Mukund

Feed

• RSS 2.0

Archive

• July 2008
• April 2008
• March 2008
• February 2008
• January 2008
• December 2007
• October 2007
• September 2007
• August 2007
• July 2007
• June 2007
• May 2007
• April 2007
• January 2007
• December 2006
• November 2006
• October 2006
• September 2006
• June 2006

Labels

• cifs
• cricket
• dos
• gadgets
• graphics
• life
• linux
• music
• privacy
• programming
• security
• storage
• tinyproxy
• travel
• web
• windows

Firefox 3 and SSL certificates

Posted on July 5, 2008 at 13:54 UTC in security, web

I should not single out only Firefox 3 for this issue, but because it's the browser I use, it gets criticised. Recent UI usability changes in web browsers towards handling self-signed and other “invalid” SSL certificates leave a lot to be desired.

Take my use-case. I want to use a HTTPS secured connection for bugzilla.banu.com (which is a website I setup for my projects). I don't have the dough to get my wildcard certificate for *.banu.com signed by a CA. So I use a self-signed certificate. This self-signed certificate does not mean that the bugzilla website accessible via HTTPS is any more malicious to any end-user than the main Banu website at www.banu.com accessible via HTTP.

I want new visitors who use my Bugzilla to be able to use it as any other plain-old website without suggestion that it's somehow malicious. Google or Wikipedia for example wouldn't like it if the browser screamed “This host uses an invalid security certificate” when someone visited http://www.google.com/ or http://en.wikipedia.org/.

HTTPS is simply an access protocol here. It can serve both authenticated and unauthenticated sessions. This whole issue would seem even more stupid if we didn't have HTTPS but something like STARTTLS for HTTP. Most web surfers do not know the difference between HTTP and HTTPS. They would go by what their browser shows them about whether a website is to be trusted or not. Current browser wording for messages that are displayed when a certificate is not signed by a known CA leans towards suggesting that somehow the remote website is malicious. A website using a self-signed certificate may not be malicious. In fact, statistics lean towards the fact that most websites are not malicious. Browsers would gladly present any content using HTTP, but when an unknown certificate is reached, it's now a stopping point and you now need to do a lot of actions in a browser such as Firefox 3 to get past to the website.

A more usable UI would be to simply indicate that the session was protected when the certificate is deemed as valid (via any padlock icons, or the green/blue Extended Validation info, or the yellow URL bar), and allow a user to simply browse the website otherwise without indicating in the UI that there is any secure connection, without having to go through any extra steps to accept a self-signed certificate.

This would raise some questions. What about forms which post to HTTPS URLs? Would having the browser stop you when it reaches an “invalid” certificate be correct to stop the browser posting to such URLs? No, this won't serve any purpose, as users hardly ever check the action URL of a form to see if it's SSL protected or not before submitting form information. They would look to trust the page which contains the form in the first place, to do the right thing.

With the change suggested above, a user visiting my bugzilla website would not see any icons or other UI indicators in her browser to say that her connection is authenticated even though she's using HTTPS. Nothing would discourage her from using my website. On the other hand, if I add my self-signed wildcard certificate to my list of personal certificates in Firefox, I can have an indiciation that my session is authenticated.

Update: In response to my own post, it occured to me that someone could hijack and force a renegotiation with a malicious server and get posted form fields if the above was implemented, i.e., if your form was served by an authenticated website, but when you submitted it, a MITM attack directed the posted form to a different webserver. So this is probably a bad idea.

Some cool programmer software

Posted on July 5, 2008 at 02:36 UTC in linux, programming

Here are some more software programs for Linux that you may find useful. I used most of them at my last place of work.

