php - Dave's Blog

Search

Let's Encrypt NearlyFreeSpeech.net Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net

I use NearlyFreeSpeech.net for my webhosting for my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd like from Let's Encrypt. So for those interested in doing the same on NearlyFreeSpeech.net, I've taken the following notes.

The standard Let's Encrypt client requires su/sudo access which is not available on NearlyFreeSpeech.net's servers. Additionally NFSN's webserver doesn't have any Let's Encrypt plugins installed. So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page with the addition of providing the "--file-based" parameter to sign_csr.py.

One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain that:

curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic provide certificates to NFSN. After copying the files and setting their permissions as described in the previous link you submit an assistance request. For me it was only 15 minutes later that everything was setup.

After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". You use the X-Forwarded-Proto instead of the HTTPS variable because of how NFSN's virtual hosting is setup.

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.

Header set Strict-Transport-Security "max-age=3600;" 

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.

After I was done I checked out my site on SSL Lab's SSL Test to see what I might have done wrong or needed improving. The first time I went through these steps I hadn't included the chain file which the SSL Test told me about. I was able to add that file to the same files I had already previously generated from the Let's Encrypt client and do another NFSN assistance request and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

PermalinkCommentscertificate csp hsts https lets-encrypt nearlyfreespeech.net

Tweet from David_Risney

2015 Nov 17, 8:41
SMBC on the topic of bacon cancer http://www.smbc-comics.com/index.php?id=3930 …
PermalinkComments

Retweet of FTC

2015 Nov 4, 6:03
Our #StartWithSecurity workshop starts now. Watch live: https://player.streamspot.com/simple/live.php?cn=f9a676ee&aspect=true&w=1280&h=720&noArchiveBtn=true&noLiveBtn=true … Agenda: https://www.ftc.gov/news-events/events-calendar/2015/11/start-security-austin …
PermalinkComments

Tweet from David_Risney

2015 Aug 16, 2:31
Economics solve ethical quandaries: http://www.smbc-comics.com/index.php?id=3831 …
PermalinkComments

Retweet of simevidas

2015 Jul 26, 8:27
The size of web fonts (per page) quadrupled over the last 2 years: http://httparchive.org/trends.php?s=All&minlabel=Jul+15+2013&maxlabel=Jul+15+2015#bytesFont&reqFont … pic.twitter.com/zl8HgpZDg0
PermalinkComments

exec($_GET

2014 Apr 29, 8:27

Does it betray my innocence that I’m shocked by the amount of exec($_GET you can easily find on github? Hilarious comment thread on hacker news: 

This is awful. Shell commands are not guaranteed to be idempotent, people! These should all be of the form exec($_POST, not exec($_GET.

ephemeralgomi

PermalinkCommentshumor security http php technical

honeysweetsugaricklepie: Uhh has anyone notice Garry Marshall’s...

2014 Feb 24, 11:57


honeysweetsugaricklepie:

Uhh has anyone notice Garry Marshall’s Wikipedia page?

Hahaha

Wiki user ‘Gillian Marshal’ (http://en.wikipedia.org/w/index.php?title=Garry_Marshall&diff=prev&oldid=596787114) updated his page yesterday. Nice and subtle only editing the summary section on the right.

PermalinkCommentsgary-marshal humor wikipedia gillian-jacobs gillian-marshal comedy-bang-bang

Stripe CTF - Input validation (Levels 1 & 2)

2012 Sep 6, 5:00

Stripe's web security CTF's Level 1 and level 2 of the Stripe CTF had issues with missing input validation solutions described below.

Level 1

Code

          $filename = 'secret-combination.txt';
extract($_GET);
if (isset($attempt)) {
$combination = trim(file_get_contents($filename));
if ($attempt === $combination) {

Issue

The issue here is the usage of the extract php method which extracts name value pairs from the map input parameter and creates corresponding local variables. However this code uses $_GET which contains a map of name value pairs passed in the query of the URI. The expected behavior is to get an attempt variable out, but since no input validation is done I can provide a filename variable and overwrite the value of $filename. Providing an empty string gives an empty string $combination which I can match with an empty string $attempt. So without knowing the combination I can get past the combination check.

