Mac 版的 Java 安裝 Ask Toolbar...

Posted on March 6, 2015 by Gea-Suan Lin

在「Oracle has just given you another reason not to install Java on your Mac」這篇看到 Mac 版的 Java 居然會試著安裝 Ask Toolbar:

Oh my god,這太厲害啦~

還是想貼一下這則 tweet...

Posted in Computer, Murmuring, Network, Security, Software | Tagged , , , , , | Leave a comment

CVE-2015-0204:OpenSSL 的弱點攻擊 (Android 與 iOS)

Posted on March 5, 2015 by Gea-Suan Lin

CVE-2015-0204 的說明:

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.

本來是被 OpenSSL 標成低危險性 (出自 secadv_20150108.txt):

RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
Severity: Low

不過新的攻擊利用這個弱點放大,叫做「FREAK Attack」,可以強制使用 RSA_EXPORT suite 所列的 cipher,而這些 cipher 通常長度都不夠,於是就可以解:

A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.

影響的範圍主要是支援 RSA_EXPORT suite 的 server:

Websites that support RSA export cipher suites (e.g., TLS_RSA_EXPORT_WITH_DES40_CBC_SHA) are at risk to having HTTPS connections intercepted.

應該是把 !EXPORT 設上去就可以解掉,不過還是花點時間 review,把可以關掉的舊技術都拔掉會比較好。

Posted in Computer, Murmuring, Network, Security, WWW | Tagged , , , , , , , , | Leave a comment

CloudFlare 的 HTTPS 支援 HSTS 設定

Posted on March 5, 2015 by Gea-Suan Lin

CloudFlareHTTPS 支援 HSTS:「Enforce Web Policy with HTTP Strict Transport Security (HSTS)」。

目前可以設 max-ageincludeSubDomains。至於 preload 還在規劃。不算複雜的功能 (加上 HTTP header),不過對於安全性的幫助很大。

不過 origin 好像也可以送,不知道 CloudFlare 會不會濾掉...

Posted in CDN, Cloud, Computer, Murmuring, Network, Security, WWW | Tagged , , , , , , , | Leave a comment

Amazon Redshift 的 Query 效能調教

Posted on February 28, 2015 by Gea-Suan Lin

Amazon Redshift 在 Web Console 上推出的新功能:「Custom ODBC/JDBC Drivers and Query Visualization for Amazon Redshift」:

會把 query 的步驟拆成多個步驟,針對比較吃資源的步驟標出來,讓設計的人可以思考要怎麼改。

Posted in AWS, Cloud, Computer, Database, Murmuring, Network, Software | Tagged , , , , , , | Leave a comment

Firefox 成為第一個預設啟用 HTTP/2 的主流瀏覽器

Posted on February 25, 2015 by Gea-Suan Lin

Firefox 36 的 Release Notes 內宣佈預設啟用 HTTP/2

Support for the full HTTP/2 protocol. HTTP/2 enables a faster, more scalable, and more responsive web.

另外 Firefox 36 也拔除 RC4

No longer accept insecure RC4 ciphers whenever possible

接下來應該是 Google Chrome 預設啟用,以及 nginx 的 server implementation...

Posted in Browser, Computer, Firefox, Murmuring, Network, Security, Software, WWW | Tagged , , , , , , , , | Leave a comment

CloudFlare 的 Universal SSL

Posted on February 25, 2015 by Gea-Suan Lin

CloudFlare 這幾天的動作頗多:「Universal SSL: Encryption all the way to the origin, for free」。

Universal SSL 要保護的是右邊 CloudFlare 到 Origin Server 這段:現在可以讓 CloudFlare 簽 SSL certificate,而不用到外面買了。

這邊的 SSL certificate 只有 CloudFlare 認得,一般的瀏覽器預設值不會認:

The CloudFlare Origin CA is currently not trusted by browsers, so these certificates should not be used on sites that are not behind CloudFlare.

