Archive

Posts Tagged ‘browser’

Poodle.. or rather, what’s all the fuss with SSLv3

December 7th, 2014 No comments

The “Poodle” attack on websites and browsers was all over the media a few weeks ago, following in the shadow of Heartbleed.

Here’s what most users need to know… This is an vulnerability that exists in secure internet communication because…

  1. While most newer systems rely on TLS security, they still support older protocols (SSLv3 in particular for this issue)
  2. As secure communications generally attempt to find a “common” method, they will often “drop down” to older supported versions (even if they are now often considered insecure!)
  3. Most browser and server software (unless recently patched) will allow for this “drop down” in security.
  4. Most software provides a mechanism to disable this by the user or in configuration.
  5. Upgrading your software will usually remove these “problematic” vulnerabilities.

Simply put… for a consumer, it’s best to upgrade to a newer browser or find the appropriate configuration to disable SSLv3 if you are unable to upgrade. Server administrators generally should update their sofware on a regular basis for security items such as this one!

NOTE: Many CDN’s such as CloudFlare are proactive and block this vulnerability.

Technical details on the Poodle vulnerability (if you’re into that sort of thing!):

Instructions here are for Apache HTTPd 2.2.23 and newer, other servers will require a similar change:


  1. sudo vi /etc/apache2/mods-enabled/ssl.conf
  2. Change the following line from:
    SSLProtocol All -SSLv2
    to:
    SSLProtocol All -SSLv2 -SSLv3
  3. sudo service apache2 reload
  4. sudo service apache2 restart

Can be tested at the following websites:

REFERENCES:

“msapplication-config” and browserconfig.xml

November 15th, 2014 No comments

Windows-8/MSIE-11 introduced Tiles, as such server administrators may have started seeing HTTP 404 errors in their server logs as it attempts to look for a “browserconfig.xml” file at the root of a website domain. If you are inclined to use this file, you should definitely look into the documentation for how to best make use of it. Others may just wish to prevent the error from making “noise” in their log files.

To remove the error, add the following to your pages; alternately you COULD define the URL of your file as the ‘content’ attribute:

<meta name="msapplication-config" content="none" />

You can alternately place an empty /browserconfig.xml on your web server for each domain.

An common example of how to use this file is below:

<?xml version="1.0" encoding="utf-8"?>
<browserconfig>
<msapplication>
<tile>
<square70x70logo src="/mstile-70x70.png"/>
<square150x150logo src="/mstile-150x150.png"/>
<wide310x150logo src="/mstile-310x150.png"/>
<square310x310logo src="/mstile-310x310.png"/>
<TileColor>#8bc53f</TileColor>
<TileImage src="/mstile-150x150.png" />
</tile>
</msapplication>
</browserconfig>

REFERENCES:

Install free “recognized” SSL certificates for Apache2

August 24th, 2014 No comments

Once you have your server running with a self-signed certificate you might find it useful to have a “real” certificate that does not warn users.

Many of the CA’s provide test certificates that are generally valid for 30-60 days, I’ve recently discovered StartSSL, that generates free certificates that are valid for a full year.

  1. Generating keys and certificates….

    NOTE: this process is rather involved and is documented better elsewhere, here’s what I needed to remember to get the keys and certificates.

    • save ssl.key (private)
    • save ssl.crt (pem encoded)
    • get file from control panel: sub.class1.server.ca.pem
  2. Make sure that you move all three files to the /etc/apache2/ssl/ folder on the server.
  3. Edit the config file…
    sudo vi /etc/apache2/sites-available/default-ssl.conf

    Modify the values related to the keys and certs…

    SSLCertificateFile /etc/apache2/ssl/ssl.crt
    SSLCertificateKeyFile /etc/apache2/ssl/ssl.key
    SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem

  4. Reload the config and restart…

    sudo service apache2 reload
    sudo service apache2 restart
  5. Test it out…
    https://www.ssllabs.com/ssltest/analyze.html?d=YOURDOMAIN.COM

REFERENCES:

Create self-signed SSL certificates for Apache on Ubuntu

August 23rd, 2014 No comments

To increase the security of your web applications, it is a standard process to enable HTTPS/SSL/TLS. Unfortunately, purchasing certificates can often be very expensive. Luckily, you can create a self-signed certificate for free for casual use or testing.

These steps are for Ubuntu, I wrote similar documentation for the Windows platform that you can find way back in my blog archives!

NOTE: As certificates generated in this manner are not verified by any recognized authority, many browsers will warn users (often in frightening language) about their insecurity. As stated above, these are best used only for internal use.

  1. First you will need to have apache2 installed, at a minimum you need to run:
    sudo apt-get install apache2
  2. Enable the SSL module:
    sudo a2enmod ssl

  3. Create the folder to store the keys and certificates:
    sudo mkdir /etc/apache2/ssl

  4. Generate a private key and certificate:

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

    Enter reasonable values for the fields in question.
    For FQDN Common Name enter *.domain.com for wildcard support!

