Computing Archives - Page 2 of 2

Tag Archives: Computing

“Repairing” Strict Transport Security in Chrome on OS X

2011-03-24 – 05:53
Posted in Certificates, Chrome, HSTS, SSL, Strict Transport Security
Tagged Computing, DNS, Google, Google Chrome, http, HTTP cookie, Linux, Mac OS X, Nginx, System software, Web development
Leave a Comment

One of my subdomains is for mail and I was using an easy DNS hack to point it to my hosted Gmail setup (just create a CNAME pointing to ghs.google.com). This stopped working for some folks this week and I’ve had no time to debug exactly why so I decided to go back to a simple HTTP 301 redirect to avoid any glitches (for whatever reason) in the future – or, at least ensure the glitches were due to any ineptness on my part. Unfortunately, this created an interesting problem that I had not foreseen.

I started playing with Strict Transport Security (HSTS) a while ago and – for kicks & some enhanced WordPress & Drupal cookie security – moved a couple domains to it. I neglected to actually pay for a cert that would give me wildcard subdomain usage and only put in a couple domains for the cert request. I neglected to put the mail one in and that caused Chrome to not honor the redirect due to the certificate not being valid for the mail domain.

I tweaked theStrict-Transport-Security header setting in my nginx config to not include subdomains, but it seems Chrome had already tucked the entry into (on OS X):

[code padlinenumbers=”false” gutter=”false”]~/Library/Application Support/Google/Chrome/Default/TransportSecurity[/code]

and was ignoring the new expiration and subdomain settings I was now sending. Again, no time to research why as I really just needed to get the mail redirect working. I guessed that removing the entry would be the easiest way to bend Chrome to my will but it turns out that it’s not that simple since the browser seems to hash the host value:

[code]"wA9USN1KVIEHgBTF9j2q0wPLlLieQoLrXKheK9lkgl8=": {
"created": 1300919611.230054,
"expiry": 1303563439.443086,
"include_subdomains": true,
"mode": "strict"
},[/code]

(I have no idea which host that is, btw.)

I ended up backing up the TransportSecurity file and removing all entries from it. Any site I visit that has the cookie will re-establish itself and it cleared up the redirect issue. I still need to get a new certificate, but that can wait for another day.

Windows and Linux folk should be able to find that file pretty easily in their home directories if they are experiencing any similar issue. If you can’t find it, drop a note in the comments and I’ll dig out the locations.

Quick Hits :: 2011-01-07

2011-02-07 – 19:35
Posted in HTML5, Information Security, Javascript, Programming
Tagged algorithm, botnet, canvas, canvas applications, Computer network security, Computing, CUDA, DDoS, DoS, HTML, HTML 5, HTML5, javascript, JavaScript programming language, mathematics, Multi-agent systems, node.js, Password, programming, Roberto Bicchierai, Spamming, V8 engine
Leave a Comment

Security

Smart Servers spot & block botnet attacks [NewScientist]
Passwords are *so* 2010 – Building the ultimate bad arse CUDA cracking server… [SecManiac]

Programming

Interesting points/counterpoints on the efficacy of Node.js being tied so closely to the V8 javascript engine:

NodeJS: To V8 or not to V8 [bruno fernandez-ruiz]
On Bruno’s Concern About the Current Coupling of node.js and V8 [jason @ Joyeur]

HTML5

A snippet-packed presentation of what it takes to makes object-based & event-driven HTML5 canvas applications :: Lenscape, a canvas interaction tutorial [Roberto Bicchierai]

AwesomeChartJS Meets Microsoft Security Bulletins

I wanted to play with the AwesomeChartJS library and figured an interesting way to do that was to use it to track Microsoft Security Bulletins this year. While I was drawn in by just how simple it is to craft basic charts, that simplicity really only makes it useful for simple data sets. So, while I’ve produced three diferent views of Microsoft Security Bulletins for 2011 (to-date, and in advance of February’s Patch Tuesday), it would not be a good choice to do a running comparison between past years and 20111 (per-month). The authors self-admit that there are [deliberate] limitations and point folks to the most excellent flot library for more sophisticated analytics (which I may feature in March).

The library itself only works within an HTML5 environment (one of the reasons I chose it) and uses a separate <canvas> element to house each chart. After loading up the library iself in a script tag:

<script src="/b/js/AwesomeChartJS/awesomechart.js" type="application/javascript">

(which is ~32K un-minified) you then declare a canvas element:


<canvas id="canvas1" width="400" height="300"></canvas>

and use some pretty straighforward javascript (no dependency on jQuery or other large frameworks) to do the drawing:

var mychart = new AwesomeChart('canvas1');

mychart.title = "Microsoft Security Bulletins Raw Count By Month - 2011";

mychart.data = [2, 12];

mychart.colors = ["#0000FF","#0000FF"];

mychart.labels = ["January", "February"];

mychart.draw();

It’s definitely worth a look if you have simple charting needs.

Regrettably, it looks like February is going to be a busy month for Windows administrators.

rud.is

Tag Archives: Computing

“Repairing” Strict Transport Security in Chrome on OS X

Quick Hits :: 2011-01-07

AwesomeChartJS Meets Microsoft Security Bulletins