Posts tagged: node.js

Protecting node.js from BEAST TLS attack

By , Friday 7th June 2013 6:56 pm
Copyright Disney, I don't think they'll sue me. Thanks for the image.

After reading Eric Martindale's very useful blog post on "Mitigating TLS BEAST attack in node.js" I decided to implement this for pinitto.me in order to increase the security of the site.

After implementing the suggested code I then attempted to test the SSL setup via SSLLabs. Sadly the report came back showing that pinitto.me was still vulnerable to BEAST attacks.

BEAST (Browser Exploit Against SSL/TLS) is an attack in which a third party sitting between a browser and a server, and able to make the browser send chosen plaintext (for example via script it has injected into a page), can recover secrets such as session cookies from the encrypted stream. It exploits a weakness in how TLS 1.0 chains CBC (cipher block chaining) initialisation vectors from one record to the next, described back in 2006 but without a practical exploit until late 2011.

BEAST attacks are not possible on TLS 1.1 and later, which use a fresh explicit IV for every record, but TLS 1.0 is currently the most predominant version on the internet, so such attacks are possible against most unprotected servers.

The documentation on SSLLabs.com suggested a different set of ciphers to those suggested by Eric, and after implementing these pinitto.me is now reported to not be vulnerable to these attacks, yay!

The code for setting up an HTTPS server on node.js therefore becomes:

// Assumed: a config module holding the paths to the PEM files (not shown in the post).
var config = require('./config')
var https = require('https')
  , fs = require('fs')

var options = {
   key: fs.readFileSync(config.ssl.key, 'utf8'),
   cert: fs.readFileSync(config.ssl.cert, 'utf8'),
   ca: fs.readFileSync(config.ssl.ca, 'utf8'),
   // SSL Labs' 2013 list: a TLS 1.2-only CBC suite and an AEAD suite first, then RC4,
   // so a TLS 1.0 client never negotiates a CBC suite (the only kind BEAST affects).
   // RC4 has since been broken and prohibited (RFC 7465); today prefer refusing TLS 1.0
   // altogether (minVersion: 'TLSv1.2') rather than steering old clients onto RC4.
   ciphers: 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH',
   // Make the server's preference order win over the client's.
   honorCipherOrder: true
}

https.createServer(options, function (req, res) {
  res.writeHead(200)
  res.end("Hello World!")
}).listen(443)

Notes

Expose github README.md at a path using express middleware

By , Sunday 24th March 2013 10:33 pm

I’ve just published the first version of a new middleware package I’ve written to expose your project’s README.md via express.

To install simply run:

npm i --save express-middleware-readme.md


XMPP For the Web (XMPP-FTW)

By , Wednesday 20th March 2013 9:12 pm

I’d like to introduce you to my latest project XMPP-FTW. The name is a (hopefully) clever play on “For The Win” (FTW) but actually I call it “XMPP For The Web”.

Essentially XMPP-FTW tries to make XMPP in the browser as quick and painless as many of the other solutions for realtime web by translating XML to JSON and back and using named events to help fill in the missing pieces.

The project is open source and the code is available on github at XMPP-FTW source code, you can also view the manual or play with a demo on XMPP-FTW website.


New demo system for XMPP-FTW

By , Sunday 10th March 2013 6:39 pm

Originally seen on http://awesome-wildlife.blogspot.co.uk/2009/12/aardvark.html

I’ve spent most of the day writing a new demo system for XMPP-FTW and despite it looking ugly as sin (I am no god with design) I’m quite pleased with how it works, so I thought I’d write up a little piece about it…


Running your own open federated social network from your home for just $25

By , Monday 3rd September 2012 9:00 am

What is the RaspberryPi?

Raspberry Pi image from wikipedia – http://en.wikipedia.org/wiki/Raspberry_Pi

The Raspberry Pi is a small (credit card sized) computer which costs around the £25 mark. It was originally envisioned to help bring proper IT skills back to schools (rather than just how to use the Microsoft Office suite and the like), just as children of the 70s to 90s had when they were growing up (I just caught the tail end of it).

That meant the ability not only to see the hardware but to mess around with the software running it without fear of breaking it. I learned many of my computer skills from continually breaking my father's beloved PCs as a child and then hurriedly fixing them before he found out; I'm sure if I tried I could still run off some MSCDEX lines :)

These little devices have, since launch, been near impossible to get hold of on a short timescale, for they have been gobbled up by the developer community and those who remember playing with computers in the long distant past. There is a huge number of projects coming out using this little board and, more importantly, there are even 8-year-old kids writing their own programs (read: games) with it.

My first board is used to run a media server using xbian, but one of the projects I was really looking forward to was running the software for an open source project I help out on (professionally and personally) and getting my own open federated social network running from the depths of my basement (more on that below).

For more information please see: Raspberry Pi – About Us
