Category: Articles

Protecting node.js from BEAST TLS attack

By , Friday 7th June 2013 6:56 pm
Copyright Disney, I don't think they'll sue me. Thanks for the image.


After reading Eric Martindale's very useful blog post on "Mitigating TLS BEAST attack in node.js" I decided to implement this for pinitto.me in order to increase the security of the site.

After implementing the suggested code I then tested the SSL setup via SSLLabs. Sadly the report came back showing that pinitto.me was still vulnerable to BEAST attacks.

A BEAST (Browser Exploit Against SSL/TLS) attack is an attack in which a third party can silently decrypt communications between a browser and a server. It exploits a weakness in CBC (cipher block chaining) mode discovered back in 2006, for which a practical exploit was not found until late 2011.

BEAST attacks are not possible against TLS versions greater than 1.0, but as TLS 1.0 is currently the most widely deployed version on the internet, such attacks are possible against most unprotected servers.

The documentation on SSLLabs.com suggested a different set of ciphers to those suggested by Eric, and after implementing these pinitto.me is now reported as not vulnerable to these attacks, yey!

The code for setting up an HTTPS server on node.js therefore becomes:

var https = require('https')
  , fs = require('fs')

// config.ssl.* are the key, certificate and CA bundle paths from your
// application's own configuration (loaded elsewhere)
var options = {
   key: fs.readFileSync(config.ssl.key, 'utf8'),
   cert: fs.readFileSync(config.ssl.cert, 'utf8'),
   ca: fs.readFileSync(config.ssl.ca, 'utf8'),
   // OpenSSL cipher string recommended by SSLLabs at the time of writing
   ciphers: 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH',
   // use the server's order above rather than the client's preference
   honorCipherOrder: true
}

https.createServer(options, function (req, res) {
  res.writeHead(200)
  res.end("Hello World!")
}).listen(443)
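To see why the order of that cipher string and honorCipherOrder matter, here is a small simulation of cipher-suite negotiation. It is an added illustration, not code from the original post, from node.js or from OpenSSL: the suite table records only that the SHA256 and GCM suites are TLS 1.2-only, RC4 is a stream cipher and the rest are CBC, and the server preference list is a hand-made stand-in for OpenSSL's expansion of the post's cipher string (the RC4, HIGH and ! keywords are not expanded by the code; five suites are modelled). Client offers are constructed.

```javascript
// Simplified model of TLS cipher-suite negotiation (added illustration; not
// node's or OpenSSL's logic). Properties come from the suites' definitions.
const SUITES = {
  'ECDHE-RSA-AES128-SHA256': { minVersion: 1.2, mode: 'CBC' },    // TLS 1.2 only
  'AES128-GCM-SHA256':       { minVersion: 1.2, mode: 'AEAD' },   // TLS 1.2 only
  'RC4-SHA':                 { minVersion: 1.0, mode: 'stream' },
  'AES256-SHA':              { minVersion: 1.0, mode: 'CBC' },
  'AES128-SHA':              { minVersion: 1.0, mode: 'CBC' },
};

// Assumed hand expansion of the post's cipher string
// 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH'
// restricted to the suites in the table above (RC4-MD5 is dropped by !MD5).
const SERVER_PREFERENCE = [
  'ECDHE-RSA-AES128-SHA256', 'AES128-GCM-SHA256', 'RC4-SHA', 'AES256-SHA', 'AES128-SHA',
];

// Pick the suite both sides support, ordered by the server's list when
// honorCipherOrder is true and by the client's offer otherwise.
function negotiate(serverPrefs, clientOffer, version, honorCipherOrder) {
  const usable = name => SUITES[name] !== undefined && SUITES[name].minVersion <= version;
  const server = serverPrefs.filter(usable);
  const client = clientOffer.filter(usable);
  const [first, second] = honorCipherOrder ? [server, client] : [client, server];
  return first.find(name => second.includes(name)) || null;
}

// BEAST needs a CBC suite negotiated under TLS 1.0; TLS 1.1 and later are not affected.
function beastExposed(cipher, version) {
  return cipher !== null && version < 1.1 && SUITES[cipher].mode === 'CBC';
}

// Audit one handshake against the post's server configuration.
function audit(clientOffer, version, honorCipherOrder) {
  const cipher = negotiate(SERVER_PREFERENCE, clientOffer, version, honorCipherOrder);
  return { cipher, beastExposed: beastExposed(cipher, version) };
}

// Constructed client offers: a TLS 1.0 browser that prefers AES-CBC, and a
// TLS 1.2 client that also offers AES-GCM.
const tls10Client = ['AES128-SHA', 'AES256-SHA', 'RC4-SHA'];
const tls12Client = ['AES128-SHA', 'AES128-GCM-SHA256', 'RC4-SHA'];

console.log(audit(tls10Client, 1.0, true));   // server order wins: RC4-SHA, not exposed
console.log(audit(tls10Client, 1.0, false));  // client order wins: AES128-SHA, exposed
console.log(audit(tls12Client, 1.2, true));   // AES128-GCM-SHA256 under TLS 1.2
console.log(audit(['AES128-SHA'], 1.0, true)); // client offers only CBC: still exposed
```

With honorCipherOrder set, a TLS 1.0 client that lists AES128-SHA first is still steered to RC4-SHA, because the two suites ahead of it in the server's list are TLS 1.2-only and fall away. That is the trade-off the SSLLabs-era advice makes: RC4 is not a block cipher, so BEAST does not apply to it, but RC4 has since been prohibited for TLS by RFC 7465. The last case shows the limit of any server-side cipher ordering: a TLS 1.0 client that offers only CBC suites cannot be protected by ordering alone, which is why moving clients and servers to TLS 1.1 or later is the durable fix.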

Notes

XMPP-FTW now supports Superfeedr

By , Sunday 12th May 2013 5:07 pm

Summary

As of version 0.9.0 xmpp-ftw now supports the Superfeedr XMPP API. If you don’t know what Superfeedr is then read this shamelessly stolen description from Crunchbase:

Superfeedr fetches and parses RSS or Atom feeds on behalf of its users and then pushes them the new entries in these feeds. Superfeedr implements most of the current Real-time technologies and guarantees an entry detection time inferior to 15 min. Superfeedr has both an XMPP and a PubSubHubbub API.
Read more: http://www.crunchbase.com/company/superfeedr#ixzz2T6A0Grml

The XMPP-FTW interface to Superfeedr is built off their documentation which can be found here: http://superfeedr.com/documentation#pubsubhubbub.


Expose github README.md at a path using express middleware

By , Sunday 24th March 2013 10:33 pm

I’ve just published the first version of a new middleware package I’ve written to expose your project’s README.md via express.

To install simply run:

npm i --save express-middleware-readme.md


Talking at London Node User Group (LNUG) – February 2013

By , Wednesday 27th February 2013 8:18 pm

At the February London Node User Group (LNUG) I had a chance to speak about one of my new projects, pinitto.me. Pinitto.me is an open source infinite virtual corkboard application that I created over a weekend around Christmas to help with planning days for myself and colleagues at Surevine.


Oauth / Twitter Auth Adapter for Zend Framework

By , Saturday 23rd April 2011 3:57 pm

Work continues (slowly) on my new Twitter-based application. Over the next couple of bank holidays I hope to get the momentum going again on the project (in spite of the wonderful weather at present). Anyway, my next task was to create an authentication adapter for the Zend Framework. I had a working login implementation, but having a drop-in Auth adapter for Zend Framework seemed like an attractive proposal, so I created it.

(I'm not going to go through OAuth or registering your application with Twitter; there are hundreds of guides and it's a fairly straightforward process anyhow.)

“Sign in with Twitter” using Zend Framework

By , Thursday 17th March 2011 1:07 am

Despite all the Twitter hate at the moment, I've set out to create a new Twitter-based application. Being someone who manages several accounts (both personal and for my charity work) I've been needing a tool for some time that I'm only just getting around to writing (more of that in the near future).

I've read up on Zend_Oauth_Consumer and how it can be used to get authorisation for interacting with Twitter using OAuth. All well and good: I have my access key and I can merrily post away on a user's behalf. There are plenty of resources out there on how to do this so I won't bore people.

The next step was to allow people to return to the website, log in and modify their account. This is where I reached a slight problem. Using the code examples on websites meant that I'd have Twitter asking me for access authorisation again on each login, not good. Scanning through the framework I couldn't see anything which would allow me to just request authentication. That isn't to say it's not there, but there didn't seem to be an authentication mechanism that could be invoked without already knowing the access token.

The alternatives were to implement a site-based log in or somehow store the user’s access token on the client (encrypted of course). Neither of these seemed like a good/suitable solution.


Zend Certified Engineer (ZCE) 5.3

By , Thursday 30th September 2010 9:00 pm

With the official release of the Zend Certified Engineer (ZCE) programme for 5.3 I thought I'd give my quick impression of what I thought of the exam.

A little background on myself: I was first introduced to PHP about 7 years ago and have worked professionally in PHP since 2006. I currently work for an exciting start-up called Brightpearl based in Bristol, UK, producing integrated CRM, accountancy, and ecommerce software. I haven't previously obtained any of the earlier ZCE qualifications. I currently develop in the 5.2.X series and haven't really used any of the specific 5.3 features (I'm waiting for Zend Framework 2 and Doctrine 2) in my development projects.

Quick Start Symfony DI (Dependency Injection) Tutorial

By , Saturday 14th August 2010 2:21 pm

What is Dependency Injection (DI)?

Dependency injection is a technique that allows for loosely coupled objects within a software application. Generally, if an object requires access to the functionality of another, it would instantiate that object internally, leading to tightly coupled systems. By implementing dependency injection we instead inject the required objects ready for use (sometimes also referred to as inversion of control, IoC). Take the following example:

<?php
class DecisionMaker {
    public function makeDecision(array $parameters) {
        // The dependency is created here, inside the method, so this class
        // cannot be used (or tested) without a real DecisionParameters
        $dp = new DecisionParameters();
        $parameterScore = $dp->getScore($parameters);
        /* ... Some more decision logic ... */
        return ($parameterScore > 50);
    }
}

This piece of code is said to be tightly coupled to the DecisionParameters object. Rewriting the above in a loosely coupled fashion we'd have something like:

<?php
class DecisionMaker {
    private $_dp;
    // The dependency is passed in (injected) by whoever builds this object,
    // so a test can supply a stand-in DecisionParameters
    public function __construct(DecisionParameters $dp) {
        $this->_dp = $dp;
    }
    public function makeDecision(array $parameters) {
        $parameterScore = $this->_dp->getScore($parameters);
        /* ... Some more decision logic ... */
        return ($parameterScore > 50);
    }
}

Whilst gaining the benefits of loosely coupled code, we are adding complexity: each time an object is instantiated we also have to instantiate its dependencies and pass them in too. For example, this:

$choice = new DecisionMaker();
echo $choice->makeDecision(array('effort' => 'low', 'return' => 'high'));

now becomes:

$dp = new DecisionParameters();
$choice = new DecisionMaker($dp);
echo $choice->makeDecision(array('effort' => 'low', 'return' => 'high'));

This situation becomes more painful as the number of dependencies for a class increases, and what if the dependencies themselves have dependencies? This can quite quickly become an object administration nightmare! Enter dependency injection containers (or frameworks).
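The problem the last paragraph describes, dependencies that have their own dependencies, is what a container solves by building the object graph for you from a set of service definitions. Here is a minimal container doing exactly that for the DecisionMaker and DecisionParameters classes from the tutorial, written in JavaScript rather than PHP. It is an added illustration, not code from the tutorial or from Symfony's container; the scoring rule inside DecisionParameters, the service names and the Container class itself are all constructed for the example.

```javascript
// Minimal dependency-injection container (added illustration; not Symfony's).
// It resolves services by name, builds their dependencies first, shares one
// instance per service and refuses circular definitions.

class DecisionParameters {
  // Constructed scoring rule: a "high" parameter value scores 30, anything else 10.
  getScore(parameters) {
    return Object.values(parameters).reduce(
      (sum, value) => sum + (value === 'high' ? 30 : 10), 0);
  }
}

class DecisionMaker {
  constructor(dp) {
    this.dp = dp; // injected, never created here
  }
  makeDecision(parameters) {
    return this.dp.getScore(parameters) > 50;
  }
}

class Container {
  constructor() {
    this.definitions = new Map(); // name -> { deps, factory }
    this.instances = new Map();   // name -> shared instance
  }

  // Register a service with the names of the services it depends on and a
  // factory that receives the resolved dependencies in that order.
  register(name, deps, factory) {
    this.definitions.set(name, { deps, factory });
    return this;
  }

  // Resolve a service, recursively resolving its dependencies first.
  // `resolving` tracks the current resolution path to detect cycles.
  get(name, resolving = new Set()) {
    if (this.instances.has(name)) return this.instances.get(name);
    const def = this.definitions.get(name);
    if (def === undefined) throw new Error(`unknown service: ${name}`);
    if (resolving.has(name)) throw new Error(`circular dependency involving: ${name}`);
    resolving.add(name);
    const args = def.deps.map(dep => this.get(dep, resolving));
    resolving.delete(name);
    const instance = def.factory(...args);
    this.instances.set(name, instance); // shared (singleton) service
    return instance;
  }
}

// Wiring for the tutorial's two classes: the caller no longer constructs
// DecisionParameters by hand, the container does it once and injects it.
function buildContainer() {
  return new Container()
    .register('decisionParameters', [], () => new DecisionParameters())
    .register('decisionMaker', ['decisionParameters'], dp => new DecisionMaker(dp));
}

function decide(parameters) {
  return buildContainer().get('decisionMaker').makeDecision(parameters);
}

console.log(decide({ effort: 'low', return: 'high' })); // 40 > 50 -> false
console.log(decide({ effort: 'high', return: 'high' })); // 60 > 50 -> true
```

Adding a third level of dependency is now a matter of one more register call rather than another constructor argument at every call site, and the cycle check turns a definition error (A needs B, B needs A) into an immediate exception instead of infinite recursion at runtime.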

Naked Zend_Layout and Zend_View

By , Tuesday 10th August 2010 11:47 pm

In this article I look at using Zend_Layout and Zend_View along with a simple front controller to show how it is possible to start separating business logic and presentation within your application. All code is available on github: Naked Zend_Layout and Zend_View on GitHub.


Zend Framework Per Module Layout Settings – Follow Up

By , Tuesday 16th February 2010 8:48 pm

As a follow-up to my previous post on per-module layout settings for Zend Framework, I've updated the code to require less configuration than before (not that it required more than a few lines in your application configuration!).
