Author: vxst

Posted on

danger to HTTPS, doom to SPDY

Since the BREACH attack, it seems that there is no way to transport content securely in the HTTP world.

The BREACH arrack is an HTTP version of CRIME, which recovers encrypted messages by analyzing the compress ratio of different media. It is well-know that people can see distinct pictures from the text by the compress ratio; however, before CRIME, there is no easy way to detect what exactly the information is by the ratio only. But the breach always exists. The word “faster” and “sunoru” have the same length. However, the entropy(binary) of “faster” is 2.58496, and the entropy of “sunoru” is 2.25163. So, if you know the original length(6) of the words, and also get access to the entropy of the words, you can easily obtain rich information from the results. For a “perfect” compress algorithm with an observe-only way to get information, you can get how much time different alpha is included in each word, which, generally, is not so useful(But shouldn’t be public even so). But real-world compress algorithm is NOT perfect, and real-world environment is NOT observed only. You can send a message to the server to determine which real-world compress method the server is using, and you can obtain much more information form the simple ratio if multiple requests are made by the CRIME attack.

For HTTPS, it represents a danger for web pages with simple information. For example, some banks in China using a number in a picture to show how much money you have, when the picture is compressed, it is pretty easy to obtain the real number the picture shows by compress ratio. By using a precomputed table, you can decrypt millions of those “money pictures” per second with a Macbook Air. So if you find your bank is transport money number in the picture, you should be aware it may be a deliberate way to publish that information to the whole net.

However, for SPDY, your app may be cracked even without deliberate setups. SPDY’s speed is based on compressed headers, which include URL, cookie, and authorization token. As the client will send the header wherever people visit the same site, you just need to XSS the client to a static page(e.g., a 404-page ~), then you can obtain all the information in the header without any painful struggle. And when you get the header, you get the URL(so the complete browsing history is public), the cookie and authority token(so the log-in status of the personal), and all the content of the page. So, it’s just like that you are visiting the page using HTTP without S.

Not only HTTPS and SPDY are effected, Tor, which uses gzip as it’s compression algorithm, is also affected. But it may be not so easy to crack Tor as it reuses TCP tunnel… SSH with compress can also be decrypted this way. However, it needs some small skill and luck to do the gzip guess as you cannot easily make the user resend things.
In conclusion, SPDY is just like clear text for a careful attacker, and HTTPS is not so secure anymore…

The good news is that the network working group finally finds the danger in compression, and decides not to support compression any more in TLS 1.3 draft-02. Have I said that is good news? It seems not like a pleasant change for those who only have limited network bandwidth…

Posted on

HTTPS SNI

SNI means Server Name Indication, which is a technology to let the server know which domain the client is linking to and return the certification correspondingly, which makes a single IP possible to serve multiple HTTPS sites. It is defined in RFC 6066 section 3.

The protocol extension changes the handshake process in the TLS. The client should include a struct array of the DNS name of the server the client wants to link to. And if the server has the certification, the handshake goes on normally. If not, the server should send a fatal level error and drop the connection, or just go on as if nothing happened(and give out the default certification).

The protocol also influenced the session cache of the TLS server. The TLS server which supports the extension will never give out any session to the client if the server_name mismatches. Even if the client has all the outer things qualified.

Some people think that SNI will add security risks as the client will transport the server name in cleartext. However, if a site is a TLS site(without SNI), anyone can know who the client is talking to by linking to the server. Essentially means the IP in traditional TLS servers gives out the information of the domain. Telling the domain will not add security risk to the protocol.

In fact, as the protocol provides another way to check session cache, it actually reduces the risk(though seems impossible&useless already in traditional TLS server) if the server uses the wrong TLS session which is opened by an attacker to send message to the user.

Posted on

Now lab to 6.5

After altering some files in gitlab, the upgrade process becomes not an easy and happy job. Every new version comes out, dozens of files need to merge manually in order to upgrade gitlab successfully. So, after hours of mental struggle, I finally decide to upgrade it. The process is not as terrible as I thought it would be. But still, DOZENS of files to edit……

And now the update process has been finished. All things seem to be good. If anything went south, please email me~

Posted on

Is Meg Jay Right?