Notes

Code review red flag in this case was the direct use of $_GET with no validation. Instead of using extract the developer could try to extract specifically the attempt variable manually without using extract.

Level 2

Code

    $dest_dir = "uploads/";
$dest = $dest_dir . basename($_FILES["dispic"]["name"]);
$src = $_FILES["dispic"]["tmp_name"];
if (move_uploaded_file($src, $dest)) {
$_SESSION["dispic_url"] = $dest;
chmod($dest, 0644);
echo "

Successfully uploaded your display picture.

";
}

Issue

This code accepts POST uploads of images but with no validation to ensure it is not an arbitrary file. And even though it uses chmod to ensure the file is not executable, things like PHP don't require a file to be executable in order to run them. Accordingly, one can upload a PHP script, then navigate to that script to run it. My PHP script dumped out the contents of the file we're interested in for this level:


Notes

Code review red flags include manual file management, chmod, and use of file and filename inputs without any kind of validation. If this code controlled the filename and ensured that the extension was one of a set of image extensions, this would solve this issue. Due to browser mime sniffing its additionally a good idea to serve a content-type that starts with "image/" for these uploads to ensure browsers treat these as images and not sniff for script or HTML.

PermalinkCommentsinput-validation php security technical

Stripe Web Security CTF Summary

2012 Aug 30, 5:00

I was the 546th person to complete Stripe's web security CTF and again had a ton of fun applying my theoretical knowledge of web security issues to the (semi-)real world. As I went through the levels I thought about what red flags jumped out at me (or should have) that I could apply to future code reviews:

Level Issue Code Review Red Flags
0 Simple SQL injection No encoding when constructing SQL command strings. Constructing SQL command strings instead of SQL API
1 extract($_GET); No input validation.
2 Arbitrary PHP execution No input validation. Allow file uploads. File permissions modification.
3 Advanced SQL injection Constructing SQL command strings instead of SQL API.
4 HTML injection, XSS and CSRF No encoding when constructing HTML. No CSRF counter measures. Passwords stored in plain text. Password displayed on site.
5 Pingback server doesn't need to opt-in n/a - By design protocol issue.
6 Script injection and XSS No encoding while constructing script. Deny list (of dangerous characters). Passwords stored in plain text. Password displayed on site.
7 Length extension attack Custom crypto code. Constructing SQL command string instead of SQL API.
8 Side channel attack Password handling code. Timing attack mitigation too clever.

More about each level in the future.

PermalinkCommentscode-review coding csrf html internet programming script security sql stripe technical web xss

DVD Ripping and Viewing in Windows Media Center

2010 Aug 17, 3:05

I've just got a new media center PC connected directly to my television with lots of HD space and so I'm ripping a bunch of my DVDs to the PC so I don't have to fuss with the physical media. I'm ripping with DVD Rip, viewing the results in Windows 7's Windows Media Center after turning on the WMC DVD Library, and using a powershell script I wrote to copy over cover art and metadata.

My powershell script follows. To use it you must do the following:

  1. Run Windows Media Center with the DVD in the drive and view the disc's metadata info.
  2. Rip each DVD to its own subdirectory of a common directory.
  3. The name of the subdirectory to which the DVD is ripped must have the same name as the DVD name in the metadata. An exception to this are characters that aren't allowed in Windows paths (e.g. <, >, ?, *, etc)
  4. Run the script and pass the path to the common directory containing the DVD rips as the first parameter.
Running WMC and viewing the DVD's metadata forces WMC to copy the metadata off the Internet and cache it locally. After playing with Fiddler and reading this blog post on WMC metadata I made the following script that copies metadata and cover art from the WMC cache to the corresponding DVD rip directory.

Download copydvdinfo.ps1

PermalinkCommentspowershell wmc technical tv dvd windows-media-center

I'm Married!

2010 Jun 12, 2:18

2010_05_Dave and Sarah Wedding_Sarah and Dave Married WalkDid I mention that I got married two weeks ago today on May 29th? Its true! Our wedding was a kind of planning singularity -- all of my planning efforts would get sucked into that day and I couldn't make any plans past that date. But the actual wedding itself was lovely and I didn't feel nearly as stressed out or nervous during the wedding as I did trying to plan for it. I've been gathering wedding photos on our wedding website photos page.

