Turn SSLv3 off means turn it off

A quick refresher: SSLv3 is no longer safe for use. The POODLE issue was the final nail in the coffin, but it was already starting to show several cracks.

When the POODLE issue was discovered, the reaction was swift: turn SSLv3 off. While the issue was potentially fixable (record splitting for example), getting rid of it all together was the right thing to do – very few people need it these days, and who knows what else we’ll find in the future.

Since then, a few blog posts have popped up on how to “gracefully” handle SSLv3 connections, like showing an error page, “Sorry, SSLv3 is not supported, please upgrade your browser.”

Don’t do this.

By doing that you are effectively supporting SSLv3. You have to accept the SSLv3 connection in order to show the error page. You might think, “Well I am not sending any sensitive information, just an error page, so this should be OK”.

Remember what POODLE does – an active attacker can force a browser to downgrade their connection to a weaker version of SSL during the handshake. Many browsers that that still use SSLv3 don’t support TLS_FALLBACK_SCSV, so they are still vulnerable to POODLE.

Let’s pick on Internet Explorer 7. IE 7 supports TLS 1.0 and SSLv3, but not TLS_FALLBACK_SCSV. This person uses your website that requires authentication. Like most websites, you do authentication with a persistent or session cookie. Cookies are sent via HTTP headers by the client to the server on most HTTP requests: GET, POST, etc. That attacker then downgrades the connection to SSLv3, where they promptly see the error page that they need to upgrade their browser. But the browser sent your authentication cookie because they were already authenticated. The attacker then – with enough persistence and requests – be able to retrieve the authentication cookie.

This completely defeats the point of disabling SSLv3. Turning SSLv3 off means turn it off. By not accepting the connection at all, then the client is not able to even start an HTTP request.

Blocking requests with HAProxy behind a load balancer

In our current infrastructure, we have three HAProxy instances behind a AWS ELB load balancer. One of the things these HAProxy instances do is tarpit (block) a list of bad IP addresses.

The configuration looked like this:

acl spamlist src -f /etc/haproxy/abusers.lst
http-request tarpit if spamlist

Turns out it didn’t work. We were still seeing a spammer get through in our logs. The reason being, the connect to HAProxy is the IP address of the load balancer – not the IP address of the client, so it would never get blocked. It did work before an ELB was part of the infrastructure. Most proxies, including ELB, support the X-Forwarded-For HTTP header. What the ELB does in this case is take the original client’s IP address and put it in that header.

We can’t just compare that header with the IP’s in the blocklist though. It is possible in some corporate environment they have their own proxy. In this case, the X-Forwarded-For becomes a comma separated list of IP addresses. So we need to check every IP address in the X-Forwarded-For header against our list.

HAProxy makes that pretty easy. You can use hdr_ip to accomplish this:

acl spamlist hdr_ip(X-Forwarded-For) -f /etc/haproxy/abusers.lst
http-request tarpit if spamlist

hdr_ip takes in the name of the header you want to use, and automatically handles it as a list of IP addresses.

Time to get over the Linux fear

When I was first getting into software development, I heavily used Windows and Microsoft technologies. I insisted upon it when working with people, telling them that Microsoft’s stack was always the best choice. Windows, to me, was the superior operating system. Zune was superior to the iPod. C# was the right programming language for all things.

Despite my strong belief in the Microsoft platform, many people around me were starting to use Macs, Ruby was becoming popular, and I was more and more reluctant to consider these things as unnecessary. In 2011 I bought my first MacBook, and decided I was going to learn every thing I possibly could about the Unix and Linux world. In 2015, I’d say the *nix ecosystem makes a hell of a lot of sense to me. My view of technology today can be summed up as “Use the right tool for the right job”. This doesn’t seem like a very profound statement, but it took a while for it to really click with me. This meant that my current knowledge was not future proof, at all. It meant I probably shoehorned a few things here and there in the past. It meant I had a crapton more to learn.

I got comfortable developing in C/Objective-C (and as passé as it is, I still like the language quite a bit) at least for OS X, never quite as much for iOS. I know enough of Swift to be dangerous, and I know the BSD toolchain to make it through a day of work using it. A lot of that knowledge translated over the Linux, so I used Ubuntu and Fedora for a while to learn the ins and outs of Linux (tip: OS X is not Linux).

Learning these tools and technologies has done more to make me a better Microsoft Stack developer than anything else I ever did.

