Let’s Encrypt – getting your own (free) SSL certificates

For those who’ve not been paying attention, the Let’s Encrypt project entered public beta recently so that anyone could get their own SSL certificates. So I jumped right in with the simp_le client (as the standard client tries to configure Apache for you, and I didn’t want that as my config is pretty custom) and used this tutorial as inspiration.

My server is running Debian Squeeze LTS (for long painful reasons that I won’t go into here now) but the client installation was painless, I just patched out a warning about Python 2.6 no longer being supported in venv/lib/python2.6/site-packages/cryptography/__init__.py. 🙂

It worked well until I got rate limited for creating more than 10 certificates in a day (yeah, I host a number of domains).

Very happy with the outcome, A+ would buy again.. 🙂

Locking Down WordPress Admin and Login URLs

For those WordPress admins who are lucky enough to only ever access the site from certain fixed IP addresses (IPv4 or IPv6), you can lock down access to the wp-admin and wp-login.php URLs in your Apache configuration with just:

<Location /wp-admin/>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128 10.1.2.3/32 1234:5678:90ab:cdef::/64
</Location>

<Files wp-login.php>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128 10.1.2.3/32 1234:5678:90ab:cdef::/64
</Files>

Hopefully that helps someone!
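Because the Order/Deny/Allow semantics are easy to get backwards, here is a small Python checker (added here, not part of the post) that applies Apache 2.2 mod_authz_host rules to a list of client addresses so you can confirm the block really shuts everyone else out. It parses the post's own directives (copied into a constant), supports "all", CIDR, bare addresses and the address/netmask form used above, and assumes you only need those forms (partial addresses such as "10.1" and hostnames, which Apache also accepts, are not handled). The second constant shows the classic mistake of forgetting "Deny from all", which with Order deny,allow lets everybody in.

```python
import ipaddress

# Constructed copy of the post's own Apache 2.2 directives (the <Location>/<Files>
# wrappers are irrelevant to the evaluation and are skipped by the parser).
WP_ADMIN_BLOCK = """
<Location /wp-admin/>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128 10.1.2.3/32 1234:5678:90ab:cdef::/64
</Location>
"""

# Constructed pitfall: same idea but without "Deny from all". With Order deny,allow the
# default is to allow, so this block does not restrict anything at all.
FORGOT_DENY_BLOCK = """
    Order deny,allow
    Allow from 10.1.2.3/32
"""


def parse_host(spec):
    """One 'Allow/Deny from' host spec -> list of networks.
    Handles 'all', CIDR (10.1.2.3/32, ::1/128), bare addresses and the
    address/netmask form (127.0.0.0/255.0.0.0). Assumption: partial addresses
    and hostnames are not used."""
    if spec.lower() == "all":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    return [ipaddress.ip_network(spec, strict=False)]


def parse_block(text):
    """Collect Order / Deny from / Allow from directives from a config fragment."""
    # Apache's default Order is Deny,Allow when none is given.
    rules = {"order": "deny,allow", "deny": [], "allow": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<") or line.startswith("#"):
            continue
        words = line.split()
        key = words[0].lower()
        if key == "order" and len(words) > 1:
            rules["order"] = words[1].lower()
        elif key in ("deny", "allow") and len(words) > 2 and words[1].lower() == "from":
            for spec in words[2:]:
                rules[key].extend(parse_host(spec))
    return rules


def is_allowed(client_ip, rules):
    """Apply Apache 2.2 Order semantics to one client address."""
    ip = ipaddress.ip_address(client_ip)
    # An IPv4 address never matches an IPv6 network and vice versa.
    denied = any(ip in net for net in rules["deny"])
    allowed = any(ip in net for net in rules["allow"])
    if rules["order"] == "deny,allow":
        # Deny first, Allow overrides, and anyone matching neither is let in.
        return allowed or not denied
    # allow,deny: Allow first, Deny overrides, and anyone matching neither is refused.
    return allowed and not denied


def audit(block_text, clients):
    """Map each client address to True (allowed) or False (denied) under the block."""
    rules = parse_block(block_text)
    return {client: is_allowed(client, rules) for client in clients}


if __name__ == "__main__":
    sample = ["127.0.0.1", "10.1.2.3", "10.1.2.4", "::1",
              "1234:5678:90ab:cdef::1", "1234:5678:90ab:cdee::1", "203.0.113.9"]
    for ip, ok in audit(WP_ADMIN_BLOCK, sample).items():
        print(f"{ip:>24}  {'allowed' if ok else 'denied'}")
    print("forgot Deny from all, stranger allowed:",
          audit(FORGOT_DENY_BLOCK, ["203.0.113.9"])["203.0.113.9"])
```

Note that this is the Apache 2.2 syntax; on Apache 2.4 the same restriction is written with mod_authz_core as `Require ip 127.0.0.0/8 ::1 10.1.2.3 1234:5678:90ab:cdef::/64` (the old Order/Deny/Allow directives only keep working there through mod_access_compat).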

Google Disaster Recovery Paper in ACM

Via Tim Freeman (@peakscale) on Twitter, this very interesting paper on how Google handles disaster recovery planning and testing. Best quote so far:

When the engineers realized that the shortcuts had failed and that no one could get any work done, they all simultaneously decided it was a good time to get dinner, and we ended up DoS’ing our cafes.

They explicitly prevent “critical personnel, area experts, and leaders from participating”, and are prepared to take downtime (and revenue loss) as part of it. They also exposed some interesting issues that wouldn’t otherwise have come to light (as these things inevitably will do):

In the same scenario, we tested the use of a documented emergency communications plan. The first DiRT exercise revealed that exactly one person was able to find the plan and show up on the correct phone bridge at the time of the exercise. During the following drill, more than 100 people were able to find it. This is when we learned the bridge wouldn’t hold more than 40 callers. During another call, one of the callers put the bridge on hold. While the hold music was excellent for the soul, we quickly learned we needed ways to boot people from the bridge.

There was also the time they were running low on diesel fuel for a generator and didn’t know how to find the emergency spending procedure, so someone volunteered to put a 6 figure sum on their personal credit card. Probably would do wonders for any air miles they were accruing that way!

On a more whimsical note, there was one comment in the article that attracted my attention, saying:

most operations teams were already continuously testing their systems and cross-training using formats based on popular role-playing games.

which gives pause for thought; if it were Call of Cthulhu I could imagine:

I’m sorry, but your data centre has just been eaten by Shub-Niggurath and your staff have all run away or been consumed by her 1,000 young. Take 5 D6 SAN loss and roll on the permanent insanity table.

Though perhaps Paranoia would have been a more appropriate choice, plenty of troubleshooters needed there I suspect..

Great Terms & Conditions

Wonderful fake T&C’s for a fake password checker (well, intended to reinforce that you should never use them).. For example:

You may terminate your relationship to Estatis Inc. by burning all of your possessions and accomplishing applicable purification rites. In this event, you agree that an Estatis Inc. Retaliatory Creature shall be summoned to allow Estatis Inc. to retain full ownership of your soul. In the unforeseen event of you defeating the Estatis Inc. Retaliatory Creature, you shall be released from any obligations arising from your use of the Estatis Free Password Security Checker for the rest of your mortal life, notwithstanding any claims to your soul in Heaven, Hell, the Netherworld or any places with similar legal status. Additional information can be provided by your personal deity or deities (if any).

There’s some other fun stuff in there..

Protect Your Family with the Kogan Portector!

If you’re worried about spam and scams coming through the Internet Portal (thanks to Stephen Conroy for pointing that threat out) then get yourself a Kogan Portector! Here’s their advert for it on YouTube..

Of course you must be sure to read the disclaimer..

DISCLAIMER: The Kogan “Portector” Internet Filter is not a real product. This product is in no way affiliated with Communications Minister Stephen Conroy, The Australian Labor Party, or the Australian Government. Incorrect use may result in uncensored Internet content, freedom of speech, freedom of choice, freedom of thought, and protection of your civil liberties.

Phew, thanks Kogan for saving us!

Joining the Australian Internet Blackout

Along with folks like the Samba project I’ve joined the Great Australian Internet Blackout, so the first time (and only the first time) you visit the site you’ll get the notice about the protest. Here’s why the proposed mandatory filtering is a bad idea from the Great Australian Internet Blackout website:

  • It won’t protect children: The filter isn’t a “cyber safety” measure to stop kids seeing inappropriate content such as R and X rated websites. It is not even designed to prevent the spread of illegal material where it is most often found (chat rooms, peer-to-peer file sharing).
  • We will all pay for this ineffective solution: Under this policy, ISPs will be forced to charge more for consumer and business broadband. Several hundred thousand dollars has already been spent to test the filter – without considering high-speed services such as the National Broadband Network!
  • A dangerous precedent: We stand to join a small club of countries which impose centralised Internet censorship such as China, Iran and Saudi Arabia. The secret blacklist may be limited to “Refused Classification” content for now, but what might a future Australian Government choose to block?

If you’re using WordPress with a theme that supports widgets then participating is as easy as adding a text widget (or using one you already have) and adding the single line of HTML to activate the blackout.

To paraphrase Kryten from Red Dwarf, it has just two minor flaws. One, it won’t work, and two, it won’t work. Now I realise that, technically speaking, that’s only one flaw but I thought it was such a big one it was worth mentioning twice.

Serious SSL Renegotiation Problem

This just in from Ben Laurie:

For the last 6 weeks or so, a bunch of us have been working on a really serious issue in SSL. In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end.

But wait, there’s more..

To make matters even worse, through a piece of (in retrospect) incredibly bad design, HTTP servers will, under some circumstances, replay that arbitrary prefix in a new authentication context. For example, this is what happens if you configure Apache to require client certificates for one directory but not another. Once it emerges that your request is for a protected directory, a renegotiation will occur to obtain the appropriate client certificate, and then the original request (i.e. the stuff from the bad guy) gets replayed as if it had been authenticated by the client certificate. But it hasn’t.

Ben has a patch against the current development head of OpenSSL to ban renegotiation, but for most people it’ll need backporting to their current OpenSSL versions..
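To make the replay problem concrete, here is a toy model of the server-side behaviour Ben describes (an added example, not the post's or OpenSSL's code). No TLS is spoken at all; it models only the server's request buffer and the authentication context attached to the session, with constructed traffic standing in for the injected prefix and the real client's request. The vulnerable class keeps the buffer across a renegotiation and so serves the injected request under the client certificate it obtained afterwards; the hardened class discards anything received under the old context, which is the property OpenSSL's ban on renegotiation enforced bluntly and RFC 5746 later achieved by binding the handshakes together.

```python
PROTECTED_PREFIX = "/protected/"

# Constructed traffic: the bytes a man-in-the-middle injects before the renegotiation,
# and the request the real client sends once it has answered the certificate request.
INJECTED_PREFIX = b"GET /protected/report.txt HTTP/1.0\r\n\r\n"
CLIENT_REQUEST = b"GET /public/index.html HTTP/1.0\r\n\r\n"


def request_path(buf):
    """Path from the first request line in the buffer, or None if there is none."""
    line = buf.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    return parts[1] if len(parts) >= 3 else None


def authorize(path, client_cert):
    """Per-directory policy, as in Apache: protected paths need a client certificate."""
    if path is None:
        return False
    return client_cert is not None or not path.startswith(PROTECTED_PREFIX)


class VulnerableServer:
    """Pre-fix behaviour: whatever was buffered before the renegotiation is served
    afterwards under the identity the renegotiation established."""

    def __init__(self):
        self.buf = b""
        self.client_cert = None

    def receive(self, data):
        self.buf += data

    def renegotiate(self, client_cert):
        # Apache triggers this itself on seeing a request for a client-cert-protected
        # directory; the flaw is that self.buf is left intact across it.
        self.client_cert = client_cert

    def serve(self):
        """Serve the first buffered request; returns (path, granted)."""
        path = request_path(self.buf)
        self.buf = b""
        return path, authorize(path, self.client_cert)


class HardenedServer(VulnerableServer):
    """Fix modelled here: bytes received before a renegotiation are dropped, so nothing
    from the old, unauthenticated context is ever evaluated under the new one. The
    client must resend its request after the new handshake."""

    def renegotiate(self, client_cert):
        self.buf = b""
        self.client_cert = client_cert


def run_scenario(server_cls):
    """Replay the sequence from the post against either server model."""
    server = server_cls()
    server.receive(INJECTED_PREFIX)            # arrives before any client identity exists
    server.renegotiate("victim-client-cert")   # the real client answers the cert request
    server.receive(CLIENT_REQUEST)             # the request the client actually meant to send
    return server.serve()


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableServer))   # injected path served with the victim's cert
    print("hardened:  ", run_scenario(HardenedServer))     # only the client's own request is served
```

Without any renegotiation the injected prefix on its own is refused (no certificate), which is why the bug needs the per-directory certificate requirement to become dangerous: the renegotiation is what lends the attacker's bytes the victim's identity.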

WordPress 2.8.5 released – security fix and hardening work

WordPress 2.8.5 has just been released:

As you know over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch so as to get these improvements out there and make all your sites as secure as possible.

It includes a fix for a trackback DoS attack that’s apparently going on at the moment. I’ve updated the 3 blogs I look after with a quick svn switch http://svn.automattic.com/wordpress/tags/2.8.5.

Microsoft Silently Installs Firefox Plugins, Introduces Security Vulnerabilities

Oh joy, Microsoft have managed to introduce security problems into Firefox through a plugin for it that they silently install without your knowledge! 🙁

Along with .NET Framework 3.5 SP1, Microsoft have been silently installing a Windows Presentation Foundation Plugin that allows the embedding of XAML applications (an XML-based UI technology) in web pages, called XBAP (XAML Web App). The exploit is drive-by, meaning that the victim only needs to be lured onto a web-page for the attack to be effective. The only safe thing to do until a patch is issued, is to open Firefox’s AddOn Manager and disable the WPF plugin.

Mozilla might already have reacted to this, my brother (who alerted me to the above story) said:

Firefox popped up saying it’s blocking 2 Microsoft add-ons so they must be cracking down on them

Dear Microsoft – please do not stuff about with people’s web browsers that don’t belong to you, you’re just not qualified..

Nominum Ignorant of Own Security History

Oh dear, so Nominum crop up on ZDNet decrying “freeware” (by which they probably mean open source) as bad and closed source as being good by saying:

Nominum software was written 100 percent from the ground up, and by having software with source code that is not open for everybody to look at, it is inherently more secure.

Because, of course, that security through obscurity approach works so well for people like Microsoft (have you patched the SMB2 remote admin attack on your Windows boxes yet?). They go on to justify this by saying that you should look at all the security patches that get applied to BIND et al. and contrast that with their own software.

Nominum has not had a single known vulnerability in its software.

Which would be almost impressive, if it were actually true, which it isn’t. That quote is from 22nd September 2009, but over a year earlier they had to release a security patch for their software (PDF document), because:

Cache poisoning allows an attacker to selectively control destination web sites for users accessing a compromised DNS. For example, if a cache entry for Google is poisoned, a user typing in www.google.com would not get the Google website but rather a site controlled by the attacker.

In fact it wasn’t just one piece of software they wrote that had a bug, it was two..

This vulnerability affects all customers using versions of CNS and Vantio released before June 4th, 2008 regardless of what features are being used.

So perhaps people in (smoked) glass houses shouldn’t try and throw stones…