Wednesday, October 24. 2007
https with multiple certs on one IP
A long-standing problem with web security has been that an https host could not serve more than one certificate per IP address. The reason lies in the protocol design: the SSL/TLS connection, including the server's certificate, is established before the HTTP request with its Host header is sent, so at the moment the server has to choose a certificate it does not yet know which name the client wants. Name-based virtual hosting, which plain http takes for granted, therefore did not work for https.
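To make that ordering concrete, here is an added example written for this page, not code from the post or from OpenSSL, Apache or any browser. It builds a minimal TLS 1.0 ClientHello, optionally carrying the server_name extension (extension type 0, the Server Name Indication the post introduces next), and shows how a server-side parser reads the requested hostname out of that very first message, before any certificate has been sent. The hostnames and cipher suite values are constructed for the example, and the random field is zeroed, which a real client must never do.

```python
import struct
from typing import Optional

SNI_EXTENSION_TYPE = 0x0000   # server_name extension (RFC 3546, later RFC 6066)
NAME_TYPE_HOST_NAME = 0


def _sni_extension(hostname: str) -> bytes:
    """Encode one server_name extension holding a single host_name entry."""
    name = hostname.encode("idna")        # host names are IDNA ASCII on the wire
    entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def build_client_hello(hostname: Optional[str], cipher_suites=(0x002F, 0x0035)) -> bytes:
    """Constructed minimal TLS 1.0 ClientHello record; hostname=None gives a pre-SNI hello."""
    body = b"\x03\x01"                    # client_version: TLS 1.0
    body += b"\x00" * 32                  # random (constructed: all zero, never do this for real)
    body += b"\x00"                       # session_id: empty
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                   # compression_methods: [null]
    if hostname is not None:              # extensions block only when there is something to send
        ext = _sni_extension(hostname)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # ContentType handshake(22)


def _parse_server_name_list(data: bytes) -> Optional[str]:
    if len(data) < 2:
        raise ValueError("short server_name extension")
    (list_len,) = struct.unpack("!H", data[:2])
    q, end = 2, 2 + list_len
    if end > len(data):
        raise ValueError("server_name list overruns extension")
    while q + 3 <= end:
        name_type = data[q]
        (name_len,) = struct.unpack("!H", data[q + 1:q + 3])
        q += 3
        if q + name_len > end:
            raise ValueError("server_name entry overruns list")
        name = data[q:q + name_len]
        q += name_len
        if name_type == NAME_TYPE_HOST_NAME:
            return name.decode("ascii")
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name a ClientHello asks for, or None if the client sent no SNI.

    Raises ValueError for anything that is not a well-formed ClientHello record,
    which is what a server-side dispatcher should do instead of guessing.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body = hs[4:]
    if len(body) != int.from_bytes(hs[1:4], "big"):
        raise ValueError("handshake length mismatch")
    pos = 2 + 32                          # skip client_version and random
    if pos >= len(body):
        raise ValueError("truncated before session_id")
    pos += 1 + body[pos]                  # session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    if pos >= len(body):
        raise ValueError("truncated before compression_methods")
    pos += 1 + body[pos]
    if pos == len(body):
        return None                       # no extensions block at all: pre-extension client
    if pos + 2 > len(body):
        raise ValueError("truncated extensions length")
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions length does not match body")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("extension overruns extensions block")
        data = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXTENSION_TYPE:
            return _parse_server_name_list(data)
    return None


if __name__ == "__main__":
    for host in ("www.schokokeks.org", "www.hboeck.de", None):
        print(host, "->", extract_sni(build_client_hello(host)))
```

Two things the parser makes visible: the name is sent in the clear, so anyone on the path sees which of the virtual hosts a client is talking to, and a client that sends no extensions block at all (the None case) gives the server nothing to choose on, so the server can only fall back to a default certificate. From the command line, openssl s_client -connect host:443 -servername name (OpenSSL 0.9.8f or later) performs the same handshake and prints the certificate the server picked for that name.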
There is a solution though, called Server Name Indication (SNI), which is part of the TLS extensions: the client sends the desired hostname in its first handshake message, so the server can pick the matching certificate.

Strangely enough, client compatibility isn't that much of a problem. Firefox, Opera and IE already support it in their current versions (IE only on Windows Vista; IE 7 on Windows XP does not send SNI), Konqueror will with KDE 4, and I have no information on when it'll hit Safari. Oh, and I haven't tested w3m, lynx, links and wget yet, but if you want, feel free to add your experiences to the comments :-)

The problem was that until some weeks ago, OpenSSL didn't support SNI, Apache's mod_ssl didn't, lighttpd didn't. Only GnuTLS did, but mod_gnutls is considered unstable by its authors. With OpenSSL 0.9.8f, TLS extensions, and with them SNI, landed in OpenSSL; Apache still needs patches.

We've now implemented SNI on schokokeks.org, which you can test:

https://www.schokokeks.org/
https://www.hboeck.de/
https://www.fabian-fingerle.de/

If your browser supports SNI, you should see three different certificates, all served from the same IP. If it doesn't, you get the server's default certificate and a hostname mismatch warning for the other names. All certs are CAcert-signed; CAcert also has a Wiki page from the VhostTaskForce on SNI and the alternative solutions.

Compiz Fusion hits Gentoo
I know you've been waiting far too long for that. Now that Compiz and Compiz Fusion 0.6 are out, I've added them to portage.
The background: Compiz and Beryl, the two famous 3D compositing window managers for Linux, have joined forces. Main Compiz still resides in the package x11-wm/compiz; many additional plugins and tools are pulled in by the x11-wm/compiz-fusion metapackage. The ebuilds are all based on the xeffects overlay, with some cleanup by me. Happy window-wobbling!
Posted by Hanno Böck in Computer culture, English, Gentoo, Linux at 01:54
Tuesday, October 23. 2007
Planet freshed up
As you know, I'm using a planet (several blogs aggregated into one feed) as a kind of link list for my sidebar. I just bumped harvester to the latest svn, corrected some feed URLs and added gulli as another source for the sidebar news (sometimes quite interesting news). Besides, I wrote to some blog authors asking them to look into their invalid feeds. So you're going to see some more blogs aggregated again.
The planet uses harvester by astro. Short tip (although I mentioned this before): you can check whether your feed is well-formed by executing

wget -O - -q http://hboeck.de/feeds/atom10.xml | xmllint --noout -

xmllint --noout prints nothing on success and reports parse errors otherwise. It only checks that the document is well-formed XML, not that the feed follows the Atom or RSS specification, but broken XML is the most common reason a feed stops being aggregated.

Thursday, October 18. 2007
freewvs released
One of the biggest threats in computer security today is web applications. There's a vast number of issues found in popular web apps, mostly cross-site scripting, cross-site request forgery and SQL injection. For a long time I had the idea of a tool scanning through webroots, looking for popular web applications and comparing the versions found with a database of their latest security issues. In the past weeks, I finally managed to get some code done.
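The core of such a scanner is small. Here is an added example, written for this page and not freewvs's own code, in the same language as freewvs. It walks the given webroots, identifies an application by a marker file and a regex that captures its version, and reports the installation when that version is older than the first fixed release, or when no fixed release is recorded at all. The signature database is constructed for the example: the Drupal entry reads VERSION from modules/system/system.module, where Drupal 5.x defines it, and reuses the CVE the post lists for Drupal 5.3; »ExampleGallery« and its advisory ID are hypothetical. make_sample_webroot builds a throwaway directory tree so the script runs offline.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    app: str
    marker: str      # file, relative to the app root, that identifies the app
    pattern: str     # regex whose first group captures the version string
    fixed: str       # first fixed version; "" means no fixed release is known
    advisory: str    # CVE ID, other identifier, or URL


@dataclass(frozen=True)
class Finding:
    app: str
    version: str
    fixed: str
    advisory: str
    path: str

    def __str__(self) -> str:
        # same shape as the freewvs output shown in the post
        return f"{self.app} {self.version} ({self.fixed}) {self.advisory} {self.path}"


# Constructed signature database for this example (the real freewvs ships its own).
SIGNATURES: List[Signature] = [
    Signature("Drupal", "modules/system/system.module",
              r"define\('VERSION',\s*'([0-9.]+)'\)", "5.3", "CVE-2007-5416"),
    Signature("ExampleGallery", "include/version.php",          # hypothetical application
              r"\$version\s*=\s*'([0-9.]+)'", "", "EXAMPLE-2007-0001"),
]


def version_tuple(v: str) -> Tuple[int, ...]:
    """'2.4.3' -> (2, 4, 3); anything non-numeric is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(found: str, fixed: str) -> bool:
    """True when the found version predates the first fixed release."""
    if not fixed:                     # no fixed release recorded: every version is affected
        return True
    a, b = version_tuple(found), version_tuple(fixed)
    n = max(len(a), len(b))           # pad so that 5.1 and 5.1.0 compare equal
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def detect(app_root: str, sig: Signature) -> Optional[str]:
    """Return the version string if app_root looks like an install of sig.app."""
    marker = os.path.join(app_root, sig.marker)
    if not os.path.isfile(marker):
        return None
    with open(marker, "r", errors="replace") as fh:
        m = re.search(sig.pattern, fh.read())
    return m.group(1) if m else None


def scan(roots, signatures=SIGNATURES) -> List[Finding]:
    """Walk every directory below each root and test every signature against it."""
    findings: List[Finding] = []
    for root in roots:
        for dirpath, _dirs, _files in os.walk(root):
            for sig in signatures:
                version = detect(dirpath, sig)
                if version is not None and is_vulnerable(version, sig.fixed):
                    findings.append(Finding(sig.app, version, sig.fixed, sig.advisory, dirpath))
    return findings


def make_sample_webroot() -> str:
    """Constructed tree: a vulnerable Drupal 5.1, a patched 5.3 and the hypothetical gallery."""
    base = tempfile.mkdtemp(prefix="freewvs-example-")
    files = {
        "drupal/modules/system/system.module": "<?php\ndefine('VERSION', '5.1');\n",
        "drupal-new/modules/system/system.module": "<?php\ndefine('VERSION', '5.3');\n",
        "gallery/include/version.php": "<?php\n$version = '1.5.1';\n",
    }
    for rel, content in files.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    for finding in scan([make_sample_webroot()]):
        print(finding)
```

A version comparison only sees what the version string says: a distribution package that backports a fix keeps the old string and will be reported, and an application that does not expose its version at all is missed. Findings from this kind of scan are leads to verify against the actual patch level, not verdicts.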
It's a quite simple Python script (don't cry about the source quality, I haven't done real coding for ages), together with a database of some popular applications. I'm looking forward to hearing feedback. The usage is simple, just do something like this:

freewvs /home/joe/websites/foo /home/guest/websites/bar

Typical output looks like this:

WebsiteBaker 2.4.3 (2.6.5) CVE-2007-0527 /home/hanno/freewvs/test/websitebaker
Drupal 5.1 (5.3) CVE-2007-5416 /home/hanno/freewvs/test/drupal
PhpWebGallery 1.5.1 () CVE-2007-5012 /home/hanno/freewvs/test/phpwebgallery

Mostly self-explanatory: the detected application and its version first, the version in which the issue was fixed in parentheses (empty, as for PhpWebGallery above, when the database records no fixed version), the CVE ID (or some other vulnerability ID, if in doubt a URL) and the path. The biggest work to do is probably to get more applications added to the database and to keep it updated. Its format is pretty self-explanatory, so I'm waiting for your patches.

Get it here: https://freewvs.schokokeks.org/

Monday, October 15. 2007
Free documentary about free software
Today I found a note about the movie The Codebreakers. It's a freely licensed (CC BY-SA) documentary about free software in developing countries.
It brings up different examples about successful usage of free software in different parts of the world. Worth watching.
Posted by Hanno Böck in Code, Copyright, English, Gentoo, Linux, Movies, Politics at 02:14
Tags: creativecommons, developingworld, freeculture, freesoftware, linux, movie
Monday, October 1. 2007
Advanced Hardware-Hacking
Recently, I did a bit of »modding« to my homeserver (an old P30 laptop, you may know that if you're regularly reading this blog).
I removed the case, which enabled me to remove some unneeded hardware to save energy. The touchpad, the internal modem and the front LEDs could easily be disconnected. The sound card and the wireless card could also be removed, but they'll stay: the WLAN will become a FreiFunk node (stupid question: what's the English term for Freifunk?), and the sound card makes it a perfect web radio player (and, for their mini size, the quality of the speakers is quite acceptable).

Besides, the whole system now runs from a memory stick. A HD is still attached, but not used in normal operation. It tended to spin up without a reason, until I noticed that I still had smartd running. Now, the nice thing is that this device is completely silent as long as I don't use the HD. Even if I run compile processes, the processor fan doesn't run. Apparently passive airflow is sufficient to cool a Pentium M.

Another attractive feature is that I have three freely usable ACPI buttons, plus the three normal LEDs (caps, num, scroll). 3 LEDs, that makes 8 different LED status combinations. My plan is now to use the three buttons: have 8 pre-programmed web radio channels and use one button for start/stop, one for switching channels. One is still left for creative purposes; volume control would be obvious, but that doesn't make much sense with one button. An idea would be to use the WLAN button and find a way to disable its ability to switch the WLAN card on/off (at least a simple/hacky approach would be setting it back on as soon as it's switched off). But that's not implemented yet, so don't ask for it. I'll publish it as soon as I've done that.

Saturday, September 8. 2007
Make Gentoo OSM-ready
I recently added some stuff to gentoo for openstreetmap and gps-related work.
For one, the Java OpenStreetMap editor josm now has ebuilds: josm and josm-plugins. The first only installs the program itself plus language packs, the second installs most of the josm plugins available; they can be enabled within the configuration. I was a bit unsure how to handle it, as I first thought about adding some basic plugins to the josm package itself. But as opinions on what »basic« plugins are seem to differ a lot, I decided to do it this way.

Another new package is gebabbel, a GUI frontend for gpsbabel. gpsbabel is a command-line tool that implements various proprietary GPS coordinate formats and allows access to many GPS devices (e.g. Garmin). Besides, it can be used to filter and convert GPS tracks.

More to come. Probably also interesting stuff in portage is gpsdrive (which has some OSM stuff in svn, but not yet in a release) and marble (world-view tool for KDE, OSM support is planned within the next months). Other stuff not yet in portage that I plan to package in the future: tiles@home, qlandkarte, mapnik and probably everything it takes to run an OSM server.

A bit off-topic, as Gentoo doesn't run on mobiles (yet): Mobile Trail Explorer is the only free (as in freedom) software I found for J2ME mobiles to create GPS tracks. It's a bit alpha, lacking some features and unstable, but it's free, so I hope it'll become better soon. It's a cheap way to get GPS tracks, assuming that you already have a Java/Bluetooth mobile; you can get a GPS mouse starting at about 50 €.

If you have more suggestions for GPS/OSM-related stuff, feel free to open requests on the Gentoo bugzilla and add me to the CC.
Posted by Hanno Böck in Code, English, Gentoo, Linux at 15:51
Tags: gebabbel, gentoo, gps, gpsbabel, josm, mobiletrailexplorer, openstreetmap
Monday, August 20. 2007
»Murrhardt West« in OpenStreetMap
Today I managed to map the last few streets missing in the »west« part of my hometown. I was very active in the last days, and it is a lot of fun (and good for my health, driving up and down the mountains).
Besides being addictive, OSM also seems to be contagious. A friend of mine started mapping the nice city of Veringenstadt (ok, to be honest, I've never been there), and another one can't wait to get his hands on his own GPS device to continue mapping Köchersberg.

My next plans for OSM are:
a) map the rest of Murrhardt (at least the inner part)
b) get some more GPS/OSM-related stuff into Gentoo (josm, tiles@home)
Posted by Hanno Böck in Computer culture, English, Gentoo, Life, Linux at 22:17
Sunday, August 19. 2007
Welcome a new Gentoo Dev: Christian Hoffmann
I'm happy to announce that I mentored Christian Hoffmann to become a new Gentoo Developer.
Christian did some PHP security work for Gentoo recently, which is very important given the high number of security issues PHP has had lately. Welcome aboard, and keep up the good work.

Monday, August 13. 2007
TV-Out for radeon r200/r300 cards
Maybe you've read that I did some coordination on relicensing the old GATOS TV-out code to make inclusion into the radeon driver possible (GATOS was GPL-licensed, while X.org uses the MIT license).
Now, shortly after that, Alex Deucher started implementing TV-out in the randr-1.2 branch of the ati driver based on that code. RandR 1.2 is the new and shiny stuff that will make future versions of X.org manage resolutions and output connectors much better. As you can see on the picture, today I played around with the new code and got it working (get the Gentoo git ebuild here).

As a short howto: on some cards (including mine), autodetection of the connector status doesn't work yet, so you'll have to add the mode to the connector manually:

xrandr --addmode S-video 800x600

This is especially exciting as it is the last feature of my laptop that was missing for »full Linux compatibility« (some minor issues are left: the card reader only reads SD at the moment, and the modem needs a binary driver).

Friday, July 13. 2007
More XSS
I thought I'd give you some more (all have been informed months ago):
http://thepiratebay.org/search/"><script>alert(1)</script>
http://www.gruene.de/cms/default/dok/144/144640.dokumentsuche.htm?execute=1&suche_voll_starten=1&volltext_suchbegriff="><script>alert(1)</script>
http://www.terions.de/index_whois.php?ddomain="><script>alert(1)</script>
http://www.eselfilme.com/newsletter/newsletter.php?action=sign&email="><script>alert(1)</script>
http://www.region-stuttgart.de/sixcms/rs_suche/?_suche="><script>alert(1)</script>
http://reports.internic.net/cgi/whois?whois_nic="><script>alert(1)</script>&type=domain

Thursday, July 12. 2007
XSS on helma/gobi
I still have some unresolved XSS vulnerabilities around. It seems to be common practice for many web application developers and web designers to ignore such reports.
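The probing routine these XSS posts rely on (put a common string into a form field or URL parameter and see whether the page echoes it back unescaped) can be automated. Here is an added example written for this page, not code from the posts or from any of the sites or projects named. The two search handlers are hypothetical: one concatenates the parameter straight into the markup, the other passes it through html.escape first. They stand in for a remote page; in a real scanner the handler would be an HTTP fetch of the target URL with the modified query string. The URL in the usage check uses the reserved host example.invalid.

```python
import html
import secrets
from typing import Callable, Dict
from urllib.parse import parse_qs, urlsplit

Params = Dict[str, str]
Handler = Callable[[Params], str]   # stands in for fetching the page over HTTP


def vulnerable_search(params: Params) -> str:
    """Hypothetical search page with the bug the posts report: raw input in markup."""
    q = params.get("q", "")
    return f'<form><input name="q" value="{q}"></form><p>Results for {q}</p>'


def hardened_search(params: Params) -> str:
    """Same page, with the parameter HTML-escaped (quotes included) before use."""
    q = html.escape(params.get("q", ""), quote=True)
    return f'<form><input name="q" value="{q}"></form><p>Results for {q}</p>'


def params_from_url(url: str) -> Params:
    """Split a URL like the ones in the posts into its query parameters (first value each)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def make_payload(token: str) -> str:
    # Same shape as the posts' "><script>alert(1)</script>: close the attribute and the
    # tag, then open a new one. A random tag name instead of <script> fires nothing on
    # the target and is unique per probe, so a cached page cannot produce a false hit.
    return f'"><{token}>'


def classify(body: str, token: str) -> str:
    """Three-way verdict on one response."""
    if make_payload(token) in body:
        return "reflected-unescaped"     # quote and angle brackets survived: injectable
    if token in body:
        return "reflected-escaped"       # echoed, but the delimiters were neutralised
    return "not-reflected"


def probe(handler: Handler, params: Params, param: str) -> str:
    """Probe one parameter, keeping all others at their original values."""
    token = "x" + secrets.token_hex(4)   # fresh per request; hex digits are a valid tag name
    trial = dict(params)
    trial[param] = make_payload(token)
    return classify(handler(trial), token)


def probe_all(handler: Handler, params: Params) -> Dict[str, str]:
    return {p: probe(handler, params, p) for p in params}


if __name__ == "__main__":
    params = params_from_url("http://example.invalid/search.php?execute=1&q=foo")
    print("vulnerable:", probe_all(vulnerable_search, params))
    print("hardened:  ", probe_all(hardened_search, params))
```

The verdict is a first pass, not a proof either way: »reflected-escaped« only says that the HTML delimiters were neutralised, and the same escaping is not enough when the value lands inside a script block or an unquoted attribute, while »not-reflected« says nothing about stored XSS that surfaces on a different page. Anything flagged as unescaped is the case the posts describe and is worth a manual check with the real payload before reporting.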
This time we have gobi, a CMS based on the quite popular JavaScript application server Helma: http://int21.de/cve/CVE-2007-3693-gobi.txt

More to come. As this XSS stuff is far too easy (try some common strings in web forms, inform the author, publish some weeks later), I'm thinking about some kind of automated mechanism to search for and report those vulnerabilities.

Friday, June 22. 2007
OpenStreetMap looking into the future
On osm-dev, there was a discussion how to name the download location for the whole data. Some people seem to think forward:
»Since there is more than one planet, and someone might want to map the canals of Mars one day, I think we should call our planet by its proper name. +1 for earth.«

(Now, the real reason is that there was a discussion about having a Planet OSM for blog aggregation.)

Sunday, June 17. 2007
How good security works
I recently wrote that I'm sometimes a bit unhappy with how security issues are handled in free software projects.
Now, to have some contrast, today I'll talk about an example of how to do it right. Serendipity, the software I'm using to host this blog, had an SQL injection vulnerability. On the same day, they announced it and provided updated packages, and the finder of the vulnerability is credited. Now, it only allows extracting password hashes; many other projects would probably have treated this vulnerability as »low-impact« or something like that. But beyond that, they also provide some tips on how to check whether the vulnerability has already been exploited and suggest changing user passwords.

A while back, there was another vulnerability reported in Serendipity. The authors said they didn't think it was really a vulnerability and that it probably couldn't be used for anything evil. But an update was released and announced anyway, just to be sure.

Now, that's good security work. That Serendipity has very few vulnerabilities at all is already very good. That they treat the few ones properly is even better. Some other projects should have a look at that.
Posted by Hanno Böck in Code, English, Gentoo, Linux, Security, Webdesign at 23:51
Thursday, June 14. 2007
Pictures of G8-Protest in Heiligendamm
Finally I managed to upload some pictures of the protest at the g8-summit in heiligendamm.
Due to some damn circumstances, I deleted a bunch of images. Some of them could be restored using The Sleuth Kit, a great forensic toolkit (not really easy to use, but powerful). Some more pictures (of the police action against the media activists' bus) are uploaded at indymedia.