I See What You Did There

SSLv3 is older than my daughter, but is still supported by all major browsers. The latest crypto bug is a MITM (man in the middle) attack that could allow anyone with a network device (WiFi router) sitting between browser users and the destination SSLv3 server (https “secure” bank site, for instance) to snoop on the connection in plain text.

SSLv3 server stats and steps to fix your browser
POODLE attack details
#POODLE on twitter

Everything is Good Here

static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
        OSStatus        err;
        ...

        if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
                goto fail;
        if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
                goto fail;
                goto fail;      /* unconditional: err is still 0 (success) here */
        if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
                goto fail;
        ...

fail:
        ...
        return err;
}

The duplicate ‘goto fail;’ line above is not guarded by any if, so it always jumps to fail while err is still 0 (success), before the signature is ever compared: the server key exchange signature check passes as valid, no matter what. Nice little programming error, there, Apple. Affects iOS since at least 7.0.4, and a fix was just released. MITM anyone? o_O

via: Apple’s SSL/TLS bug

Simple read-only git repository over HTTP

I’m working on a code exercise and wanted to throw it in a web directory to allow read-only git clone/pull, without putting the repo up as a public one on github. Initializing the repository and using SSH for read-write access was familiar, since I’ve done it many times, but I stumbled around for a few minutes scanning docs for read-write HTTP repos that use fastcgi, gitweb, git-http-backend, git daemon, etc. This is just using simple and “dumb” read-only HTTP access, and the tidbit I had long forgotten was enabling the post-update hook to update the repository metadata (info/refs and objects/info/packs), which just execs git update-server-info each time a push is received – of course, git needs to be installed on the web server.

$HTTPROOT is the full path to your website directory (i.e. /srv/http/example.com).

On the server:
$ mkdir -p $HTTPROOT/git/myrepo.git
$ cd $HTTPROOT/git/myrepo.git/
$ git init --bare
$ mv hooks/post-update.sample hooks/post-update

On the client, use SSH to clone the repository for read-write work (needs full path to $HTTPROOT):
$ git clone ssh://$HOST/$HTTPROOT/git/myrepo.git
Cloning into 'myrepo'...
warning: You appear to have cloned an empty repository.
Checking connectivity... done
$ cd myrepo/

Then go about adding files, committing, and pushing changes over SSH.

When it comes time to share your work, the read-only repository can be shared with others and cloned/pulled with:
$ git clone http://$HOST/git/myrepo.git
Cloning into 'myrepo'...
Checking connectivity... done
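The same server-side setup as a runnable script, added here as an example and not part of the original post: it creates the bare repo and enables the hook as above, substitutes a local-path push for the SSH push, and checks for the metadata files a “dumb” HTTP client fetches. It assumes git is installed and uses a temporary directory in place of $HTTPROOT.

```sh
#!/bin/sh
# Added example, not the post's own commands. Reproduces the post's server-side
# steps in a scratch directory and verifies what the post-update hook produces.
set -e

# Server side: bare repo plus the renamed sample hook (which execs
# "git update-server-info"). Everything under myrepo.git will be served by the
# web server, including config and hooks/, so keep credentials out of it.
setup_dumb_http_repo() {
    httproot="$1"
    repo="$httproot/git/myrepo.git"
    mkdir -p "$repo"
    git init --bare -q "$repo"
    mv "$repo/hooks/post-update.sample" "$repo/hooks/post-update"
    chmod +x "$repo/hooks/post-update"
}

# A dumb-HTTP clone requests info/refs (ref list) and objects/info/packs
# (pack list) as plain files; without them "git clone http://..." fails.
# Returns 0 only when both exist and a branch is listed.
dumb_http_ready() {
    repo="$1"
    [ -s "$repo/info/refs" ] && [ -f "$repo/objects/info/packs" ] &&
        grep -q "refs/heads/" "$repo/info/refs"
}

# Stand-in for the developer's SSH push: a fresh work tree pushing one commit
# over a local path. The receiving repo runs its post-update hook either way.
push_first_commit() {
    repo="$1"
    work="$2"
    git -c init.defaultBranch=main init -q "$work"
    echo "constructed sample file" > "$work/README"
    git -C "$work" add README
    git -C "$work" -c user.name=demo -c user.email=demo@example.com \
        commit -q -m "initial commit"
    git -C "$work" push -q "$repo" HEAD:refs/heads/main
}

# Usage: run the whole sequence and report whether the repo is cloneable.
demo() {
    tmp=$(mktemp -d)
    setup_dumb_http_repo "$tmp/srv"
    push_first_commit "$tmp/srv/git/myrepo.git" "$tmp/work"
    dumb_http_ready "$tmp/srv/git/myrepo.git" && echo "dumb HTTP metadata present"
}
```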