Uber 在倫敦將會被停業

Uber 在倫敦將會被停業:「Uber has license to operate in London revoked」、「London regulator announces Uber ban」、「Uber London loses licence to operate」。

更精確的說是不再續發 license,舊的 license 只到 9/30:

Transport for London (TfL), which operates public transport in the capital, has made the decision not to renew the app-based taxi’s license in the city.

The license was renewed in May, but for a period of only five months. It will run out on 30th September, though the company will be allowed to continue to operate during the appeal process.

看起來主要原因是圍繞於 Greyball (利用演算法躲避執法人員的工具):

According to the TfL regulatory board, the ‘approach and conduct’ of Uber showed a lack of corporate responsibility, which could have resulted in public safety and security issues. It also raised concerns with the company’s ‘approach to explaining the use of Greyball, software that could be used to block regulatory bodies from gaining full access to the app.’

新任 CEO 則是出來道歉:「Uber CEO apologizes for “mistakes” in London」。

其實是利益團體之間的衝突... 這戲還在繼續演。

Gmail 要開始導入 SMTP Strict Transport Security 了

SMTP MTA Strict Transport Security 算是 SMTP STARTTLS 裡的 HSTS 機制,而 Google 的人在 RSA Conference 上提出要開始用了:「SMTP STS Coming Soon to Gmail, Other Webmail Providers」。

Elie Bursztein, the head of Google’s anti-abuse research team, said at RSA Conference that SMTP STS will be a major impediment to man-in-the-middle attacks that rely on rogue certificates that are likely forged, stolen or otherwise untrusted. Google, Microsoft, Yahoo and Comcast are expected to adopt the standard this year, a draft of which was submitted to the IETF in March 2016.

補上去後對於 SMTP 的隱私保護就會更好了...

貨運公司每次都把腳踏車弄壞...

在「Our secret’s out.」這邊看到 VanMoof (腳踏車生意) 對於托運公司每次都把腳踏車給弄壞的解決方法 XDDD

因為包裝很像平板螢幕,就掛個平板螢幕的圖片上去,然後運送的損壞率就下降 70%~80%:

Earlier this year our co-founder Ties had a flash of genius. Our boxes are about the same size as a (really really reaaaally massive) flatscreen television. Flatscreen televisions always arrive in perfect condition. What if we just printed a flatscreen television on the side of our boxes?

And just like that, shipping damage to our bikes dropped by 70–80%.

然後文末偷偷爆破了是哪家負責運送 XDDD

We were hoping to keep this small tweak quiet, but thanks to Twitter, the secret’s out.

Just don’t tell FedEx.

Stripe 所提到的 TLS 1.1 不安全

Stripe 在宣佈要淘汰 TLS 1.0 與 TLS 1.1 的計畫公告中 (「Upgrading to SHA-2 and TLS 1.2」) 提到了:

Why SHA-1, TLS 1.0 and 1.1 are insecure

但在文章裡面還是沒有提到為什麼 TLS 1.1 不安全。

在維基百科的「Transport Layer Security」條目中試著找內容,發現應該是 Data integrity 這段,TLS 1.1 不支援 HMAC-SHA256/384 與 AEAD,只支援比較弱的 HMAC-MD5 或是 HMAC-SHA1。

利用 HSTS 資訊得知網站紀錄的 sniffly

看到「sniffly」這個工具,可以利用 HSTS 資訊檢測逛過哪些網站,程式碼在「diracdeltas/sniffly」這邊可以找到:

Sniffly is an attack that abuses HTTP Strict Transport Security and Content Security Policy to allow arbitrary websites to sniff a user's browsing history. It has been tested in Firefox and Chrome.

測試網站則可以在這邊看到,作者拿 Alexa 上的資料網站來掃,所以熱門網站應該都會被放進去...

主要是利用 HSTS + CSP policy 的 timing attack (有逛過網站而瀏覽器裡有 HSTS 時的 redirect 會比較快,沒有逛過的時候會因為有網路連線而比較慢):

Sniffly sets a CSP policy that restricts images to HTTP, so image sources are blocked before they are redirected to HTTPS. This is crucial! If the browser completes a request to the HTTPS site, then it will receive the HSTS pin, and the attack will no longer work when the user visits Sniffly.

When an image gets blocked by CSP, its onerror handler is called. In this case, the onerror handler does some fancy tricks to time how long it took for the image to be redirected from HTTP to HTTPS. If this time is on the order of a millisecond, it was an HSTS redirect (no network request was made), which means the user has visited the image's domain before. If it's on the order of 100 milliseconds, then a network request probably occurred, meaning that the user hasn't visited the image's domain.

由於這個技巧,HTTPS Everywhere 必須關閉才會比較準確。

HTTP Header 裡與安全相關的 Header 的分析...

還是在 Zite 上看到的,對最大的一百萬個網站分析與安全有關的 HTTP Header:「Security Headers on the Top 1,000,000 Websites: November 2013 Report」。

數字大致上都有增加,不過對我來說的重點在於有列出所有與安全有關的 HTTP Header...

可以看到有這幾個:

  • Access-Control
  • Content-Security-Policy
  • Strict-Transport-Security
  • X-Content-Security-Policy
  • X-Frame-Options
  • X-Webkit-CSP

剛好可以拿來 review 設定...