PermalinkCommentswedding photo personal marriage

YouTube - Charlie Brooker - How To Report The News

2010 Jan 30, 2:26Similar to the "This is the title of a typical incendiary blog post" (http://faultline.org/index.php/site/item/incendiary/) except this is a typical news report. "...and this is a lighthouse keeper being beheaded by a lighthouse beam."PermalinkCommentsbbc humor video via:waxy satire journalism tv news

Android eBook Reader And Makers

2009 Dec 13, 1:27

I was reading Makers, Cory Doctorow's latest novel, as it was serialized on Tor's website but with no ability to save my place within a page I set out to find a book reading app for my G1 Android phone. I stopped looking once I found Aldiko. Its got bookmarks within chapters, configurable fonts, you can look-up words in a dictionary, and has an easy method to download public domain and creative common books. I was able to take advantage of Aldiko's in-app book download system to get Makers onto my phone so I didn't have to bother with any conversion programs etc, and I didn't have to worry about spacing or layout, the book had the correct cover art, and chapter delimiters. I'm very happy with this app and finished reading Makers on it.

Makers is set in the near future and features teams of inventors, networked 3d printers, IP contention, body modifications, and Disney -- just the sort of thing you'd expect from a Cory Doctorow novel. The tale seems to be an allegory for the Internet including displacing existing businesses and the conflict between the existing big entertainment IP owners and the plethora of fans and minor content producers. The story is engaging and the characters filled out and believable. I recommend Makers and as always its Creative Commons so go take a look right now.

PermalinkCommentstor aldiko cory doctorow g1 makers ebook android book

Blog Layout and Implementation Improvements

2009 Jul 19, 11:44

Monticello, home of Thomas Jefferson, Charlottesville, Va. (LOC) from Flickr CommonsI've redone my blog's layout to remind myself how terrible CSS is -- err I mean to play with the more advanced features of CSS 2.1 which are all now available in IE8. As part of the new layout I've included my Delicious links by default but at a smaller size and I've replaced the navigation list options with Technical, Personal and Everything as I've heard from folks that that would actually be useful. Besides the layout I've also updated the back-end, switching from my handmade PHP+XSLT+RSS/Atom monster to a slightly less horrible PHP+DB solution. As a result everything should be much much faster including search which, incidentally, is so much easier to implement outside of XSLT.

PermalinkCommentsblog database redisgn xslt mysql homepage

Platonic Ideals in Anathem and The Atrocity Archives

2009 Apr 7, 11:58
The Atrocity ArchivesThe Jennifer MorgueAnathem

This past week I finished Anathem and despite the intimidating physical size of the book (difficult to take and read on the bus) I became very engrossed and was able to finish it in several orders of magnitude less time than what I spent on the Baroque Cycle. Whereas reading the Baroque Cycle you can imagine Neal Stephenson sifting through giant economic tomes (or at least that's where my mind went whenever the characters began to explain macro-economics to one another), in Anathem you can see Neal Stephenson staying up late pouring over philosophy of mathematics. When not exploring philosophy, Anathem has an appropriate amount of humor, love interests, nuclear bombs, etc. as you might hope from reading Snow Crash or Diamond Age. I thoroughly enjoyed Anathem.

On the topic of made up words: I get made up words for made up things, but there's already a name for cell-phone in English: its "cell-phone". The narrator notes that the book has been translated into English so I guess I'll blame the fictional translator. Anyway, I wasn't bothered by the made up words nearly as much as some folk. Its a good thing I'm long out of college because I can easily imagine confusing the names of actual concepts and people with those from the book, like Hemn space for Hamming distance. Towards the beginning, the description of slines and the post-post-apocalyptic setting reminded me briefly of Idiocracy.

Recently, I've been reading everything of Charles Stross that I can, including about a month ago, The Jennifer Morgue from the surprisingly awesome amalgamation genre of spy thriller and Lovecraft horror. Its the second in a series set in a universe in which magic exists as a form of mathematics and follows Bob Howard programmer/hacker, cube dweller, and begrudging spy who works for a government agency tasked to suppress this knowledge and protect the world from its use. For a taste, try a short story from the series that's freely available on Tor's website, Down on the Farm.

