Archive for Computers & WWW

Replacing StartSSL

A small service I created for personal use had its SSL certificate expire a few weeks ago. I replaced it using my go-to free certificate provider, StartSSL. Unfortunately, accessing this service from my iPhone still didn’t work afterwards, or rather it did, but the certificate still wasn’t trusted. I was forced to ignore this issue at the time due to other pressing matters and, as the service was just used by me, on my device, I simply set the app to ignore the issue until I had time to diagnose the problem properly.

Today I replaced my e-mail signing certificate, also from StartSSL. This time I knew something was wrong; adding the certificate to Thunderbird and sending a test e-mail to be retrieved by my iPhone, the certificate again wasn’t trusted.

Turns out that silently, unbeknownst to me and I’m sure many others, the following chain of events has occurred

  1. StartCom which runs StartSSL were taken over by WoSign
  2. Due to past issues with WoSign regarding the erroneous issuing of certificates for a domain that they had no authority to issue for, they had their root certificate rights revoked by Apple, Mozilla, Google and others
  3. Since the take over of StartSSL, the aforementioned device/software companies have also ceased to trust the root certificates of StartCom.

This has resulted in my having to spring into action. The silent take-over of a previously trusted organisation by a dubious one located in a political jurisdiction known to be questionable with respect to web security is worrying enough, but with the added pain of being unable to send signed e-mail and issue new certs for my soon to expire domains required to be addressed immediately.

I’ve found that comodo, a trusted certficate authority, will issue free e-mail signing certs so I’ve jumped over to that immediately for e-mail and that is running nicely.

In addition there is “LetsEncrypt”, which, once installed, allows you to generate trusted SSL certificates for your domains using the following command

letsencrypt certonly --manual -d my.domain.com

When running the above it’s important to remember that validation you have control over the domain for which the certificate will be issued requires you to

  • Be running a web server on port 80 on the domain
  • Said port 80 server to be accessible publicly through your firewall
  • For you to place a file to be served on the web root of this server

You can always stop apache (or whatever your web server is) and run up a simple stand-alone python server to do the job, but you won’t be able to get away without changing your firewall rules.

This is a departure from the way I’m used to doing things which used the administrative e-mail address registered to the domain and code sent to this for validating I owned the domain. This was nicer as it meant I didn’t have to play with my config all that much (some servers I run use non-standard ports and don’t have port 80 open by default for example).

Anyhow, from my reading of the documentation about LetsEncrypt, it seems that all major browsers and Apple iOS are trusting certificates signed this way. I’ll update this post if that turns out not to be the case, but I’m optimistic.

Hopefully this post will help to raise awareness and also assist some folk out of a bit of a pickle with their security arrangements.

Comments    

Draytek DNS Drops

Some time ago I wrote an article about fixing a VPN connection issue over a Draytek router concerning a UDP flood defense setting. Its turns out that the very same setting can also cause an issue with DNS, the symptoms of which I will outline below. For the fix, head over to the old article above.

Essentially the symptoms are simple. You browse the web as normal and then all of a sudden DNS for new sites (not in local cache) stops resolving. A router reboot is the only way to fix the issue. Increasing the flood defense packet ceiling as mentioned in the article above stops the issue from occurring. I said it was simple!

As to why this issue had happened to me once more, despite having applied an earlier fix, I can only conclude that the ceiling I setup earlier, being tailored to the speed of my ADSL link at the time, should now be higher as I have around twice the bandwidth I used to. I doubled the value and now all is well.

Comments    

Focusing on the Value-Add

It’s a common thing on e-commerce sites these days; we find a product we like, read all about it, but before committing to a purchase, we decide to have a quick search around to make sure we’re getting the best deal price-wise. It’s the online shopping equivalent of trying on a pair of shoes in the shop and then having a quick check on your phone to make sure you can’t get a better deal elsewhere.

Understandably, retailers are twitchy about this. They build sites jam packed full of information, the value-add if you will, to try and encourage confidence in buyers, only to lose the sale on the price point, despite having invested in the customer experience.

I came across a site a few months ago that was fighting back against this post-decision shopping around in a very innovative way.

The following image is the product on sale

And this is what happens when you select the product name text with the intention of copying and pasting into a search engine

Now, it doesn’t *prevent* you from doing the copy/paste, but it does ensure you stop and think, as a customer, about the realities of doing business and if, given the level of service you’re getting, if the price is actually *already* fair.