I would encourage those that are firmly in the Microsoft world to step back and see what else is there. I know many self proclaimed “Microsoft stack developers” that own MacBook Pros, run Bootcamp, and never touch OS X. Even more interesting are those that use Parallels, but just use OS X as a thin virtual machine host and run pure-Windows there, too.

Part of what frustrates me is people that use inferior Microsoft tools just because they come from Microsoft. They don’t want to get their hands dirty and learn some basic technology outside of Microsoft. An example that I recently came across is someone that wanted a Content Management System. Many people said, “WordPress”, and indeed, as he described his requirements more, it sounded more and more like WordPress was the right choice. Interestingly, one of that persons requirements was “It needs to run on Windows.”

Why?

The usual response is “Because we are a Windows shop”. That needs to stop. Sure, you can run WordPress on Windows. The Web Platform Installer can install it for you, it can run on a Microsoft SQL Server database… but why? People have gone through tremendous pains to get platforms running on Windows that don’t need to run on Windows. Meanwhile on a Linux distro, those platforms are easy to install and maintain, manage, and run. WordPress with MySQL is very simple. Why does IIS need ARR when there are much more proven, and scalable proxies able to run on Linux? (HAProxy, Squid, NGINX, just to name a few).

I know some people will never be comfortable or want to endeavor into Linux – that’s fine, just know there is a ton of things you are missing out on.

For those that are willing, take the time to learn it. Try building sources form scratch on your MacBook, if you have one. Go install a Linux distobution. The wonderful thing about Linux is if there is something you don’t like about it, you can fix it. Either someone has already done the work for you by packaging it up and putting it on Homebrew or Macports, or you can build it yourself. Don’t like the version of Git that OS X ships with? Easy:

#Install Xcode and the CLI tools before doing this so you have compilers.
#Choose a more suitable branch or tag if you aren't feeling adventurous to build trunk.
curl -L https://github.com/git/git/archive/master.zip > git-master.zip
unzip git-master.zip
pushd ./git-master
make configure
./configure --prefix=/usr/local
make prefix=/usr/local
sudo make prefix=/usr/local install
popd

I’m not trying to slam Microsoft and say Linux is The Path of the Beam. The two coexist with each other quite well. When used together, you can do some really great things.

My cygwin setup

Part of changing jobs meant that I had to rebuild my Windows virtual machine. Most of which I’ve managed to get down to a science at this point, but remembering all of the little changes I’ve made to Cygwin over the years has been lost. I thought, “make a blog post” since it’ll help me remember, and possibly help others.

Ditching cygdrive

I don’t really like having to type /cygdrive/c – I’d much rather type /c, like Git Bash does out of the box.

The solution for this is to modify the /etc/fstab file and add this line at the end:

c:/ /c fat32 binary 0 0

Don’t worry about the “fat32″ in there, use that even if your file system is NTFS. You can do this for arbitrary folders, too:

c:/SomeFolder /SomeFolder fat32 binary 0 0

Now I can simply type /SomeFolder instead of /cygdrive/c/SomeFolder.

Changing the home path

Cygwin’s home path is not very helpful. I choose to map it to my Windows home directory (again like Git Bash). The trick for this is to edit the file /etc/nsswitch.conf and add the following line:

db_home: /%H

This sets the home to your Windows Home directory. Note that this change affects all users, so if you have multiple users on Windows, don’t hard code a particular path, instead use an environment variable like above.

Prompt

I typically set my prompt to this in my .bash_profile file:

export PS1="\[\e[00;32m\]\u\[\e[0m\]\[\e[00;37m\] \[\e[0m\]\[\e[00;33m\]\w\[\e[0m\]\[\e[00;37m\]\n\\$\[\e[0m\]"

This is similar to the one Cygwin puts there by default, but does not include the machine name.

vimrc

Not exactly cygwin related, but here is a starter .vimrc file I use, I’m sure I’ll update it to include more as I remember more.

set bs=indent,eol,start
set nocp
set nu
set tabstop=4 shiftwidth=4 expandtab
syntax on

If anyone has some recommendations, leave them in the comments.

New Pasture

For the past eight and a half years, I’ve enjoyed many different challenges at Thycotic. From working on some tough security implementations to consulting. I’m always interested in new challenges, seeing what else lies beyond where I am now. That is why I’ve accepted employment with Higher Logic. I’ll be joining their team continuing what I do best: solving problems and doing my best to make customers happy.

I’m looking forward to it.