Difference between http amp https . MUST read FIRST, MANY PEOPLE ARE UNAWARE OF The main difference between http and https lt HTTPS gt is. It s all about keeping you secure HTTP stands for HyperText Transport Protocol, which is just a fancy way of saying it s a protocol a language, in a manner of speaking for information to be passed back and forth between web servers and clients. The important thing is the letter S which makes the diffe… read more>>

Even search engines can get suckered by Internet scams.

With a little sleight of hand, con artists can dupe them into giving top billing to fraudulent Web sites that prey on consumers, making unwitting accomplices of companies such as Google, Yahoo and Microsoft.

Online charlatans typically try to lure people into giving away their personal or financial information by posing as legitimate companies in “phishing” e-mails or through messages in forums such as Twitter and Facebook. But a new study by security researcher Jim Stickley shows how search engines also can turn into funnels for shady schemes.

Stickley created a Web site purporting to belong to the Credit Union of Southern California, a real business that agreed to be part of the experiment. He then used his knowledge of how search engines rank Web sites to achieve something that shocked him: His phony site got a No. 2 ranking on Yahoo Inc.’s search engine and landed in the top slot on Microsoft Corp.’s Bing, ahead of even the credit union’s real site.

Google Inc., which handles two-thirds of U.S. search requests, didn’t fall into Stickley’s trap. His fake site never got higher than Google’s sixth page of results, too far back to be seen by most people. The company also places a warning alongside sites that its system suspects might be malicious.

But even Google acknowledges it isn’t foolproof.

Some recession-driven scams have been slipping into Google’s search results, although that number is “very, very few,” said Jason Morrison, a Google search quality engineer.

On one kind of fraudulent site, phony articles claim that participants can make thousands of dollars a month simply for posting links to certain Web sites. Often, the victims are asked to pay money for startup materials that never arrive, or bank account information is requested for payment purposes.

“As soon as we notice anything like it, we’ll adapt, but it’s kind of like a game of Whac-A-Mole,” he said. “We can’t remove every single scam from the Internet. It’s just impossible.”

In fact, Google said Tuesday it is suing a company for promising “work at home” programs through Web sites that look legitimate and pretend to be affiliated with Google.

Stickley’s site wasn’t malicious, but easily could have been. In the year and a half it was up, the 10,568 visitors were automatically redirected to the real credit union, and likely never knew they had passed through a fraudulent site.

“When you’re using search engines, you’ve got to be diligent,” said Stickley, co-founder of TraceSecurity Inc. “You can’t trust that just because it’s No. 2 or No. 1 that it really is. A phone book is actually probably a safer bet than a search engine.”

A Yahoo spokeswoman didn’t respond to requests for comment. Microsoft said in a statement that Stickley’s experiment showed that search results can be cluttered with junk, but the company insists Bing “is equipped to address” the problem. Stickley’s link no longer appears in Bing.

To fool people into thinking they were following the right link, Stickley established a domain (creditunionofsc.org) that sounded plausible. (The credit union’s real site is cusocal.org.) After that, Stickley’s site wasn’t designed with humans in mind; it was programmed to make the search engines believe they were scanning a legitimate site. Stickley said he pulled it off by having link after link inside the site to create the appearance of “depth,” even though those links only led to the same picture of the credit union’s front page.

The experiment convinced Credit Union of Southern California that it should protect itself by being more aggressive about buying domain names similar to its own. Domains generally cost a few hundred dollars to a few thousand dollars each — a pittance compared with a financial institution’s potential liability or loss of goodwill if its customers are ripped off by a fake site.

“The test was hugely successful,” said Ray Rounds, the credit union’s senior vice president of information services.

Stickley’s manipulation illuminates the dark side of so-called search engine optimization. It’s a legitimate tactic used by sites striving to boost their rankings — by designing them so search engines can capture information on them better.

But criminals can turn the tables to pump up fraudulent sites.

“You can do this on a very, very broad scale and have a ton of success,” Stickley said. “This shows there’s a major, major risk out there.”

Robert Hansen, a Web security expert who wasn’t involved in Stickley’s research, said ranking high in search engine results gets easier as the topic gets more obscure. An extremely well-trafficked site such as Bank of America’s would always outrank a phony one, he notes.

Still, Hansen said, criminals have been able to game Google’s system well enough to carve out profitable niches. He says one trick is to hack into trusted sites, such as those run by universities, and stuff them with links to scam sites, which makes search engines interpret the fraudulent sites as legitimate.

