Blog posts tagged "security" – 5 posts found:

2016-02-13: HTTP Public Key Pinning

Posted at 2016-02-13 20:46:37 by SHD

HTTPS sites are encrypted with a public/private key pair; the public key is vouched for by a certificate that is signed by a trusted CA. However, it is possible that somebody generates a certificate for your domain and has it signed by a fraudulent or compromised CA. Protection against this is provided by the use of HPKP. But which keys should be "pinned", and why? I've found the information about this online to be lacking, so I did some research, and here are the results.

2014-05-09: PHP: Why might session_start fail, claiming "no such file or directory"?

Posted at 2014-05-09 15:49:30 by SHD

Here's a little problem that bit me after an OS upgrade to a webserver. Whenever session_start was called, PHP would throw a warning message and not actually start the session:

2013-03-29: Switching to CloudFlare

Posted at 2013-03-29 00:26:48 by SHD

For more than a decade, I've run my own BIND-based DNS server, using FreeDNS for a free secondary DNS service. There has been quite some to-do about a large-scale DDoS attack perpetrated against Spamhaus recently. One significant aspect of this attack was that the DDoS used so-called DNS amplification. This makes use of misconfigured DNS servers ("open recursors") to greatly increase the amount of traffic sent to a victim. One fellow server administrator wrote about this, and it made me wonder whether I was running an open resolver. Fortunately, my own server was properly configured and could not be used as an accessory in such an attack, but what if it had been? That's where CloudFlare comes in.

2012-01-14: Accessing sites blocked by your ISP

Posted at 2012-01-14 20:53:21 by SHD

Just recently, MPAA/RIAA sock puppets Brein managed to convince some clueless judge to order two of the largest ISPs in the Netherlands, XS4ALL and Ziggo, to block the (in)famous torrent website The Pirate Bay. TPB have put up a message that is shown to anyone visiting from a Dutch IP address, as shown below. XS4ALL and Ziggo have both announced they will appeal to a higher court, which is a good thing. I don't even use TPB myself and wouldn't really miss it, but I do care deeply about worthless assholes doing anything to limit my internet access. So, how would this work, and what can I (or anyone) do to give these lying thieves the finger and circumvent these blocks if they are upheld by the higher courts?

2011-07-07: Enabling IPv6

Posted at 2011-07-07 23:33:21 by SHD

It's not something many people will notice, as most of the difficult bits will have to be handled by the ISPs, but it's going to get more and more important for web developers and hosting providers to allow IPv6 access to their services. We've effectively run out of IPv4 addresses. As more and more people bring more and more devices online every day, the common technique for sharing IPv4 addresses, NAT (even carrier-grade NAT, which shares a single IPv4 address among a large part of a provider's customer base), is not a sustainable solution. In the future, there will be people who can access the internet solely through IPv6. At first, this will happen in the areas with the fastest-growing number of people online, particularly Asia. If you want those people to be able to access your website and services, make sure your servers respond to IPv6 traffic.