‼️Aviation Security: Why your airline shouldn’t use self signed certificates

To make it short, and beyond basic IT related reasons, because IT security for an airline is directly linked to Aviation security and passengers safety.

What are the risks associated with self-signed certificates? Mainly:
• Leave the door open for various attacks, intercepting or corrupting information
• Train users to be less securelock

Here is a bit of reading about it:
https://en.wikipedia.org/wiki/Self-signed_certificate
or Google about «risk self signed certificate»

There are multiple ways to skin a cat, so let’s focus on one of them applied to Windows running Wildfly, «free», easy to implement, using automatic renewal. Here are some few steps which will put your operation back to an acceptable level of security using Let’s encrypt free SSL/TLS certificates

Note that the self-signed certificate is just one aspect among others, and if you skipped this one, it would be very wise to discuss privately about some other potential vulnerability aspects. Contact us directly in private: contact@feel.aero

Here are some few steps that you should pass to your EFB admin or IT department.

Download the binary build of letsencrypt for Windows there:
https://www.win-acme.com/
At this time, the latest version is 2.1.12 64bits (Upper banner link)

Unzip and move the folder under C:\Program Files\win-acme

Modify or replace the Script\ImportJKS.ps1 by:
• Specifying the correct java path for your installation
Set-Alias keytool "C:\Program Files\Java\jre1.8.0_181\bin\keytool.exe"
• Add -deststoretype pkcs12 to both keytool calls

I left the default password ‘airbus’ for the keystore unchanged to ease the setup, but it’s a good practice to change it based on the documentation, as well as the default port 8443, subject to frequent scans.

Place the attached script in the win-acme folder. It stops the Wildfly service, moves the .jks, creates or renews the certificate, and starts the service again

The first launch has to be executed manually «as an administrator» because it’s interactive. Accept all options.

Finally, go to modify in «task scheduler» the task which was generated:
• Set the trigger to 60 days instead of 1, as recommended by letsencrypt (Certificates are valid for 90 days)
• Change the action to launch C:\Program Files\win-acme\cert-fsa.bat (Starts in C:\Program Files\win-acme\)

cert-fsa.bat

@echo off

set HOST=fsa.yourdomain.com
set KEYSTORE=C:\Airbus\Wildfly\standalone\configuration\fsa-keystore.jks
set KEYSTOREPASS=airbus

sc stop wildfly

:loop
sc query wildfly | find "STOPPED"
if errorlevel 1 (
  timeout 1
  goto loop
)

move /Y %KEYSTORE% %KEYSTORE%.old

wacs.exe ^
    --target manual ^
    --host %HOST% ^
    --store none ^
    --installation script ^
    --script "Scripts\ImportJKS.ps1" ^
    --scriptparameters "\"{CacheFile}\" \"{CachePassword}\" \"%KEYSTORE%\" %KEYSTOREPASS% %KEYSTOREPASS%"

if not exist %KEYSTORE% (
    move /Y %KEYSTORE%.old %KEYSTORE%
)

sc start wildfly

Scripts/ImportJKS.ps1

param(
    [Parameter(Mandatory=$true)]
    [string]
    $PfxFile,
    
    [Parameter(Mandatory=$true)]
    [string]
    $PfxPassword,

    [Parameter(Mandatory=$true)]
    [string]
    $KeyStoreFile,

    [Parameter(Mandatory=$true)]
    [string]
    $KeyStorePassword,
    
    [Parameter(Mandatory=$false)]
    [string]
    $KeyStoreKeyPassword
)

Set-Alias keytool "C:\Program Files\Java\jre1.8.0_181\bin\keytool.exe"
echo "Keystore $KeyStorePassword"
if ([string]::IsNullOrEmpty($KeyStoreKeyPassword)) 
{
    keytool `
        -v `
        -noprompt `
        -importkeystore `
        -srckeystore "$PfxFile" `
        -srcstoretype PKCS12 `
        -srcstorepass "$PfxPassword" `
        -destkeystore "$KeyStoreFile" `
        -deststorepass "$KeyStorePassword" `
        -deststoretype pkcs12
} 
else 
{
    keytool `
        -v `
        -noprompt `
        -importkeystore `
        -srckeystore "$PfxFile" `
        -srcstoretype PKCS12 `
        -srcstorepass "$PfxPassword" `
        -destkeystore "$KeyStoreFile" `
        -deststorepass "$KeyStorePassword" `
        -destkeypass "$KeyStoreKeyPassword" `
        -deststoretype pkcs12
}

blinkHub published on Github

What’s the most important for you? Use an approved process where having expired weather and NOTAMs is not a big deal, or work with actual near real time information? Today we’re publishing on Github our service to handle Aviation messages from multiple sources, store them, and notify users via DM and websockets! Pretending to do the work is not enough, now you have a solution:

https://github.com/aerofel/blinkHub

#airlines #flightoperations #flightsafety #businessaviation #airbus #boeing #a350 #a330 #a320

Visualize areas defined by coordinates in NOTAMs

We’re introducing today a new feature to our NOTAM and weather monitoring platform.

You’re probably pretty familiar with text NOTAMs like the one hereafter, but how many times have you been actually spotting on a map the area defined with coordinates?

🗺 NOTAMN VVTS A1241/20
W-[BO]/001NM FIR VVTS
[17]07:00 ↔️ [20]08:00
FRNG WILL TAKE PLACE WI:
115737N1091613E - 115650N1091649E - 115636N1091631E - 115716N1091545E
- 115737N1091613E
BRG: SE
- ALL FLIGHTS ARE PROHIBITED WITHIN THIS AREA.
- DURING THIS TIME, DEP/ARR ACFT IS NOT TEMPO OPERATED AT CAM RANH
INTL AP.
GND ↕️ 2100FT AMSL
⏱ 17 0700-0800 2330-2359 18 0000-0010 0040-0120 19 2330-2359 (RESERVE DAY) 20 0000-0010 0040-0120 0700-0800 (RESERVE DAY)
✨【DISPLAY ON MAP】

Our @blinkAeroBot  will display a map overlaying the region for you. You just have to click

https://t.me/blinkAeroBot

Use a DM bot to enhance communication

Why not using Telegram DM (Direct Messages) to communicate with crews? We have a bot capable of monitoring weather, NOTAMs, notices, display roster or changes, enable communication between crew or operation. Ask us to get more information about this very innovative and exclusive platform.