“I don’t think we’re anywhere near winning” the fight against such frauds, said Hansen, chief executive of the SecTheory consulting firm.

Roger Thompson, chief research officer for AVG Technologies, who also wasn’t involved in the research, said search results can be trusted, for the most part.

“But the rule is, if you’re looking for something topical or newsworthy, you should be very cautious about clicking the link,” he said. That’s because criminals load their scam sites with hot topics in the news, to trap victims before the search engines have a chance to pull their sites out of the rankings.

“The bad guys don’t have to get every search,” he said. “They just have to get a percentage.”

Consumers can protect themselves from scam sites by looking up the domain at http://www.whois.com, which details when a site was registered and by whom. That can be helpful if the Web address of a phony site is similar to the real one.

Looks like search engine optimization (SEO) can be put to fraudulent uses too, as shown by Stickley and his fake site. It’s scary to know that your favourite search engine Google or Yahoo is delivering scam sites to you when you search with them. Who’s going to take the blame when the user gets scammed? Surely the search engine will have to take some of the responsibility as well, for not ensuring that they do not index phishing sites in their databases. Of course, the bulk of the responsibility still lies on the user to ensure that they are on the correct website before entering sensitive information such as bank account information or usernames and passwords.

Some simple things to look out for:

1. Check the address bar – is the URI familiar?
2. Look out for the https protocol – this shows that you’re on a secure connection. While even this may be faked, there’s a higher probability that you’re on a genuine site if https is being used.
3. Look out for SSL when doing online banking. There should be a lock icon in the bottom right corner of your internet browser. If you’re using Firefox, you can also look at the address bar, where they will identify the owner of the SSL certificate.

This blog expands on a previous entry, Protect Your Credit Card Online.

Most of us are familiar with the letters “HTTP,” which precede the web address for virtually every site on the World Wide Web. HTTP stands for hypertext transfer protocol, and without getting overly technical, it serves basically as a call out to information or a location on the Web, and it awaits a response from the requested source. When the reply comes back, a connection is made.

When shopping online, HTTP is not considered safe enough to exchange sensitive information, such as credit card numbers. Sites that require personal information use HTTP Secure, or HTTPS. HTTPS provides encryption and secure identification of the server to ensure that the information sent won’t be compromised by eavesdroppers or man-in-the-middle attacks, which we’ll cover in future blogs.

When submitting sensitive information on the Web, and especially when using your credit card to shop online, always check the Web address in the browser window. Make sure it starts with HTTPS to keep your online shopping experience safe and secure.

By: AJP Enterprise

There are some ways to do that, in this examples let’s use the module mod_rewrite.

Make sure that the module mod_rewrite is being loaded by your apache

We need tell apache the condiction to execute the redirect, edit the file $APACHE_HOME/conf/httpd.conf and add the following lines:

#Turn on the rewrite
RewriteEngine on

#Condiction and rule for redirect
RewriteCond %{REQUEST_URI} ^/(<YOUR URL>)
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

Sample:
Let’s suppose you need to redirect the URL http://youserver/login.php to https://youserver/login.php, our configuration would be the follwing:

RewriteCond %{REQUEST_URI} ^/(login\.php)
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

If there are a need to set up more than one URL, just copy and paste the 2 lines above and replace the name of the page.

Once the user request the url http://youserver/login.php he will remain in https even in pages that are not configured in httpd.conf, That happened because that configuration tell apache to get in https when the page login.php is requested, so we need tell Apache to get in http when some other page is requested, this is configured in the file $APACHE_HOME/conf.d/ssl.conf, do the same configuration done in file http.conf

Sample:
Let’s suppose that after the user pass througt the login he will get the home.php page, so add the following lines in the file $APACHE_HOME/conf.d/ssl.conf:

RewriteEngine On

RewriteCond %{REQUEST_URI} ^/(home\.php)
RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [R,L]

Don’t forget to restart the apache service

It’s done, !!!

Overview

A quick and easy way to eliminate javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target without making dangerous changes to your default trust store.

