Blog‎ > ‎

GAE MS HRD, Tor ObfsProxy, CSRF, XSS

posted Apr 8, 2012, 9:43 AM by Sami Lehtinen   [ updated Apr 8, 2012, 9:59 AM ]
  • Completely read How China Is Blocking Tor paper. After reading it, I thought it might be nice to write simple tcp proxy application which would allow simple plain text traffic modification plugins to be used. I already wrote small 4 pages long specification about it. But I'll ask comments from my friends. Basically it would be simple tcp socket proxy, which just modifies traffic to hide original traffic pattern and finger print. Even if I decide that project isn't going forward I'll publish that document after I have reviewed it my self. Obfsproxy would be great, but it's too strongly linked to Tor.
  • M/S data store is being deprecated, now it's great time to start using HRD. I think I might upgrade and if M/S -> HRD requires changing AppId then I'll might shutdown OTR, although it's data store access is super simple key value method. I'll think about it.
  • CSRF vulnerabilities seem to be much more common than I thought. Even major sites are vulnerable. Also finished reading two papers about XSS attacks.
  • All user input should be properly sanitized. Yes yes, really old news, but there are many ways to send "user input" that developers might not think about. Like HTTP request headers.
  • It seems that IBM doesn't know how Internet and cloud stuff works. "People are quickly turned off by complex or lengthy sign-up processes". Well, it turns out that making agreement with IBM for test use of their cloud-service products, requires way too much work. With same effort you have completely running test environment with most of other service providers. I guess that isn't too good for IBM.