• Coverity Prevent is a non-free static analysis tool for C and C++ similar to lint and Sparse, which has a pretty good signal-to-noise ratio. It checks and catches many programming errors, along with the the occasional false positives. It's a good tool to have around if your company can afford it. Sparse is also useful with a lot of C programs.
• If you are a Git user, msmtp is something that you can use as a helper to git-send-email which lets you send email through a SMTP server that only does TLS.
• If you are an Emacs user working with projects in C and C++, you probably already know of the wonderful (and non-free) Xrefactory, a source code navigation and refactoring tool. I had looked for something which came close to IntelliSense and Visual Assist X on Linux, and Xrefactory is it. The commercial version is much better than the $free version if you're gonna try it. The program's maintainer has expressed a willingness to release the $free version under a free software license if someone wants to package it for Debian. Also, Cscope with the xcscope.el module is also pretty decent, but it won't navigate in scope the way Xrefactory will.
• Wireshark rules! You already know that if you are a network programmer, but even the web browsing user can get a lot of bang from it. For example, you have this Flash object on a website that downloads some data (.flv?) from the web server. You want to know what URL it's accessing for it. Or you want to get at a URL (to download it using curl) that is constructed by JavaScript and works only when the web browser also sends several cookies along. You can find out all this information by doing a packet capture using Wireshark and parsing what you've captured. Wireshark breaks the packets up into protocol specific layers with plenty of annotations. EFF has an article on how you can detect packet spoofing by ISPs, using Wireshark. Wireshark does suffer from slow parsing issues if you're working with multi-million-frame captures. Its filter expression syntax is also pretty basic. Implementing indexing of pcap files will probably help it with the speed issue. Scapy is another useful tool that lets you interactively construct and deconstruct packets.

history meme

Posted on April 16, 2008 at 08:42 UTC in linux

On my workstation, which is one of two machines I use:

[muks@jurassic ~]$ uname -a
Linux jurassic 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
[muks@jurassic ~]$ history | awk '{a[$2]++}END{for(i in a){print a[i] " " i}}' | sort -rn | head
326 ls
168 cd
92 git
74 clear
66 joe
30 grep
28 svn
15 ssh
15 cat
13 cp
[muks@jurassic ~]$

I seem to use clear a lot!

So the nerd is "in" now?

Posted on April 6, 2008 at 08:02 UTC in music

Touch my body has hit #1 this week on the Billboard 100. She has all of my 99 cents. The song is a tune and it seems we're the demographic (you'll have to watch the video for that).

What the heck is 802.11n? You don't want me to compile your kernel?

Try Sparse

Posted on March 29, 2008 at 04:54 UTC in programming

Try Sparse to analyze your C code. Unlike Splint, it works well with the GTK libraries and reports a wide range of issues. It also neatly fits in with the autotools build system, so you can basically run your autotools and prep for a make, and then call:

make CC=cgcc

cgcc is a wrapper which invokes sparse first, and then gcc. Then go through the warnings and fix them.

SMB/CIFS file migration engine

Posted on March 20, 2008 at 05:08 UTC in cifs, storage, windows

For the last 9 months, I've been working on a SMB/CIFS virtualization product at Brocade. We announced this product to the world yesterday.

FME lets sysadmins migrate open files (holding rangelocks and oplocks) that are being used by client applications in a DFS namespace, from one filer to another without disruption. Hence the name virtualization. Client applications don't know that files are being moved at the remote end. My work has been in the CIFS datapath, tracking and restoring open file metadata such as rangelocks and oplocks, and also helping migration processes track changes in a file's data while it's being migrated. It'd be very cool to a network filesystem developer or even a sysadmin, to see a Wireshark packet capture of the orchestrated steps.

This work was, for various reasons, done in Windows land, as a driver. Yes, I know.. ugh yuck bleh, but I got to explore a bit of Windows land .

tinyproxy is back

Posted on March 6, 2008 at 08:15 UTC in tinyproxy

The last maintainer of tinyproxy transferred over maintainership of the project yesterday. So the fork nanoproxy is now obsolete and has been removed. The tinyproxy project will keep its old name, because existing users know it as that.

Visit the tinyproxy project!

Forked tinyproxy

Posted on February 11, 2008 at 07:57 UTC in tinyproxy

I forked tinyproxy to create nanoproxy today.

I've been a regular user of tinyproxy for the past 2 years, as it allows me to masquerade as a user in another country/university pretty easily through a SSH shell account. Unfortunately, tinyproxy has been unmaintained for about 3 years now and is marked as inactive on SourceForge.net. There are known bugs in it. I also want it to be a part of my Linux distribution. So what's better than to maintain it. I tried to contact the last active author to ask for access to maintain it, but didn't get any responses so I forked it to a new project called nanoproxy. There'll be releases after a few things are fixed.