Steps

1. Create a new keystore and associated key entry by executing the following command (N.B. The password values for the -keypass and -storepass options must be identical for Tomcat to work):

   keytool -genkey -alias tomcat -keyalg RSA -keypass <password> -keystore <user-home>/tomcat.jks -storepass <password>
   

2. Enter and confirm your details.
3. Uncomment the “SSL HTTP/1.1 Connector” entry in $CATALINA_BASE/conf/server.xml.
4. Add keystoreFile and keystorePass attributes with the appropriate values. The result should now resemble the following:

   <!-- Define a SSL HTTP/1.1 Connector on port 8443
   	This connector uses the JSSE configuration, when using APR, the
   	connector should be using the OpenSSL style configuration
   	described in the APR documentation -->
   
   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
   	maxThreads="150" scheme="https" secure="true"
   	keystoreFile="${user.home}/tomcat.jks" keystorePass="<password>"
   	clientAuth="false" sslProtocol="TLS" />
   

5. Restart Tomcat and deploy your HTTPS constrained resources.
6. Add a @BeforeClass method to any tests generating HTTPS requests. Use this method to set the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties. For example:

   @BeforeClass
   public static void setUp() {
   	System.setProperty("javax.net.ssl.trustStore", "<user-home>/tomcat.jks");
   	System.setProperty("javax.net.ssl.trustStorePassword", "<password>");
   }
   

7. JSSE now uses the new keystore created in steps 1 and 2 as opposed to the default, <java-home>/jre/lib/security/cacerts, trust store.

My Liferay application was running on the domain www.pojoe.ca and resided on Tomcat 6 in its own VM while my SSO server was running on another Tomcat 6 instance on another VM under the domain sso.pojoe.ca. I wanted to establish an SSL connection between the two over a self-signed certificate.

I started by setting up HTTPS on my SSO server.

• Create the keystore and private key in some directory. I use /opt/tomcat/security

keytool -genkey -alias mykey -keypass changeit -keyalg RSA -keystore server.keystore

• Answer the prompts.  Use sso.pojoe.ca (your domain) when asked for first/last name.  This is critical.

NOTE: From http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

I am using name-based virtual hosts on a secured connection which can be problematic. This is a design limitation of the SSL protocol itself. The SSL handshake, where the client browser accepts the server certificate, must occur before the HTTP request is accessed. As a result, the request information containing the virtual host name cannot be determined prior to authentication, and it is therefore not possible to assign multiple certificates to a single IP address. If all virtual hosts on a single IP address need to authenticate against the same certificate, the addition of multiple virtual hosts should not interfere with normal SSL operations on the server. Be aware, however, that most client browsers will compare the server’s domain name against the domain name listed in the certificate, if any (applicable primarily to official, CA-signed certificates). If the domain names do not match, these browsers will display a warning to the client user. In general, only address-based virtual hosts are commonly used with SSL in a production environment.

• server.keystore is generated.

• List the keys currently stored in your keystore.

keytool -list -keystore server.keystore

• You should see the PrivateKeyEntry named mykey in the listing.

• This should be sufficient to begin receiving connections using HTTPS.

• Generate the certificate.

keytool -export -alias mykey -keypass changeit -file mycert.crt -keystore server.keystore

• mycert.crt is generated.

• Import the certificate into the keystore.

keytool -import -alias mycert -keypass changeit -file mycert.crt -keystore server.keystore

• You receive a warning that it already exists in the keystore.  Ignore it.  It is because Java expects separate keystore and trust store files and we are using only one.

• List the keys currently stored in your keystore.

keytool -list -keystore server.keystore

• You should see a TrustedCertEntry named mycert in the listing as well as the PrivateKeyEntry named mykey.

Next I configured Tomcat to use the keystore I just setup. In server.xml uncomment the SSL connector port 8443. I’ve added the keystore file we created.

<Connector port=“8443″ protocol=“HTTP/1.1″ SSLEnabled=“true” maxThreads=“150″ scheme=“https” secure=“true” clientAuth=“false” sslProtocol=“TLS” keystoreFile=“/opt/tomcat/security/server.keystore” keystorePass=“changeit”/>

My SSO server is now ready to rock over HTTPS.

Next I’ll enable HTTPS on my Application server running Liferay.

Create the keystore and private key in some directory. I use /opt/tomcat/security

keytool -genkey -alias mykey -keypass changeit -keyalg RSA -keystore server.keystore

• Answer the prompts.  Use www.pojoe.ca (your domain) when asked for first/last name.  This is critical. See notes from above.

• Copy the mycert.crt certificate from the SSO server to /opt/servers/tomcat/security

keytool -import -alias mycert -keypass changeit -file mycert.crt -keystore server.keystore

• List the keys currently stored in your keystore.

keytool -list -keystore server.keystore

• You should see a TrustedCertEntry named mycert in the listing as well as the PrivateKeyEntry named mykey.

Next we’ll set the JVM parameters to tell the application to use the trust store.

