Skip to main content

Posts

Phil Zimmerman's Latest Project

Phil Zimmerman of PGP Encryption fame is launching a new project, Silent Circle -  The idea is an application suite complete with encrypted VOIP, email and IM. Exciting stuff! Lets hope it works out better than Hushmail !

Random Number Generation

Latest Update from Basement Dweller News: A great primer on random number generation from a few smart cookies at Intel, by way of IEEE: http://spectrum.ieee.org/computing/hardware/behind-intels-new-randomnumber-generator/0 On a very related note, let's keep our eyes on systemic issues with encryption keys in the wild: http://eprint.iacr.org/2012/064.pdf I have yet to formalize an opinion as to the validity of any systemic key issues intrinsic to RSA (because I was a "D" math student I have to wait for the grown-ups to weigh in on these Deep Thoughts. I would like to see larger keys in use standardized and don't see any good reason not to) A compelling critique of the survey, urging for additional data before judgment is reached: http://dankaminsky.com/2012/02/14/ronwhit/

Websockets and IIS7

So its been about 5 months since the IETF released the RFC 6455 proposal for websockets: http://tools.ietf.org/html/rfc6455 The websocket API is a protocol that allows for the bidirectional transfer of http/https data. This breaks down to a single initial handshake and then autonomous communication from both the server and client concurrently. With it comes a significant performance improvement (as only one handshake is needed, and client-side implementation gets much simpler) and a number of practical applications - I always think chat clients, but the applications are endless for web driven applications that require real time data transfer (HTML5 games that don't suck!) Its no secret that websockets will not work with a standard IIS7 implementation. Http.sys is a greedy bugger, and gobbles up all connections listening on port 80. Even with WCF, there is no formally recognized workaround besides "wait for 8" and the native websocket/SOAP functionality that it

Same Domain, Multiple Machines, SSL?

I saw a lot of misinformation about this on the inter-tubes recently, some of it intentional misleading of customers, some of it unintentional, so it might be remedial for a lot of readers but posting a clarification here because its worth it to help clear up the confusion. Here are some facts that should help people when first making the leap to securing multiple server environments: Servers are domain and private key specific. They are not machine specific. You are welcome to generate multiple SSL certificates for the same domain to host on separate servers. Think for a bit, this *has* to be true. When everyone goes to https://google.com, are they hitting the same web server or SSL caching server? Of course not.* The most common scenario where this would be valuable is with a load balanced web cluster, but I recently came across this in a deployment with web and mail component where the mail admin neglected to give their MTA a unique FQDN *and* the organization is using SSL/TLS f

Reinstalling MDAC

Microsoft Access Data Components are usually fairly stable. They tend to be updated with significant OS related updates (I'm looking at you, Service Packs).  That being said, issues do happen. Today I encountered an issue following a P to V migration using Hyper-V for a Windows 2000 server with an ADO connection to a MSSQL database. Somehow MDAC versions become mismatched during this process. Your actual error may vary. Your application may throw an error 429 " Active-X component can't create object", you might get a  IPP_E_MDAC_VERSION error. In the case today, a line in the website's general.asa was mentioned as an invalid object. Download and execute the Microsoft Component Checker to verify a mismatch against your required Component versions - Use this for 2003   and this for 2000 . For Windows Server 2003 and 2008 systems, I would typically advise an in-place upgrade as outlined here . You can try a manual install on these OS' but frankly it is no