Archive for the ‘Code’ Category
How to Use the Command Line to Test Cipher Strength
Hi everyone! A friend of mine convinced me that I should be putting technical items up on a blog. So without further ado:
Everyone knows that transmitting private data over https is far more secure than over http. But how secure is it, really? https has many different encryption methods available to it, especially in a default configuration. Sometimes, however, you may not have access to the configuration to check it. And even when you do, and you've modified the defaults to be secure, a rogue included configuration file may change the cipher settings on a per-site basis. The best way to be sure that your website is configured to use strong ciphers is to test it.
There are many fine tools out there that already fill this need. Some of them, such as Foundstone’s SSLDigger, can even generate and save attractive reports to hand to the administrators. (Red ink is optional.) The fastest way to test your cipher strength, though, is right within your reach at the command line.
There are two applications I’m going to cover here, curl and openssl.
openssl
openssl has many useful commands when it comes to ciphers. Right now, I'm only going over the two we're concerned with. The first, of course, is the 'openssl ciphers' command, which lists the cipher suites your local OpenSSL library supports (run it on the server itself to see what that server can use). If a cipher isn't in this list, you can't even configure your system to use it, so double-check which LOW, MEDIUM, and HIGH ciphers you have available first!
openssl ciphers -v 'HIGH'
The second command is openssl s_client. It has a couple of quirks. Here's an example:
printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect gmail.com:443
Notice that the line starts with a 'printf'. When s_client connects to a host, it waits on standard input for whatever it should send to the remote side. It needs to be given a complete 'GET' request (the request line plus the blank line that ends the headers) in order to fetch data. So we feed that input to it through a pipe, it's happy, the remote server's happy, and everybody gets what they're looking for.
This little command is quite versatile and robust. For instance, you can fetch a remote certificate and check the dates on it like this:
printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect www.google.com:443 2>/dev/null |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\
openssl x509 -noout -subject -dates
What we’re interested in, though, is testing out ciphers.
printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -cipher HIGH -connect gmail.com:443
The -cipher option takes a cipher list and offers only those ciphers to the server. The suite that was actually negotiated appears on the 'Cipher :' line of the session summary s_client prints; if the server accepts none of the offered suites, the handshake fails instead. For the nitty-gritty details of what constitutes a cipher list, check 'man ciphers', but you should already have a good idea of this. Remember to use 'openssl ciphers' to check your server specifically if you're having problems!
curl
One thing that's important to note is that we've found through testing on multiple servers that the curl command does not always use the ciphers given in the arguments. Sometimes it fails and simply continues on with the strongest ciphers available instead. That said, if it DOES use the proper cipher (and you can tell whether it does from the verbose output!) it's more convenient, since you don't have to pipe anything into it.
curl --ciphers HIGH -v https://www.google.com
Note that if you're redirecting output to a file, curl writes all of its verbose output to STDERR and the response body to STDOUT. You'll need to redirect both of them in order to get the whole story.
curl --ciphers HIGH -v https://www.google.com &> test.txt
Using the pipe is even more fun. This redirects STDERR to STDOUT and then lobs them both through the pipe:
curl --ciphers HIGH -v https://www.google.com 2>&1 | less
There are many more options available to curl that can be found in the manual, including authenticating with usernames and passwords, sending POST variables, changing the user agent and even limiting the transfer speed to simulate real user scenarios.
Using these commands, you can quickly and easily test which ciphers your web server will negotiate, check its performance under realistic scenarios, and record the results directly from the command line, without having to break out your GUI and get your hands dirty.
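As an added example (not code from the original post), here is a small shell script that turns the two ideas above into an audit: it walks a local cipher list, offers s_client one suite at a time, and grades what the server negotiates, reporting separately when the server picks a different suite than the one offered (the same "ignored my cipher list" behaviour the curl section warns about). It assumes openssl is on PATH; the host:port is whatever server you are responsible for, and the grading rules and the sample s_client output are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a server by offering
# openssl s_client one suite at a time and grading whatever is negotiated.
# Assumes openssl is on PATH and host:port is a server you are responsible for.

# Pull the suite name from the "Cipher    : NAME" line of s_client's session
# summary (read from stdin). A failed handshake shows "0000", reported as empty.
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | grep -v '^0000$' | head -n 1
}

# Rough grade by name, following OpenSSL's LOW/MEDIUM/HIGH groupings in spirit:
# anonymous, export, NULL, RC4, MD5 and single DES are weak; 3DES/RC2/SEED medium.
grade_cipher() {
    case "$1" in
        ''|0000)                                          echo none ;;
        *NULL*|*EXP*|*RC4*|*MD5*|*DES-CBC-*|ADH*|AECDH*)  echo weak ;;
        *DES-CBC3*|*RC2*|*SEED*)                          echo medium ;;
        *)                                                echo strong ;;
    esac
}

# Complete one handshake restricted to a single suite; prints the suite the
# server actually picked, or nothing if it refused the offer.
probe_cipher() {   # $1 = host:port   $2 = suite name
    printf 'GET / HTTP/1.0\r\n\r\n' |
        openssl s_client -cipher "$2" -connect "$1" 2>/dev/null | negotiated_cipher
}

# Walk every suite in a local cipher list (default HIGH) against the server.
# -cipher only governs TLS 1.2 and below; a TLS 1.3 server may answer with one of
# its own suites, which shows up as "chose ... instead" rather than "accepted".
audit_server() {   # $1 = host:port   $2 = cipher list (optional)
    for c in $(openssl ciphers "${2:-HIGH}" | tr ':' ' '); do
        got=$(probe_cipher "$1" "$c")
        if [ -z "$got" ]; then verdict="rejected"
        elif [ "$got" = "$c" ]; then verdict="accepted ($(grade_cipher "$got"))"
        else verdict="server chose $got instead"
        fi
        printf '%-40s %s\n' "$c" "$verdict"
    done
}

# Constructed sample of s_client output for a successful TLS 1.2 handshake, so
# the parser can be exercised without a network: sample_output | negotiated_cipher
sample_output() {
    printf '%s\n' 'New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384' \
        'SSL-Session:' '    Protocol  : TLSv1.2' \
        '    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
}
```

Source the file and run `audit_server your.server.example:443` (or pass a second argument such as `'ALL:eNULL'` to see which weak suites are still accepted); TLS 1.3 suites need s_client's -ciphersuites option rather than -cipher.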
Visualizing network connections using GraphViz and Afterglow
After recovering from a particularly nasty crash and migrating my sites and data over to a new server, I became curious about the number of network connections it received, and what was going where. Sure, there are a lot of tools out there to give me that sort of information, but sometimes you would really just like a pretty (if informative) picture of the information instead of dry old text scrolling across the screen.
Spotlight Image Gallery
On the heels of my previous app which used Apple's Spotlight searching capabilities to create your own personal search engine, I have written a new application to create your own web photo gallery from a Spotlight search.
Turning Your Mac Into a Search Engine
Spotlight is one of the more interesting, and (for me) useful, features of Apple's Mac OS X. While it's superb at locating documents, programs, and the like, it really shines when it comes to the number of built-in and freely available plugins for it.
So, basically, you have a built-in system on Mac OS X which will allow you to search text files, HTML files, images, Word documents, PDFs, and the list goes on and on. The really interesting bit (to me, at least) is that there's nothing to configure or tweak. If you are running a Mac, then everything copied over to the file system is automatically indexed and made quickly available for searching, even from a web browser.
Weather Script
Well, it looks like it's been a while since I updated the site with any new content. A lot of that has to do with work, and things on the weekends crowding out all the wonderful time that I used to have dedicated to screwing around on the computer.
Nevertheless, here's a bit of an app that I managed to stop messing with and actually prep for release.
Late summer / early fall always gets me interested in the weather a lot more than other times of the year. I poke around at noaa.gov for weather reports, temperatures, humidity, and all that crap. This year I looked into just pulling the raw information down from NOAA, parsing it how I like it, and then working on my local copy of the data.