Posted in CDN, Cloud, Computer, Murmuring, Network, Security, WWW | Tagged , , , , | Leave a comment

用 jq 操作 JSON 文件

Posted on February 25, 2015 by Gea-Suan Lin

jq 用一陣子了 (因為配合著 AWS 官方的 AWS Command Line Interface 一起用),剛好看到有人介紹:「jq is sed for JSON」。

現在 Ubuntu 的 package repository 內都有 jq 了 (Ubuntu – Package Search Results -- jq),雖然版本舊了一點,不過基本功能都穩定了,除非有特別的需求,不然應該夠用。

照原文章的範例,假設 1.json 是這樣:

[
  {
    "type": "message",
    "user": "U024HFHU5",
    "text": "hey there",
    "ts": "1385407681.000003"
  },
  {
    "type": "message",
    "user": "U024HGJ4E",
    "text": "right back at you",
    "ts": "1385407706.000006"
  }
]

而你下這樣的 command 就可以抽出來:

$ jq "[.[] | { the_user: .user, the_text: .text }]" 1.json
[
  {
    "the_user": "U024HFHU5",
    "the_text": "hey there"
  },
  {
    "the_user": "U024HGJ4E",
    "the_text": "right back at you"
  }
]

很好用的工具 :o

Posted in Computer, Murmuring, Software | Tagged , | Leave a comment

IRCCloud 的檔案上傳功能...

Posted on February 25, 2015 by Gea-Suan Lin

IRCCloud 宣佈的新功能:「File Uploads」。

CloudFront 擋在前面,而且不是 Price Class 100 (因為 mtr 時至少有看到亞洲區的 PoP),不過看起來後面不是 S3...

在公告的文章裡有提到 Imgur,現在 Imgur 的 CDN 品質好像不是很好?台灣連過去用的是 Fastly 美國的點,但選點好像不太行啊?不過算是堪用...

Posted in AWS, CDN, Cloud, Computer, Murmuring, Network, WWW | Tagged , , , , , , | Leave a comment

innodb_file_per_table 對於 CREATE TABLE 與 DROP TABLE 的速度

Posted on February 25, 2015 by Gea-Suan Lin

雖然平常應該不會常常用到 CREATE TABLEDROP TABLE,不過還是很有趣的 benchmark:「Is MySQL’s innodb_file_per_table slowing you down?」。

重點在這段:

  • With innodb_file_per_table=ON
    • Schema and table creation = 1m54.852s
    • Schema drops = 1m21.682s
  • With innodb_file_per_table=OFF
  • Schema and table creation = 0m59.968s
  • Schema drops = 0m54.870s

不過作者測試時沒有用 ENGINE=COMPRESSED (必須在 innodb_file_per_table 打開時才支援,而且這也是選擇打開 innodb_file_per_table 的重要因素),不知道壓縮開起來以後會差多少...

不過就算再怎麼慢,相較於 CREATE TABLEDROP TABLE 的效能,還是比較計較壓縮換來的 I/O 效能。(尤其是資料量超過記憶體大小時)

Posted in Computer, Database, Murmuring, MySQL, Software | Tagged , , , , , , , , , , , | Leave a comment

Comodo 的 PrivDog 更厲害:直接關掉 CA Certificate 檢查

Posted on February 24, 2015 by Gea-Suan Lin

感覺接下來的整個月會拿有無窮無盡的 Superfish-like 新聞,下次如果出現 NSA 或是 GCHQ 已經在用這些漏洞的話也不太意外就是了:「Adware Privdog worse than Superfish」。

PrivDogComodo 發行的 adware,比起 Superfish 更厲害,直接把 CA Certificate 的檢查關掉:

It will turn your Browser into one that just accepts every HTTPS certificate out there, whether it's been signed by a certificate authority or not.

而 Comodo 是發行 SSL certificate 的公司,很多便宜的 SSL certificate 都是由他們家發出來的... (包括我的 blog)

Posted in Computer, Murmuring, Network, Security, Software, WWW | Tagged , , , , , , , , , , , | Leave a comment