
    Rank: A-
    Put customers first, see through their lens, leverage the X framework to convert customers from low → high-energy engagement.
  • Persuasion: Principles and Practice
    Rank: A+
    Superb psychological insights & comm strategies. Simple yet effective examples through leadership stories.
  • The Innovation Playbook
    Rank: A
    Imagine you’re a startup founder with a problem & an idea: these are the steps to take your product from concept to POC to launch.