Free software

TLS 1.0 Hatin’ the Game

Wednesday, June 1, 2011 

After much reading and interpreting, it became clear there was no more advice for configuration variations to get client cert login working. It seemed Chrome was doing it right, IE not even trying, and Firefox failing. No advice as to why and setting LogLevel to debug didn’t add much in the way of useful hints.

TLS_bad.JPG

Jared Davenport, for reasons that would never have occurred to me, tried turning off TLS 1.0 in firefox as an allowed protocol. PCI compliance requires turning off a bunch of weaker/compromised protocols and ciphers anyway, so I already had:

SSLProtocol -ALL +SSLv3 +TLSv1

A quick test of

SSLProtocol -ALL +SSLv3

solved the problem with firefox. IE still refuses to talk to SSL, but IE is a stupidhead anyway. OK, it annoys me as the same client cert works on CACert.org’s site so something there is working right that isn’t on my box, but as I never use IE, I think I can let it go

no_tls_good.JPG
Posted at 01:21:25 UTC

Category: FreeBSDLinux

Awesome SSL client cert fun

Tuesday, May 31, 2011 

Client cert authentication is oddly elusive given the practical value. I found a neat bug:

with
SSLVerifyClient optional
SSLVerifyDepth 3
SSLCADNRequestPath /usr/local/openssl/certs/clientcerts/

I get a request for identification in firefox, no problem. If I choose the right certificate to respond with I get an instant child pid 61501 exit signal Bus error (10). Every click on the “OK” button gets another seg fault. Yay. Magic.

client_cert.jpg

signal_bus_error.jpg
Posted at 00:36:09 UTC

Category: FreeBSDtechnology

Moar Privacy

Thursday, December 9, 2010 

I’m using an Ubuntu VM for private browsing, and like many people, I’m stuck using a mainstream OS for much of my work (Win7) due to software availability constraints. But some software works much better in a linux environment and Ubuntu is as pretty as OSX, free, and installs easily on generic x86 hardware.

It is also pretty straightforward to install an isolated and secure browsing instance using VirtualBox. It takes about 20G of hard disk and will use up at least 512K (better 1G) of your system RAM. If you want to run this sort of config, your laptop should have more than enough disk space and RAM to support the extra load without bogging, but it is a very solid solution.

Installing Ubuntu is easy – even easier with an application like VirtualBox – just install virtualbox, download the latest ubuntu ISO, and install from there. If you’re on bare metal, the easiest thing to do is burn a CD and install off that.

Ubuntu desktop comes with Firefox in the tool bar. Customizing for private browsing is a bit more involved.

My first steps are to install:

NoScript is an easy win. It is a bit of a pain to set up at first, but soon you add exceptions for all your favorite sites and while that isn’t great security practice, it is essential for sane browsing. NoScript is particularly helpful when browsing the wacky parts of the net and not getting exotic browsing diseases: it is your default dental dam. Be careful of allowing domains you don’t recognize – Google them first and make sure you understand why they need to run a script on your computer and that it is safe. A lot of sites use partners for things like video feeds, so if some function seems broken, you probably need to allow that particular domain. On the other hand, most of the off-site scripts are tracking or stats and you really don’t need to play along with them.

BetterPrivacy is a new one for me. I am very impressed that it found approximately 1.3 zillion (OK 266) different company flash cookies AFTER I had installed TACO and noscript etc. You bastards. I’m sure I can enjoy hulu without making my play history shared-available to every flash site I might visit. Always Sunny in Philadelphia marks me as a miscreant. I flush the flash cookies on starting silently (preferences).

TACO is a bit intrusive, but it seems to work to selectively block tracking and advertising cookies. At least the pop up is comforting. For private browsing, I’d set it to reject all classes of tracking cookies (change the preferences from default).

User Agent Switcher is useful when you’re deviating from the mainstream. Running Ubuntu pretty much flags you as a trouble maker or at least a dissident. Firefox maybe a bit less so, but you are indicating to advertisers that you don’t respect the expertise of those people far smarter than you who pre-installed IE (or Safari) to make your life easier. Set your user agent to IE 8 because the nail that sticks up gets pounded down.

Torbutton needs Tor to work. Tor provides really good privacy, but is a bit involved. The Tor Button Plugin for firefox makes it seem easier than it really is: you install it and click “use tor” and it looks like it is working but the first site you visit you get an proxy error because Tor isn’t actually running (DOH!).

To get Tor to work, you will have to open a terminal and do some command line fu before it will actually let you browse. Tor is also easier to install on Ubuntu than on Windows (at least for me, but as my browser history indicates I’m a bit of a miscreant dissident, so your mileage may vary).

Starting with these fine instructions.

sudu gedit /etc/apt/sources.list
add
deb http://deb.torproject.org/torproject.org lucid main
deb-src http://deb.torproject.org/torproject.org lucid main

Then run
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
sudo apt-get update
sudo apt-get upgrade
sudo apt-get update
sudo apt-get install tor tor-geoipdb

Install vidalia with the graphical ubuntu software center or with
sudo apt-get install vidalia

Tor expects Polipo. And vidalia makes launching and checking on Tor easier, so remove the startup scripts. (If Tor is running and you try to start it from vidalia, you get an uninformative error, vidalia has a “launch at startup” option, so let it run things.) Vidalia appears under the Applications->Network.

sudo update-rc.d -f tor remove

Polipo was installed with Tor, so configure it:
sudo gedit /etc/polipo/config

Clear the file (ctrl-a, delete)
paste in the contents of this file:

UPDATE: paste in the contents of this file:

(if the link above fails, search for “polipo.conf” to find the latest version)

I added the binary for polipo in Vidalia’s control panel, but that may be redundant (it lives in /usr/bin/polipo).

