I've been busy reading the Lean Startup book and thinking about it deeply. But here's some light and fun stuff I have been managing to read and study meanwhile.
Google Chrome browser & OS related stuff:
HULK (Http Unbearable Load King) was released and I had to play a little with it.
I tested hulk against many of the services and servers that we run, during the night. It seems that most of the services can handle the traffic generated by hulk. The main thing is that request handling must be light enough. Only URLs which run CGI scripts were naturally heavily affected by the hulk attack, due to slow request processing. But as we all know, attackers will find those points in a system which are slow to handle and exploit them.
All systems should have code which detects attacks and stops serving these IP addresses or whole address blocks. It would be preferable if the web server were able to handle these requests very lightly or, even better, if firewall rules were modified dynamically to completely drop this traffic.
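As an added illustration of the detection side (this is example code written for this post, not part of HULK or any of the tested services), the block below parses Common Log Format access-log lines, keeps a sliding window of request timestamps per client IP, and flags any IP that exceeds a threshold within the window. The log lines, IP addresses (documentation ranges), window and threshold are all constructed for the example; the `block_rules` helper only formats drop rules as strings so that the output could be fed to whatever firewall automation is in place.

```python
"""Sliding-window request-rate detector over web server access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format prefix: "<ip> <ident> <user> [<timestamp>] "<request>" ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for a CLF line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def find_flooders(lines, window=timedelta(seconds=10), threshold=20):
    """Return {ip: peak_count} for every IP that made more than `threshold`
    requests inside any `window`-long interval. Lines must be in time order per IP."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # skip lines we cannot parse rather than crash
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # drop timestamps that fell out of the window
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def block_rules(peaks):
    """Format a drop rule per offending IP (iptables syntax, as plain strings)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(peaks)]


def make_sample_log():
    """Constructed sample: one source hammering a CGI URL, one normal visitor."""
    base = datetime(2012, 5, 20, 23, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):            # 60 hits in 6 seconds from one address
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f'198.51.100.7 - - [{t.strftime(TS_FMT)}] '
                     f'"GET /cgi-bin/search?q={i} HTTP/1.1" 200 512')
    for i in range(3):             # 3 hits in 4 seconds: ordinary browsing
        t = base + timedelta(seconds=2 * i)
        lines.append(f'203.0.113.5 - - [{t.strftime(TS_FMT)}] '
                     f'"GET /index.html HTTP/1.1" 200 2048')
    return lines


SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    flooders = find_flooders(SAMPLE_LOG)
    print(flooders)                # {'198.51.100.7': 60}
    for rule in block_rules(flooders):
        print(rule)
```

The threshold has to be tuned per site: a window of 10 seconds and 20 requests is far too low for a page that loads dozens of assets from one client, so in practice one counts only dynamic URLs (the slow CGI paths mentioned above) or raises the threshold well above what a browser produces. Whitelisting known proxies and NAT gateways before blocking is also needed, otherwise a whole office disappears because one machine misbehaved.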
Only a few modifications were required to make hulk fully Tor compatible and also enable requesting real pages from HTTPS sites, instead of requesting redirects using HTTP.
I also found out that many sites running Drupal are very vulnerable to this attack.
If a single Privoxy & Tor & Hulk set isn't enough and won't saturate your own bandwidth, you can naturally run multiple Tor clients and Privoxies in parallel with multiple HULKs, by using different port numbers. It required about 25 parallel process sets to saturate a 100/100 Mbit/s (down) link with a remote server which was serving static files from the attack URL and therefore wasn't brought down by the hulk attack. This would easily bring down sites which do not process requests very efficiently.
If this attack were run from several servers with a 1 gigabit connection each, it would be a very hard hit for any small to medium site. Of course world class sites wouldn't notice a thing. Also the Tor network in general could run out of bandwidth.
Hushmail.com session / password issue:
1. Login to hushmail from two computers
Afaik: When the password is changed, re-login should be forced at least for all other sessions than the session which changed the password.
P.S. HSTS header is also missing.
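To show what the expected behaviour looks like in code, here is an added example (my own illustration, not Hushmail's implementation, whose internals are unknown to me) of a minimal session store that ties every session to a per-user password version. Changing the password bumps the version, so every other session becomes invalid on its next check while the session that performed the change is carried over. The `security_headers` helper shows the HSTS header the post notes is missing; the user names, passwords and iteration count are constructed for the example.

```python
"""Sessions bound to a password version, invalidated on password change (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000   # constructed value; tune for the deployment


@dataclass
class User:
    password_hash: bytes
    salt: bytes
    password_version: int = 0  # incremented on every password change


@dataclass
class Session:
    username: str
    password_version: int      # version of the password this session was created under


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AuthService:
    def __init__(self):
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(_hash_password(password, salt), salt)

    def _check_password(self, user: User, password: str) -> bool:
        # constant-time comparison so timing does not leak how much of the hash matched
        return hmac.compare_digest(user.password_hash, _hash_password(password, user.salt))

    def login(self, username: str, password: str):
        """Return a new session id, or None on bad credentials."""
        user = self.users.get(username)
        if user is None or not self._check_password(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, user.password_version)
        return sid

    def is_valid(self, sid: str) -> bool:
        """A session is valid only if it was created under the current password version."""
        session = self.sessions.get(sid)
        if session is None:
            return False
        return session.password_version == self.users[session.username].password_version

    def change_password(self, sid: str, old: str, new: str) -> bool:
        """Rotate the password; all sessions except the caller's are invalidated."""
        if not self.is_valid(sid):
            return False
        session = self.sessions[sid]
        user = self.users[session.username]
        if not self._check_password(user, old):
            return False
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new, user.salt)
        user.password_version += 1
        session.password_version = user.password_version  # only this session survives
        return True


def security_headers() -> dict:
    """Headers every HTTPS response should carry; HSTS pins browsers to TLS."""
    return {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "old-pw")
    laptop, desktop = svc.login("alice", "old-pw"), svc.login("alice", "old-pw")
    svc.change_password(laptop, "old-pw", "new-pw")
    print(svc.is_valid(laptop), svc.is_valid(desktop))   # True False
```

Checking the version on every request (rather than deleting sessions at change time) also covers session stores spread over several servers, where enumerating and deleting the other sessions is not always possible.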