Food for thought for e-commerce operators and customers alike I’d say.

Comments    

Locked out of iPhone

The other day I had cause to turn off my iPhone. Unlike many who leave theirs permanently on, it’s something I often do; restaurants, theatre, cinema, church to name but a few places where it’s simply good etiquette to do so. Anyway, I digress.

When I switched the device back on again some hours later, I was greeted with a request to “re-activate” it using my apple ID. The problem with this is that for those security concious people like myself who place their iCloud password in LastPass, you cannot get access to the the LastPass app if your phone is locked, which a de-activated phone effectively is.

Fortunately I was within easy reach of a PC on which I could install LastPass, login, retrieve the requisite password and unlock the phone.

This could have been so much worse though; with a phone that could do nothing but call 999 and no PC to retrieve my password, I could have been incommunicado while abroad or some other such significant inconvenience.

I simply didn’t *know* that an iPhone could just de-activate its self like that – certainly a risk worth evaluating when you decide what password (random, unknown, in LastPass v.s. simpler, recallable) to utilise for the purpose!

Comments    

PPTP VPN in Ubuntu 15.10

Recently I had cause to connect to my home VPN from my laptop, being out of town and on a connection not part of my usual trusted network. I tried to connect as usual using PPTP via the network manager on the Xubuntu desktop but no dice – the connection was failing every time. After establishing my iPhone was able to connect from the same network, I realised that the last time my laptop had successfully connected to the VPN was prior to my upgrade to Ubuntu 15.10 and therefore something must have changed with the default settings under the hood to cause the problem.

To cut a long story short, after much digging and hair pulling, I established that you need to enable 3 kernel modules to get the PPTP VPN client back up and running in the latest version of Ubuntu. Add the following to /etc/modules and reboot

nf_nat_pptp
nf_conntrack_pptp
nf_conntrack_proto_gre

After that you should find that your PPTP VPN connection invoked in the usual way from the network manager no longer fails. Happy days!

Comments off    

Export Public Key From pkcs12 Container

Everytime I renew my S/MIME certificate I always seem to wind having to consult the OpenSSL man pages to ascertain the approrpiate command to use in order to extract the certificate from the PKCS12 file I get from my certificate authority so I can share said certificate on my contact page. As I’m sure I’m not the only one who winds up having to look this up, I’m sharing it here.

openssl pkcs12 -in container.p12 -clcerts -nokeys -out public.pem

If you then investigate the contents of the PEM file inside a text editor you’ll find your certificate between the BEGIN and END lines – you should share this content on your website or directly with contacts so that your signed e-mails can be verified as to their origin and also so that contacts can encrypt mail such that it can only be read by you if required.

Comments off    

Handling the Heartbleed Bug

So when news of the Heartbleed Bug hit the tech news sites and security bulletins I decided to read up on it when I got home from work and go from there. While it’s true that some news sites aimed at the general public have gone rather over the top about this and in many cases got their facts and recommendations plain wrong, my evening reading was not that enjoyable – this is indeed a very serious bug and is likely to affect everyone in some way shape or form. Note that I said affect, and not compromise – this is important – there was and still is no evidence that the bug was being exploited in the wild.

For those with a technical inclination, the register has done a nice little round up of how the bug works. The non technical among you may find this heartbleed cartoon illustration over on XKCD more useful.

Anyway, I thought I’d share with you the steps I have taken and will be taking going forward to help mitigate the effects of the bug. I’ve laid out the steps in order, note that I’ve focused on external services first – this was deliberate – no sense in using external services to help me fix my own infrastructure if they were not patched yet.

External Infrastructure

  • Verified with my hosting company that their servers were not affected. Xilo confirmed to all customers that their OpenSSL version was prior to the appearance of the bug. This ensured all keys stored in their infrastructure and used by me are secure
  • Ensured that my cloud based password management system was unaffected. LastPass were very open and detailed with their customers in explaining that despite their servers having been affected and subsequently patched and their certificates re-issued, a combination of passwords never being sent to their systems without an additional layer of encryption to which they never see the key and Perfect Forward Secrecy, customer data was and remains secure.
  • Verified that my certificate provider’s online portal is currently patched and protected. StartSSL have confirmed that their infrastructure was never vulnerable to the attack.

