I See What You Did There

SSLv3 is older than my daughter, but is still supported by all major browsers. The latest crypto bug is a MITM (man in the middle) attack that could allow anyone with a network device (WiFi router) sitting between browser users and the destination SSLv3 server (https “secure” bank site, for instance) to snoop on the connection in plain text.

Links:
SSLv3 server stats and steps to fix your browser
POODLE attack details
#POODLE on twitter

Everything is Good Here

static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
        OSStatus        err;
        ...

        if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
                goto fail;
        if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
                goto fail;
                goto fail;
        if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
                goto fail;
        ...

fail:
        SSLFreeBuffer(&signedHashes);
        SSLFreeBuffer(&hashCtx);
        return err;
}

The duplicate ‘goto fail;’ line above will always pass the SHA1 signature check as valid, no matter what. Nice little programming error, there, Apple. Affects iOS since at least 7.0.4, and a fix was just released. MITM anyone? o_O

via: Apple’s SSL/TLS bug

Simple read-only git repository over HTTP

I’m working on a code exercise and wanted to throw it in a web directory to allow read-only git clone/pull, without putting the repo up as a public one on github. Initializing the repository and using SSH for read-write access was familiar, since I’ve done it many times, but I stumbled around for a few minutes scanning docs for read-write HTTP repos that use fastcgi, gitweb, git-http-backend, git daemon, etc. This is just using simple and “dumb” read-only HTTP access, and the tidbit I had long forgotten was enabling the post-update hook to update the repository metadata, which just execs git update-server-info as commits are made – of course, git needs to be installed on the web server.

$HTTPROOT is the full path to your website directory (i.e. /srv/http/example.com).

On the server:
$ mkdir -p $HTTPROOT/git/myrepo.git
$ cd $HTTPROOT/git/myrepo.git/
$ git init --bare
$ mv hooks/post-update.sample hooks/post-update

On the client, use SSH to clone the repository for read-write work (needs full path to $HTTPROOT):
$ git clone ssh://$HOST/$HTTPROOT/git/myrepo.git
Cloning into 'myrepo'...
warning: You appear to have cloned an empty repository.
Checking connectivity... done
$ cd myrepo/

Then go about adding files, committing, and pushing changes over SSH.

When it comes time to share your work, the read-only repository can be shared with others and cloned/pulled with:
$ git clone http://$HOST/git/myrepo.git
Cloning into 'myrepo'...
Checking connectivity... done