-Djavax.net.ssl.trustStore=/opt/servers/tomcat6.0.18/server.keystore

-Djavax.net.ssl.trustStorePassword=changeit

My Liferay application server and my CAS SSO server can now talk over HTTPS.

Reference:

http://java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html

Um verschlüsselte Verbindungen über SSL bzw. HTTPS zu ermöglichen, benötigt man als Server-Betreiber ein SSL-Zertifikat. Diese werden von Zertifizierungsstellen, sogenannten CAs, ausgegeben. Die CA überprüft, ob der Bestellende wirklich berechtigt (also Inhaber der Domain) ist, und stellt dann meist gegen viel Geld das Zertifikat aus. Damit kann sich die Website gegenüber einem Browser “ausweisen” und eine sichere, verschlüsste Verbindung wird möglich. Details gibt es in meinem ausführlichen SSL-Artikel, wo auch noch ein paar Worte über die Sicherheit von SSL stehen.

Nur Zertifikate von CAs, die der Browserhersteller als vertrauenswürdig in den Browser eingebaut hat, werden als gültig erkannt. Deswegen ist es schwierig, eine neue CA aufzubauen, denn die Kriterien für eine Aufnahme sind streng und es gibt viele Browserhersteller, die man zur Aufnahme bewegen muss. Aus diesem Grund gab es bis vor kurzem keine CA, die kostenlos Zertifikate ausgegeben hat und von allen gängigen Browsern akzeptiert wurde. CAcert und StartCom/StartSSL vergeben seit langem kostenlose Zertifikate. CAcert ist jedoch weder in Firefox noch im Internet Explorer als vertrauenswürdig enthalten. Somit kann man CAcert nicht für Seiten benutzen, die von Normalnutzern besucht werden, denn diese würden eine hässliche Sicherheitswarnung erhalten. StartSSL war schon länger in Firefox enthalten, jedoch nicht im Internet Explorer, und war für ernsthafte Nutzung mit unerfahrenen Nutzern daher auch ungeeignet.

StartSSL hat es jetzt aber endlich geschafft, in den Internet Explorer aufgenommen zu werden. Der Internet Explorer akzeptiert die kostenlosen StartSSL-Zertifikate somit seit kurzem als gültig. Dank einer eingebauten Auto-Update-Funktion funktioniert das auch mit veralteten Versionen des IE! Ein IE 6.0 aus meiner Sandbox-VM, Stand Anfang 2008, hat das Zertifikat anstandslos akzeptiert. Mozilla Firefox, Apple Safari (inkl. dem iPhone-Browser), Opera, Google Chrome und einige andere akzeptieren StartSSL schon länger, damit sind alle gängigen Browser abgedeckt. (Lediglich Konqueror unter einer aktuellen (K)Ubuntu-Version hatte Probleme damit.) StartSSL ist somit endlich eine voll einsetzbare CA geworden, und somit gibt es endlich kostenlose SSL-Zertifikate für alle! (StartSSL bietet übrigens auch EV-Zertifikate zu relativ humanen Preisen an.) Edit: Opera (etwa 5% Marktanteil) unterstützt StartSSL scheinbar leider doch noch nicht.

Als Serverbetreiber muss man übrigens der CA nicht besonders vertrauen (solange man nicht irgendwelche sehr besonderen Sachen macht wie Client-Zertifikate, aber das weiß man dann), wichtig ist nur, dass die Browser die CA akzeptieren. Eine bösartige, aber in Browsern als vertrauenswürdig eingetragene CA kann sich jederzeit für jede Website ein Zertifikat ausstellen lassen, unabhängig davon, ob der Websitebetreiber dort Kunde ist oder nicht. Die eigene CA könnte höchstens das eigene Zertifikat widerrufen und somit ungültig machen, aber mehr auch nicht. Darüber hinaus hat die CA noch ein paar persönliche Angaben, die aber bei einfachen Zertifikaten nicht über das hinausgehen, was die meisten Online-Shops auch wissen. Insbesondere den privaten Schlüssel des Zertifikats hat die CA normalerweise nicht! Es gibt zwar oft die Möglichkeit, die CA diesen Schlüssel generieren zu lassen, aber man kann es auch richtig machen und das selbst tun und den eigenen Schlüssel zertifizieren lassen. Selbst wenn man der CA also aus welchem Grund auch immer nicht vollständig vertrauen sollte, kann man sie als Serverbetreiber dennoch nutzen.

