Thu, 29 Nov 2012
Secure Login at Alza.CZ
Here is how the "secure" login works at alza.cz, one of the biggest e-shops in the Czech Republic:
In the login form, the user can click a link named "SSL", which leads to an SSL-encrypted page with an alternative login form. The problem is that this page apparently sends the login form data unencrypted, so using SSL to display the login form is completely pointless.
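An added check (not code from the post or from alza.cz) for the kind of downgrade described above: given the URL a login page was served from and its HTML, list every form whose action would submit over plain HTTP. The page URL and markup are constructed. A check on the markup only sees form actions; credentials sent by script (XHR, as dan's reply below observes) have to be inspected in the browser's network view instead.

```perl
# Added example, not the post's code: flag <form> elements on a page that
# would send their submission over plain HTTP. The sample page URL and
# HTML below are constructed for the demo; they are not alza.cz's markup.
use strict;
use warnings;

# Scheme a form action resolves to when submitted from $page_url.
# An absolute action carries its own scheme; a relative or
# protocol-relative ("//host/path") action inherits the page's scheme.
sub action_scheme {
    my ($page_url, $action) = @_;
    my ($page_scheme) = $page_url =~ m{^([a-z][a-z0-9+.-]*):}i;
    if (defined $action && $action =~ m{^([a-z][a-z0-9+.-]*):}i) {
        return lc $1;
    }
    return lc $page_scheme;
}

# Return [action, scheme] pairs for every form that would post over http.
# A regex is enough for this demo; real pages deserve an HTML parser.
sub insecure_forms {
    my ($page_url, $html) = @_;
    my @bad;
    while ($html =~ m{<form\b([^>]*)>}gi) {
        my $attrs = $1;
        my ($action) = $attrs =~ m{\baction\s*=\s*["']?([^"'\s>]*)}i;
        my $scheme = action_scheme($page_url, $action);
        push @bad, [ $action // '(same page)', $scheme ] if $scheme eq 'http';
    }
    return @bad;
}

# Constructed sample: a login page served over HTTPS with three forms,
# of which only the first one downgrades the submission to http.
my $page_url = 'https://www.example.com/login-ssl';
my $html = <<'HTML';
<form method="post" action="http://www.example.com/login">credentials</form>
<form method="post" action="/login">relative, stays https</form>
<form method="post" action="//www.example.com/login">protocol-relative</form>
HTML

for my $form (insecure_forms($page_url, $html)) {
    print "form action $form->[0] would submit credentials over $form->[1]\n";
}
```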
3 replies for this story:
dan wrote:
I agree, their login form is weird. I checked it with firebug and fortunately the credentials are not sent over in plaintext - it's still HTTPS. It seems that something in the way they are sending them confuses the browser - they are not using a standard HTML form, they are sending the credentials using XHR request. The login doesn't even work with JS turned off.
toto wrote:
You're one to talk... fix your CSS instead. http://imgur.com/PBm7C
Yenya wrote: Re: toto
Well, the "official" URL of my blog does not start with https, so it is not my problem that it contains http-only images or whatever when accessed over https. Also, there are no private data sent over the net during communication with my blog (as opposed to Alza.cz).
Wed, 28 Nov 2012
SOAP::Lite
Today's daily WTF goes to the SOAP::Lite CPAN package and its non-configurability and mis-design.
For example, look at this:
HTTP Basic authentication is accomplished by overriding the get_basic_credentials subroutine in LWP::UserAgent (of which SOAP::Transport::HTTP::Client is a subclass):

    BEGIN {
        sub SOAP::Transport::HTTP::Client::get_basic_credentials {
            return 'username' => 'password';
        }
    }
So apparently the only way to use Basic authentication is to override a global function in some foreign namespace. And what to do when I want to use two SOAP servers with two sets of credentials inside a single application?
There are more similar "features" in SOAP::Lite. For example, tracing can only be set up globally at compile time, or by manually calling ->import().
My dear lazyweb, is there a SOAP module with cleaner design?
UPDATE 2012/11/28: Tracing
FWIW, it is probably easier and cleaner to do both basic authentication and tracing at the transport level. The transport module here is LWP::UserAgent (thanks Adelton for the hint!), so for example the handlers described in the LWP::UserAgent manpage work:

    $soap->transport->add_handler(
        request_prepare => sub { shift->authorization_basic($login, $pass); },
    );
    $soap->transport->add_handler(
        request_send => sub { print STDERR shift->content; },
    );
    $soap->transport->add_handler(
        response_done => sub { print STDERR shift->content; },
    );
I wonder why the SOAP::Lite manpages suggest such dirty ways of handling this (and I have not even started mentioning things like the $SOAP::Transport::HTTP::Client::USERAGENT_CLASS global variable; ugh).
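An added example (not from the post or from the SOAP::Lite distribution) of the transport-level approach, carried through to the two-servers case raised earlier in the post: two SOAP::Lite clients in one process, each with its own Basic credentials and its own trace handlers. The endpoint URLs, credentials and the "ping" method are placeholders.

```perl
# Added example, not from the post or from SOAP::Lite: two clients in one
# process, each with its own Basic credentials and its own trace handlers,
# all attached at the transport (LWP::UserAgent) level. The endpoint URLs,
# credentials and the "ping" method are placeholders.
use strict;
use warnings;
use SOAP::Lite;

# Build a client whose transport adds the given credentials to every
# request it sends; nothing global in SOAP::Transport::HTTP::Client is touched.
sub make_client {
    my ($proxy_url, $login, $pass, $trace) = @_;
    my $soap = SOAP::Lite->new(proxy => $proxy_url);

    # request_prepare receives the HTTP::Request before it goes out.
    $soap->transport->add_handler(
        request_prepare => sub {
            my ($request) = @_;
            $request->authorization_basic($login, $pass);
        },
    );
    if ($trace) {
        # Only the SOAP bodies are logged; the headers (and with them the
        # Authorization header) stay out of the trace output.
        $soap->transport->add_handler(
            request_send => sub { print STDERR "--> ", shift->content, "\n" },
        );
        $soap->transport->add_handler(
            response_done => sub { print STDERR "<-- ", shift->content, "\n" },
        );
    }
    return $soap;
}

# Two services, two credential sets, one application.
my $svc_a = make_client('https://service-a.example/soap', 'user_a', 'secret_a', 1);
my $svc_b = make_client('https://service-b.example/soap', 'user_b', 'secret_b', 0);

# Each call carries only its own client's credentials.
for my $pair ([A => $svc_a], [B => $svc_b]) {
    my ($name, $svc) = @$pair;
    my $som = eval { $svc->call('ping') };
    if (!ref $som) { print "$name: transport error: ", $@ || $som // '', "\n"; next }
    print "$name: ", ($som->fault ? $som->faultstring : $som->result // ''), "\n";
}
```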
3 replies for this story:
Adelton wrote:
From man page: Because "SOAP::Client" inherits from "LWP::UserAgent", you can use any of "LWP::UserAgent"'s proxy settings. Can't you really apply the same to the ->credentials call? Eg, $soap->transport->credentials($netloc, $realm, $uname, $pass); ?
Adelton wrote:
By the way, who is holding a gun to your head to force you to use SOAP?
Yenya wrote: Re: Adelton
Well, why TF do they have "redefine the get_basic_credential" in the POD as their preferred way of handling basic auth then? (ISDS is the gun holder there, but fortunately this is not my job, I just tried to help one of my colleagues :-)
Tue, 27 Nov 2012
Cookies Auth and 403 Forbidden
In IS MU we have recently abandoned HTTP basic authentication and replaced it with cookie-based authentication. The main reason was that there is no portable way of logging out of basic authentication. So I have based our new solution on Apache2::AuthCookie. The problem is that it does not work correctly with some clients because of the way the login form is handled.
When a not-yet-authenticated user accesses a URL for authenticated users only, Apache2::AuthCookie returns an HTTP response with the "403 Forbidden" status code and a text/html body containing the login form. That way, the client cannot possibly be led into the false assumption that the page it just received is in fact the content it wanted to receive.
So the user fills in the login form and submits it, and the server returns the real page for that URL, this time with the "200 OK" status code.
This approach seems to be correct (even after reading RFC 2616 :-). However, we observe problems with the following two use cases:
- Nokia Symbian-based phones. After receiving 403 from the server, they display their own error message, and ignore the returned HTML altogether (except for the page background :-).
- Microsoft Word. When a link to the authenticated page is embedded inside a Word document and the user Ctrl+clicks it, Word apparently starts MSIE to get the page. However, in this special case MSIE does not display the login form after getting the 403 status, but reports the error to its caller (MS Word) instead. So Word displays a generic error pop-up to the user, without the user being able to log in.
What to do now? The problem is clearly in the HTTP status code 403, and in its mis-interpretation by some clients. I don't want to return the login form in a 200 OK response, because I need e.g. the web crawlers to know that this is not actually the page they tried to access. As for Symbian, they can be clearly identified by their User-Agent string, so I can return 200 OK only for them. But as for MS Word, I have no clue: what I see is the request made by MSIE (and again, I probably don't want to return 200 OK to every unauthenticated MSIE request).
Any other suggestions, my dear lazyweb?
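The flow described above, as an added example that is not the post's nor Apache2::AuthCookie's code: a protected URL that answers 403 plus the login form to unauthenticated clients (200 only for the Symbian User-Agents singled out above), and a login action that sets a signed cookie and redirects back to the original URL. Requests and responses are plain hashes so it runs without Apache; the secret key, user table, cookie format and User-Agent pattern are assumptions.

```perl
# Added example, not the post's code: the 403 / login / 302 flow modelled
# with plain hashes so it runs without Apache. The key, user table,
# cookie format and the Symbian User-Agent pattern are assumptions.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
my $SECRET = 'demo-key-replace-with-a-random-server-side-secret';  # assumption
my %USERS  = ( alice => 'correct horse battery staple' );           # constructed
# Cookie value is "user:hmac(user)"; the user name is trusted only after
# the MAC verifies, so a client cannot forge a cookie for someone else.
sub make_cookie { my ($u) = @_; return "$u:" . hmac_sha256_hex($u, $SECRET) }
sub cookie_user {
    my ($cookie) = @_;
    return undef unless defined $cookie && $cookie =~ /^([^:]+):([0-9a-f]{64})$/;
    my ($name, $mac) = ($1, $2);
    return hmac_sha256_hex($name, $SECRET) eq $mac ? $name : undef;
}
# Protected URL: a valid cookie gets the real page with 200; anything else
# gets the login form with 403, so the client cannot mistake the form for
# the page. Symbian browsers discard 403 bodies, so they alone get 200.
sub protected_page {
    my ($req) = @_;
    my $user = cookie_user($req->{cookie});
    return { status => 200, body => "private page for $user" } if defined $user;
    my $status = ($req->{user_agent} // '') =~ /SymbianOS/i ? 200 : 403;
    return {
        status  => $status,
        headers => { 'Cache-Control' => 'no-store' },   # the form must never be cached as the page
        body    => '<form method="post" action="/login">...</form>',
    };
}
# Login action: correct credentials set the signed cookie and 302 back to
# the originally requested URL; anything else gets 403 and no cookie.
sub login_action {
    my ($req) = @_;
    my ($u, $p, $dest) = @{$req}{qw(user pass dest)};
    return { status => 403, body => 'login failed' }
        unless defined $u && exists $USERS{$u} && ($p // '') eq $USERS{$u};
    return { status => 302, headers => {
        Location     => $dest // '/',
        'Set-Cookie' => 'auth=' . make_cookie($u) . '; HttpOnly; Secure; Path=/',
    } };
}
# Walk the flow once with constructed requests: form, login, then the page.
my $first  = protected_page({ user_agent => 'Mozilla/5.0' });
my $login  = login_action({ user => 'alice', pass => 'correct horse battery staple', dest => '/private' });
my ($cookie) = $login->{headers}{'Set-Cookie'} =~ /^auth=([^;]+)/;
my $second = protected_page({ user_agent => 'Mozilla/5.0', cookie => $cookie });
printf "%d -> %d -> %d\n", $first->{status}, $login->{status}, $second->{status};
```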
2 replies for this story:
Adelton wrote:
I'm not sure about that 403: "Authorization will not help and the request SHOULD NOT be repeated". Since you are using cookies for something it's not technically supposed to be used (authentication), I wouldn't worry about that 200 that much. I'd either make it 200 or 302 to some login page, ideally with some Pragma: no-cache so that spiders don't index/cache it.
Yenya wrote: Re: Adelton
Well, the request after 403 is not repeated (by the browser itself). Apache2::AuthCookie returns a login form in that request, and the action of this form is some different URL (which, by coincidence, returns 302 to the original URL, if correct credentials are submitted). So I still think 403 is a perfectly legal way of returning the login form.
Tue, 20 Nov 2012
SMD Soldering
For the first time in my life, I have tried to solder SMD components (as I have written before, I am working on DIY LED lights for my bike). The component side looks OK, and soldering through-hole components went without problems. The SMD parts were a bit tricky, though.
I have used an ordinary soldering station with temperature regulation, but the results are not pretty. I wonder what is required to achieve this level of quality (watch from 14:10). One possible problem might be that some components on my board (especially the smallest sensing resistors) are connected to the highest-current and thus thickest paths, which suck great amounts of thermal energy when soldering.
Anyway, from the preliminary testing, it seems that my board works. So far I have found the following problems:
- The programming connector is bigger than I expected. I have solved this by using the angled variant instead, and adjusting it with a knife :-)
- The silk layer labels marking the polarity of components (electrolytic capacitors, diodes, etc.) can be placed under the components, except for the labels of connectors, which are needed even after the components are soldered!
- I should have added low-pass filters to the A/D converter inputs, at least for the feedback of the PWM-regulated converters. I think I would be able to overcome this in the firmware, though.
- Next time, I would probably design the board with round corners :-)
Now it's time to finish the firmware and to start adjusting the mechanical parts. I have already made the front spotlight and rear spotlight, and I want to make an LED string. Any tips about making a waterproof LED string out of 3mm through-hole LEDs will be appreciated. Should I use silicone, shrink-wrap tube, or what?
0 replies for this story:
Thu, 15 Nov 2012
Printed Circuit Boards
For my bike lights I needed a PCB. Out of several services for manufacturing PCBs, I have chosen Itead Studio PCB prototyping service (the other candidate was Seeed studio). Here are the preliminary results:
I have placed my order on October 29th in the evening (Central European Time); according to Hong Kong Post, the package was received by them on November 7th, it left Hong Kong on November 11th, and I have received it today, on November 15th.
They also have an interesting "Open source" program: the customer declares that his design is open source (mine is anyway), they make a few more boards in addition to those the customer has ordered, and they send them to their other customers. The original customer gets his ordered boards, and in addition to that, two more boards from other open source projects. I have in fact got their demo board (on the right side), and one open source board (the white one). Apparently, it is an Arduino 512KB SRAM expansion board. I currently don't use Arduino, so if any Arduino user is interested in this PCB, just let me know.
Okay, now it's time to take a soldering iron and play more with the hardware :-)
0 replies for this story:
Mon, 12 Nov 2012
Desktop Environment-Specific Apps
I have recently come across this two-year-old bug report, filed in the bug tracker of Transmission (a BitTorrent client), where a GNOME developer suggests removing the notification area icon from the application on the basis that GNOME 3 does not support the notification area at all.
So if I understand it correctly, we are now living in a world where all GUI applications have to depend on a particular desktop environment, and it should no longer be supported to run - say - Transmission under XFCE, or GIMP under KDE, at least according to GNOME developers. "We GNOMErs do not support notification area icons, so this application should not use it" (even though the application is not used exclusively under GNOME)? Where are the freedesktop.org cross-DE interoperability recommendations?
That said, the notification area as such sucks - what I liked most was the original approach of X11: using on-desktop icons for minimized applications (instead of application and document shortcuts), and applications displaying their own status in their icon (handled by every window manager using the same ICCCM specification).
3 replies for this story:
Martin Putniorz wrote:
GNOME devs are just a bunch of guys who think of themselves as the team of Steves (Jobs). More about it here https://igurublog.wordpress.com/2012/11/05/gnome-et-al-rotting-in-threes/
Yenya wrote: Rotting in threes
Yep. I have also discovered that blog post yesterday. Quite disturbing read, isn't it? And it is not only GNOME, but Ubuntu and others as well.
Milan Zamazal wrote:
Interesting reading, it explains a lot. I'm pretty happy and quite stable with simple and highly customizable environments (StumpWM + Emacs + uzbl) in the last few years. The problem is that such environments are not suitable for nonprogrammers. It seems that Xfce is still going in the right direction, i.e. being easy to use, easy to set up and running well on old hardware. So I'm going to replace GNOME and KDE desktops of my users with Xfce on the next upgrade. Other users may have other needs. E.g. one of the positive effects of Ubuntu was that some developers and users preferring a smaller and unstable distribution with frequent updates and more buzz have left Debian in favor of a somewhat similar distribution better suited to their needs. This is all right and there has been less tension in Debian since then as there are fewer attacks on its principles -- I think both Debian and Ubuntu users and developers are happier now.
Tue, 06 Nov 2012
DNS Lookup :-)
It seems my registrar will discontinue their "free" hosting (as in "bundled with the domain registration") soon, so I will have to move my domain yenya.net mail and WWW servers elsewhere. There is no problem with that - I have a 24/7 running computer at home with good connectivity. There is one challenge, though:
The new DirectNIC service allows only one A record in the registered domain, when the domain is hosted on their DNS servers (no AAAA and no DNSSEC). So I am considering running my own DNS server in addition to mail and WWW servers. This would allow me to have A and AAAA records, SSHFP, and possibly the new DANE records. So I need someone to host a secondary DNS server. The requirements are:
- Static IP address, running 24/7
- IPv6 connectivity, if possible
- DNSSEC enabled
- Hourly update interval if possible
- Preferably outside the SmartComp/Nebox network
Of course, I am willing to provide the same service to the other party. Is anybody interested? Thanks in advance.
1 reply for this story:
Adelton wrote:
I use freedns.afraid.org as my secondary DNS, for two(?) years now. IIRC it's IPv4 only. They should be DNSSEC compliant though I don't use DNSSEC. I don't think there is an hourly update option but you can just send a notify and have the transfer initiated when something on your primary DNS server changes.