Own Infrastructure

  • Patched all servers I administer that were vulnerable – check yours here

    apt-get update
    apt-get upgrade

  • Re-generated all SSH host keys on vulnerable hosts (remember to leave the pass phrase blank)

    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

  • Revoked certificates that were in use on previously vulnerable hosts. Some providers may charge for this but you’re not fully secure without it!
  • Re-issued certificates that had been revoked using new keys. Generate these and CSR as follows

    openssl genrsa -out server.key 4096
    openssl req -new -key server.key -out server.csr

  • Restarted all services using OpenSSL. In many cases this will be done by the package manager during the upgrade process but if you’ve changed keys etc. a restart will be needed to pick this up

    /etc/init.d/ssh restart
    /etc/init.d/apache2 restart

Passwords

  • Given that changing a password prior to a site admin both patching the server and revoking/re-issuing their certificate is a pointless exercise, I plan on relying on a combination of the LastPass checker and conversations with web masters directly about if I should change passwords or not. I’m expecting a large number to need changing but hopefully it can be done at a relaxed pace over the next few weeks as and when news becomes available regarding the vulnerability or otherwise of a site.

Finance

  • Confirmed, via the LastPass checker, that PayPal have never been vulnerable due to the software they use for SSL
  • While it’s possible that credit card numbers, bank details and indeed other personal details may have been leaked via the bug, I deemed that replacing bank cards etc. was overkill. After all most banks offer fraud cover and my subscription to credit report monitoring includes tools to help manage any increased risk of identity theft. In any case, many personal details sent in this way are not easily changed, in fact only a credit card number can really be replaced – bank details, national insurance number, address etc. are all set in stone.

Hopefully this overview is helpful to those who are confused!

Comments (2)    

Cannot update WordPress post

I came across an old post on my blog the other day that was getting a lot of hits. When I viewed the page I decided that the code snippet in the article could do with an increase in text size to make it more readable.

I went into the admin panel and added an in-line style attribute to the code tag in question. When I saved the page WordPress reported that the post had been updated, however the text in the editor screen reverted back to what it had been prior to my change. I tried numerous times to save and tried different browsers but try as I might, the change just wouldn’t “stick”.

I usually consider myself pretty adept at solving WordPress related issues but this one was stumping me so I did what all developers do when they are in a tight spot and I googled it. Most posts turned up were completely unrelated, but one article suggested that the issue may be symptomatic of a corrupted table.

A quick command as the MySQL root user had my answer and effected the fix into the bargain

[kieran@www:~/public_html]$ mysqlcheck --check --databases wordpress --tables wp_posts -u root -p
Enter password:
wordpress.wp_posts
warning : Table is marked as crashed
error : Key in wrong position at page 132096
error : Corrupt

I re-ran the same command to make sure it had effected a fix (it isn’t clear from the output)

[kieran@www:~/public_html]$ mysqlcheck --check --databases wordpress --tables wp_posts -u root -p
Enter password:
wordpress.wp_posts OK

Now updating the offending post works first time without issue. I suspect, although can’t be sure, that the corruption occurred during a recent upgrade of the server when not all the services, MySQL included, got shut down gracefully.

Comments (1)    

SecurityException in Application

When carrying out a recent upgrade of suPHP I encountered the following error in my apache error logs and PHP pages were not being served.

SecurityException in Application.cpp:511: Unknown Interpreter: php

Turns out the fix is a simple one; the syntax of the config file has change between versions and it’s simple a case of replacing the following lines:

[handlers]
;Handler for php-scripts
x-httpd-php=php:/usr/bin/php-cgi

;Handler for CGI-scripts
x-suphp-cgi=execute:!self

With the following (note the addition of double quotes)

[handlers]
;Handler for php-scripts
x-httpd-php="php:/usr/bin/php-cgi"

;Handler for CGI-scripts
x-suphp-cgi="execute:!self"

A quick bounce of apache and you should be back and kicking

Comments off    

Removing kernel from OpenVZ Container

When I recently upgraded an OpenVZ container in-situ over SSH, I had a few issues with the upgrade path. One of these was that the upgrade process called for the installation of a new kernel, however a container doesn’t need one and in my case couldn’t handle installing one either and thus caused the upgrade process to error out.

The fix was to force remove the kernel, both from the dpkg directory structure (in this case I copied the files to /tmp/ just in case) and using dpkg it’s self. The following commands as root:

mv /var/lib/dpkg/info/linux-image-3.2.0-58-generic.* /tmp/
dpkg --remove --force-remove-reinstreq linux-image-3.2.0-58-generic

Resuming the dist-upgrade after this process was a success

Comments off    

« Previous entries