Ich erhalte für diesen Artikel keine Vergütung o.ä. von StartSSL/StartCom. Diesen Artikel habe ich geschrieben, weil es mich ankotzt, dass Firmen für das simple Ausstellen eines einfachen domain-validierten Zertifikats horrende Preise (oft sogar dreistellig!) verlangen, und weil ich froh bin, das es endlich eine kostenlose Alternative gibt und ich auf diese hinweisen möchte. Ich selbst habe von der Aufnahme in den IE auch erst heute erfahren. Nutzt diese kostenlose Möglichkeit, um die Datenübertragung zu euren Webseiten zu sichern! Macht diese Möglichkeit bekannt, damit die kommerziellen CAs ihre überzogenen Preise endlich etwas realistischer machen müssen.

A lot has been written about how Firefox’s stupid dialog is a big step backwards for the web.

But is there a way to disable it? Ideally I’d like it to work like ssh – give me a simple single-click warning and display the certificate the first time, and after that don’t say anything at all unless the certificate changes unexpectedly.

Update

This paper on phishing [PDF] is excellent.

65% shopping cart abandonment rate w/ an average cart value of $109.

This practical presentation is the one-stop-shop guide with data, best practices and latest trends in Checkout Flow Optimization.

Areas covered includes:
- Checkout process KPIs for retailers
- Top 20 reasons for cart abandonment
- Retailer checkout investment priorities for 2009
- 12 tips to minimize the drop-off spots
- 2 methods to re-engage customers
- Supposedly good ideas, think twice!

I have a domain mydomain.com with some sub level domains like

• nexus.mydomain.com
• svn.mydomain.com
• www.mydomain.com

Now I need a self signed certificate for all these domains because I want to use them over HTTPS. There are some steps to do this. First of all: you don’t need for this propose your own root certificate. You should replace all occurence of mydomain.com with your own domain name and sub domains.

On the gentoo server where the apache should host the domains, I have to create the certificate. I do following steps:

1. Generate a private key

   openssl genrsa -des3 -out server.key 1024
   

2. Generate a CSR (Certificate Signing Request)

   openssl req -new -key mydomain.key -out mydomain.csr
   
   Country Name (2 letter code) [DE]:DE
   State or Province Name (full name) [Sachsen]:Sachsen
   Locality Name (eg, city) [Leipzig]:Leipzig
   Organization Name (eg, company) [My Company Ltd]:mydomain.com
   Organizational Unit Name (eg, section) []:Information Technology
   Common Name (eg, your name or your server's hostname) []:mydomain.com
   Email Address []:thomas dot wabner at mydomain dot com
   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:
   

3. Remove Passphrase from Key

   cp mydomain.key mydomain.key.org
   openssl rsa -in mydomain.key.org -out mydomain.key
   

4. Generating a Self-Signed Certificate

   To include all required subdomains a extensions file must be used. For example I have created a file /home/waffel/ssl/mydomain_extensions with following content:

   [ mydomain_http ]
   nsCertType      = server
   keyUsage        = digitalSignature,nonRepudiation,keyEncipherment
   extendedKeyUsage        = serverAuth
   subjectKeyIdentifier    = hash
   authorityKeyIdentifier  = keyid,issuer
   subjectAltName          = @mydomain_http_subject
   [ mydomain_http_subject ]
   DNS.1 = www.mydomain.com
   DNS.2 = nexus.mydomain.com
   DNS.3 = trac.mydomain.com
   DNS.4 = svn.mydomain.com
   

   The last command to create the certificate is:

   openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt -extfile /home/waffel/ssl/mydomain_extensions -extensions mydomain_http
   

In the apache configuration for the ssl host’s I have enabled the ssl module with following content:

...
ServerAlias svn.mydomain.com trac.mydomain.com nexus.mydomain.com

        ErrorLog /var/log/apache2/ssl_mydomain_error_log
        <IfModule log_config_module>
                TransferLog /var/log/apache2/ssl_mydomain_access_log
        </IfModule>

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /etc/apache2/ssl/mydomain.crt
        SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key
        SSLCertificateChainFile /etc/ssl/cacert.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/var/www/localhost/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>
        <IfModule log_config_module>
                CustomLog /var/log/apache2/ssl_mydomain_request_log \
                        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        </IfModule>
...

For exmaple if you need such certificate to connect your maven with a self installed nexus repositiory over https you can follow the article from ahoehma.

A more detailed description with some beckground information about the certificate creation can be found here.

On 11/05/09 the notice of Renegotiation vulnerabilities within SSL/TLS protocols became public.  The vulnerability allows for injection of arbitrary plain-text allowing for HTTP requests, or impersonate the victim, as well as other consequences.

