
Google Chrome (OS & Browser), Passwords, HULK, Hushmail, SSL, IPv6, RFID, Shell

posted Jun 7, 2012, 10:05 AM by Sami Lehtinen   [ updated Jan 18, 2015, 11:11 AM ]
I've been busy reading the Lean Startup book with deep thought. But here's some light and fun stuff I have managed to read and study meanwhile.

Google Chrome browser & OS related stuff:
  • Great article about the prediction systems and performance optimizations of the Google Chrome browser.
  • To enable IPv6 for the Google Chrome browser, visit chrome://flags, select DNS and enable IPv6 there.
  • I installed Google Chrome OS on one old laptop, and it works just great. It boots fast and it's very nice to use. Of course it's limited to "browser only" usage. Now there is a race to develop all business apps so that they run in the plain browser.
Due to the LinkedIn password hash leak, here are a few password-related articles:

HULK (HTTP Unbearable Load King) was released and I had to play a little with it.

I tested HULK against many of the services and servers that we run, during night time. It seems that most of the services can handle the traffic generated by HULK. The main thing is that request handling must be light enough. Only URLs which run CGI scripts were naturally heavily affected by the HULK attack, due to slow request processing. But as we all know, attackers will find the points in a system which are slow to handle and exploit those.

All systems should have code which detects attacks and stops serving these IP addresses or whole blocks. It would be preferable if the web server could handle these very lightly, or even better, if firewall rules were modified dynamically to completely drop this traffic.

Only a few modifications were required to make HULK fully Tor compatible and also to enable requesting real pages from HTTPS sites, instead of requesting redirects using HTTP.

I also found out that many sites running Drupal are very vulnerable to this attack.

If a single Privoxy & Tor & HULK set isn't enough and won't saturate your own bandwidth, you can naturally run multiple Tor clients and Privoxies in parallel with multiple HULKs, by using different port numbers. It required about 25 parallel process sets to saturate a 100/100 Mbit/s (down) link with a remote server which was serving static files from the attack URL and therefore wasn't brought down by the HULK attack. This would easily bring down sites which do not process requests very efficiently.

What would happen if this attack were run from several servers with a 1 gigabit connection each? It would be a very hard hit for any small to medium site. Of course world-class sites wouldn't notice a thing. Also the Tor network in general could run out of bandwidth.

Hushmail.com session / password issue:

1. Log in to Hushmail from two computers
2. Change the password
3. Notice that the session on the other computer is still alive and kicking

AFAIK: When the password is changed, re-login should be forced at least for all sessions other than the session which changed the password.

This is an especially big problem if something like an authenticated cookie is stolen, or if the password is stolen and they manage to log in. Then there is no way to deny their access.

Well, if I remember right, Dropbox had this very same flaw. But I assume they have fixed it already.
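As an added example (my own code, not Hushmail's or Dropbox's), here is a session store that stamps every session with the password generation it was issued under; a password change bumps the generation, so all other sessions fail validation while the session that made the change is re-stamped and stays alive. The class and function names, the PBKDF2-HMAC-SHA256 parameters (50k iterations) and the in-memory dictionaries are assumptions.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0   # incremented on every password change

@dataclass
class Session:
    user: str
    pw_generation: int       # password generation this session was issued under

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class SessionStore:
    def __init__(self):
        self.accounts, self.sessions = {}, {}   # in-memory stand-in for a real store

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, acct.pw_generation)
        return token

    def is_valid(self, token):
        s = self.sessions.get(token)
        # A session stamped with an older generation is dead, so a stolen cookie stops working once the password changes.
        return s is not None and s.pw_generation == self.accounts[s.user].pw_generation

    def change_password(self, token, old, new):
        if not self.is_valid(token):
            return False
        s = self.sessions[token]
        acct = self.accounts[s.user]
        if not hmac.compare_digest(_hash(old, acct.salt), acct.pw_hash):
            return False
        salt = os.urandom(16)
        acct.salt, acct.pw_hash = salt, _hash(new, salt)
        acct.pw_generation += 1                 # invalidates every session issued so far ...
        s.pw_generation = acct.pw_generation    # ... except the one that made the change
        return True
```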

Watched a long, 2-hour lesson about the 3D printing business, its current state and future possibilities.

P.S. The HSTS header is also missing.

Other stuff:
  • Hardened s.sami-lehtinen.net SSL ciphers: only AES256 and CAMELLIA256 are now supported, with TLSv1.0 and newer protocols. TLS 1.1 and TLS 1.2 are also supported, as well as ephemeral DH with SHA384, providing PFS (DH key exchange).
  • IPv6 launch is here. Here are some interesting statistics for you.
  • Listened to the "Security Now!" RFID security episode, read the Wikipedia RFID, Smart Card and Smart Card Security articles in detail and also checked many chip details.
  • Started to use Ridiculous Fish's fish shell.
That's all folks! I also studied and thought about some topics which I really would like to write much more about. But I'll do that later. This should be enough for now. See my G+ posts for minor stuff.