Connecting to an HTTP/2-enabled webserver using Firefox

Even though this website [and the other sites hosted on this server] isn't very sensitive, I try to maintain the highest possible security by using up-to-date and secure software, as well as strong ciphers for the connection. After all, it's nobodys business what you read here, but yours.

I also try to use new technology whenever possible, so it makes sense, that I offer HTTP/2 connections.

Unfortunately, it turns out that combining the two isn't always as easy as it should be. My nginx cipher suite is configured as follows:

ssl_ciphers ECDH+AESGCM:ECDH+AES256:!AES128:!DH:!RSA:!3DES:!aNULL:!MD5:!DSS;

This is generally considered close to ideal security [let me know if you disagree], so I figured it should work with HTTP/2 - which emphasizes security greatly - without any problems.

The issue

Unfortunately, I was wrong. After enabling HTTP/2 in nginx, Firefox fails to connect to the server. Even worse, it did not display an error message, log an error to the console, or show any issue in the network debugger.

It turns out, that I missed, that the HTTP/2 standard has a hard requirement on AES-128 support, specifically TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Apparently firefox ...

read more

Other articles

Blogofile -> Pelican
So 02 März 2014
By Thomas Gstaedtner
Category: misc , Tags: other
After running blogofile for four years (who knew it was that long with the little posting i've done :) and getting less done with it than I hoped, I finally decided to move on again. The main reason is, that Blogofile is basically unmaintained and writing custom controllers was harder than it should be (and documentation clearly lacking).

So I looked around for alternatives and found surprisingly few that were interesting to me. The requirements were:
- simple static blog compiler
- solid templating engine
- python
- markdown support
The only one that fit well was Pelican so I decided to give it a go. Migrating was surprisingly straight forward and done in basically half a day (that includes understanding Pelican, porting the CSS, moving all posts over, and implementing every missing feature I used to have in Blogofile in the Pelican templates.

I'm not 100% happy, but so far Pelican seems nice enough, everything works (even better than before). A few of the problems I have:
- the design seems unnecessarily complicated, compared to blogofile
- the error handling is quite poor, it is basically impossible to get useful error messages
- the documentation could be better (still much better than Blogofile though)
- the ...
read more

Terminology, Enlightenments fancy new terminal emulator

Di 29 Januar 2013
By Thomas Gstaedtner
Category: misc , Tags: enlightenment

Some of you might still know or even use Eterm, a neat terminal emulator that came back when e16 was still new. A long time there has been nothing new in this area, but Raster apparently found the muse to write another one, based on the Enlightenment Foundation Libraries.

Anyway, I don't need to tell you why you should use it, let me just show you :)

The first one shows a some weeks old version with the basic cool features:

The second video shows the new tcat (which within some hours has been renamed to tycat due to a naming conflict) tool to make more practical use of the features:

More cool things will certainly come (some I didn't showcase are already there).

Now for the bad news, and the actual reason I wrote this post (the videos I had lying around anyway): Only terminology 0.2 has been release so far and a lot of features are broken in this one and have been fixed since. The new versions from SVN only run on EFL 1.8 though, which will not ...

read more

Trust issues (and the web), 03 - Convergence

Fr 23 September 2011
By Thomas Gstaedtner
Category: misc , Tags: other

In a previous post I promised that I would check out some of the solutions that promise a safer and thus better web.

This is part two, Convergence.

How does it work?

Convergence replaces the certificate authorities (CA) used traditionally in SSL by an independent distributed authorities, called notaries.

It totally ignores the CA that issued a sites certificate and instead checks the certificate over all activated notaries. These can be added, removed or disabled on personal preference; so you don't have to trust a bunch of faceless corporations which are each a SPOF in the whole concept(!), but can instead trust a number of notaries working together.

This can be one of your own servers in your LAN (providing no MITM security towards the internet), another one of your servers reachable over the internet, and the server of people or organizations you may or may not trust all over the world.

Than you can decide if it is enough for you if only one notary validates the requested certificate - bad idea, perhaps even a little worse than the CA system. However, the default is to gain a majority validation. This means every active notary will be checked and ...

read more

Trust issues (and the web), 02 - Web Of Trust

So 11 September 2011
By Thomas Gstaedtner
Category: misc , Tags: other

In my last post I promised that I would check out some of the solutions that promise a safer and thus better web.

Let's start with Web Of Trust (WOT).

In contrast to some of the other things I plan to take a closer look at, WOT is not related to transport security or any cryptographic methods to ensure site integrity.

It actually works like Mandatory Access Controls (MAC) with a user centric (as apposed to a system centric) approach.

How does it work?

WOT is a combination of client side software, usually a brower plugin (who would have guessed :P), and a central database that contains per-domain based ratings, provided by users as well as "trusted sources". The latter are (well-known) security sources, such as blacklists from security vendors, and similar material.

The browser plugin, which exists at least for Firefox and Chrome, is available under GPLv3. It checks every domain, that is either querried or linked to, against the WOT central database and aquires a rating based on the previously mentioned sources.

Feedback is given to the user via an easily visible graphical indicator (green = good, yellow = so-so, red = bad, grey = no rating yet), as well as ...

read more

Page 1 / 2 »