~Opinion~

While the known possible outcomes of this vulnerability seem similar to many of the run-of-the-mill exploits we’ve seen, the ramifications behind this vulnerability are monumental.

Just the number of vendors, and their products effected by this alone show that there will soon be a revolution.  The affect on everyday lives of so many will undoubtedly negative.

Either a major overhaul of the protocols is necessary, or we are in for a new breed of security focus.  An overhaul is most likely to occur; however, if it doesn’t we will have to be prepared to move into a security stance which covers security in both a pre- and post- environment.

Our previously hardened infrastructure would have to be analyzed, and protected during use.  Protecting our protection if you will.

While all this seems goofy, given the fact that we will most likely just patch and move on, it seems to beckon the time for more intuitive security measures is nearing, or hear.  Security measures that… think.

Packets with guns.  Headers with secret handshakes. Connections that conspire against their own existence.

~/Opinion~

As usual, if you want to hear more information, visit the link below… And I am very interested in hearing comments on this one… Maybe I am just blowing it out of proportion, but it seems big.

Vulnerability Note VU#120541 (New Window)

How to make conference calls with Skype.

Turn on HTTPS for Gmail sessions.

What is Net Neutrality

Dropbox is like a on-line drive that can be accessed on any computer anywhere. It appears in a window just like any other folder. Install the Dropbox on multiple computer and your stored documents will be shared with all the computers. You may also access the files on-line. They can even be shared with other. This service is free for the first 2 Gigabytes. For Windows, Macs and Linux.

Microsoft’s Skydrive gives you 25 gigabytes absolutely free but you need a third party program to make it a virtual drive. “Skydrive Explorer” is a free program that does this.

For all you Ubuntu users there’s Ubuntu One that is much like Dropbox.

En HTTPS Data Exposure – GET vs POST un resumen rápido de la exposición de los datos que se transmiten mediante el protocolo cifrado https considerando GET, POST, si la conexión va cifrada o no y los diversos participantes en la transmisión y recepción.

Pretty similar to setting up SSL on unix/linux and actually not that hard to do. Just a few things to remember as a checklist.

If your Apache install didn’t include openSSL then you’ll need to download a few things:

Normally you can find mod_ssl.so in your apache install directory in modules.
In conf/extras you’ll find httpd_ssl.conf

Or just download Apache with openSSL here. Next step is to create a certificate. Only thing to look at really is your server name in your httpd.conf file (found in the conf/ directory). You use your server name in your certificate setup – these must match otherwise you’ll get errors (it’ll still work though).

Setting SSL with Apache 2.x on Windows

A security flaw that has been identified in the Transport Layer Security (TLS) protocol could open the door for man-in-the-middle (MITM) attacks against HTTPS communication. All implementations are said to be vulnerable because the flaw is in the protocol itself. Security researchers are taking steps to resolve the problem.

The flaw was originally found in August by researchers Marsh Ray and Steve Dispensa from security company PhoneFactor. They chose not to widely publicize the issue and began working in secret with other security experts and industry leaders to develop solutions. The flaw became known to the public this week when Martin Rex of SAP discovered it independently and posted a disclosure to the mailing list of the Internet Engineering Task Force.

Question: What is the difference between:

http://
https://

When should I be looking for that “s”?

Answer: when you are viewing a web page with a web browser, you’ll see the web page’s address in the address bar. It will always begin with http:// or https://.  When the address begins with https, you can be assured that the contents of the page was encrypted when it was sent from the web site to your computer.

To be sure, however, you want to also look for the little padlock symbol that is usually in the lower left corner of the browser window, on the status bar.

Some malicious web sites try to fool users by displaying a “status bar” that resembles a browser’s status bar, in order to try and fool the user. It is important to know for sure that you see a real padlock and not a fake one.

Newer browsers also provide a region (just to the left of the address in Firefox) that you can click on to view security information about the site you are visiting.  You should find and practice using this feature, and be familiar with how this looks for web sites that you know are legitimate. That way you will be more apt to recognize when you are on a site that is not legitimate.

I’m currently trying to scrape CAPTCHA images over Tor (my own personal botnet ) for certain sites that maintain aggressive forms of rate limiting (i.e. Yahoo/Ebay). Strangely enough Google and Microsoft do not care as much. They probably spend more time solving problems like…having a good search engine?

Most CAPTCHA’s appear on https:// protected pages, hence the need for a https proxy to use with Tor. I tried Polipo, which doesn’t support https proxying (which I soon found out). However, Privoxy does.

