SHIM Security Improvements

The other day I noticed that SHIM was vulnerable to CSRF attacks, so I decided to fix that. To do this I used nosurf. It ended up being pretty simple: just plug in nosurf as middleware for your requests, and then plug the token values in a hidden <input> element somewhere inside your <form>. While implementing this, I also saw that SHIM’s Delete Post page had a security vulnerability: it didn’t follow the HTTP specification.

Identity Hijacking: A Social Engineer's Tool

In today’s age, your identity is one of the most precious things you have. An identity has a reputation, which impacts what resources it may access. For example, your identity (John Doe) has a FICO score, which directly affects the capital you may raise in a loan. Your identity can also affect your ability to obtain a security clearance or pass a background check. But what happens when your identity isn’t yours?

The Insecure of Things

So weev had some fun with printers recently. With 6 lines of shell, weev not only trolled hundreds of people from across the Atlantic Ocean, but also showed how screwed IT security is. If any of the affected organizations used even the most basic security measures, all of this could have been prevented. It’s sad that in $CURRENT_YEAR companies still can’t be bothered to implement the simplest of security measures. But this post isn’t about anything Andrew Auernheimer has done, it’s about something worse – the Internet of Things (hereafter referred to as IoT).

Lets Encrypt (This Website)!

Looks like I got in to the Let’s Encrypt Beta Program. As of now, camconn.cc, files.camconn.cc, and www.camconn.cc now use a certificate from Let’s Encrypt. I had to do some work to make sure everything works with Lighttpd, but so far so good. This included concatenating the cert.pem and privkey.pem together to create a single lighttpd.pem file that lighttpd could handle. I’ll start using the cert with Postfix soon too. I’m now going to start redirecting HTTP requests to HTTPS, as well as fixing links within this website.

TLS on the Top 500 Websites

I recently watched a talk by Jacob Appelbaum about how Tor does TLS certificates, and how a bunch of users using certificates that expire in 2 hours is suspicious. So I wondered, what does the average TLS certificate look like? And since I’m a programer, I decided to go and gather some data. Thus, I wrote a tool to gather the information I wanted. “Make the data you want to see in the world.” That’s how it goes, right?