In Meg Jay’s New York Times article “The Downside of Cohabiting before Marriage” publishes on April 14, 2012, the author suggests that cohabiting may not be a good factor in marriage like many people assume, actually, it may enlarge the possibility for couples to divorce after marriage. She argues that cohabiting couples may just slide into marriage without serious conversations about why they should live together, and, unfortunately, people’s standards of a live-in partner are lower than their standards of a spouse in most cases, which leads to unhappiness after marriage and therefore enlarges the risk of divorcing. Meg also suggests that people may have different views toward cohabiting: Women are more likely to think cohabiting as a step towards marriage, while men are more likely to see it as a way to test a relationship. These asymmetry ideas may lead to low quality of understanding and may eventually lead to the break of a marriage. She argues that cohabiting is filled with high switching cost, which may make people be “locked in” by cohabiting, and miss their true love because of it. Finally, Meg concludes that because of the high risk of cohabiting before marriage, young people should discuss the commitment level and motivation before sliding into cohabiting to prevent the cohabitation effects.

Unfortunately, there aren’t many real examples in Meg’s article, and the examples Meg gives in her article do not support her conclusion solidly. Firstly, she suggests that there are some risks lie in cohabitation itself, and gives examples which show that heedless cohabitation which leads to unhappy life and eventually leads to break up of the relationship. However, all those examples only suggest that a heedless relationship will end badly, which is a common knowledge. So that those examples are not incontrovertible evidence of the risks lie in cohabitation. She also mentions in her article that cohabitation is loaded with switching cost, which makes it difficult to break up and finds a more suitable partner. But in fact any close relationship will bring switching cost, and will make people have a hard time to make right choices. It is true that cohabitation is hard to break up, but breaking up a marriage is even harder. In this case, I believe marriage is even more dangerous than cohabitation. The author assumes that a never-breaking marriage is the ultimate goal. However, this is a false supposition. There are many stories about unhappy couples who live together for lifelong time. They waste all their life to endure each other, and miss all the opportunity to find a better partner. It’s more tragic than those who divorce and then find a better partner. So that I think a right partner is much better than an unbreakable marriage.

As for the statistic, she suggests that there are some researches which show that couples who have cohabiting experience have a higher divorce rate than those who have no cohabiting experience. However, she fails to give us the exact numbers. But according to a longterm research carried out by U.S. government which has a sample base of 22682 people, the couples who have cohabitation experience have a divorce probability of nineteen percents, and the probability of divorce for those who did not have cohabitation experience is twenty percents. So, according to this research those couples who cohabit before marriage are not more likely to get divorce. Because of the fact that most cohabiting couples are more open-minded compare to those who have no cohabiting experience, they are more open to choose divorce if their marriage doesn’t work out. So the lower possibility of divorce actually suggests that couples who cohabit before marriage have a better marriage quality than couples who do not. And there is indeed a research that shows cohabitors who marry report greater happiness, fewer disagreements, and less instability in their unions and are more able to resolve their relationship conflicts through nonviolent means. So that I believe that cohabiting experience may help people live a better life after marriage.

In her article, Meg Jay has given us some evidence which cannot fully support her ideas. The real world statistics also suggest that cohabitation may have a good effect on marriage. Therefore I believe “Cohabitation Effect” only exists on some special clients of Meg Jay. For most other people, cohabitation actually has a good effect.

Posted on

Television-Driven Social Revolution: The Box Behind a Stormy Age

The 1960s is one of the most interesting period in American history. In that period the American new generation creats a new culture which never existed before.  It brings the liberty, some creative art styles, along with some extreme violence. It is an age of selfishness and extreme. No one knows why all these would happen. However, a possible reason of the stormy sixties may be the wide deployment of televisions.

In mid-1950 , the U.S. has become increasing urbanized, and the modern technology has gone everywhere from urban to suburban area. Televisions are widely deployed across all American homes by 1960s. Virtually every home has one television set at that point of time. People, for the first time in the history, are able to see what was happening all around the world while sitting comfortably in their sofas. While people spending more and more time watching television shows, a new culture based on television raises naturally.

At first, the television is nothing more but a radio with the function of transport image. However, with the rapid developing of TV industry, people has found more and more ways for televisions to extend into people’s lives. In 1960s, televisions has already conquer all American homes. From news reporting to president election, all of the public events has been shaped by this little box. The candidates go to TV show, debate and advertisement in order to attract the public. Kennedy, which starts as one of the “greenest” candidates in American history, can never win the presidency at the age of 42 without the power of television debate. It is said at that time the candidates’ election groups look like trying to sell president like toothpaste. So that without TV, the idea of “New Frontier” would only be a personal thought of Kennedy, not an idea that influence the next few decades. Televisions also shape many popular cultures. Without TV, Elvis Presley’s music would not affect such a big audience; Hippies would not lead to a nationwide stream of counterculture movement. Televisions are the beacon network that spread the fire of human right movement. Martin Luther King may not be able to draw so much attention and take such a big step to the change of American society. Malcolm X can hardly reach so many people if all he could do is speak to people face to face. It is television that makes all those revolutions possible.