Once I setup the actual proxy itself to connect to my Tor router, I find out that currently, most linux packages of python (and Mac OS X Snow Leopard) do not contain the necessary patch to support opening urls over an https proxy. You need svn revision numbers 72880 and up (any version released roughly after July of 2009) for python 2.6. The patch is also somewhere in 3.x. Linux package management maintainers really need to push up to date versions with backported fixes more frequently or quickly.

Details on the bug reporting and fix are here:

http://bugs.python.org/issue1424152

Note that the correct way of using the https proxy code is to call

proxy_support = urllib2.ProxyHandler({“https” : “https://127.0.0.1:8118″})

opener = urllib2.build_opener(proxy_support)

Why is https proxying so poorly supported? It boggles my mind. I guess open source developers don’t run into this problem often.

This has been a public service announcement by the Foundation for Annoyed Programmers (FAP).

In order to configure your Tomcat for HTTPS, you must first generate a server certificate for your web site. To do this, you can use the keytool command, which comes with your JDK or JRE. You’ll need to open a command shell, and your shell will need to know how to find your Java runtime environment properly. To do this on Windows, type the following commands into your command shell if you have a JDK installed:

C:\> set JAVA_HOME=C:\Program Files\Java\jdk1.6.0_16

C:\> set PATH=%JAVA_HOME%\bin;%PATH%

or, if you have a JRE, type these commands:

C:\> set JAVA_HOME=C:\Program Files\Java\jdk1.6.0_16

C:\> set PATH=%JAVA_HOME%\bin;%PATH%

On Linux, it’s very similar. For the JDK (as root):

# export JAVA_HOME=/usr/java/latest

# export PATH=$JAVA_HOME/bin:$PATH

Make sure you change /usr/java/latest to the root directory path of your JDK. For a JRE, type:

# export JRE_HOME=/usr/java/latest

# export PATH=$JRE_HOME/bin:$PATH

Then, test it by running:

keytool

You should see the keytool command’s help text. If not, you probably have the wrong path to your Java runtime, or it is not installed properly.

Next, type these commands to generate a self-signed server certificate:

keytool -genkeypair -alias tomcat -keyalg RSA -keysize 1024 -dname “CN=localhost, OU=Organization, O=Company Name, L=City, S=State, C=US”
-validity 365 -keystore keystore
Enter keystore password: <enter a new password here>

Enter key password for <tomcat>

(RETURN if same as keystore password): <just hit enter here>

The password you enter in the first password prompt will be the password for the keystore where your server certificate is stored.

Next, edit your Tomcat’s conf/server.xml to enable the HTTPS connector. Look for a connector that looks like this:

<!–
<Connector port=”8443″ protocol=”HTTP/1.1″
SSLEnabled=”true”
maxThreads=”150″ scheme=”https”
secure=”true”

clientAuth=”false” sslProtocol=”TLS” />

–>

By default, it is commented out. To uncomment it, remove the line just before the element, and also the line just after it. Then, add the attributes keystoreFile and keystorePass, so that it looks like this:

<Connector port=”8443″ protocol=”HTTP/1.1″
SSLEnabled=”true”

maxThreads=”150″ scheme=”https”
secure=”true”

clientAuth=”false” sslProtocol=”TLS”

keystoreFile=”conf/keystore” keystorePass=”your password”
/>

If you’re running Tomcat on Windows, you may set the port number to 443, which is the default HTTPS port number. On non-Windows operating systems you can only do that if you run Tomcat as root, which we don’t recommend.

Once you’ve completed the steps above, restart Tomcat, and try connecting to Tomcat over HTTPS with a URL such as https://localhost:8443 (you have to specify both “https” and port 8443 if you have configured it to listen on port 8443). Your web browser will warn you about the self-signed certificate, but otherwise it should work.

To fix that warning you’ll need to purchase a commercial HTTPS certificate and install it. See the instructions on how to do this in Chapter 6: Security of the book Tomcat: The Definitive Guide (O’Reilly).

I’ve been having trouble with my Internet connection at home – from time to time the connection stalled and I had to make router renew IP via DHCP to get connection back (any my router is Linksys WRT54GL).

Don’t know whose fault it is – router or provider (I blame provider because this tends to happen more often at night, and I don’t think my router has a clock in it (-; ), but I’m not that good at networks to find the problem and fix it (especially if it’s at provider side – I can never convince them that something that happens “once in a while… oh wait, it just happened, yes!” (-: is their fault).

