The Mental Diarrhea of Ian D. Eccles

A Page Torn from Ubuntu (and Other Linux Distributions)

Preamble

For quite some time now, session hijacking has been a potential attack vector for many websites. A recent example of this was the demonstration of Hamster against GMail at Defcon. A relatively simple solution to this issue would be to use SSL across the board, which would result in the session cookie (a browser cookie that uniquely identifies/tracks your login when using a web service) being encrypted. I suspect that the reason this isn’t done more frequently with sites like GMail, MySpace, or whatever site you enjoy logging in to, is that HTTPS (HTTP over SSL) is expensive relative to its unencrypted HTTP counterpart. Another reason is the cost of renewing a valid SSL certificate so your users aren’t presented with wonky error messages when they access the site, but I highly doubt monetary issues are in any way a concern for the likes of GMail or MySpace.

So, where am I going with this?

Well, I’ve been putting together a system to handle Mathish.com; in fact, I have been putting it together for well over 2 years now. The underlying principles have remained the same, though the database engine and development platform have both changed over time. One of the essential underlying ideas behind this system is that everything is backed by a resource. So, every article, link, user and so forth is backed by a row in a “resources” table. The resources table itself represents a tree, with all items ultimately a descendant of the root node, which I have cleverly named “root.” To ease query lookups to fetch ancestors and descendants of a given resource, the resource table is managed by a modified pre-order tree traversal algorithm (for those familiar with Ruby on Rails, acts_as_nested_set). In this way, permissions can be assigned to a parent node, inherited by children (or grandchildren, or great-grandchildren), and all of that can be resolved with only a few SQL queries.

So, seriously, where am I going with this?

This system I am working on uses sessions based on cookies, and I thought to myself: how do I mitigate session hijacking? And then a thought occurred: sudo. It appears quite a few Linux distributions are making use of sudo these days, but I am most familiar with Ubuntu’s usage. For those who haven’t kept themselves abreast of Linux goings-on, in Ubuntu, your user account is rather unprivileged. You can modify your own files, configure your own settings and do other shit that’s “you-centric.” However, should you need to make a change that is system-wide, Ubuntu will prompt you for your password and validate that password before any such change is made. Though your account is unprivileged, it has the ability to escalate its privileges when you verify (by entering your password) that it is okay to do so. And that is where I’m going with this. Why not create an action (task, permission, whatever you want to call it, I’m calling them actions) named “sudo,” and when a user has permission to perform sudo on a given resource, but does not have permission to perform the action they initially requested, they are prompted for their password. If the password validates, the task is performed; if not, they are unambiguously reminded of all their failings in life.

How does this solve the problem?

In an entirely plaintext environment, it does not solve the problem. It merely creates one more barrier between the attacker and the goal. In such a case, the barrier is a trivial one if we assume the attacker can already detect the session cookie. However, in an environment where SSL is available, but the expense of HTTPS is too high for every page load, I think this presents a viable solution. The user logs in through an HTTPS page, then uses HTTP for their mundane activities (reading articles, viewing user profiles) but should they wish to do anything that will affect the system, they have no privilege to do so, but do have the ability to sudo on the given resource. Thus, they enter their password, at this point across an HTTPS connection, and the change is made.

Why this method doesn’t really solve the problem.

For my purposes, this method is sufficient and robust enough to work. But I am putting together what is essentially a resource management site. My earlier examples of GMail and MySpace would not translate so nicely. For instance, in GMail, what constitutes an action that should be protected by a sudo? Email deletion? Marking a message as spam? Reading a message? Even if one made use of a flag to indicate that the user had performed a sudo in the last, say, 5 minutes, that’s still going to result in a lot of prompting. It would also create 5 minute windows where session hijacking is just as powerful as it ever was — mitigating the problem, but not completely alleviating it. MySpace presents similar problems. My experience with it is pretty limited, but I personally have a few friends who are mental for posting bulletins and adding comments to their friends’ profiles. Again, that’s an awful lot of prompting for a password and provides a user base with plenty of examples of why it should consider using a competing service. Regardless, for my purposes, I think it is a decent idea, and when combined with a pseudo-randomly generated token to track action sequences, I think the result will be a pretty good start towards securing a web-based application.
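An added example (not the post’s or Mathish’s own code) tying together the nested-set permission lookup, the “sudo” action and the timed sudo window discussed above; the resource tree, the grants and the alice credential are constructed sample data, and the caller is assumed to know whether the request arrived over HTTPS:

```python
import hashlib
import hmac
import os
import time

# Constructed sample resource tree stored as a nested set (lft, rgt bounds):
#   root(1,10) -> articles(2,7) -> article:42(3,4), article:43(5,6); users(8,9)
RESOURCES = {
    "root": (1, 10), "articles": (2, 7), "article:42": (3, 4),
    "article:43": (5, 6), "users": (8, 9),
}
# (user, node) -> actions granted there; a grant applies to every descendant.
GRANTS = {
    ("alice", "root"): {"read"},
    ("alice", "articles"): {"sudo"},
    ("alice", "article:42"): {"edit"},
}

def ancestors_and_self(name):
    """Nested-set lookup: A contains B iff A.lft <= B.lft and A.rgt >= B.rgt."""
    lft, rgt = RESOURCES[name]
    return {n for n, (l, r) in RESOURCES.items() if l <= lft and r >= rgt}

def allowed(user, action, resource):
    """True if the action is granted on the resource or inherited from an ancestor."""
    return any(action in GRANTS.get((user, n), ()) for n in ancestors_and_self(resource))

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

SALT = os.urandom(16)                            # one salt for the demo; use one per user in practice
USERS = {"alice": _hash("correct horse", SALT)}  # constructed credential

def verify_password(user, password):
    return hmac.compare_digest(USERS[user], _hash(password, SALT))

SUDO_WINDOW = 300          # the "sudo in the last 5 minutes" flag from the post
_sudo_until = {}           # user -> time until which a verified sudo still counts

def authorize(user, action, resource, *, over_https, password=None, now=None):
    """Return 'allow', 'needs-sudo' (prompt for the password over HTTPS) or 'deny'."""
    now = time.time() if now is None else now
    if allowed(user, action, resource):
        return "allow"
    if not allowed(user, "sudo", resource):
        return "deny"                       # cannot escalate on this resource at all
    if _sudo_until.get(user, 0) > now:
        return "allow"                      # inside the window: the residual hijack exposure
    if password is None or not over_https:
        return "needs-sudo"                 # never accept the password over plaintext HTTP
    if verify_password(user, password):
        _sudo_until[user] = now + SUDO_WINDOW
        return "allow"
    return "deny"
```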

Updates

  • Adam pointed out to me that you can use GMail strictly over HTTPS by accessing the site through https://mail.google.com/mail
August 6th, 2007 at 10:49 pm | Comments & Trackbacks (0) | Permalink


New Shoes

I just got my new pair of Converse shoes. This puts me one step closer to my life-long goal of having a pair of Converses for every occasion. It might seem like a trivial goal, but I find it is best to set your dreams low so that you are rarely disappointed. Pardon the crappy quality of the picture, I took it with my phone as that is the only digital camera I have access to at the moment.
On an unrelated note, I am actually leaning towards Ruby on Rails for site development.

July 24th, 2007 at 5:28 pm | Comments Off | Permalink


The Long Delays

So, there’s been a terribly long delay since my last post and here are some of the reasons for that:

  • I moved from Clarion back to the Meadville area.
  • I was hired by a company to do development work for real money.

Anyway, I make no apologies for the delays, life has taken up my time as life does, and no one reads this blog anyway.  Onward.

At my new place of employment, I have been developing using ASP.Net 2.0, and I have to say, it is a better development environment than anything I have used in the past few years. JavaServer Pages provide a similar framework, but I have not developed in that environment in a very long time, and when I did, my level of development was rather limited. Regardless, quite a few months ago I decided that PHP sucks, and there’s no getting around it. The language appears to be designed largely ad hoc with little mind paid to consistency and no unifying direction. I had started to play with Python and decided that if I got back into personal development, I would attempt to build a framework in that language, and that’s where ASP.Net comes in. After developing in ASP.Net for a while now, I realized that to build a proper framework would be a huge undertaking, so I began looking for something comparable in the Apache/Linux world and stumbled upon Spyce. I have only just begun to look at it, but this might be precisely what I was after.

So, a Python based framework, a PostgreSQL RDBMS (technically ODBMS) and perhaps I’ll actually do something with my fucking domain again.

July 16th, 2007 at 12:41 am | Comments Off | Permalink


Upcoming Work…

So, due to a bit of hubris on my part, and some dumb luck, also on my part, I simultaneously lost 5+ years of data (software, web design, etc.) and recovered (5+ years) - (6 months) of data. It’s a long and tedious story that ultimately ends with: I formatted something I shouldn’t have formatted and by pure chance I had an outdated backup. We’ve all heard the story, most of us have been there, I won’t bore you with the details.

The important bit is that I lost the code I was developing for mathish.com’s content management + XML + LaTeX jibber jabber. Most of it was rough and proof-of-conceptish anyway, so that’s okay, and it’s given me a chance to rethink how much I want to put on the server and how much I want to do on my computer (the conversion from LaTeX to images is a bit CPU intensive, and though I wouldn’t be updating frequently, I still don’t think it’s a wise idea to burn CPU cycles on my hosting account at this time.)

I have also been afforded the opportunity to work on a second article, that I intend on “publishing” in the first issue of mathish.com, when I unveil it all. I’ve basically begun the early stages of looking at fractal patterns in documents, with the intent of identifying a “document quality” measure based upon these patterns. For some good, already published, articles related to this topic, check out the research papers on Mi Islita. It may take a while before I have any worthwhile results, but then again, it may take a while before mathish.com is ready.

February 6th, 2007 at 3:15 am | Comments & Trackbacks (1) | Permalink


Good Finds

Through the dual courses of business and pleasure, I have stumbled upon some interesting finds.

The first is a web-based rich-text editor (RTE) called TinyMCE that is released under the LGPL license. It’s feature rich, and if you use a newer version of WordPress, you’ve already seen it. Prior to embracing TinyMCE, I was using this fellow for my online rich-text editing needs. However, I do believe TinyMCE offers a better feature set, is quite a bit easier to get running, and has a much nicer license. The other RTE is “free”, but only for the “compressed” javascript. If you want to make changes to the script, and all of the GUI components are embedded in the script, you have to shell out cash for the uncompressed version. This wasn’t the case when I first stumbled upon the second RTE, which is why I initially used it, but given that TinyMCE is truly open source, I have a feeling they’re going to eat the other fellow’s lunch.

The second bit of goodness comes from kind of a random path. I was playing Maniac Mansion, and realized I liked the opening music. So I did some searching around for mixes of it. I found a few, and then I remembered the Overclocked Remix site. I hit that puppy up and what should I see greeting me on the main page but a remix of the original Doom score entitled The Dark Side of Phobos. A brief torrent download later, and I’m rocking out to the classic sounds of E1M1 and “Dis” (remixed as “The Leaning Tower of Babel”, easily my favorite track, both from the original score and “The Dark Side of Phobos” album.)

That’s about all the goodness you’re going to get from me today. I’ll post more such nuggets as they reveal themselves to me.

February 2nd, 2007 at 1:10 pm | Comments Off | Permalink


Beryl Goodness

I’ve recently started using the Beryl compositing/XGL window manager. It’s very neat, and very pretty, but there’s about 1,500,000 webpages dealing with the prettiness of Beryl already. That’s not what this entry is about. Earlier today, I was tweaking keybindings for Beryl, when I stumbled upon a blog on usability improvements through Beryl, and it was because of this article I decided to try something a bit radical with my desktop.
I have been using the “Window Selector” panel widget, in preference to “Window List”, for Gnome for quite a while, so like the author of the linked article, I don’t bother trying to read truncated strings when looking for minimized windows. I’ve got Beryl mapping 3 out of 4 of my screen edges to various window selectors (thanks to the “Scale” plugin), leaving the top right corner free for the Gnome “Window Selector” panel applet. So, when I want to switch windows, I throw my mouse to a corner, and then click on the preview of the window I’m after (or select a minimized window from a list of all windows, if I hit the upper right corner.) I dig this. It’s much faster to throw a mouse into a corner of the screen than it is to read text and then hit a target of varying size. I also dig this because, in the case of Beryl’s selectors, I don’t have to read shit. I get a nice image preview of the window, something my brain is much better at identifying than text, or an arbitrary application icon. (Though the application icon is provided for assistance.)

I was not aware that Alt+F1 (or whatever keybinding you use) will display the main menu regardless of whether or not the main menu exists on any particular panel. This rules, because, as the article linked above points out, when the main menu is removed, and Alt+F1 is pressed, the menu appears directly under the mouse’s current position. Fucking sweet from a Fitts’s Law perspective.

Next, I followed the author’s advice and dropped in the Deskbar panel applet. I have used this applet in the past with mixed results, but it seems to be working now. And with its own keybinding to take the focus, it’s very quick to access. I don’t have any strong opinions on the Deskbar portion of my desktop just yet, I should have feelings to share on that in about a week.

Finally, I mapped out Super+(Q,W,E,R,T,Y,U,I,O,P) and Super+(Mouse1,Mouse3) to launch the apps I use most frequently. I’ve always liked the ability to do this (part of the reason I’ve considered going back to KDE is the ease with which app-launching shortcuts can be created, whereas in Gnome/Metacity it’s pretty well obscured and limited to 10 apps.) Granted, Beryl only allows for a total of 12 commands to be mapped to keyboard/mouse bindings but that’s enough for my purposes. If you need more, then Beryl may not be right for you. So, while holding a button I issue a spastic twitch, and I’m editing in gVim, or inkscape, depending on which finger the twitch occurred in.

I haven’t fully adjusted to the keybindings I chose yet. And I may remap them later, but the point to all this is, I now do a lot more directly from the physical interfaces of my workspace (keyboard + mouse), instead of relying on the virtual interfaces of Gnome (desktop, menus, etc.) And, I like that very much.

January 27th, 2007 at 12:03 pm | Comments & Trackbacks (2) | Permalink


Hosting Switch

I have, yet again, switched hosts for mathish.com. Overall I was pretty pleased with phpwebhosting.com and would recommend them to anyone seeking hosting. However, I’ve long wanted to move to a hosting environment that supported PostgreSQL, and phpwebhosting.com only supports MySQL.

The transfer seems to have gone pretty painlessly, though I spent a fair bit of time around 8-9pm last night fighting with Verizon’s DNS servers, as the primary was resolving mathish.com to the new host, while the secondary was still pointing me to the old site. But that all seems hammered out now, and everything appears to be working for me. You may not experience the same results, but then again, if you don’t, you can’t read this anyway!

Finally, the reason for switching to a hosting provider with PostgreSQL support is that I yearn for the atomic transactions and referential integrity that MySQL < 5.x cannot provide. Oh, and stored procedures, let’s not forget stored procedures.

So, I will now get back to developing the code base for mathish.com again, but this time with a nearly real RDBMS.

January 26th, 2007 at 8:59 am | Comments Off | Permalink


Now we play the waiting game…

As of today, all materials have been submitted for my graduate school applications. All letters of recommendation have been received. This excites me, and not just because I’ve spent the past 3 days riding a Vicodin high (although that certainly helps.) It may have taken 3 years, but I’ve finally done it, I’ve applied to return to school. Unfortunately, it could take until March 1st before I know if I was accepted or not, so now I get to play the waiting game. And in the paraphrased words of Homer Simpson, the waiting game sucks, I’d sooner play Hungry Hungry Hippos.

Anyway, have yourselves a merry little Kwanzaa, or whatever fits your particular system of disbelief. In the meantime, I’m going to drink a bit more and chat with my family.

Also, I believe I’ve successfully quit smoking… but I’ll comment more on that when the provability of the statement is determined.

December 23rd, 2006 at 10:10 pm | Comments Off | Permalink


Reworking

After quite a while of using the domain mathish.com as nothing more than an over-glorified blog, I’ve decided to rethink my plans and start anew. That’s all well and good, but somewhere between realizing this and now, I got sidetracked by about 47 other projects. Thus, the redeployment of mathish stalled. However, things are looking better now.

Work on various other projects still takes up nearly all of my time, but during breaks I have worked out some of the important implementation details for the new site. Namely, I’ve hammered out a simple paper XML schema, an XSLT stylesheet to convert this into XHTML — with the help of PHP’s DOM —, and a tool to process any inline LaTeX formatted formulae into MathML — through the use of itex2MML. I’m pretty pleased with the results, and though that is an important step, there are still some other large ones that must be taken before mathish is ready again.

In the meantime, and even after, I’ll be posting thoughts, ideas, and such bullshit here. So, that’s where things stand — how’s that for anti-climactic?

December 2nd, 2006 at 11:38 pm | Comments Off | Permalink