1. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    

    Posting my first note over HTTPS, now at indiewebcamp.com/https level two with a self-signed certificate.

    I’ve also enabled HTTPS for Shrewdness (currently optional, will be required once I have a StartSSL cert) — if you want to add an exception, the signature is:

    02:55:68:37:c9:b2:32:89:f7:c7:b5:65:6e:20:b0:87:af:f6:
    1b:9e:c7:bb:2f:5b:0f:f5:23:04:74:47:76:78:7b:38:49:91:
    4b:c5:3e:66:16:32:67:5e:4c:e9:75:c5:b0:52:91:c9:67:cd:
    15:56:53:11:a2:38:5a:39:0e:1e:dd:f9:ec:2d:8e:aa:0f:78:
    47:af:87:48:66:22:7f:35:eb:6f:84:b5:fb:0c:75:c9:84:04:
    fc:c7:80:bf:71:f7:bb:b7:35:df:9c:8d:9f:1d:45:2c:93:a4:
    fe:5d:6a:b2:f5:a5:e5:87:71:6d:91:2d:04:a2:55:7f:a2:8c:
    5d:c6:1d:df:42:14:ea:f2:a6:6c:be:60:0a:88:5b:e8:e0:ed:
    1c:5e:41:63:bc:af:06:16:b8:32:49:d9:9d:c7:28:93:a6:f6:
    d9:18:43:37:bc:54:32:73:f8:ef:38:39:72:46:fa:bc:bc:57:
    19:0d:54:e6:22:a6:b2:93:85:64:3f:4c:f4:ad:91:ae:05:00:
    2a:7e:ff:43:55:01:eb:39:7d:bf:b3:39:17:d9:25:f7:a3:8c:
    11:06:d3:cd:4f:dd:c4:77:b7:b8:48:c6:cb:60:87:5c:ec:75:
    10:4b:88:3e:29:02:70:c1:b5:56:77:55:ec:29:63:48:d5:e0:
    ac:ff:02:fe
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
    Comment: GPGTools - http://gpgtools.org
    
    iQEcBAEBAgAGBQJUCXg5AAoJEI6GztMrK7tlnmAH/i+WbzD1gv0sgQs3di74bLL8
    W4Enkl6Nnc/raTC5Vd7G2QJ0+84x4+6r8uSG0cJln6S/VSo1zzb9sSKUZkZTX6Vd
    mDE9elfF60UqKTBKNWyzfSlcDPRgumwjWtHxwsAM80sJ0kX335XSTIIuKvsXePIq
    Kfx9hT6aYiXOZkf4yEUrviCZJp2qCaXJHtOMSusaFm6WvwsI4Wa3Go0IJPqLH9rA
    3rjA6YRGBT9gWn1UTel0Bu1xxvXtt92rjuCDbeyyfvkkSRZl9xrggV4pP79qtxm0
    n2SvbuDBN+f9U/6pxXopVm7AVigQK+xVl6wdjK4Nw3++1sqH4r5l/OW1QbKkYRI=
    =7E1S
    -----END PGP SIGNATURE-----
  2. Marcus Povey: Spying on a website using Webmention and MF2

    @mapkyca good point, I hadn’t considered this problem with hotlinking profile photos before. I think some webmention implementors have started doing this, and I intend to do it within Shrewdness.

    It’s worth noting that the attack is not at all limited to profile photos, though; rather, it applies to any photo or other automatically loaded content in the comment, e.g. images or audio. Whilst caching profile photos is feasible, caching any media in comments is more difficult, which is therefore a good reason for text-only comments.

    Text-only content is not an option in Shrewdness, but perhaps instead images could be cached, and other media loaded upon demand, removing the ability to arbitrarily spy on people.
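As an added example (not Shrewdness’s own code), here is a Python rewriter implementing the mitigation described in the exchange above: `<img>` sources are swapped for a local, content-addressed cache path (the caller fetches them once, server-side), and every other auto-fetched source (`audio`, `video`, `iframe`, `embed`, `object`, `source`, `track`, and anything else with a remote `src`, `poster` or `data`) is moved into a `data-` attribute so nothing is requested from the commenter’s server until the reader opts in. The `/media-cache/` prefix, the `data-src` convention and the sample comment are assumptions made for this example.

```python
"""Rewrite comment HTML so rendering it fetches nothing from the commenter's server.

Added example, not Shrewdness's own code. Assumptions: cached images are served
from /media-cache/<sha256-of-url>, deferred media is reactivated client-side by a
click handler that copies data-src back to src, and the sample comment below is
constructed for the demonstration.
"""
import hashlib
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}
CACHED_TAGS = {"img"}                  # fetched once server-side, served locally
URL_ATTRS = {"src", "poster", "data"}  # attributes a browser fetches automatically


def cache_path_for(url: str, prefix: str = "/media-cache/") -> str:
    """Local, content-addressed path the cached copy of `url` is served from."""
    return prefix + hashlib.sha256(url.encode("utf-8")).hexdigest()


def is_remote(url: str) -> bool:
    """True for absolute and protocol-relative URLs; data: and relative URLs stay as-is."""
    return bool(urlsplit(url).netloc)


class CommentRewriter(HTMLParser):
    """Re-serialises the comment, rewriting or deferring every remote media reference."""

    def __init__(self, prefix: str):
        super().__init__(convert_charrefs=True)
        self.prefix = prefix
        self.out = []
        self.to_fetch = {}  # local path -> remote URL, handed to the fetch job

    def _render(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if name in ("srcset", "autoplay"):
                continue  # several remote URLs / forced fetch: drop the attribute outright
            if value is not None and name in URL_ATTRS and is_remote(value):
                if tag in CACHED_TAGS:
                    local = cache_path_for(value, self.prefix)
                    self.to_fetch[local] = value
                    value = local
                else:
                    name = "data-" + name  # loaded only when the reader clicks (assumed client JS)
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + ">"

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs))

    handle_startendtag = handle_starttag  # <img .../> renders like <img ...>

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def rewrite_comment(html: str, prefix: str = "/media-cache/"):
    """Return (safe_html, {local_path: remote_url}) for a received comment."""
    rewriter = CommentRewriter(prefix)
    rewriter.feed(html)
    rewriter.close()
    return "".join(rewriter.out), dict(rewriter.to_fetch)


# Constructed sample: what a webmention receiver might hold after parsing the comment
SAMPLE_COMMENT = (
    '<p>Nice post! <img src="https://commenter.example/me.jpg" alt="me" '
    'srcset="https://commenter.example/me@2x.jpg 2x"> '
    '<audio controls src="https://commenter.example/clip.mp3"></audio> '
    '<iframe src="https://tracker.example/beacon"></iframe></p>'
)

if __name__ == "__main__":
    safe, jobs = rewrite_comment(SAMPLE_COMMENT)
    print(safe)
    for local, remote in jobs.items():
        print("fetch", remote, "->", local)
```

The rewriter assumes the comment HTML has already been through a sanitiser that removes `script`, `style` and `link` elements; it only deals with media references, and a `data:` or relative URL is left alone because loading it tells the commenter nothing. Swapping the image source for a hash of the URL also means a commenter who later changes the image cannot use that change to re-identify readers, since the cached copy is what gets served.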

  3. Fixed a simple security hole in , uncovered unintentionally by an attack mounted ≈5hrs ago — intent appeared to be to create new user accounts, unintended result was the creation of a new, empty article.

    Hundreds of requests were made against URLs similar to these:

    • /articles/do.php
    • /articles/modules.php?app=user_reg
    • /articles/index.php?app=home&mod=public&act=register
    • /action/sign_up
    • /articles/sign_up.html
    • /articles/?page=login&cmd=register
    • /articles/tiki-register.php
    • /articles/index.php?page=register&action=register
    • /index.php?page=item&action=item_add
    • /articles/index.php?user/create_form/
    • /articles/join.php
    • /articles/index.php?dll=register
    • /articles/index.php?option=com_community&view=register
    • /articles/register.php
    • /articles/signup.php

    Presumably these URLs are compromised on other systems — needless to say they are far too ugly to exist in ! I’m unsure exactly why /articles was used as the base URL for the attack in all cases apart from two.

    As these URLs don’t exist, and will never exist, it should be safe enough to add server- or application-level filters immediately closing any requests which include them.
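As an added example (not the site’s own code), the following Python implements the application-level filter proposed above: the probe URLs quoted in the note, with the `/articles` base removed so a request matches whichever base path a scanner prepends, plus a pass over access-log lines to see which clients sent them. The access-log lines and IP addresses are constructed for the demonstration.

```python
"""Request filter for the registration-probe URLs listed in the note.

Added example, not the site's own code. The probe list is the one quoted in the
note with the /articles base stripped; the sample access log below is constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

PROBE_URLS = [
    "/do.php",
    "/modules.php?app=user_reg",
    "/index.php?app=home&mod=public&act=register",
    "/action/sign_up",
    "/sign_up.html",
    "/?page=login&cmd=register",
    "/tiki-register.php",
    "/index.php?page=register&action=register",
    "/index.php?page=item&action=item_add",
    "/index.php?user/create_form/",
    "/join.php",
    "/index.php?dll=register",
    "/index.php?option=com_community&view=register",
    "/register.php",
    "/signup.php",
]


def normalise(url: str):
    """Split a request URL into (lower-cased path, canonical query pairs)."""
    parts = urlsplit(url)
    # keep_blank_values keeps "user/create_form/" (a query with no '=') as a pair
    query = tuple(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return parts.path.lower(), query


PROBES = [normalise(u) for u in PROBE_URLS]


def is_probe(url: str) -> bool:
    """True if the request is one of the listed probes under any base path.

    The probe path keeps its leading slash, so the suffix match only fires on a
    path-segment boundary (/articles/register.php, never /undo.php for /do.php),
    and the query must match exactly, regardless of parameter order.
    """
    path, query = normalise(url)
    for probe_path, probe_query in PROBES:
        if query == probe_query and (path == probe_path or path.endswith(probe_path)):
            return True
    return False


# Common Log Format: ip ident user [time] "METHOD url HTTP/x" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def probe_hits_by_client(log_lines) -> dict:
    """Count probe requests per client IP across access-log lines."""
    hits = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and is_probe(m.group("url")):
            hits[m.group("ip")] += 1
    return dict(hits)


# Constructed sample log: one scanner and one ordinary reader
SAMPLE_LOG = """\
198.51.100.7 - - [05/Sep/2014:05:12:01 +0000] "POST /articles/register.php HTTP/1.1" 404 162 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Sep/2014:05:12:02 +0000] "POST /articles/index.php?app=home&mod=public&act=register HTTP/1.1" 404 162 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Sep/2014:05:12:03 +0000] "POST /action/sign_up HTTP/1.1" 404 162 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Sep/2014:05:12:04 +0000] "POST /articles/index.php?user/create_form/ HTTP/1.1" 404 162 "-" "Mozilla/4.0"
203.0.113.5 - - [05/Sep/2014:05:13:10 +0000] "GET /articles/?page=2 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Sep/2014:05:13:11 +0000] "GET /articles/some-article HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, n in probe_hits_by_client(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} probe requests")
```

Wired in as the first thing a request hits (a middleware that returns 403 when `is_probe` is true, or the equivalent server-level rule), the filter closes these requests before they reach the application’s routing, which is where the stray article creation happened. The approach is only safe for the reason the note gives: none of these URLs will ever exist here. On a site that genuinely serves `/register.php` or `/signup.php` the same list would block its own sign-up form, so the list is site-specific, not a generic rule.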

  4. Prepping an old machine for demoing crypto tech at the cryptoparty tonight, windows being a complete pain. I have a feeling I’m going to be spending most of the evening apologising for other people’s bad UI decisions.

  5. Micah N Gorrell: @BarnabyWalters Those would work as well but would limit its use to an actual browser. What is wrong with an HTTP header for this?

    @_minego links with the rel semantic can be used both in human-visible markup for improved back-compatibility and quick error-spotting (as well as layering on top of existing solution) and also in HTTP headers for machine-only use

  6. Barnaby Walters: #idea: a microformat for download signatures/checksums, allowing browsers to automatically verify files without people having to go into the terminal and use shasum or gpg --verify

    Of course the more significant thing is UI considerations: how to offer this info to the downloader, how to explain what the various possible outcomes mean and what action the user should take as a result of them