So I decided to make a little program that would do this for me - check Internet connection on timely basis, and make router renew IP if connection is dead (by sending POST request to it’s web interface page), so I wouldn’t have to do it myself (and also could leave downloads for night (-: ).

Which language/technology to choose? (Under Linux you could’ve think of some shell or Perl script for this, but for Windows the choice is not so obvious. And for OS X?) Of-course I’ve chosen Java – because I like it and I write mostly in it, but also for crossplatformness (-:

And as my router is configured to present it’s web interface on HTTPS this is also a good opportunity to learn/tell a bit about working with HTTPS and security certificates in Java.

So, the main tasks were:
- write Java code that could do authentication on Router web-interface via HTTPS and sending POST request with some params to “apply.cgi” page there (most tricky);
- code for checking Internet connection (getting Google’s main page and checking it for HTTP status 2xx and “Google” seems Ok way);
- glue code for this all + GUI and related stuff (necessary but irrelevant for our little lesson).

Getting ahead, here’s the final code: http://mvmn.pastebin.com/f3db229e7
It uses Commons HTTP Client 3.1, and thus depends on commons-httpclient-3.1.jar and it’s dependencies, which are apache-mime4j-0.6.jar, commons-codec-1.3.jar and commons-logging-1.1.1.jar.

If you’re not a developer but you need this stuff, you can get ZIP with the program packaged in JAR file here. But you’ll have to download the four abovementioned JARs and put in same folder where you’ll unzip the wrt54gl-resetter.jar. To make it easier, here are the links:
1. commons-httpclient-3.1.jar
2. apache-mime4j-0.6.jar
3. commons-codec-1.3.jar
4. commons-logging-1.1.1.jar
(note: links link to ZIP files, you’ll have to unzip JARs out of them).

So what about SSL certificates and Java? If your certificate is not recognized you’ll have to download install certificate in keystore, but this is not what we want to do, right? Any dirty and ugly way to skip SSL certificate check is good for us – we just want this little utility work without other hassle.

Well, this is described already for example in this article – you have to make your own instance of javax.net.ssl.X509TrustManager, let’s say acceptAllX509TrustManager, which will trust everything. OK so far, but what’s next?

Next comes something like this:
javax.net.ssl.SSLContext context = javax.net.ssl.SSLContext.getInstance("SSL");
context.init(null, acceptAllX509TrustManager, new SecureRandom());
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());

We’re making javax.net.ssl.SSLContext with our acceptAllX509TrustManager, so far so good, and then we register it’s SocketFactory as javax.net.ssl.HttpsURLConnection’s DefaultSSLSocketFactory. Not good – we’re supposed to use Commons HTTPClient, so this socket factory won’t be used. What to do?

The way that I’ve found is to create new org.apache.commons.httpclient.protocol.Protocol that will use org.apache.commons.httpclient.protocol.ProtocolSocketFactory instance as wrapper for above mentioned javax.net.ssl.SSLSocketFactory, and register it using Protocol.registerProtocol().

The code is:
Protocol myhttps = new Protocol("https", new ProtocolSocketFactory() {
SSLSocketFactory socketFactory;public ProtocolSocketFactory setSocketFactory(SSLSocketFactory socketFactory) {
this.socketFactory = socketFactory;
return this;
}public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
return socketFactory.createSocket(host, port);
}

Ok, looks like complete equivalent of abovementioned code but for HTTPClient’s SSLSocketFactory. And it works as expected – great!

Final words: nicely packaged as JAR file with MANIFEST.MF mentioning all dependencies this util+libs can be easily (re)distributed and used under all J2SE 5 supporting platforms. Enjoy.

When using WebSphere Application Client (J2EE, thin or pluggable) to access EJBs on WebSphere Application Server, an optional ORB trace file may be created. You can specify trace file location and name, but if you do not, default file name is orbtrc.timestamp.txt (e.g. orbtrc.10112009.1815.37.txt)
Of course, oftentimes you do not want any trace, and you certainly can turn tracing off. Well, with one exception. If you are using HTTP tunneling with SSL (HTTPS tunneling), trace file will be created automatically with the default name. This behavior has been known to affect several versions of WAS. I last confirmed it in WAS 6.1.
This may be annoying or inappropriate in some client environments. As a workaround, redirect trace output to null device by adding the following parameters to your client JVM command line:
for Windows
-Dcom.ibm.CORBA.Debug.Output=nul:
for Unix/Linux, use /dev/null.