SecFault

Random thoughts about software and security

HTTP/2 Security Implications

HTTP/2 is a major revision of the HTTP protocol; its RFC (RFC 7540) was published in May 2015. Currently most client-server communication is still done over HTTP/1.1. In practice, HTTP is the de facto transport for almost all application-level network traffic, even for non-web applications. HTTP/2 specifies some fundamental changes to the protocol, so once it is widely adopted these changes will affect software development in general, and security in particular, which is the focus of this article. This is not a low-level protocol analysis but a high-level overview of practical security concerns related to HTTP/2.

Understanding TLS

This is an article I have meant to write for the last two years. Getting TLS right seems to be a major challenge for many admins, and I do not mean only random startup websites, but also large commercial web services and Fortune 500 companies.

The problem is not only poorly configured servers and expired certificates; in many cases the whole concept of TLS is misunderstood. I will try to be short and clear here and state what TLS is and what TLS is not. Later on, I provide some tips and links to resources that I have found useful.

Rowhammer.js - Memory Corruption via JavaScript

Recently I stumbled upon an interesting paper. It introduces an attack called "Rowhammer.js", which triggers the DRAM Rowhammer bug from JavaScript. In short: Rowhammer.js enables hardware-level memory corruption (bit flips) from within a web browser. Yes, it sounds insane, it is insane, and yet it seems to be a real thing. I believe this may become a major client-side web security issue.

Hackers Gonna Hack, or Get Hacked

The Italy-based company Hacking Team suffered a major security breach earlier this week. Hacking Team provides offensive cyber security capabilities, mainly for governments and law enforcement. The web is already full of analysis and stories about this case. I summarize here some of the most important and interesting points.

Onko Internet Rikki? (Is the Internet Broken?)

As an exception, this post is in Finnish, since it is my comment on an article by Jussi Pullinen (@JussiPullinen) at nyt.fi.

On Monday, Helsingin Sanomat news editor Jussi Pullinen published a commendable column in which he declared the Internet to be broken. The piece makes many good points, and I largely agree with its message. However, the column contained some claims that, in my view, did not take into account a few realities of how the Internet and information technology work. That is understandable if the author does not have a technical background. Here I comment on a few points from the column.

Bypassing Browser anti-XSS Filters With Header Injection

Currently, most modern browsers provide built-in protection against reflected cross-site scripting (XSS) vulnerabilities. In practice, the browser compares the HTTP request (URL and POST body) with the corresponding response: if a snippet of JavaScript or HTML that was sent in the request is detected in the response as well, that code is not executed. This is a nice way to protect users against malicious links or redirects. Let's see how to bypass this feature.
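To make the matching idea above concrete, here is an added example that is not part of the original post and is not any browser's actual filter code: a deliberately simplified model of a reflected-XSS filter that extracts inline scripts and event-handler attributes from a response and treats each as reflected when its text also appears in a request value. The function names (decodeParam, requestValues, scriptSnippets, filterResponse) and the sample request and response are constructed for illustration.

```javascript
// Added example: a toy model of a browser reflected-XSS filter.
// Real filters (e.g. WebKit's XSSAuditor) do far more normalisation;
// this only shows the core decision: response script vs. request data.

// Decode a URL-encoded value; '+' becomes a space as in form encoding.
function decodeParam(value) {
  try {
    return decodeURIComponent(value.replace(/\+/g, " "));
  } catch (e) {
    return value; // malformed percent-encoding: fall back to the raw value
  }
}

// Collect every request-controlled value: query parameters and,
// for a POST, the form body fields (body is an optional constructed string).
function requestValues(url, body) {
  const pairs = [];
  const q = url.indexOf("?");
  if (q !== -1) pairs.push(...url.slice(q + 1).split("&"));
  if (body) pairs.push(...body.split("&"));
  return pairs.map((pair) => {
    const eq = pair.indexOf("=");
    return decodeParam(eq === -1 ? pair : pair.slice(eq + 1));
  });
}

// Extract inline <script>...</script> blocks and on* handler attributes
// from the response body (a regex model, not a real HTML parser).
function scriptSnippets(html) {
  const snippets = [];
  const scriptRe = /<script\b[^>]*>[\s\S]*?<\/script>/gi;
  const handlerRe = /\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) snippets.push(m[0]);
  while ((m = handlerRe.exec(html)) !== null) snippets.push(m[0].trim());
  return snippets;
}

// Normalise for comparison so trivial case/spacing differences do not
// defeat the match.
function normalise(s) {
  return s.toLowerCase().replace(/\s+/g, " ").trim();
}

// Split response scripts into those the filter would block (reflected
// from the request) and those it would allow.
function filterResponse(url, body, html) {
  const values = requestValues(url, body).map(normalise);
  const blocked = [];
  const allowed = [];
  for (const snippet of scriptSnippets(html)) {
    const n = normalise(snippet);
    (values.some((v) => v.includes(n)) ? blocked : allowed).push(snippet);
  }
  return { blocked, allowed };
}

// Constructed sample: a search page that echoes the query unescaped.
const sampleUrl = "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E";
const sampleHtml =
  '<html><body>Results for <script>alert(1)</script>' +
  '<script src="/static/app.js"></script></body></html>';

console.log(filterResponse(sampleUrl, null, sampleHtml));
```

Running the sample shows the reflected `<script>alert(1)</script>` in `blocked` and the page's own `app.js` include in `allowed`; the same script tag in a response to a request that did not carry it is allowed, which is exactly the reflection test the paragraph describes.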

Asus RT-N56U Router Security

I recently bought a new home router, an Asus RT-N56U. It is a basic consumer-level wireless router with some "advanced" features, such as file sharing and a print server. I am actually pretty happy with the features of the router. Security is the problem, or the lack of security, to be more precise.

Overview of PHP.net Hacking Case

Most security and technology people are probably aware by now that PHP's website php.net was compromised and injected with JavaScript malware this week. The malware was originally detected by Google Safe Browsing: on Thursday 24 Oct 2013, Google began to warn that php.net contained malware. This post describes the case at a high level and refers to other articles that provide further details.

Is Crypto Broken, or Is NSA Just Cheating?

For some time I have meant to write down some of my thoughts about the NSA/PRISM network surveillance case. For me, the most interesting question is what the NSA can do in practice, and what it cannot. This blog post by professor Matthew Green is pretty complete, and it sums up my thoughts and assumptions about the case quite comprehensively.