Coincidentally, both Anathem and the Bob Howard series take an interest in the world of Platonic ideals. In the case of Anathem (without spoiling anything) the universe of Platonic ideals, under a different name of course, is debated by the characters to be either just a concept or an actual separate universe and later becomes the underpinning of major events in the book. In the Bob Howard series, magic is applied mathematics that through particular proofs or computations awakens/disturbs/provokes unnamed horrors in the universe of Platonic ideals to produce some desired effect in Bob's universe.

PermalinkCommentsatrocity archives neal stephenson jennifer morgue plato bob howard anathem

Thoughts on registerProtocolHandler in HTML 5

2009 Apr 7, 9:02

I'm a big fan of the concept of registerProtocolHandler in HTML 5 and in FireFox 3, but not quite the implementation. From a high level, it allows web apps to register themselves as handlers of an URL scheme so for (the canonical) example, GMail can register for the mailto URL scheme. I like the concept:

However, the way its currently spec'ed out I don't like the following: PermalinkCommentsurl template registerprotocolhandler firefox technical url scheme protocol boring html5 uri urn

MP3 player from Yahoo! - bookmarklet / phpied.com

2009 Mar 25, 10:09Bookmarklet to apply the Yahoo media player to any page that has mp3 links. "Take the player with you. Run my bookmarklet that will simply insert the required javascript into the page."PermalinkCommentsbookmarklet mp3 javascript music yahoo

Official Google Webmaster Central Blog: Specify your canonical

2009 Feb 14, 5:41"Now, you can simply add this link tag to specify your preferred version... and Google will understand that the duplicates all refer to the canonical URL: http://www.example.com/product.php?item=swedish-fish. Additional URL properties, like PageRank and related signals, are transferred as well."PermalinkCommentsvia:mattb google link html url uri canonical canonicalization web

Halloween and Gas Park Weekend

2008 Nov 4, 10:14

Gas Works Park, SeattleGas Works Park, SeattleThe weekend before last Sarah and I went down to Gas Works Park in Seattle. Gas Works Park is a former Seattle Gas Light Company gasification plant now turned into a park with the machinery kept intact and found right on the shore of Lake Union. There's a large hill right next to the plant with an embedded art installation from which you get an excellent view of the park and the lake. Anyway a very cool place. Afer, we ate at Julia's of Wallingford where I stereotypically had the Santa Cruz omelet. Good food, nice place, nice neighborhood.

Trick-or-Treat at MSFT by Matt SwannThis past weekend was Halloween weekend. On Halloween at Microsoft parents bring their kids around the office buildings and collect candy from those who have candy in their office. See Matt's photo of one such hallway at Microsoft. The next day Sarah and I went to two birthday parties the second of which required costume. I went as House (from the television show House) by putting on a suit jacket and carrying a cane. Sarah wore scrubs to lend cred. to my lazy costume. Oh yeah and on Sunday Sarah bought a new car.

PermalinkCommentsgas works park halloween personal sarah

Investigation of a Few Application Protocols (Updated)

2008 Oct 25, 6:51

Windows allows for application protocols in which, through the registry, you specify a URL scheme and a command line to have that URL passed to your application. Its an easy way to hook a webbrowser up to your application. Anyone can read the doc above and then walk through the registry and pick out the application protocols but just from that info you can't tell what the application expects these URLs to look like. I did a bit of research on some of the application protocols I've seen which is listed below. Good places to look for information on URI schemes: Wikipedia URI scheme, and ESW Wiki UriSchemes.

