Blog‎ > ‎

HTTP/2, AWS, ECDSA, SQLite, ARTS, CloudFlare, Cryptography, Duplicati 2.0, EmailRelay

posted Nov 4, 2014, 7:29 AM by Sami Lehtinen   [ updated Mar 2, 2015, 6:42 AM ]
  • HTTP/2 all the things, great presentation about HTTP/2 - Thoroughly studied the document and though how it would affect things (Web app / page development) in future.
  • Studied AWS Directory Service - Yet it seems that I most probably don't have any use for it.
  • Played a little with Python-ECDSA library, seems to work and does what it promises. It's a good question if there's any sense of doing crypto in pure python, because it's slow. But on the otherhand, it's also ultimately portable. So if python runs, libs work too. There has been so namy problems on different platforms with libraries which include C parts or dependant on other already included in OS libraries. This library doesn't provide encryption, but it can be easily used for strong authentication. It was also exceptionally easy to use. I don't have a strong use case for this particular library. But it was fun to toy with it.
    It's actually quite similar what I would do if I would create that Spritz library. Limited use, pure python, but can be handy in some special cases. As well as you'll really learn the internals of things, when writing the implementation yourself.
  • Tried to play with PyFiglet, but didn't work out easily enough. Maybe I'll retry bit later, but this is just the reason why I like versatile generic pure Python implementation, so it works always and everywhere. Things which are only thin Python wrappers for something which requires much more work to get working, isn't always too fun.
  • Had some fun with SQLiteCipher. Yet I don't see it in my case very useful. If you have full access to the system with the database, you can usually read the source code and the encryption keys being used also. So it's more or less classical failure of "data is encrypted". Yes it is, but keys are way too easily available. Also it naturally provides no protection against SQL Injections etc.
  • Studied ARTS XML Digital Receipt Charter v 2.0  Links [ 1, 2 ] - Didn't provide anything at all what I wouldn't have known already.
  • Toyed with Python Web Apps. One interesting solution to replace Nginx in front of uWSGI is to use CloudFlare as the front end server. It can globally distribute all static content with long cache TTL and only dynamic content is served from primary uWSGI server. This is quite excellent solution for small sites with light servers. Also checked situation of uWSGI and HTTP/2, seemed quite messy. Well, maybe one day there will be a solution.
  • "Making sure crypto stays insecure" by Daniel J. Bernstein. Super interesting presentation about how systems are designed to be and stay insecure on purpose.
  • Studied and tested Duplicati 2.0 Storage Engine - Storage format description [PDF] - Google+ Discussion
    Quote:
    "I'm just wondering if Duplicati guys have though about creating a Duplicati server. What? Server? Yes, I don't now mean the service, or 'backup server'. But I do mean server with custom protocol? Why? What's the benefit? Well, the befit is that the server module can compact storage space without retransmitting data over network. That's exactly what some data transfer methods are much more efficient than others, but those usually require custom software at both ends. I'm personally running the servers creating the backups, as well as the server (at another location) which stores the backup data. Using this kind of solution would save a lot of bandwidth.
    Quickly it sounds like it would use more bandwidth and disk space. But of course it depends from your settings. In my case I'm currently saving 3 full backups and daily incrementals. So it would quite surely save me quite a lot of bandwidth.
    But based on this, as soon as stable version is released I'll have to upgrade systems to use it. I'll also really love the new command-line. I'm currently using GUI version on Windows servers and command-line (Duplicity) only on Linux, because it was immediately obvious that the old command-line was so complex that average Windows Administartor simply can't handle it.
    I've also always loved Duplicati's Trust No One (TNO) design, where all cloud stored data is strongly encrypted."
  • Configured EmailRelay - What did I just write about parameters and Windows admins? Yeah, here's another enjoyable task. EmailRelay parameter reference. It didn't take too long to configure it, but I guess it would have still been hard for most Windows admins. It seems that some ISPs are dropping support for SMTP, just as they did drop their own NNTP and IRC servers a long time ago. So, if you want to run mail server, you're out of luck. Many ISPs also block TCP/25 aka SMTP-port and so on. Solution was tu run emailrelay on site, which got MTA and allows it to be used. I just used alternate port, mandatory STARTTLS and strong login credentials to authenticate user. Problem solved. Now email can be easily delivered from almost any place without making it hard for anyone. I also pre-generated list of 10k email credentials, so nobody needs to be bothered with creating new accounts for a while.