Recovering from Heartbleed

Heartbleed is a critical vulnerability in OpenSSL revealed yesterday. I’m not sure it could be more serious: it allows an attacker to connect to your server and use the TLS heartbeat extension to obtain 64k of server memory (and do it again to get another 64k and again and…) – while leaving no traces in logs. That server memory might include primary key material (private keys), secondary key material (usernames and passwords), and collateral (memory addresses, canaries used to detect overflow, etc.).

How to run a question period

Many different kinds of events involve a presenter giving a speech, and often taking questions. Unfortunately, question periods are often a problem – for both the presenter and the audience. Here are some thoughts on making it better.

Validating SSL certificates for IRC bouncers

IRC bouncers are sort of like a proxy. Your bouncer stays online, connected to IRC, all the time, and then you connect to the bouncer using a normal IRC client. I connect to my bouncer with an SSL-encrypted connection, but I hadn’t been validating the certificate until now. Validating the SSL certificate is critical for thwarting man-in-the-middle (MITM) attacks.

In a MITM attack, the victim connects to the attacker, thinking it is the service they want to talk to (the IRC bouncer in this case). The attacker then forwards the connection to the service. Both connections might use SSL, but in the middle, the attacker can see the plaintext. They can simply eavesdrop, or modify the data flowing in both directions. SSL is supposed to prevent that, but if you don’t validate the certificate, then you don’t know who you’re talking to. I want to know I’m really talking to my IRC bouncer, so let’s figure out how to validate that certificate.

Server-side security war games: Part 15

We’re nearly at the end! This is the 2nd-last level.

We know there is a users table, with columns “username” and “password”. This time, the code just checks that the username exists. There’s no way to print out the data we want. Instead, we’ll have to do something cleverer.

Mocking LWP::UserAgent properly

This is an update to an earlier post I wrote about the adventures I had in creating and using a mock LWP::UserAgent for testing purposes. The ever-vigilant mst overheard a conversation on the same topic, and jumped in. He pointed out that Test::MockObject (and everything using it) overrides UNIVERSAL::isa in a way that hides bugs. Because it can hide bugs, it is definitely not safe to use in a test suite, where you’re trying to uncover bugs.

Still no partial checkouts in Git

Update: Git 1.7.0 now supports “sparse” checkouts (quick overview).

Richard Fine has an excellent blog post discussing why it’s time to stop using Subversion. I was struck by the similarities between his reasons for leaving SVN in the dust and mine:

CLI Perl syntax highlighter

Last night, someone posed a problem in #perl-help. They wanted to have syntax highlighting in their shell for Perl code. I immediately suggested that they use Pygments – I knew about it because I’d used it before, and I had experimented with the command line tool. But I was surprised there wasn’t already a Perl solution.