Yenya's World

Thu, 29 Nov 2012

Secure Login at Alza.CZ

Here is how the "secure" login works at alza.cz, one of the biggest e-shops in the Czech Republic:

[Image: Alza SSL login]

In the login form, the user can click a link named "SSL", which leads to an SSL-encrypted page with an alternative login form. The problem is that this page apparently sends the login form data unencrypted, so using SSL just to display the login form is completely pointless.


3 replies for this story:

dan wrote:

I agree, their login form is weird. I checked it with Firebug and fortunately the credentials are not sent over in plaintext - it's still HTTPS. It seems that something in the way they are sending them confuses the browser - they are not using a standard HTML form, they are sending the credentials using an XHR request. The login doesn't even work with JS turned off.

toto wrote:

You're one to criticize... better fix your own CSS instead. http://imgur.com/PBm7C

Yenya wrote: Re: toto

Well, the "official" URL of my blog does not start with https, so it is not my problem that it contains http-only images or whatever when accessed over https. Also, no private data is sent over the net during communication with my blog (as opposed to Alza.cz).


Wed, 28 Nov 2012

SOAP::Lite

Today's daily WTF goes to the SOAP::Lite CPAN package and its non-configurability and mis-design.

For example, look at this:

HTTP Basic authentication is accomplished by overriding the get_basic_credentials subroutine in LWP::UserAgent (of which SOAP::Transport::HTTP::Client is a subclass):

  BEGIN {
    # Process-wide override: every SOAP::Lite client in this process
    # answers the server's 401 challenge with the same credentials.
    sub SOAP::Transport::HTTP::Client::get_basic_credentials {
      return 'username' => 'password';
    }
  }

So apparently the only way to use Basic authentication is to override a global function in some foreign namespace. And what am I supposed to do when I want to use two SOAP servers with two sets of credentials inside a single application? There are more similar "features" in SOAP::Lite. For example, tracing can only be set up globally at compile time, or by manually calling ->import().

My dear lazyweb, is there a SOAP module with cleaner design?

UPDATE 2012/11/28: Tracing
FWIW, it is probably easier and cleaner to do both basic authentication and tracing at the transport level - the transport module here is LWP::UserAgent (thanks Adelton for the hint!), so, for example, the handlers described in the LWP::UserAgent manpage work:

# Per-object Basic auth: the handler runs on this client's transport only,
# so each SOAP::Lite object can carry its own credentials.
$soap->transport->add_handler(
    request_prepare => sub {
        shift->authorization_basic($login, $pass);
    },
);

# Per-object tracing: dump the outgoing envelope and the incoming response
# body; the headers (including the Authorization header) are not printed.
$soap->transport->add_handler(
    request_send => sub { print STDERR shift->content; },
);
$soap->transport->add_handler(
    response_done => sub { print STDERR shift->content; },
);

I wonder why the SOAP::Lite manpages suggest such dirty ways of handling this (and I have not even started on things like the $SOAP::Transport::HTTP::Client::USERAGENT_CLASS global variable; ugh).
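As an added illustration (not the author's code and not SOAP::Lite's own), here is the per-object handler approach carried through for two SOAP servers with different credentials in one process, with the tracing handler redacting the Authorization header before the request is logged; the endpoints, logins and method names are constructed placeholders.

```perl
use strict;
use warnings;
use SOAP::Lite;
# Constructed placeholders: two servers, two sets of credentials.
my %servers = (
    billing => { proxy => 'https://billing.example.invalid/soap',
                 user  => 'bill', pass => 'placeholder-1' },
    crm     => { proxy => 'https://crm.example.invalid/soap',
                 user  => 'crm',  pass => 'placeholder-2' },
);

# Build one client whose auth and tracing hang on its own transport object
# instead of a global sub in the SOAP::Transport::HTTP::Client namespace.
sub make_client {
    my ($cfg) = @_;
    my $soap = SOAP::Lite->new(proxy => $cfg->{proxy});
    # ->transport forwards to the underlying LWP::UserAgent subclass, so the
    # LWP::UserAgent handler API applies here.
    my $ua = $soap->transport;
    # The closure captures only this client's credentials; the other client
    # gets its own closure, so the two never collide.
    $ua->add_handler(request_prepare => sub {
        my ($request) = @_;
        $request->authorization_basic($cfg->{user}, $cfg->{pass});
        return;
    });

    # Tracing: dump headers and envelope, but never let the Basic auth header
    # (base64 of user:pass, i.e. effectively plaintext) reach the log.
    $ua->add_handler(request_send => sub {
        my ($request) = @_;
        my $copy = $request->clone;
        $copy->header(Authorization => '[REDACTED]')
            if defined $copy->header('Authorization');
        print STDERR "--- request to $cfg->{proxy} ---\n", $copy->as_string;
        return;   # returning nothing lets LWP go on with the real send
    });
    $ua->add_handler(response_done => sub {
        my ($response) = @_;
        print STDERR "--- response ", $response->status_line, " ---\n",
                     ($response->decoded_content // ''), "\n";
        return;
    });
    return $soap;
}

my %client = map { $_ => make_client($servers{$_}) } keys %servers;
# Method names are placeholders; the real ones come from the service's WSDL.
my $invoice = $client{billing}->call('getInvoice', 42)->result;
my $contact = $client{crm}->call('getContact', 42)->result;
```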


3 replies for this story:

Adelton wrote:

From the man page: Because "SOAP::Client" inherits from "LWP::UserAgent", you can use any of "LWP::UserAgent"'s proxy settings. Can't you really apply the same to the ->credentials call? E.g., $soap->transport->credentials($netloc, $realm, $uname, $pass); ?

Adelton wrote:

By the way, who is holding a gun to your head to force you to use SOAP?

Yenya wrote: Re: Adelton

Well, why TF do they have "redefine the get_basic_credential" in the POD as their preferred way of handling basic auth then? (ISDS is the gun holder there, but fortunately this is not my job, I just tried to help one of my colleagues :-)


Tue, 27 Nov 2012

Cookies Auth and 403 Forbidden

In IS MU we have recently abandoned HTTP basic authentication and replaced it with cookie-based authentication. The main reason was that there is no portable way of logging out of basic authentication. So I have based our new solution on Apache2::AuthCookie. The problem is that it does not work correctly with some clients because of the way the login form is handled.

When a not-yet-authenticated user accesses a URL meant for authenticated users only, Apache2::AuthCookie returns an HTTP response with the "403 Forbidden" status code and a text/html body containing the login form. That way, the client cannot possibly be led into the false assumption that the page it just received is the content it wanted. So the user fills in the login form, submits it, and the server returns the real page for that URL, this time with the "200 OK" status code. This approach seems to be correct (even after reading RFC 2616 :-). However, we observe problems with the following two use cases:

What to do now? The problem is clearly the HTTP status code 403 and its misinterpretation by some clients. I don't want to return the login form in a 200 OK response, because I need e.g. the web crawlers to know that this is not actually the page they tried to access. As for Symbian, those clients can be clearly identified by their User-Agent string, so I can return 200 OK only for them. But as for MS Word, I have no clue: what I see is a request made by MSIE (and again, I probably don't want to return 200 OK to every unauthenticated MSIE request). Any other suggestions, my dear lazyweb?
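As an added example (not the IS MU code and not Apache2::AuthCookie's own), the decision described above written as a standalone function: unauthenticated requests get the login form with 403, the clients the post says cannot cope with 403 (recognised here by an assumed Symbian User-Agent pattern) get the same form with 200, and both carry no-cache headers so the form is never kept as the page's content; the URLs and sample requests are constructed.

```perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Decide the answer to a request for a protected URL. $req is a constructed
# hash { authenticated => 0|1, ua => '...', uri => '...' }; the sub returns
# (status, \%headers, $body), the three things an Apache handler would set.
sub protected_response {
    my ($req) = @_;
    return (200, { 'Content-Type' => 'text/html' }, '<p>real content</p>')
        if $req->{authenticated};

    # Assumed pattern for the clients that treat every 403 body as an error.
    my $status = $req->{ua} =~ /Symbian/i ? 200 : 403;

    my %headers = (
        'Content-Type'  => 'text/html; charset=utf-8',
        # Whatever the status, a crawler or shared cache must not keep the form.
        'Cache-Control' => 'no-store',
        'Pragma'        => 'no-cache',
        # The status depends on the UA, so any cache must key on it too.
        'Vary'          => 'User-Agent',
    );

    # Field names follow Apache2::AuthCookie's login-form convention. The form
    # posts to a separate login URL and carries the original URL so the login
    # handler can 302 back to it; escape it so a crafted URI cannot break out
    # of the attribute (the login handler should also accept local paths only).
    my $dest = encode_entities($req->{uri});
    my $body = <<"HTML";
<form method="post" action="/login">
  <input type="hidden" name="destination" value="$dest">
  <input name="credential_0" type="text" autocomplete="username">
  <input name="credential_1" type="password" autocomplete="current-password">
  <input type="submit" value="Log in">
</form>
HTML
    return ($status, \%headers, $body);
}

# Constructed requests, checked inline since nothing else runs this script.
my ($msie)    = protected_response({ authenticated => 0, uri => '/private',
                                     ua => 'Mozilla/4.0 (compatible; MSIE 8.0)' });
my ($symbian) = protected_response({ authenticated => 0, uri => '/private',
                                     ua => 'Mozilla/5.0 (SymbianOS/9.4)' });
my ($authed)  = protected_response({ authenticated => 1, uri => '/private',
                                     ua => 'curl/7.0' });
die "unexpected: $msie $symbian $authed"
    unless $msie == 403 && $symbian == 200 && $authed == 200;
```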


2 replies for this story:

Adelton wrote:

I'm not sure about that 403: "Authorization will not help and the request SHOULD NOT be repeated". Since you are using cookies for something they are not technically supposed to be used for (authentication), I wouldn't worry about that 200 that much. I'd either make it 200 or 302 to some login page, ideally with some Pragma: no-cache so that spiders don't index/cache it.

Yenya wrote: Re: Adelton

Well, the request after 403 is not repeated (by the browser itself). Apache2::AuthCookie returns a login form in that request, and the action of this form is some different URL (which, by coincidence, returns 302 to the original URL, if correct credentials are submitted). So I still think 403 is a perfectly legal way of returning the login form.


Tue, 20 Nov 2012

SMD Soldering

For the first time in my life, I have tried to solder SMD components (as I have written before, I am working on DIY LED lights for my bike). The component side looks OK, and soldering the through-hole components went without problems. The SMD parts were a bit tricky, though.

[Images: bike lights board]


I have used an ordinary soldering station with temperature regulation, but the results are not pretty. I wonder what is required to achieve this level of quality (watch from 14:10). One possible problem might be that some components on my board (especially the smallest sensing resistors) are connected to the highest-current and thus thickest paths, which suck great amounts of thermal energy when soldering.

Anyway, from the preliminary testing, it seems that my board works. So far I have found the following problems:

Now it's time to finish the firmware and to start adjusting the mechanical parts. I have already made the front spotlight and the rear spotlight, and I want to make a LED string. Any tips on making a waterproof LED string out of 3 mm through-hole LEDs will be appreciated. Should I use silicone, heat-shrink tubing, or what?


Thu, 15 Nov 2012

Printed Circuit Boards

For my bike lights I needed a PCB. Out of several services for manufacturing PCBs, I have chosen Itead Studio PCB prototyping service (the other candidate was Seeed studio). Here are the preliminary results:

[Image: bike lights PCB]

I placed my order on the evening of October 29th (Central European Time); according to Hong Kong Post, the package was received by them on November 7th, it left Hong Kong on November 11th, and I received it today, on November 15th.

They also have an interesting "Open source" program: the customer declares that his design is open source (mine is anyway), they make a few more boards in addition to those the customer has ordered, and they send them to their other customers. The original customer gets his ordered boards and, in addition, two more boards from other open source projects. I did in fact get their demo board (on the right side) and one open source board (the white one). Apparently, it is an Arduino 512KB SRAM expansion board. I currently don't use Arduino, so if any Arduino user is interested in this PCB, just let me know.

Okay, now it's time to take a soldering iron and play more with the hardware :-)


Mon, 12 Nov 2012

Desktop Environment-Specific Apps

I have recently come across this two-year-old bug report, filed in the bug tracker of Transmission (a BitTorrent client), where a GNOME developer suggests removing the notification area icon from the application on the basis that GNOME 3 does not support the notification area at all.

So if I understand it correctly, we are now living in a world where all GUI applications have to depend on a particular desktop environment, and running - say - Transmission under XFCE, or GIMP under KDE, should no longer be supported, at least according to GNOME developers. "We GNOMErs do not support notification area icons, so this application should not use them" (even though the application is not used exclusively under GNOME)? Where are the freedesktop.org cross-DE interoperability recommendations?

That said, the notification area as such sucks - what I liked most was the original approach of X11: using on-desktop icons for minimized applications (instead of application and document shortcuts), with applications displaying their own status in their icon (handled by every window manager using the same ICCCM specification).


3 replies for this story:

Martin Putniorz wrote:

GNOME devs are just a bunch of guys who think of themselves as the team of Steves (Jobs). More about it here https://igurublog.wordpress.com/2012/11/05/gnome-et-al-rotting-in-threes/

Yenya wrote: Rotting in threes

Yep. I have also discovered that blog post yesterday. Quite disturbing read, isn't it? And it is not only GNOME, but Ubuntu and others as well.

Milan Zamazal wrote:

Interesting reading, it explains a lot. I'm pretty happy and quite stable with simple and highly customizable environments (StumpWM + Emacs + uzbl) these last years. The problem is that such environments are not suitable for non-programmers. It seems that Xfce is still going in the right direction, i.e. being easy to use, easy to set up and running well on old hardware. So I'm going to replace the GNOME and KDE desktops of my users with Xfce on the next upgrade. Other users may have other needs. E.g. one of the positive effects of Ubuntu was that some developers and users preferring a smaller and unstable distribution with frequent updates and more buzz have left Debian in favor of a somewhat similar distribution better suited to their needs. This is all right and there has been less tension in Debian since then as there are fewer attacks on its principles -- I think both Debian and Ubuntu users and developers are happier now.


Tue, 06 Nov 2012

DNS Lookup :-)

It seems my registrar will discontinue their "free" hosting (as in "bundled with the domain registration") soon, so I will have to move the mail and WWW servers for my domain yenya.net elsewhere. There is no problem with that - I have a 24/7 running computer at home with good connectivity. There is one challenge, though:

The new DirectNIC service allows only one A record in the registered domain when the domain is hosted on their DNS servers (no AAAA and no DNSSEC). So I am considering running my own DNS server in addition to the mail and WWW servers. This would allow me to have A and AAAA records, SSHFP, and possibly the new DANE records. So I need someone to host a secondary DNS server. The requirements are:

Of course, I am willing to provide the same service to the other party. Is anybody interested? Thanks in advance.


1 replies for this story:

Adelton wrote:

I use freedns.afraid.org as my secondary DNS, for two(?) years now. IIRC it's IPv4 only. They should be DNSSEC compliant, though I don't use DNSSEC. I don't think there is an hourly update option, but you can just send a notify and have the transfer initiated when something on your primary DNS server changes.