  5. Edit the config file:

    sudo vi /etc/apache2/sites-available/default-ssl.conf

  6. Un-comment or update the following lines:

    ServerName YOURDOMAIN.COM
    ServerAlias WWW.YOURDOMAIN.COM
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

  7. Enable to SSL website and restart:

    sudo a2ensite default-ssl.conf
    sudo service apache2 reload
    sudo service apache2 restart

  8. Test it out… provided your firewall routes port 443 to your server.

    https://www.ssllabs.com/ssltest/analyze.html?d=YOURDOMAIN.COM

REFERENCES:

Preventing Blackberry browser from messing up your UI

August 10th, 2014 No comments

I’ve previously given steps to prevent phone numbers (and other elements) from being automatically reformatted by Skype Toolbar and IOS Safari, there is still a small segment of the user population that uses Blackberry devices that can similarly benefit from a little code.

The following stops auto detection and formatting of phone and email addresses on devices with the BlackBerry Browser.

HTML:

<meta http-equiv="x-rim-auto-match" content="none" />

WML:

<meta name="x-rim-auto-match" http-equiv="x-rim-auto-match" forua="true" content="none" />

REFERENCES:

Skype toolbar meta tag… preventing Skype from messing up your UI

August 9th, 2014 No comments

I’ve previously documented the method used to prevent IOS devices from formatting numbers.

Users on other platforms, notably Windows, have Skype installed and it too can cause some headaches with your UI as it inserts elements to decorate phone numbers.

For users that have the Skype Toolbar enabled, the following META tag will prevent it from doing a lot of damage!

<meta name="SKYPE_TOOLBAR" content="SKYPE_TOOLBAR_PARSER_COMPATIBLE" />

REFERENCES:

HTML cleartype meta tag?

August 3rd, 2014 No comments

This tag allows for activation of ClearType in Mobile IE for smoothing fonts.


<!--[if IEMobile]><meta http-equiv="cleartype" content="on" /><![endif]-->

NOTE: Future use of this approach is questionable, as MSIE10 dropped support of conditional comments, and HTML5 validators (in general) do not “like” the http-equiv values as they are not standardized

REFERENCES:

Preventing IOS/Safari from formatting numbers

August 2nd, 2014 No comments

There are many cases where your application may display numbers that “resemble” phone numbers, but are not, unfortunately Safari’s default behavior is for it to be “helpful” and format them into clickable/callable links for the user of Apple IOS devices.

Adding the following META tag can prevent that default behavior:

<meta name="format-detection" content="telephone=no" />
.

NOTE: I’ve seen some mention of using this method for ‘address=no’ and ‘email=no’, but have not looked into or verified those implementation yet!

REFERENCES:

opensearchdescription.xml

July 19th, 2014 No comments

OpenSearch is a relatively obscure topic that I’ve only crossed a few times, here is the premise.

A simple tag can be added to your content, in this case HTML, but a feed can also contain this element.

<link rel="search" href="http://www.giantgeek.com/opensearchdescription.xml" type="application/opensearchdescription+xml" title="giantgeek.com" />

That link refers to a file that resembles the one below, in it you can specify the URL to the search facilities on a website, or as in the case below, use the parameters for a Google search of your website.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE OpenSearchDescription>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">
<ShortName>GiantGeek.com</ShortName>
<Description>Use Google to search our web site.</Description>
<InputEncoding>UTF-8</InputEncoding>
<Tags>giantgeek skotfred</Tags>
<Contact>[email protected]</Contact>
<Image width="16" height="16" type="image/x-icon">http://www.giantgeek.com/favicon.ico</Image>
<!-- NOTE: this uses Google, you can give your own search url instead -->
<Url type="text/html" method="GET" template="http://www.google.com/search?q=site:giantgeek.com {searchTerms}"/>
<Url type="application/opensearchdescription+xml" rel="self" template="http://www.giantgeek.com/opensearchdescription.xml"/>
</OpenSearchDescription>

Many modern browsers that provide a ‘search box’ in the browser interface, can then add the capability to perform a search of your website even when the user is not there already.

REFERENCES and Additional Reading:

Install Opera Browser on Ubuntu

July 5th, 2014 No comments

I was recently attempting to port some older Selenium tests to a new Linux machine and found that I did not have the Opera browser installed. Thus, I submit the following.

There are several ways to go about doing this, depending upon your skills.

1. Most simple IMHO…

  • Add the path to the application file, then install, updates will come as they are released.
    sudo vi /etc/apt/sources.list
  • Add the following line to the file.
    deb http://deb.opera.com/opera/ stable non-free
  • Update the software registry:
    sudo apt-get update
  • Install:
    sudo apt-get install opera

2. Another method, with the same results:

  • sudo sh -c ‘echo “deb http://deb.opera.com/opera/ stable non-free” >> /etc/apt/sources.list.d/opera.list’
  • sudo sh -c ‘wget -O – http://deb.opera.com/archive.key | apt-key add -’
  • sudo apt-get update
  • sudo apt-get install opera

3. Additionally, you can simply download the files from the Opera website and uncompress wherever desired on your drive.

REFERENCES:

/////