Freek.dev

Varnish is a piece of software that, amongst other things, can make your website much faster. In a new post on his blog, Mattias Geniar tells you all about it.

Varnish can do a lot of things, but it's mostly known as a reverse HTTP proxy. It brands itself as an HTTP accelerator, making HTTP requests faster by caching them. ... Varnish is usually associated with performance, but it greatly increases your options to scale your infrastructure (load balancing, failover backends etc) and adds a security layer right out of the box: you can easily let Varnish protect you from the httpoxy vulnerability or slowloris type attacks.

https://ma.ttias.be/varnish-explained/

Be sure to watch Mattias' excellent talk he gave at this years Laracon:

Read more

In the beginning of the summer the Belgian company PHPro held a cool hacking contest. The persons the could hack a special site that they had set up could win a prize. Yesterday they published an interesting article on how that site could be hacked. The site was also hacked in ways that the developers of the company did not anticipate.

Since this contest started out as an internal project, we've put a lot of focus on the flow on how to hack the website. It was just a little side project to inform our colleagues that some small mistakes can end up in a big catastrophe. By focussing on the flow of the hackme contest, we forgot to secure the application for malicious contestants. Off course, this was something that fired back to us on the first days of the competition. Here is a little write-up of the problems we've encountered and how we fixed them.

http://phpro.be/news/hackme-results

Read more

On his blog Simone Carletti gives a good overview of everything Let's Encrypt has to offer (and he also touches on what the service doesn't offer)

Let’s Encrypt is a new certificate authority that entered the internet scene at the end of 2015. ... However, Let’s Encrypt is not only free. Quoting the homepage: Let’s Encrypt is free, automated, and open.

But what does it mean? In this article I’ll share some of the direct consequences of that quote to help you better understand how Let’s Encrypt (currently) works. My goal here is not to judge or advertise the service offered by Let’s Encrypt (either in a negative or positive way), rather provide an overview of what you should expect if you use this service, and let you decide whether Let’s Encrypt is a good fit for you or not.

https://simonecarletti.com/blog/2016/02/things-about-letsencrypt/

Read more

With vanilla PHP it's possible to check of if the SSL certificate of a given site is valid. But it's kinda madness to do it. Let's look at the code required:

<br />// Step 1: downloading the certificate from the site
$streamContext = stream_context_create([
    'ssl' => [
        'capture_peer_cert' => true,
    ],
]);

$client = stream_socket_client(
    "ssl://spatie.be:443",
    $errorNumber,
    $errorDescription,
    $timeout,
    STREAM_CLIENT_CONNECT,
    $streamContext);

$response = stream_context_get_params($client);

$certificateProperties = openssl_x509_parse($response['options']['ssl']['peer_certificate']);

// Step 2: parsing the certificate

/*
* I'm not even going to type out the further code needed.
*
* `$certificateProperties` has two keys `validFrom_time_t` and `validTo_time_t`. 
* Those keys contain the UTC representation of the date.
* You will need to check if the current date is between those dates.
*/ 

What. The. Actual. F. Let's fix this!

We've released a new package named spatie/ssl-certificate that makes checking the SSL certificate of a site laughably easy. Let's take a look at the code:

$certificate = SslCertificate::createForHostName('spatie.be');
$certificate->isValid(); // returns true if the certificate is currently valid

Boom, done.

The package has a few more methods that makes working with an SSL certificate a breeze:

$certificate->getIssuer(); // returns "Let's Encrypt Authority X3"

$certificate->getDomain(); // returns "spatie.be"

//A certificate can cover multiple (sub)domains. Here's how to get them.
$certificate->getAdditionalDomains(); // returns ["spatie.be", "www.spatie.be]

$this->certificate->validFromDate(); // returns an instance of Carbon

$certificate->getExpirationDate(); // returns an instance of Carbon

You can also use isValid to determine if a given domain is covered by the certificate. Of course it'll keep checking if the current datetime is between validFromDate and expirationDate.

$this->certificate->isValid('spatie.be'); // returns true
$this->certificate->isValid('laravel.com'); // returns false

The source code of the package is available on GitHub. My company has made many more PHP framework agnostic, Laravel and JavaScript packages in the past. Take a look at the open source page at our site to see if we've made anything that could be of use to you.

Read more

Jordi Boggiano investigated if there are pundits actively abusing typos in package names.

Earlier this month an article was published summarizing Nikolai Philipp Tschacher's thesis about typosquatting. In short typosquatting is a way to attack users of a package manager by registering a package with a name similar to a popular package, hoping that someone will accidentally typo the name and end up installing your version of it that contains malware.

... I wanted to take a look at our repository data and see if I could spot any bad actors.

https://seld.be/notes/typo-squatting-and-packagist

Read more

On his blog Chris White explains how to upload files directly to S3. Pretty cool!

