security hsts, network

HSTS (HTTP Strict Transport Security) is a security policy by which a web server instructs the client that the website it is calling may only be used over HTTPS. With tools like WiFi Pineapple and sslstrip a man-in-the-middle attack can be carried out easily: the attacker redirects the victim to the HTTP version of the site they are connecting to, and after the login details have been submitted in clear text and captured, the victim is redirected back to HTTPS. With HSTS the browser always makes its calls over HTTPS, which reduces the risk of such a MitM attack. It’s not bullet-proof, but it is still an improvement over not using it.

Implementation

HSTS is essentially a response header. In an ASP.NET application it can be added in the web.config file as below:

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

And when you visit this site over HTTPS the response looks like this:

[Screenshot: the Strict-Transport-Security header in the HTTPS response]

This header tells the browser to use only HTTPS for this host from now on, for one year (31536000 seconds). Alternatively, the response header can be added in the BeginRequest event handler in Global.asax:

protected void Application_BeginRequest(object sender, EventArgs e)
{
	switch (Request.Url.Scheme)
	{
		case "https":
			// Only HTTPS responses carry the policy; browsers ignore it on plain HTTP
			Response.AddHeader("Strict-Transport-Security", "max-age=31536000");
			break;
		case "http":
			// Send plain HTTP visitors to the HTTPS site so they receive the header
			var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
			Response.Status = "301 Moved Permanently";
			Response.AddHeader("Location", path);
			// Stop the pipeline so the HTTP page body is not served alongside the redirect
			CompleteRequest();
			break;
	}
}

The HSTS header is only honoured when it arrives over HTTPS, so you will not observe it in HTTP responses. That is why the redirect to HTTPS is required: if the client uses HTTP all the time and nothing forces it onto HTTPS, it will never receive the header even though HSTS is turned on. Once the browser has seen the header, it will make its requests over HTTPS even if an attacker tries to redirect the user to HTTP.

Shortcomings

  • Not all browsers support it. It works with Chrome and Firefox but not with IE and Safari.
  • It cannot protect the first call: if the user is visiting a site for the first time and there is an attacker in between, it will not work. At least it starts working after the attacker has finished the attack and redirected the user back to HTTPS.


hobby electronics

If you’re going to do something you need the right tools. The last time I was dabbling with this I didn’t quite enjoy it, but that was mostly because I didn’t have the right tools. The most daunting part for me was cabling. With the jumper cable set I had it was just too painful.

Get your cables right

This time I’m prepared for all occasions: I have Male – Male, Male – Female and Female – Female cables, which cover all combinations.

Essentials

Multimeter: I realized a multimeter is an essential tool if you want to build your own circuits. I added a reference for an excellent tutorial which teaches you how to use one in a few minutes. By using it, I was able to measure voltage and resistor values in no time.

LCD Display: Also, I think it’s almost impossible to build a cool project without a display. It can be used for debugging and informing the user so very helpful to have it in the mix. They are so cheap that I ordered 5 of them for about £7 on eBay. So I guess there is no excuse for not buying one!

Resistors: Real resistors! I hated my old blue resistors with 5 bands. I couldn’t read the values. Colors were not clear. But now finally I got a bunch of standard 3-band yellow ones which make it easier to read. (Actually I have a multimeter now, so I can just use it to measure the resistance anyway.)

Breadboards: I had a big nice one but I think in order to run things in parallel I’ll need a few more of the smaller ones. Also I’m trying to learn how to solder so I now have a couple of solder boards to practice.

Push buttons: I think to control the flow they are definitely needed.

Let’s get crackin’

I just built a simple circuit to light an LED when the push button is pressed. I know it’s not impressive by any means but I enjoyed building something from scratch. I familiarized myself with my tool shed and am looking forward to building more complicated things.

hobby leap_motion, gadget, review

Yes!!! Finally it arrived. It looks very tiny and elegant. This is what the package and contents look like:

[Photo: the Leap Motion package and its contents]

Installation

Good thing it comes with 2 USB cables of different lengths. One is about half a meter, probably for laptop users, and the other is about 2 meters, better suited for desktop users like myself. It doesn’t come with any instructions or user guide, just a card that tells you to go to leapmotion.com/setup. And that’s where I went.

The setup file is about 56MB. As this is a new file, Norton 360 didn’t like it and issued a warning. Another interesting note is that right after I plugged it in the Skype icon started blinking. I checked the window and it was saying “Your video works fine”. As I don’t normally keep my webcam plugged in, the video doesn’t work. But it became happy to detect a camera! I’m not sure if it would work with Skype though. Probably not.

App Store

After the installation you have to login to Airspace which is the app store for Leap Motion. I logged in with my LeapMotion account. It comes with a few free apps. Cut the Rope didn’t run unfortunately. Didn’t bother to give an error message either. So I tried the others. Lotus looks like a weird psychedelic app. As far as I could understand you make music with your fingers. Here’s a little demo of how it looks:

Development

What’s more interesting than downloading and using apps is developing one on my own! In order to do this you have to sign up for a developer account at http://developer.leapmotion.com. After signing up you download their SDK. So far I have managed to install the drivers, tried a few apps and downloaded the SDK, and I’ll post about the development experience in another post.

Final words

I’m not so sure if this gizmo will take off but as long as it’s an interface for the OS, not some custom apps, I don’t see much use for it. Keeping hands in the air for long tasks is tiring. I think it only might make some games more fun but that’s a very small market.