Certificate Transparency, an introduction

Scott Helme, creator of securityheaders.io, wrote a good introduction to certificate transparency.

Certificate Transparency is an open framework for monitoring and auditing the certificates issued by Certificate Authorities in near real-time. By requiring a CA to log all certificates they generate, site owners can quickly identify mis-issued certificates and it becomes much easier to detect a rogue CA.

https://scotthelme.co.uk/certificate-transparency-an-introduction/

Oh Dear!, my side project, leverages certificate transparency logs to send you a notification as soon as a new certificate is issued for your domain.

Read more

1.1.1.1 is the new 8.8.8.8

For years I've used Google's public DNS service. Its famous IP address is 8.8.8.8. It resolves addresses faster than my internet provider's resolver.

Yesterday Cloudflare launched their DNS service which promises to be faster and better for your privacy. It has an awesome IP address: 1.1.1.1. Here are some benchmarks.

Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it target you with ads. We think that’s gross. If you do too, now there’s an alternative: 1.1.1.1

The announcement: https://blog.cloudflare.com/announcing-1111/

More info + how to set it up on your device: https://1.1.1.1/

Read more

Using Content Security Policy headers in a Laravel app

by Freek Van der Herten – 5 minute read

By default all scripts on a webpage are allowed to send and fetch data from and to any site they want. If you think about it, that's kinda scary. Imagine that one of your JavaScript dependencies would send all keystrokes, including passwords, to a third party website. That would be pretty bad. In…

Read more

A new security header: Referrer Policy

Almost a year ago, Scott Helme, creator of securityheaders.io and report-uri.com, wrote a blogpost on a little-known HTTP header: Referrer-Policy.

Regular readers will know how fond I am of the existing security headers so it's great to hear that we're getting another! Referrer Policy will allow a site to control the value of the referer header in links away from their pages.

https://scotthelme.co.uk/a-new-security-header-referrer-policy/
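To make the header concrete, here is an added example (my own code, not Scott's) that works out which Referer a browser sends for a link from one page to another under each policy value, following the W3C Referrer Policy algorithm. The URLs are made up; the interesting case is a page whose query string carries a secret.

```php
<?php
// Added example, not code from Scott Helme's post: the Referer value a browser
// sends for a link from $from to $to under a given Referrer-Policy, following
// the W3C Referrer Policy algorithm. null means "no Referer header at all".
declare(strict_types=1);

/** parse_url() with scheme and host lower-cased for comparisons. */
function normalise(string $url): array
{
    $u = parse_url($url);
    $u['scheme'] = strtolower($u['scheme'] ?? '');
    $u['host'] = strtolower($u['host'] ?? '');
    return $u;
}

/** An origin serialised the way the spec sends it as a referrer: with a trailing slash. */
function originOf(array $u): string
{
    $default = ['http' => 80, 'https' => 443];
    $origin = $u['scheme'] . '://' . $u['host'];
    if (isset($u['port']) && $u['port'] !== ($default[$u['scheme']] ?? null)) {
        $origin .= ':' . $u['port'];
    }
    return $origin . '/';
}

/** The full URL with credentials and fragment stripped, as the spec requires. */
function strippedUrl(array $u): string
{
    $url = $u['scheme'] . '://' . $u['host'];
    if (isset($u['port'])) {
        $url .= ':' . $u['port'];
    }
    $url .= $u['path'] ?? '/';
    if (isset($u['query'])) {
        $url .= '?' . $u['query'];
    }
    return $url;
}

function determineReferrer(string $policy, string $from, string $to): ?string
{
    $f = normalise($from);
    $t = normalise($to);
    $sameOrigin = originOf($f) === originOf($t);
    // "Downgrade": a TLS-protected page linking to a non-TLS destination.
    $downgrade = $f['scheme'] === 'https' && $t['scheme'] !== 'https';

    switch ($policy) {
        case 'no-referrer':
            return null;
        case 'unsafe-url':
            return strippedUrl($f);
        case 'no-referrer-when-downgrade':
            return $downgrade ? null : strippedUrl($f);
        case 'same-origin':
            return $sameOrigin ? strippedUrl($f) : null;
        case 'origin':
            return originOf($f);
        case 'strict-origin':
            return $downgrade ? null : originOf($f);
        case 'origin-when-cross-origin':
            return $sameOrigin ? strippedUrl($f) : originOf($f);
        case 'strict-origin-when-cross-origin':
            if ($sameOrigin) {
                return strippedUrl($f);
            }
            return $downgrade ? null : originOf($f);
        default:
            throw new InvalidArgumentException("Unknown Referrer-Policy: $policy");
    }
}

// Made-up page whose query string carries a secret, linking to an https and an http site.
$from = 'https://spatie.be/account?reset-token=abc123#profile';
$targets = ['https://example.com/', 'http://example.com/'];
foreach (['unsafe-url', 'no-referrer-when-downgrade', 'origin-when-cross-origin',
          'strict-origin-when-cross-origin', 'no-referrer'] as $policy) {
    foreach ($targets as $to) {
        printf("%-32s %-22s %s\n", $policy, $to,
            determineReferrer($policy, $from, $to) ?? '(no Referer)');
    }
}
// Setting the policy from PHP: header('Referrer-Policy: strict-origin-when-cross-origin');
```

The table this prints shows the reset token travelling to example.com under unsafe-url and, for the https target, under no-referrer-when-downgrade as well, while the origin-only policies send just https://spatie.be/ and no-referrer sends nothing. When Scott's post was written browsers defaulted to no-referrer-when-downgrade; current browsers default to strict-origin-when-cross-origin, but sending the header explicitly is still the only way to get the same behaviour everywhere.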

Read more

Extended validation is broken

In a new article on his blog Ian Carroll shows that it's quite easy to trick users into thinking that they're connected to the right site.

Extended validation ("EV") certificates are a unique type of certificate issued by certificate authorities after more extensive validation of the entity requesting the certificate. In exchange for this more rigorous vetting, browsers show a special indicator like a green bar containing the company name, or in the case of Safari completely replace the URL with the company name. ... Today, I will demonstrate another issue with EV certificates: colliding entity names. Specifically, this site uses an EV certificate for "Stripe, Inc", that was legitimately issued by Comodo.

https://stripe.ian.sh/

Read more

Handling CORS in a Laravel application

by Freek Van der Herten – 5 minute read

Recently we released laravel-cors. This package can add the necessary CORS headers of your Laravel app. In this post I'd like to give a quick explanation of what CORS is and how you can use the package. What is CORS Imagine that all JavaScript code for domain X running in a browser would be able to…
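An added example in plain PHP, not the laravel-cors package's own code, showing the decision an API has to make for every cross-origin request: match the Origin exactly against an allow-list, never reflect it blindly, set Vary, and answer the preflight. The origins, methods and header names are assumptions of the example.

```php
<?php
// Added example in plain PHP, not code from the laravel-cors package: compute
// the CORS response headers for a request against an explicit origin allow-list,
// including the preflight (OPTIONS) exchange. Origins and lists are made up.
declare(strict_types=1);

const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['Content-Type', 'Authorization', 'X-Requested-With'];

/**
 * @param string $method  HTTP method of the incoming request
 * @param array  $headers request headers keyed by lower-cased name
 * @return array{status: ?int, headers: array<string, string>}
 *         status null means: leave the application's own status code alone
 */
function corsHeaders(string $method, array $headers, bool $allowCredentials = true): array
{
    $origin = $headers['origin'] ?? null;
    if ($origin === null) {
        // Same-origin requests and plain navigations send no Origin: nothing to do.
        return ['status' => null, 'headers' => []];
    }
    // Exact match against the allow-list. Never echo the Origin header back
    // unchecked: together with Allow-Credentials that lets any site read
    // authenticated responses from this API through the victim's browser.
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        // Without Allow-Origin the browser withholds the response from the
        // script. Vary still matters: a shared cache must not later hand this
        // header-less copy to a request from an allowed origin.
        return ['status' => null, 'headers' => ['Vary' => 'Origin']];
    }
    $out = [
        'Access-Control-Allow-Origin' => $origin,
        'Vary' => 'Origin',
    ];
    if ($allowCredentials) {
        // Browsers refuse "*" for credentialed requests, which is why a single
        // concrete origin from the allow-list is echoed instead.
        $out['Access-Control-Allow-Credentials'] = 'true';
    }
    $isPreflight = $method === 'OPTIONS' && isset($headers['access-control-request-method']);
    if (!$isPreflight) {
        return ['status' => null, 'headers' => $out];
    }
    $wanted = strtoupper($headers['access-control-request-method']);
    if (!in_array($wanted, ALLOWED_METHODS, true)) {
        return ['status' => 403, 'headers' => ['Vary' => 'Origin']];
    }
    $out['Access-Control-Allow-Methods'] = implode(', ', ALLOWED_METHODS);
    $out['Access-Control-Allow-Headers'] = implode(', ', ALLOWED_HEADERS);
    $out['Access-Control-Max-Age'] = '600'; // browsers may cache this preflight for 10 minutes
    return ['status' => 204, 'headers' => $out]; // a preflight response carries no body
}

// Constructed requests: a preflight from an allowed origin and a simple GET
// from an unknown one.
print_r(corsHeaders('OPTIONS', [
    'origin' => 'https://app.example.com',
    'access-control-request-method' => 'PUT',
    'access-control-request-headers' => 'content-type, authorization',
]));
print_r(corsHeaders('GET', ['origin' => 'https://attacker.example.net']));

// Emitting the result in a real request cycle:
// if ($r['status'] !== null) { http_response_code($r['status']); }
// foreach ($r['headers'] as $name => $value) { header("$name: $value"); }
```

The first call yields a 204 with the full Allow-* set for app.example.com; the second yields only Vary: Origin, so the attacker's page gets no readable response. The one configuration that must never appear is the combination of a reflected Origin (or "*") with Access-Control-Allow-Credentials: true.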

Read more

I’m harvesting credit card numbers and passwords from your site. Here’s how.

In an article at Hackernoon, David Gilbertson warns about the dangers of trusting 3rd party packages on npm. He goes into how a package can make unwanted http requests in the browser and how you can protect yourself against that.

It’s been a frantic week of security scares — it seems like every day there’s a new vulnerability. It’s been a real struggle for me personally to pretend like I understand what’s going on when asked about it by family members.

Seeing people close to me get all flustered at the prospect of being “powned” has really put things in perspective for me.

So, it is with a heavy heart that I’ve decided to come clean and tell you all how I’ve been stealing usernames, passwords and credit card numbers from your sites for the past few years.

https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

Read more

Anatomy of a PHP Hack

Aaron Saray recently found some rogue code on a hacked website and investigated what it actually does.

It’s hard to come up with a title for this - but - basically I found some rogue code the other day that I thought was pretty interesting. I was fixing a “hacked” website when I came across the source of the symptoms of the hack.

This obfuscated code is doing something bad, but we don’t know what at first glance. Obviously, the solution is to remove it - but - aren’t you a little curious what it was doing? Let’s take a look.

https://aaronsaray.com/2017/anatomy-of-a-php-hack.html

Read more

iTerm2 leaks everything you hover in your terminal via DNS requests

iTerm2, a popular terminal app, contained a very bad security issue. Everything you hovered over was checked to see whether it was a clickable URL, and to decide that, the hovered string was looked up against a DNS server. So if you hovered over a password, a secret key or anything else sensitive, it was sent out to the internet. Obviously this is a big problem. It's fixed in the latest version, so if you use iTerm2 and haven't updated it recently, be sure to do so now! The problem is fixed in version 3.1.1.

iTerm2's leak issue was first discovered ten months ago. iTerm2's creator initially reacted by adding an option to iTerm 3.0.13 that allowed users to disable DNS lookups. The feature remained turned on by default for new and existing installations.

Dutch developer Peter van Dijk, software engineer for PowerDNS, a supplier of open-source DNS software and DNS management service, re-reported this feature and this time around, he pointed out some of the severe privacy leaks not included in the first bug report.

"iTerm sent various things (including passwords) in plain text to my ISP's DNS server," van Dijk wrote flabbergasted in a bug report he filed earlier today.

This time around, George Nachman, iTerm2's maintainer, understood the severity of the issue right away and released iTerm2 3.1.1 to fix the problem within hours. He also apologized for enabling this feature by default without analyzing possible consequences in more depth.

https://www.bleepingcomputer.com/news/security/iterm2-leaks-everything-you-hover-in-your-terminal-via-dns-requests/

Read more

Messing around with HTTP status codes

The HTTP specification says that status codes should be three-digit integers, but what happens if they are not? April King, head of website security at Mozilla, did some fun experiments to find out.

While it is easy to create test cases for conditions that don't satisfy this requirement, it is somewhat more difficult to determine how third-party libraries will handle HTTP requests that fall outside this constraint. I looked around the internet for websites to help me test weird status codes, but most of them only let me test with the known status codes. As such, I decided to add arbitrary HTTP status codes to my naughty httpbin fork, called misbehaving.site.

What I discovered is that the various browser manufacturers have wildly different behavior with how they handle unknown HTTP status codes.

https://pokeinthe.io/2017/09/14/http-status-code-handling/
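As an added example (my own code, not April's), here is the strict status-line parser a client library would need, run over a handful of constructed status lines including the non-three-digit ones her site can serve.

```php
<?php
// Added example, not code from April King's post: a strict parser for an
// HTTP/1.x status line. RFC 7230 defines status-code as exactly 3DIGIT; this
// is the check a client library needs so the odd codes a site like
// misbehaving.site serves are rejected instead of being silently misread.
declare(strict_types=1);

final class MalformedStatusLine extends RuntimeException {}

/** @return array{version: string, code: int, reason: string} */
function parseStatusLine(string $line): array
{
    // status-line = HTTP-version SP status-code SP reason-phrase
    // Exactly three ASCII digits followed by a space or the end of the line,
    // so "1000", "20", "2O0" and "+200" all fail here.
    if (!preg_match('~^HTTP/(\d\.\d) ([0-9]{3})(?: (.*))?$~D', rtrim($line, "\r\n"), $m)) {
        throw new MalformedStatusLine('not a valid status line: ' . json_encode($line));
    }
    $code = (int) $m[2];
    // The grammar admits 000-999, but only the classes 1xx-5xx are defined,
    // and a client is required to treat an unknown code by its first digit.
    if ($code < 100 || $code > 599) {
        throw new MalformedStatusLine("status code $code is outside the defined classes 1xx-5xx");
    }
    return ['version' => $m[1], 'code' => $code, 'reason' => $m[3] ?? ''];
}

// Constructed status lines: one normal, one unregistered but well-formed
// (to be handled as 2xx), and four malformed ones.
$samples = [
    "HTTP/1.1 200 OK\r\n",
    "HTTP/1.1 299 Made Up\r\n",
    "HTTP/1.1 1000 Too Many Digits\r\n",
    "HTTP/1.1 20 Too Few\r\n",
    "HTTP/1.1 000 Zero\r\n",
    "HTTP/1.1 abc Letters\r\n",
];
foreach ($samples as $line) {
    try {
        $r = parseStatusLine($line);
        printf("accepted: %d (class %dxx) %s\n", $r['code'], intdiv($r['code'], 100), $r['reason']);
    } catch (MalformedStatusLine $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The first two lines are accepted, the other four rejected. Whatever a browser does with "HTTP/1.1 1000 OK", a library that quietly turns it into 100 or 1000 is the kind of third-party behaviour the post set out to probe.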

Read more

PHP 7.2 is due in November. What's new?

PHP 7.2 is just around the corner. In a new blogpost Martin Hujer walks us through the changes.

PHP 7.2 is planned to be released on 30th November 2017 (see the timetable). And it comes with two new security features in the core, several smaller improvements and some language legacy clean-ups. In the article, I will describe what the improvements and changes are. I read the RFCs, discussions on internals and PRs on Github, so you don't have to.

https://blog.martinhujer.cz/php-7-2-is-due-in-november-whats-new/

Read more

Free Wildcard SSL Using Forge + Cloudflare

If you need a free SSL certificate Let's Encrypt seems like the obvious way to go, but its installation and renewal process has its caveats. An alternative to Let's Encrypt is to use a free certificate issued by Cloudflare. On his blog Taylor Otwell published a post explaining how to request and install such a certificate. Keep in mind that this certificate secures the connection between the browser and Cloudflare's edge; the hop from Cloudflare to your origin server is configured separately.

I personally prefer to use Cloudflare, another service that offers free SSL certificates, as well as a variety of other free and paid services that are useful for web developers. I prefer Cloudflare because:

- Cloudflare doesn't require any renewal process to ever run on my server. LetsEncrypt renewals must run on my server at least every 3 months and that's just one more thing that sometimes can (and does) go wrong.
- Cloudflare supports wildcard sub-domains.

https://medium.com/@taylorotwell/free-wildcard-ssl-using-forge-cloudflare-ab0ebfbf129f

Read more

Configuration-driven PHP security advice considered harmful

Scott Arciszewski debunks the commonly given advice on securing your PHP installation by setting some php.ini values.

There have been countless examples posted in various places (Reddit, Hacker News, Twitter, Facebook, Slashdot, and even LinkedIn group discussions), and while a handful occasionally contain one or two tips that might be beneficial towards securing your PHP applications, almost all of the advice they contain is either wrong, a huge waste of time, downright silly, or all of above.

As part of a team that specializes in application security (in particular: securing PHP applications), I feel it's high time someone cleared the air about this advice.

https://paragonie.com/blog/2017/01/configuration-driven-php-security-advice-considered-harmful

Read more

The delicious evils of PHP

In a post on Sitepoint Christopher Pitt demonstrates some cool usages of eval and exec.

I want to look at two PHP functions: eval and exec. They’re so often thrown under the sensible-developers-never-use-these bus that I sometimes wonder how many awesome applications we miss out on.

Like every other function in the standard library, these have their uses. They can be abused. Their danger lies in the amount of flexibility and power they offer even the most novice of developers.

Let me show you some of the ways I’ve seen these used, and then we can talk about safety precautions and moderation.

https://www.sitepoint.com/the-delicious-evils-of-php/

Read more

Varnish explained

Varnish is a piece of software that, amongst other things, can make your website much faster. In a new post on his blog, Mattias Geniar tells you all about it.

Varnish can do a lot of things, but it's mostly known as a reverse HTTP proxy. It brands itself as an HTTP accelerator, making HTTP requests faster by caching them. ... Varnish is usually associated with performance, but it greatly increases your options to scale your infrastructure (load balancing, failover backends etc) and adds a security layer right out of the box: you can easily let Varnish protect you from the httpoxy vulnerability or slowloris type attacks.

https://ma.ttias.be/varnish-explained/

Be sure to also watch the excellent talk Mattias gave at this year's Laracon.

Read more

Taking care of backups with Laravel

by Freek Van der Herten – 8 minute read

A new major version of laravel-backup was recently tagged. This package can backup files and databases of your Laravel app (or any PHP application really). The backup consists of a zipfile containing a dump of the databases and all files that are selected for backup. The package will copy over the…

Read more

Hacking a PHP site

At the beginning of the summer the Belgian company PHPro held a cool hacking contest: anyone who could hack a special site they had set up could win a prize. Yesterday they published an interesting article on how that site could be hacked. The site was also hacked in ways the company's developers did not anticipate.

Since this contest started out as an internal project, we've put a lot of focus on the flow on how to hack the website. It was just a little side project to inform our colleagues that some small mistakes can end up in a big catastrophe. By focussing on the flow of the hackme contest, we forgot to secure the application for malicious contestants. Of course, this was something that fired back to us on the first days of the competition. Here is a little write-up of the problems we've encountered and how we fixed them.

http://phpro.be/news/hackme-results

Read more

Things you want to know about Let's Encrypt

On his blog Simone Carletti gives a good overview of everything Let's Encrypt has to offer (and he also touches on what the service doesn't offer)

Let’s Encrypt is a new certificate authority that entered the internet scene at the end of 2015. ... However, Let’s Encrypt is not only free. Quoting the homepage: Let’s Encrypt is free, automated, and open.

But what does it mean? In this article I’ll share some of the direct consequences of that quote to help you better understand how Let’s Encrypt (currently) works. My goal here is not to judge or advertise the service offered by Let’s Encrypt (either in a negative or positive way), rather provide an overview of what you should expect if you use this service, and let you decide whether Let’s Encrypt is a good fit for you or not.

https://simonecarletti.com/blog/2016/02/things-about-letsencrypt/

Read more

Validating SSL certificates with PHP

With vanilla PHP it's possible to check whether the SSL certificate of a given site is valid, but it's kinda madness to do it. Let's look at the code required:

// Step 1: downloading the certificate from the site
$streamContext = stream_context_create([
    'ssl' => [
        'capture_peer_cert' => true,
    ],
]);

$timeout = 30; // seconds

$client = stream_socket_client(
    "ssl://spatie.be:443",
    $errorNumber,
    $errorDescription,
    $timeout,
    STREAM_CLIENT_CONNECT,
    $streamContext);

if ($client === false) {
    // Since PHP 5.6 an ssl:// stream verifies the chain and the host name by
    // default, so a failure here already means the certificate did not check out.
    throw new RuntimeException("Could not connect: $errorDescription ($errorNumber)");
}

$response = stream_context_get_params($client);

$certificateProperties = openssl_x509_parse($response['options']['ssl']['peer_certificate']);

// Step 2: parsing the certificate

/*
* I'm not even going to type out the further code needed.
*
* `$certificateProperties` has two keys `validFrom_time_t` and `validTo_time_t`.
* Those keys contain the validity dates as Unix timestamps (UTC).
* You will need to check if the current date is between those dates.
*/

What. The. Actual. F. Let's fix this!

We've released a new package named spatie/ssl-certificate that makes checking the SSL certificate of a site laughably easy. Let's take a look at the code:

$certificate = SslCertificate::createForHostName('spatie.be');
$certificate->isValid(); // returns true if the certificate is currently valid

Boom, done.

The package has a few more methods that make working with an SSL certificate a breeze:

$certificate->getIssuer(); // returns "Let's Encrypt Authority X3"

$certificate->getDomain(); // returns "spatie.be"

//A certificate can cover multiple (sub)domains. Here's how to get them.
$certificate->getAdditionalDomains(); // returns ["spatie.be", "www.spatie.be"]

$certificate->validFromDate(); // returns an instance of Carbon

$certificate->getExpirationDate(); // returns an instance of Carbon

You can also pass a domain to isValid to determine whether the certificate covers it. It will, of course, still check that the current datetime is between validFromDate and expirationDate.

$certificate->isValid('spatie.be'); // returns true
$certificate->isValid('laravel.com'); // returns false

The source code of the package is available on GitHub. My company has made many more PHP framework agnostic, Laravel and JavaScript packages in the past. Take a look at the open source page at our site to see if we've made anything that could be of use to you.

Read more

Typo Squatting and Packagist

Jordi Boggiano investigated whether anyone is actively abusing typos in package names on Packagist.

Earlier this month an article was published summarizing Nikolai Philipp Tschacher's thesis about typosquatting. In short typosquatting is a way to attack users of a package manager by registering a package with a name similar to a popular package, hoping that someone will accidentally typo the name and end up installing your version of it that contains malware.

... I wanted to take a look at our repository data and see if I could spot any bad actors.

https://seld.be/notes/typo-squatting-and-packagist
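As an added example (my own code, not Jordi's analysis script, which ran over Packagist's real data), here is a small screen for package names that sit one typo away from a popular package. Both name lists are constructed; the rules go a little beyond plain edit distance because vendor swaps and transposed letters are the tricks the thesis describes.

```php
<?php
// Added example, not Jordi's script: flag newly registered package names that
// sit one typo away from a popular package. Both lists below are constructed.
declare(strict_types=1);

/** Popular packages an attacker would want to impersonate (constructed list). */
const POPULAR = [
    'symfony/console', 'guzzlehttp/guzzle', 'monolog/monolog',
    'laravel/framework', 'phpunit/phpunit', 'spatie/laravel-backup',
];

/** Normalise so "Symfony/Console" and "symfony_console" compare equal. */
function canon(string $name): string
{
    return strtolower(str_replace(['_', '-', '.'], '', $name));
}

/** Two strings of equal length that differ only by one pair of swapped neighbours. */
function isTransposition(string $a, string $b): bool
{
    $diff = [];
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        if ($a[$i] !== $b[$i]) {
            $diff[] = $i;
        }
    }
    return count($diff) === 2 && $diff[1] === $diff[0] + 1
        && $a[$diff[0]] === $b[$diff[1]] && $a[$diff[1]] === $b[$diff[0]];
}

/**
 * Why $candidate looks like a squat of $popular, or null if it does not.
 * Vendor and package halves are compared separately because "acme/guzzle"
 * (same name, other vendor) is a distinct and common trick.
 */
function squatReason(string $candidate, string $popular): ?string
{
    if ($candidate === $popular) {
        return null; // it is the real package
    }
    [$cv, $cp] = explode('/', $candidate, 2) + [1 => ''];
    [$pv, $pp] = explode('/', $popular, 2) + [1 => ''];

    if (canon($candidate) === canon($popular)) {
        return "separator/case variant of $popular";
    }
    if (levenshtein($candidate, $popular) === 1) {
        return "one edit away from $popular";
    }
    if (canon($cp) === canon($pp) && $cv !== $pv) {
        return "same package name as $popular under another vendor";
    }
    if ($cv === $pv && strlen($pp) >= 6 && levenshtein($cp, $pp) <= 2) {
        return "same vendor, package name within two edits of $pp";
    }
    // Swapped neighbours ("framewrok") cost 2 in plain Levenshtein; catch them explicitly.
    if (strlen($candidate) === strlen($popular) && isTransposition($candidate, $popular)) {
        return "transposition of $popular";
    }
    return null;
}

/** @return array<string, string> candidate => reason */
function findSquats(array $candidates, array $popular = POPULAR): array
{
    $hits = [];
    foreach ($candidates as $c) {
        foreach ($popular as $p) {
            if (($reason = squatReason($c, $p)) !== null) {
                $hits[$c] = $reason;
                break;
            }
        }
    }
    return $hits;
}

// Constructed batch of "new" package names to screen.
$new = ['symfony/consle', 'guzzlehttp/guzzel', 'monolog/monolog', 'acme/widget',
        'laravel/framewrok', 'evilcorp/phpunit', 'spatie/laravel_backup'];
print_r(findSquats($new));
```

Five of the seven constructed names are flagged, each with the rule that caught it; monolog/monolog is the genuine package and acme/widget resembles nothing. On a real registry the interesting part is what you do with a hit: a name this close to a popular package is worth a human look before it is installable, not an automatic block.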

Read more