Most of us know of Amazon S3, a cloud based storage service designed to store an unlimited amount of data in a redundant and highly available way. For most situations using S3 is a no brainer, but the majority of developers transfer their user's uploads to S3 after they have received them on the server side. This doesn't have to be the case, your user's web browser can send the file directly to an S3 bucket. You don't even have to open the bucket up to the public. Signed upload URLs with an expiry will allow temporary access to upload a single object.

https://cwhite.me/avoiding-the-burden-of-file-uploads/

Read more

Over at the CloudFlare blog John Graham-Cumming wrote an interesting article on SQL injection attacks via http request headers.

SQL injection is a perennial favorite of attackers and can happen anywhere input controlled by an attacker is processed by a web application. It's easy to imagine how an attacker might manipulate a web form or a URI, but even HTTP request headers are vulnerable. Literally any input the web browser sends to a web application should be considered hostile.

Read more

In security-sensitive situations, performance can actually be a bug rather than a feature. This presentation covers timing attacks on the web, and demonstrates how modern performance-related web APIs can sometimes have a negative security impact.

Mathias Bynens — Front-End Performance: The Dark Side from Fronteers on Vimeo.

Read more

Jens Segers wrote an interesting little article about fail2ban. This piece of software prevents unauthorized pundits from accessing your server. You'll be happy to know that is installed by default on Forge.

The first thing I do on every server is set up the firewall so that all ports except for the SSH port are blocked from incoming requests. But with the SSH port unprotected, you still want it to be protected from illegitimate access, right? This is where fail2ban comes in. Fail2ban will automatically ban IPs that show the malicious signs such as too many password failures, seeking for exploits, etc.

Read more

Let’s take a look at a PHP script used to send spam. These types of scripts run on servers all over the world and might give you some insight into a spammer’s dedication to annoy the hell out of you. ... One of the WordPress sites on a shared hosting web server I manage was infected by a spam script. Fortunately, the script was unable to do any real damage and was detected within half an hour of infection. I thought it would be fun to show you the script and dissect it, to find out exactly how these things work and make thousands of email administrators’ lives a living hell.

Read more

Imagine you are working on new app. Your client wants to see the progress that you've made. However your site isn't ready for prime time yet. Sure, you could create some login functionality and display the site only to logged in users. But why bother creating users when there is a more pragmatic approach?

At Spatie we often instruct a client to visit /demo. Visiting that url will unlock access to the entire front site. Because creating packages has many benefits we decided to open source our solution.

Our newly released laravel-demo-mode package blocks your work in progress from prying eyes. After it is installed you can use a route macro to register a route that grants access to the protected routes:

Route::demoAccess('/demo');

Routes can be protected by using the demoMode-middleware on them:

Route::group(['middleware' => 'demoMode'], function () {
    Route::get('/secret-route', 'SecretController@index');
});

Unless a user has first visited /demo first, he or she will be redirected to /under-construction. This url can be changed in the config file.

A word to the wise: do not use this package to restrict access to sensitive data or to protect an admin section. For those cases you should use proper authentication.

You can take a look at the package on GitHub. If you like it, you might like some of our other Laravel packages as well.

Read more

I use Slack for many things and it's great to see how many integrations are available out of the box. But building integrations yourself is extremely easy using Incoming Web Hooks.

Wouldn't it be nice if you could see a message in Slack each time a user connects to one of your machines over SSH? Yes it would!

(I found this via cron.weekly. If you haven't subscribed yet, you're missing out)

Read more

In 2015 web developers understand more about SSL than they ever have. If you read Hacker News you should know:

• You can get domain validated (DV) certs from Let's Encrypt for free.
• You can get extended validation (EV) certs from CertSimple with checks before you pay. That's us by the way!
• The Mozilla SSL Config Generator can set up your server as secure as possible for the browsers you want to support.
• When you're done, use SSL Labs to check everything. Make sure you get an A, otherwise people will pick on you.

What about the rest?

Read more

If you have a form on your website where one of the fields is of the `type="password"`, the page will now be marked as insecure in your browser if it is served over a plain HTTP connection.

Read more

"Password must contain 1 uppercase letter, 1 lowercase letter, and 1 number."

With a rule like that, the password Abcd1234 would pass your validation, but mu-icac-of-jaz-doad would not.

Ryan makes an excellent suggestion to replace password rules by an entropy estimator like Zxcvbn.

Read more

In this video Tom Scott explains why Chrome couldn't handle http://a/%%30%30 :

https://www.youtube.com/watch?v=0fw5Cyh21TE

Read more

In this excellent post Matthias explains why you can't put all your trust in cat when inspecting a file:

https://ma.ttias.be/terminal-escape-sequences-the-new-xss-for-linux-sysadmins/

Let's all agree to never trust anything that has been posted on the internet without very thorough inspection. And let's especially agree to never run an arbitrary command or script found on the internet, without really close inspection.

Read more

Garrett St. John wrote a clear example on how to use UUIDs in Eloquent models. This kind of logic could go in a trait so it can be reused across multiple models.

By default, Eloquent uses an auto-incrementing integer as the primary key for its tables. While most of the time this is totally acceptable, sometimes there is a need for primary keys to be less predictable.

EDIT: Kirk Bushell has made a trait for this functionality. Take a look at his Eloquence package on GitHub.

Read more