Daniel Lange's blog - Comments

Adult Ühler: Seredipity default event_s9ymarkup plugin breaking URLs that contain underscores

nospam@example.com (Adult Ühler) — Mon, 30 Jun 2008 14:10:27 +0200

Nasty. A while back I spent some days writing what I think is a near-bulletprtoof string to URL function that can even turn Chinese characters to the roman equivilent.

Daniel Lange: kloeri announces Exherbo, another source based Linux distribution

nospam@example.com (Daniel Lange) — Fri, 23 May 2008 08:25:49 +0200

Works here with eroyf-exherbo-x86-2008-05-21.tar.bz2 and my (up-to-date) Gentoo install. But you're right, base systems need to be able to both fulfill the same dependencies (i.e. libs etc).

Ciaran McCreesh: kloeri announces Exherbo, another source based Linux distribution

nospam@example.com (Ciaran McCreesh) — Fri, 23 May 2008 08:13:57 +0200

I'm not even sure that that would work... Gentoo and Exherbo have a different base system, so generated binaries aren't in general transferable.

Daniel Lange: kloeri announces Exherbo, another source based Linux distribution

nospam@example.com (Daniel Lange) — Fri, 23 May 2008 07:32:07 +0200

Thats why I said "Ebuild-builds ... i.e. take a Gentoo build result and package it for importing into the Exherbo system". Build-result = directory tree after src_install.

Ciaran McCreesh: kloeri announces Exherbo, another source based Linux distribution

nospam@example.com (Ciaran McCreesh) — Thu, 22 May 2008 23:03:05 +0200

Your importare comment doesn't really make sense -- importare is for installing hand-built things and things that need no build. There's no special migration path from Gentoo any more than there is one from Ubuntu or Fedora.

Daniel Lange: Multiple Apache VHosts on the same IP and port

nospam@example.com (Daniel Lange) — Wed, 13 Feb 2008 11:23:12 +0100

You need to have a VHOST section that encapsulates your proxy settings. Each VHOST can have different SSLCert* settings, thus a different certificate offered to the client.

Oliver: Multiple Apache VHosts on the same IP and port

nospam@example.com (Oliver) — Wed, 13 Feb 2008 11:06:43 +0100

hmmmmm... i have just activated the sni use flag on a reverse proxy where the certificate issue has always bugged me. does not seem to do anything.....

ServerName internal.myserver.org
ServerAdmin root@myserver.org

ProxyRequests Off
ProxyPreserveHost On

SSLProxyEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/internal.myserver.org.crt
SSLCertificateKeyFile /etc/apache2/ssl/internal.myserver.org.key

ErrorLog /var/log/apache2/ssl_error_log
TransferLog /var/log/apache2/ssl_access_log

Order deny,allow
Allow from all

ProxyPass /sharedfiles/ https://internal.myserver.org/sharedfiles/
ProxyPassReverse /sharedfiles/ https://myserver.org/sharedfiles/

ProxyPass /myapp/ https://internal.myserver.org/myapp/
ProxyPassReverse /myapp/ https://myserver.org/myapp/

am i doing something really wrong here?

hans: Google Pagerank fuss

nospam@example.com (hans) — Sun, 10 Feb 2008 20:02:18 +0100

Excellent essay. It is very useful for me. Thank you very much

Gregory Kohs: Wikimedia Fundraiser Analysis III

nospam@example.com (Gregory Kohs) — Mon, 07 Jan 2008 20:42:08 +0100

Thank you for this critique, Daniel. I am increasingly convinced that the fish rots from the head down, and for the past 18 months, Jimmy Wales has not demonstrated to me that he has very much legitimacy to lead this project any more.

The fact that tens of thousands of accounts are blocked and banned from editing Wikipedia, the fact that the Board has commingled personnel with Wikia, Inc. without declaring it fully on the Form 990, the utter disparagement of critics... all tell me that the Wikipedia "mission" is not thriving.

