By 2015, HTTPS Will Be Everywhere

Public WiFi connections are often unsecured, leaving their connections open to being hijacked or “sniffed” by malicious people. To protect users from data and privacy loss due to insecure and untrusted connections, web sites and applications are increasingly being run entirely over secure connections (HTTPS).

My prediction is that by 2015, it will be bad practice to access web sites via HTTP, and users will increasingly demand HTTPS. This has interesting implications for hardware manufacturers and software development teams alike.

Continue reading

Verified by Visa Confirmed Dangerous

New research from the University of Cambridge supports the view that Verified by Visa is deeply flawed and unsafe. I first came across this mess of an implementation a while back, and the situation has only become worse since then:

the scheme has become a target for phishing, partly because inconsistent authentication methods can leave customers confused.

It’s time to insist that Visa, MasterCard and other payment gateway providers take some responsibilty for this, and stop pushing risk onto the customer.

PayPal "cart upload" – much smoother than "Add to cart"

We have just finished some custom PayPal integration for Eaton Square Concerts (ESC). On the ESC booking page, you can now select all the tickets you want before heading to PayPal, thanks to the PayPal “cart upload” feature. Previously, the site was using the single-item “Add to cart” which is a bit clunky, and means the user heads back and forth between the ESC site and PayPal.

We handle the form submission on the ESC site, work out what the user want to buy, read their response to the optional questions, and then send the form off to PayPal. The intermediate step is needed because PayPal refuses to accept a zero-count for items, forcing us to check the item count before POSTing to PayPal.

How to encrypt passwords in the Tomcat server.xml file

By default, Tomcat stores passwords in server.xml in clear text, which can lead to obvious security lapses.

The easiest way to mitigate against user account compromise is to use a password digest (SHA, MD2 or MD5 are supported).

With $CATALINA_HOME/lib/catalina.jar and $CATALINA_HOME/bin/tomcat-juli.jar on your class path, just use the following to generate the digested passwords:

java org.apache.catalina.realm.RealmBase \
   -a {algorithm} {cleartext-password}

The digest technique works by having the incoming clear text password (as entered by the user) digested, and the results compared to the stored digested password. If the Two digests match, the password entered by the user must be correct, and the authenticate() method of the Realm succeeds.

Microsoft Application Blocks

Microsoft Application Blocks form a collection of ready-built ‘clumps’ of code which solve common problems such as security management, data access, logging, etc. They are the tangible result of the Microsoft Patterns and Practices advice: all of it sound and solid.

John Jakovich, one of the 4 Guys From Rolla, gives a useful An Introduction and Overview of the Microsoft Application Blocks. He summarises the utility of the Application Blocks thus:

…you don’t have to worry about the tedious details required to return a DataReader or write an exception to the System Log. This allows us to concentrate on the business logic in our applications.

I have written too many logging frameworks in the past: it’s boring above all else. I just want to log exceptions in a thread-safe manner, with a unique ID.which I can display to the user if necessary. If someone (i.e MS) has already written code to do (most of) this, then fine – I’ll use it.

The Security block is particularly useful for ASP.NET 1.1, where security and profile management is not as simple as in version 2.0. All that boring stuff about storing Role information in cookies? Solved! Better still, any security holes will be fixed by MS. Again, more time to concentraste on business logic.

Design Guidelines for Class Library Developers

The Application Blocks tie in nicely with a set of guidelines from MS on class library development. They include advice on:

  • array usage
  • exposure to COM
  • casting
  • threading

and several other subjects. This is basically just a gloop of Common Sense, but well worth a read.

MBR BootFX Application Framework

An alternative to the MS Application Blocks comes from Matt Baxter-Reynolds (he of DotNet247) in the form of BootFX:

The MBR BootFX Application Framework is a best-of-breed application
framework that we offer to all our clients who engage us to develop
software applications or software components for them. It’s designed
to give us a “leg up” on new projects by providing a tried and tested
code base for common software development activities.

There are lots of goodies there, including Object Relational Mapping (ORM), and support for SQL Server, Oracle, and MySQL databases. To top it all, it’s open source, via the Mozilla Public Licence 1.1. I met Matt 18 months or so back at a seminar run by Iridium; very personable guy.

Secunia

Secunia is an excellent site, listing outstanding and historic vulns for all major (and many minor) software products. For exmaple, compare security flaws for DotNetNuke with the flaws for PHP-Nuke. There is clearly no competition there. Alarmingly, Firefox has 12% unpatched vulns since 2003, but of course stats can lie.