Posts tagged: http

Protecting node.js from BEAST TLS attack

By , Friday 7th June 2013 6:56 pm
Copyright Disney, I don't think they'll sue me. Thanks for the image.

After reading Eric Martindale's very useful blog post on "Mitigating TLS BEAST attack in node.js" I decided to implement this for pinitto.me in order to increase the security of the site.

After implementing the suggested code I then attempted to test the SSL setup via SSL Labs. Sadly the report came back showing that pinitto.me was still vulnerable to BEAST attacks.

A BEAST (Browser Exploit Against SSL/TLS) attack lets a third party who can observe the TLS traffic between a browser and a server, and who can also make the browser send chosen bytes over that same connection (for example through injected script), recover a secret such as the session cookie from the encrypted stream. It exploits a weakness in how SSL 3.0 and TLS 1.0 use CBC (cipher block chaining) mode: the last ciphertext block of one record is reused as the IV of the next record, so the attacker knows the IV before the next plaintext is encrypted and can mount a blockwise chosen-plaintext attack, testing one guess for one secret byte per injected block. The weakness was described in academic work in 2006 (and noted earlier), but a practical browser exploit was not demonstrated until Duong and Rizzo published BEAST in late 2011.

BEAST is not possible against TLS 1.1 or later, which give every record its own explicit, unpredictable IV, but as TLS 1.0 is currently the most widely deployed version, most unprotected servers are exposed. The server-side mitigation that SSL Labs checks for is to make sure a TLS 1.0 client is offered a non-CBC suite ahead of any CBC suite, which in practice means preferring RC4. Caveat from later years: RC4 itself has since been shown to be weak and is prohibited by RFC 7465 (2015), so on a current deployment the right fix is to disable TLS 1.0 rather than to prefer RC4.

The documentation on SSLLabs.com suggested a different set of ciphers to those suggested by Eric, and so after implementing these pinitto.me is now reported to not be vulnerable to these attacks, yay!

The code for setting up an HTTPS server on node.js therefore becomes:

var https = require('https')
  , fs = require('fs')

// Paths to the PEM files. The original reads them from a config object;
// here they are assumed to come from environment variables so this runs as-is.
var config = {
  ssl: {
    key: process.env.SSL_KEY_FILE,
    cert: process.env.SSL_CERT_FILE,
    ca: process.env.SSL_CA_FILE
  }
}

var options = {
   key: fs.readFileSync(config.ssl.key, 'utf8'),
   cert: fs.readFileSync(config.ssl.cert, 'utf8'),
   ca: fs.readFileSync(config.ssl.ca, 'utf8'),
   // SSL Labs' BEAST list: the first two suites are TLS 1.2-only, so a
   // TLS 1.0 client is offered RC4 before any CBC suite. (RC4 has since been
   // prohibited by RFC 7465; on a current Node, drop it and disable TLS 1.0.)
   ciphers: 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH',
   // Make the server's order win over the client's; without this the list
   // above does nothing for a client that prefers a CBC suite.
   honorCipherOrder: true
}

https.createServer(options, function (req, res) {
  res.writeHead(200)
  res.end("Hello World!")
}).listen(443)

Notes

Update a buddycloud channel when events take place on your github repository

By , Thursday 27th September 2012 7:40 pm

As of this evening it is now possible to have Github post to a buddycloud channel when a push is made to a repository. This allows you to get (almost) real-time repository change information in your buddycloud channels.

Background

I've talked about work I've done with buddycloud before, but briefly: buddycloud is an exciting new federated social network built upon open source and open standards. The buddycloud team has recently come back from San Francisco, where they were involved with Mozilla's WebFWD programme and got some great mentoring and guidance from luminaries in their fields. I don't think I really need to introduce github; they are awesome too :)

If you're not aware of them, github has a set of service hooks that, as a repository owner/admin, you can use to push event information (commits, pushes, pull requests, branching, etc.) to a third-party service. There's a whole set of services you can already push to, from Jenkins CI right through to Yammer, and now buddycloud!

If you have a service that you'd like to push event information to, github make the code available. All you have to do is fork the github-services repository, knock up some Ruby code and submit a pull request. Once it's been accepted you can then set up github to push information to your favourite information system each time something happens to your repository.

Continue reading 'Update a buddycloud channel when events take place on your github repository'»