Some Application Protocols and associated documentation.
Scheme Name Notes
search-ms Windows Search Protocol The search-ms application protocol is a convention for querying the Windows Search index. The protocol enables applications, like Microsoft Windows Explorer, to query the index with parameter-value arguments, including property arguments, previously saved searches, Advanced Query Syntax, Natural Query Syntax, and language code identifiers (LCIDs) for both the Indexer and the query itself. See the MSDN docs for search-ms for more info.
Example: search-ms:query=food
Explorer.AssocProtocol.search-ms
OneNote OneNote Protocol From the OneNote help: /hyperlink "pagetarget" - Starts OneNote and opens the page specified by the pagetarget parameter. To obtain the hyperlink for any page in a OneNote notebook, right-click its page tab and then click Copy Hyperlink to this Page.
Example: onenote:///\\GUMMO\Users\davris\Documents\OneNote%20Notebooks\OneNote%202007%20Guide\Getting%20Started%20with%20OneNote.one#section-id={692F45F5-A42A-415B-8C0D-39A10E88A30F}&end
callto Callto Protocol ESW Wiki Info on callto
Skype callto info
NetMeeting callto info
Example: callto://+12125551234
itpc iTunes Podcast Tells iTunes to subscribe to an indicated podcast. iTunes documentation.
C:\Program Files\iTunes\iTunes.exe /url "%1"
Example: itpc:http://www.npr.org/rss/podcast.php?id=35
iTunes.AssocProtocol.itpc
pcast
iTunes.AssocProtocol.pcast
Magnet Magnet URI Magnet URL scheme described by Wikipedia. Magnet URLs identify a resource by a hash of that resource so that when used in P2P scenarios no central authority is necessary to create URIs for a resource.
mailto Mail Protocol RFC 2368 - Mailto URL Scheme.
Mailto Syntax
Opens mail programs with new message with some parameters filled in, such as the to, from, subject, and body.
Example: mailto:?to=david.risney@gmail.com&subject=test&body=Test of mailto syntax
WindowsMail.Url.Mailto
MMS mms Protocol MSDN describes associated protocols.
Wikipedia describes MMS.
"C:\Program Files\Windows Media Player\wmplayer.exe" "%L"
Also appears to be related to MMS cellphone messages: MMS IETF Draft.
WMP11.AssocProtocol.MMS
secondlife [SecondLife] Opens SecondLife to the specified location, user, etc.
SecondLife Wiki description of the URL scheme.
"C:\Program Files\SecondLife\SecondLife.exe" -set SystemLanguage en-us -url "%1"
Example: secondlife://ahern/128/128/128
skype Skype Protocol Open Skype to call a user or phone number.
Skype's documentation
Wikipedia summary of skype URL scheme
"C:\Program Files\Skype\Phone\Skype.exe" "/uri:%l"
Example: skype:+14035551111?call
skype-plugin Skype Plugin Protocol Handler Something to do with adding plugins to skype? Maybe.
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" "/uri:%1"
svn SVN Protocol Opens TortoiseSVN to browse the repository URL specified in the URL.
C:\Program Files\TortoiseSVN\bin\TortoiseProc.exe /command:repobrowser /path:"%1"
svn+ssh
tsvn
webcal Webcal Protocol Wikipedia describes webcal URL scheme.
Webcal URL scheme description.
A URL that starts with webcal:// points to an Internet location that contains a calendar in iCalendar format.
"C:\Program Files\Windows Calendar\wincal.exe" /webcal "%1"
Example: webcal://www.lightstalkers.org/LS.ics
WindowsCalendar.UrlWebcal.1
zune Zune Protocol Provides access to some Zune operations such as podcast subscription (via Zune Insider).
"c:\Program Files\Zune\Zune.exe" -link:"%1"
Example: zune://subscribe/?name=http://feeds.feedburner.com/wallstrip.
feed Outlook Add RSS Feed Identify a resource that is a feed such as Atom or RSS. Implemented by Outlook to add the indicated feed to Outlook.
Feed URI scheme pre-draft document
"C:\PROGRA~2\MICROS~1\Office12\OUTLOOK.EXE" /share "%1"
im IM Protocol RFC 3860 IM URI scheme description
Like mailto but for instant messaging clients.
Registered by Office Communicator but I was unable to get it to work as described in RFC 3860.
"C:\Program Files (x86)\Microsoft Office Communicator\Communicator.exe" "%1"
tel Tel Protocol RFC 5341 - tel URI scheme IANA assignment
RFC 3966 - tel URI scheme description
Call phone numbers via the tel URI scheme. Implemented by Office Communicator.
"C:\Program Files (x86)\Microsoft Office Communicator\Communicator.exe" "%1"
(Updated 2008-10-27: Added feed, im, and tel from Office Communicator)PermalinkCommentstechnical application protocol shell url windows
Older Entries Creative Commons License Some rights reserved.