Firefox Overzealous… Or Is It?

Man In The Middle is defeated by context. — Bruce Schneier

As has been widely discussed, Firefox 3.0 is a little over-zealous when it encounters an unknown certificate on an SSL website. Where previous versions would just warn the user about the observed irregularities, the new version requires that the user add an exception for every certificate that has an unknown certification chain, is expired or for which the hostname does not match the information in the certificate.

Adding an exception takes four clicks, most met with a stern warning that will deter anyone but the most determined user. Folks who use self-signed certificates as a matter of habit are howling, because they have to tediously make exceptions for all of them. This Firefox feature seems over the top, but is it?
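The three conditions Firefox 3.0 refuses to paper over (unknown chain, expired, hostname mismatch) are easy to state but worth seeing as explicit checks. The following is an added example, not code from the original post or from Firefox: it classifies a certificate the way the browser does, using a dict shaped like `ssl.SSLSocket.getpeercert()`. The sample certificate, the set of trusted issuer names standing in for a root store, and the clock values are all constructed for the example.

```python
"""Added example (not from the original post): the three certificate
conditions Firefox 3.0 makes the user acknowledge, checked explicitly.

The certificate dict mimics the shape of ssl.SSLSocket.getpeercert();
the sample certificate, trust anchor names and clock values are constructed.
"""
import ssl
import time

# Constructed sample: a self-signed certificate for example.org, valid
# only during 2008 (the issuer is the subject itself).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "issuer": ((("commonName", "example.org"),),),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Dec 31 23:59:59 2008 GMT",
}

# Constructed clock values: one inside the validity period, one after it.
CLOCK_2008 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2008 GMT")
CLOCK_2009 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2009 GMT")


def name_matches(pattern, hostname):
    """RFC 2818-style match: a leading '*' stands for exactly one label,
    so '*.example.org' matches 'www.example.org' but neither
    'example.org' nor 'a.b.example.org'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """DNS names the certificate claims: SAN entries, or the CN if there are none."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    return names


def cert_problems(cert, hostname, trusted_issuer_cns, now=None):
    """Return the subset of the three Firefox error classes that applies.

    trusted_issuer_cns stands in for the browser's root store: a set of
    issuer common names this client is willing to chain to. A real
    validator also verifies the signature chain; this only checks the name."""
    now = time.time() if now is None else now
    problems = []
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    if issuer.get("commonName") not in trusted_issuer_cns:
        problems.append("unknown_chain")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):  # outside the validity period
        problems.append("expired")
    if not any(name_matches(n, hostname) for n in cert_names(cert)):
        problems.append("hostname_mismatch")
    return problems


if __name__ == "__main__":
    # A client that has added the exception (trusting example.org's own key)
    # sees no problems in 2008; a stock root store in 2009 sees all three.
    print(cert_problems(SAMPLE_CERT, "www.example.org", {"example.org"}, CLOCK_2008))
    print(cert_problems(SAMPLE_CERT, "www.example.com", {"Some Public CA"}, CLOCK_2009))
```

Adding a Firefox exception amounts to putting that one certificate (its key, not just its issuer name) into the trusted set, which is why the same self-signed certificate is silent on the machine where the exception was made and noisy everywhere else. Note that the check only considers the hostname the user typed, so a wildcard name never covers the bare parent domain or a second level of subdomain.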


Security Roadmap for ApacheCon US 2008

At the end of my conference presentations, I usually put a Conference Roadmap slide. This slide shows sessions at the conference that are related to mine, and that attendees may find worthwhile to check out. For my Hardening Enterprise Apache Installations session this coming Thursday, I would suggest the following related conference content:

Besides the training (which happened on Monday), this means that you can pretty much stay in the same room all Thursday and catch all the Security-related talks. In addition, of course, this track will be streamed live for a modest fee, so you can watch from the comfort of your own office if you find yourself unable to make it to ApacheCon this year.


SQL Considered Harmful

According to the Web Hacking Incidents Database 2007 Annual Report, SQL Injection is still the most common attack vector for security breaches on websites. Consider the following cartoon:

Why is it that our websites almost universally use a data access language whose statements can be completely subverted by the parameters fed into the queries? The problem is that
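To make the "subverted by the parameters" point concrete, here is an added example that is not part of the original post: the same login query written once by splicing the inputs into the statement text and once with bound parameters, run against a constructed in-memory SQLite table. The user table, the credentials and the payload are all made up for the example.

```python
"""Added example (not from the original post): the same login query built
by string formatting and with bound parameters, run against a constructed
in-memory SQLite table so the difference is observable."""
import sqlite3

# Constructed sample data.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Parameters are spliced into the statement text, so a quote in the
    input rewrites the statement's structure rather than just its data."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterised(conn, name, password):
    """The statement is fixed; the driver hands values to SQLite separately,
    so they are compared as data and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


# A classic tautology payload. In the vulnerable query the WHERE clause becomes
#   name = 'alice' AND password = '' OR '1'='1'
# and, with AND binding tighter than OR, it is true for every row.
PAYLOAD = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "honest": login_vulnerable(conn, "alice", "s3cret"),
        "injected": login_vulnerable(conn, "alice", PAYLOAD),
        "parameterised": login_parameterised(conn, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The honest call returns `['alice']`; the injected call returns every user, because the attacker's quote closed the string literal and the rest of the input became part of the predicate. The parameterised version returns nothing for the same input, since SQLite compares the password column against the literal string `' OR '1'='1`. The fix is not escaping but keeping statement text and data on separate channels.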


ApacheCon New Orleans, day 1

Flew into New Orleans late last night for ApacheCon US 2008. The taxi booth at the airport actually has a flat rate posted: $28 for travel to Downtown or the French Quarter. Our cabbie charged us $30, which is close enough. We went for coffee and beignets at Cafe Du Monde, which is part of New Orleans, The Ride. Beignets are like donuts, except with more powdered sugar and slightly undercooked, which may not be intentional.


ApacheCon Jack-o-Lantern

ApacheCon2008 Pumpkin

Last night we made an ApacheCon US 2008 Jack-o-Lantern! It projects “ApacheCon 2008” on the wall behind it if there is enough light inside: a Mini-Maglite did the trick, with the lens taken off to make for a nice point source and a crisp image.

Meanwhile, I’ve been working on the slide deck for this week’s presentation at the conference. I think it’s shaping up pretty nicely, although I’m going to have to put a ton of content in the handout. There is simply too much to talk about. However, by putting some of the technical details in the paper handout, I can keep the slides themselves cleaner and improve the flow of the story.


ApacheCon US 2008

Registration is now open for ApacheCon US 2008. There will be an Early Bird discount, so register early and save! The schedule is up and I'm very happy to see the return of the schedule grid that shows the entire conference on one page. J. Aaron has done a great job on the site.

I will be presenting one session at the conference: Hardening Enterprise Apache Installations Against Attacks will discuss security issues with the Apache Web Server and how the developer team reacts to issues as they are found. We’ll also talk about protecting applications that are served by the Apache server and may be the target of attacks that do not subvert the web server itself, but the code behind it.

The first time I did this talk, at ApacheCon EU 2008, I ran out of time. There's so much to talk about! The feedback forms submitted by the attendees did, however, identify some spots I can tighten up, so I'm looking forward to presenting a new, updated version of the talk this fall.

Hope to see you, first week of November, in New Orleans!



Sonoma: Cafe La Haye

Cafe La Haye does not need another write-up. However, I have to mention them because we couldn’t remember when last we had a meal out where every course, every dish, was so on the mark.

From the Grilled Peach and Prosciutto Salad to the Hand-Torn Pappardelle, to the Angus Hanger Steak you could cut with a fork, everything was delicious. The desserts were simply to die for: the Blackberry and Raspberry Fruit Crisp was a simple concept, but so, so well executed. The Chocolate Silk Cake was in delightful harmony with its pecan and walnut crust, and the salt accent does amazing things to bring out the flavors. We were hard pressed not to lick our plates.

Finally, it was all very reasonably priced. If you plan to hit downtown Sonoma, Cafe La Haye comes warmly recommended.