The television might not be the most obvious factor in 1960s revolution, but the television is surely the root that supports the revolution’s blossom. With televisions, information can spread all across the country vividly. With televisions, moviemaker, music writer, singer and dancer can gain more audience across a wider area. With televisions, reporter can choose more ways to process and spread their news across the entire nation. And, the most important of all, because of the wide deploy of televisions, common people will spend more time on political events, which greatly changes the politics in early 1960s, therefore changes the relationship between government and people, which is the beginning of the revolution. The television changes the way people sell their products, and it also make all the experiments in sex revolution possible to spread, which in turn influence the new generation. In a word, it is the television that kindles the fire of the revolution of 1960s.

Posted on

SQL’s not end

Today, in a distributed cloud environment, there is no good DB that can have both ACID and SQL support, at the same time keep the performance scale. So, there is NoSQL.

NoSQL means Not Only SQL. It does not means NO SQL. MongoDB-like applications have set up a bad example for its followers. A NoSQL DBMS might not use SQL as its base query language, but it at least should support SQL as a higher layer query language, just like what FoundationDB tries to do. Of course, the problem is ACID with the flexibility of SQL language, which is a rather difficult problem for a sharding DB, who becomes more and more common since cloud computing is conquering the server world. SQL language itself is not difficult to carry out, ACID with the ability to support complex SQL is.

But ACID is a must-have feature in many apps, not only bankers needs ACID, all app developer who wants to make a robust app must have transaction as one of their basic tools. No one can accept an app if it only acts normally when the user is lucky. Those who want to throw away ACID will only find they are implementing their own ACID solutions later.

There are many ways to overcome ACID implement problem. In the cloud, locking is an unacceptable way, unless there is some way to lock and sync at a very small, accurate level, which is not an easy job for 100+ sharding servers. Log and check(MVCC) is another way, which is easier than locks, and implemented in many DB solutions.

If ACID is possible in a cloud, SQL will be, too. But it may exist as a layer on an ACID system based on some simpler API. Whatever, SQL will not be ended by NoSQL and cloud, it will still be used in many places for whoever wants to keep data update easy(or even possible). Maybe one day there will be only copied and not reference in DB world, but I think the day has not come yet.

Posted on

Book review homework

“Pride and prejudice” is an impressive classical English literature that tells a story about the relationship around the dutiful Jane, the quick-witted Elizabeth, the rich gentleman Darcy, and his friend Bingley.

The book tells a story about Darcy, who is the one that split Jane and Bingley because of his worries about their marriage, falls in love with Elizabeth, but is refused by her because of his pride attitude. Mr. Darcy then leaves a letter for Elizabeth in order to explain himself. After some incidents, Elizabeth forgave Mr. Darcy’s pride, and her prejudice disappeared. She accepts Mr. Darcy’s marriage proposal, and they live happily ever after.

It’s a book full of charm in which the author has picturized the capitalist society of England during the seventeenth century, in which people’s life was controlled tightly by the money and status. But the author selected a unique view, which showed people that below the cold surface of a man, there could be a warm heart. The story is awesome and full of surprises. And though it, we can find the power of true love can never be stopped by pride, prejudice, or any other thing. It will always surpass those emotions and finish their purpose.

Posted on

DoS defense

Now, this site is free from small DoS attack. I use iptables, evasive, and some other techs to protect this site. Iptables will kill most DoS links after it reached some condition. I think any DoS attacker with only one IP can’t flood my site now. Cheers!

Posted on

New server for new app

Well, a new Linode server with LUKS has been build to support this website and a branch of new applications. Build a LUKS encrypted system on a VPS is an exciting experience. However, sometimes, it seems stupid to do so. Since an admin who records every keystroke will easily record the password for LUKS. But my password is not for Linode, but for its hardware maintainer. I do not think Linode will record custom’s keystroke in their Lish console, at least not publicly. If they record it privately, it will only be available to a little part of their organization. So that if a disgraceful programmer wanted to record every file created in all Linode systems, he/she would not get my password to do it, though I’m not sure.

Of course, everyone who wants to get the LUKS key can do it by analyzing the memory. But it needs time and attention. So, hopefully, if people can put very sensitive like customers’ credit card numbers on Linode server without any encrypt, perhaps I can put my diary on it too.