Propagating Weak Security Through Copy/Paste
We all do it. I can't remember how to do something I very rarely do, so I hop on a search engine and look it up and find an example to copy and paste.
While reminding myself how to generate a private key for SSL/TLS, I noticed the same pattern on virtually every site I visited.
openssl genrsa -des3 -out private-key.pem 2048
This got me thinking, do we need to stop and think more about the examples we find on the internet before we use them? What struck me was the "-des3" option. DES was the old Data Encryption Standard that has been around forever (relative to most of us). Triple-DES was an attempt to strengthen the standard when it became clear that its time was just about up, but that was a couple of decades ago.
In an effort to modernize, I'd like to propose copy/pasting a command that uses the newer AES encryption instead:
openssl genrsa -aes256 -out private-key.pem 4096
I have also bumped the key size to 4096 bits. YMMV.