Grounded -
geerdet, erdgebunden.
Das da oben sind meine Füße, beim Paragliding zu dem ich in Hamburg recht wenige Gelegenheiten habe. Schade. Aber die Welt hat genug andere interessante Aspekte - einige davon gibt's hier.
(
HTTP and HTTPS - mixed mode configuration
why it doesn't work and how to fake it
tl;dr: Are you tasked with setting up a webserver that must be accessible in both http and https?
When somebody demands that this mixed mode must be possible, here are some arguments why you shouldn't give in (because in general it does not work - at least not as it is expected to work) and how to use a neat workaround that can help you sleep better when you can't make the argument to go https only.
Ersatz wofür?
Ich dachte ja, dass sich im einheimischen Supermarkt-Gemüseregal nichts mehr findet, was ich nicht kenne. Ja - es gibt Märkte und Anbieter von alten, unbekannten Gemüsesorten, die ungewöhnlich aussehen, aber die Sorten kennt man dann doch (lustig gefärbte Möhren, Tomaten etc.).
Ich weiss aber bis jetzt nicht, was ich heute im Regal gefunden habe... Lieber wieder Wochenmarkt, solange es noch nicht zu kalt und ungemütlich ist...
TNO - Trust No One.
Exploring firefox sync
First of all: This is not a security analysis, and no statement about the actual security of firefox sync. It's merely an analysis of the description given in the FAQ and my conclusion from that. And a brief one as well. I do not want to downplay the security of Firefox Sync. It's merely an example of how to read and judge claims of security features - documentation! I did not even look at the technical background of sync, I didn't try to use it - and I don't want to. Read on to know why.
[Update: From the comments below it seems that technically everything is well designed: Keys get generated on the client. Still, as this is about reading security information literally, the comment holds. I hope the FAQ will be updated to state this sooner or later]
Handling passwords
I know that I can save my passwords in firefox. In fact, I use this feature for certain sites. I implicitly trust the algorithm that's used for encrypting the password vault with the passphrase that I have to enter (the so called master password). Of course, this is the first thing I do after installing Firefox to a new machine. And I trust my passphrase to provide enough security for the purpose of the passwords that I save in there. And I trust that my passphrase never leaves my computer.
However, now, on a new system with the latest and greatest Firefox, Firefox not only offers to store my password, but also to sync it to Mozilla's servers. This is from a component called Sync, has been a plugin previously, but is now in the core. I guess many people might use it due to this fact.
Being the security conscious wisenheimer (why do I want my passwords to be stored on a third party computer?), I looked up "firefox sync", and got directed to Mozilla's FAQ. There it states, among other information
What is a Sync Key and why do I need one?
When you set up a Sync account we generate a long string of numbers and letters that we call a Sync Key. The Sync Key is used to encrypt your data before it's sent to the Mozilla servers. Think of it as a key that locks your information in a vault that only you can open. This means that neither Mozilla nor anyone else can read your information without having your Sync Key to unlock it.
Where's all my data?
It's encrypted with your Sync Key and safely stored on the Mozilla servers. Because Sync uses advanced security measures your information is never vulnerable to online bad guys or companies that will sell your information.
Sounds good? Well, very convenient at least. Let me emphasize the parts that caught my attention:
What is a Sync Key and why do I need one?
When you set up a Sync account we generate a long string of numbers and letters that we call a Sync Key. The Sync Key is used to encrypt your data before it's sent to the Mozilla servers. Think of it as a key that locks your information in a vault that only you can open. This means that neither Mozilla nor anyone else can read your information without having your Sync Key to unlock it.
Where's all my data?
It's encrypted with your Sync Key and safely stored on the Mozilla servers. Because Sync uses advanced security measures your information is never vulnerable to online bad guys or companies that will sell your information.
As I said, I never analyzed sync! I only read the linked FAQ article. And these two paragraphs make me want to uninstall it immediately. But I can't - it's in the core now. Well, at least I can "not use" it.
Just in case there is someone who didn't get my point from the emphasis above, here's some reasoning:
Mozilla generates a key, and nobody who does not have it can access my data. This should imply that nobody but me can access my data. But what keeps the party that generates such a key to keep a copy? I have been somewhat wary even before I started to listen to the Security Now netcast, but from Steve Gibson I learnt the term "Trust No One" (TNO), which give a name to my suspicions.
Well, and being never vulnerable is probably a bit too far fetched and would need a few disclaimers. But this is merely a small detail, not the core of my problem.
It's not that I don't trust Mozilla (I'm running their software loyally since the Netscape age, and you know that software running locally can do), but this description is hiding the underlying problems from the ingenuous reader. I know that the FAQ is a wiki - I could edit it or the discussion - but the underlying problem is not so much in this documentation, it's rather the principle that's broken (if the documentation is correct). Yes, it's a convenient solution, but no, there's no way I accept the described mode of operation as a security feature for knowingly storing data like my passwords on any third party server. I know that other's might accept this, but it really turns me down and away from this.
Even if the FAQ is incorrect ant the Sync Key is generated locally and never leaves my computer (unless I install it on another computer myself), this article shall still ask for reading such documentations accurately.
And, to finish this with another disclaimer: For the foreseeable future Firefox will stay to be my preferred browser. I'm a geek of habit, and it's easy to work around this issue by not using sync. After all, it takes some work to activate it. And I love Firefox (and the plugin zoo that I have assembled and that I'm trusting implicitly). Oh, and did I mention that I love Security Now?
Radio Liferay
the people, the project, the product and the company
I've started podcasting again. It's all on liferay.com and feedburner. The current working title is "Radio Liferay" and it covers all things noteworthy about Liferay.
It's been a while
revitalizing an orphan homepage
It's been a while since I updated this blog. During this time James Roper has been busy with a few more pebble releases. At the time of this writing, we're at 2.6.2, see the change log on open.jira.com for a summary on what's new and noteworthy.
Also, James has taken over the lead developer role for pebble. It was obvious for a while - I didn't find enough time to quickly answer to issues that he typically jumped on immediately. A big thanks for this, now I'll just need to set aside the time to upgrade this installation here. Luckily all versions of pebble have shown to be quite more stable than some (php-based) blog engines, so there's no immediate need to upgrade - one of the reasons I chose pebble in the beginning.
Finding time is a nice reminder: Being on the road quite often now (for Liferay), I've started to do Liferay community meetings where I'm travelling to. They are announced on my Liferay Blog, feel free to subscribe there to get a chance to meet, typically somewhere in europe. Even if you're not (yet?) working with Liferay, feel free to show up.