YellowLed: Serendipity plugin livesearch does not work with bulletproof template

nospam@example.com (YellowLed) — Tue, 11 Dec 2007 23:02:36 +0100

Just for the record: It is (as far as I know, Don was more involved in that particular issue) working in BP v1.2, the latest version at the time of writing this comment.

Daniel Lange: Multiple Apache VHosts on the same IP and port

nospam@example.com (Daniel Lange) — Thu, 22 Nov 2007 11:29:33 +0100

Your assuming a safe set-up. That's quite often not the case. Apache servers are used to serve many applications in parallel. That makes SNI so attractive in a corporate environment. Not another IP to allocate to the Apache host(s) once a new project needs SSL. But: There are usually no access rules to shield VHosts from the internet IPs or the gateway proxy IPs. I've not seen a single company use them "by default". The intranet is assumed "safe".

Luckily a lot of reverse proxies terminate SSL connections on the proxy and open a new connection to the destination host. This will break all SNI functionality (as the proxies don't even know about this functionality yet) but will also only allow access to the default SSL VHost as the SNI tag does not get through to the destination host.
Those who have saved on computing power and forward SSL connections without interim termination or use port forwarding, are at risk though.

The "servername" is determined from a callback out of the TLS library to Apache ("ssl_servername_cb"), then a patched Apache sets the context ("ssl_set_vhost_ctx") and finally checks the hostname that came from the client against the available vhosts ("set_ssl_vhost").
Thus separate (name based) VHosts won't help you, separate certificates won't either (the attacker will see the other certificate as his/her first indication of success). Access rules will help, but as stated above, I've not seen them being used as a default anywhere. That has to change, if one deploys SNI in a DMZ scenario.

Strahler: Multiple Apache VHosts on the same IP and port

nospam@example.com (Strahler) — Wed, 21 Nov 2007 20:58:47 +0100

"Let's assume a system serves both Intranet and Internet traffic. A client contacts the Internet IP with SSL but specifies the Intranet Hostname in it's TLS SNI entry. Guess what will happen?"

I don't see the problem. That host has one Virtual Host for each hostname, each has its own certificate and its own access rules.
The Intranet Virtual Host should already be filtering out incoming traffic from the internet.

If it isn't, there was a security issue previous to the use of SNI, just as serious and exploitable as before.

Casey Abell: Wikimedia Fundraiser Webpage now cuts off at the last 10.000 donations

nospam@example.com (Casey Abell) — Sat, 10 Nov 2007 03:29:34 +0100

By the way, while I'd like to take credit for unearthing the donate.wikimedia.org/en/node/22 website, the link was published in the Wikipedia Signpost. The foundation hasn't publicized the site, which has spawned a few conspiracy theories. I'm keeping an updated graph of the daily contributions at http://en.wikipedia.org/wiki/Image:2007_Fundraiser_By_Day.JPG.

Casey Abell: Wikimedia Fundraiser Webpage now cuts off at the last 10.000 donations

nospam@example.com (Casey Abell) — Fri, 09 Nov 2007 15:14:56 +0100

There's a daily tracker at donate.wikimedia.org/en/node/22. Contributions ticked up after the new, even uglier begging ad was introduced. But the effect looks to be wearing off. Maybe we'll get an even bigger, more obnoxious ad pretty soon.

I wish the site would sell a few ads and stop begging. The ads on Veropedia are far less annoying. If Wikipedia keeps jacking up its budget to ridiculous levels, paid advertising is the least irritating way to go. It beats constant begging, anyway.

Pete Prodoehl: Google Pagerank fuss

nospam@example.com (Pete Prodoehl) — Fri, 26 Oct 2007 00:09:43 +0200

I've been creating unique content on a site for 10 years, and for the last 4 years or so it's been a PR7 but just dropped to a PR4. Yes, it does have sponsored text links on it. Another site I almost never update, and gets nowhere near as much traffic is still a PR5, and it has no ads. Seems weird.