I had to reboot to get everything started.

And for private chats, consider OTR!

Posted at 17:45:45 UTC

Category: politicstechnology

Working Toward Workable Time Zones

Sunday, August 22, 2010 

PIMs (Personal Information Managers, what we used to call things like Outlook, or Sunbird, or Lightning, or Zimbra before they were integrated with email) haven’t progressed much in the last 20 or so years.  Actually, neither have email clients.   Perhaps the most essential of our daily tools, these classes of products have failed to progress much at all over the decades.

Sure, email has styled text now and you can compose a message in Outlook using Word, but these wizzy tricks distract from the function of email–communicating the written word.  There’s rarely any reason to style text in email and HTML mail has only been a boon for spammers and a distraction for users.  One of the few useful enhancements is inline images which I do find useful.

The best email clients ever, Eudora and  Mulberry (the BAT might qualify too, though I haven’t used it) have failed to keep up in OS level support. Thunderbird is OK, and pimped out with extensions to enable proper formatting, forwarding, text wrapping, etc. it is usable, though it still doesn’t handle frequent IMAP disconnections all that gracefully (it pains me to admit it, but only Outlook does this really well).

PIM functionality has actually gone backwards as the years have gone by. Calendar programs have always handled reminders and notifications and scheduled events fairly well.  DateBook was great in 1990 and there’s very little useful that has been added since .  In the mid-90’s Motorola shipped a great little PIM along with their TimePort phones called TrueSync Desktop.  You could create an event in a time zone other than the one you were in.  Wow.  Amazing.  The developers actually considered the possibility that you, the user, might have some business in a time zone other than the one you’re in.  At the time, some people pointed to Outlook’s then “dual time zone” functionality as the be-all end-all.  True, two time zones are better than one, but hardly a solution suitable for the whole of the US, let alone the world and the pixel heavy dual time zone stripe precluded anything more comprehensive.   At the time, the official M$ work-around was to change your computer’s time zone to the time zone you wanted to create the event in, create the event, then change the time zone back.  Brilliant.

Lightning (for Thunderbird) and Sunbird (stand alone) Calendar programs have finally incorporated some timezone functionality, you can at least set the starting and ending time zone of an event independently and differently from the time zone you’re in:

moz-screenshot-64.png

It is a start, but the time zone picker is still pretty much unusable:

moz-screenshot-65.png

This is a huge enhancement though, one I’ve been pushing for a long time:

https://bugzilla.mozilla.org/show_bug.cgi?id=224905

https://bugzilla.mozilla.org/show_bug.cgi?id=364750

https://bugzilla.mozilla.org/show_bug.cgi?id=364751

https://bugzilla.mozilla.org/show_bug.cgi?id=364751

The right answer is a simple pop-up menu with my favorite time zones in it.  I can use the semi-infinite list of seemingly random city names as a geography quiz along with Wikipedia to figure out what my favorite time zones are as long as I don’t have to spend 10 minutes scrolling through them every time I’m trying to find America/New York for ET or America/Los Angeles for PT (or America/Dawson Creek for MST, no DST).

Oddly, Lightning actually has a half-decent map view that shows you the time zone you’ve selected, but you can’t click on it to pick the time zone you want (!?):

moz-screenshot-66.png

I really like worldtimezone‘s view as a graphical picker:

moz-screenshot-67.png

Something like this, plus a search tool into a database of time zones for cities would be just perfect for creating my list of favorite time zones.  Even the most worldly traveler is unlikely to need more than a dozen time zones in their favorites list and thus a popup would make selecting the start and end time zones very straight-forward.  Way back at the start of 2007 I proposed something like:

moz-screenshot-68.png

Which is pretty much a copy of  Starfish’s TrueSync Desktop (though TSD didn’t support different starting and ending time zones).  Someday… maybe someday I’ll have a calendar program as advanced as they were in 1993.

Posted at 15:58:40 UTC

Category: Linuxtechnology

Calendar Syncing

Wednesday, February 6, 2008 

Like many people, I have to use Outlook. It is by far not my favorite email or calendar system; I use Mulberry personally because it does not suck at all and it has a cool calendar I can use offline. I haven’t quite figured out my own webdav server, so I use Google Calendar to keep track of shared events with my girlfriends and others in my life. And everyone can use Google calendar and it does not suck either, so there’s no reason not to.

But it does create a sync issue. One which can be solved with free software and services by the following fine providers:

I end up using Google as my shared hub, sort of. Technically scheduleworld.com is the hub, but it’s invisible to everyone but me. To get there I use the Funambol outlook plug-in to sync my outlook calendar with scheduleworld.com (following these directions). It is not able to sync directly to Google yet because Google has to do it their way. Fortunately the clever man behind scheduleworld has that figured out. I also sync contacts using funambol to scheduleworld, but Google borked the contact API and so they don’t make it to Google Contacts from scheduleworld any more: scheduleworld does have an LDAP server though.

On the well-designed side, I use gcal daemon to sync my Mulberry calendars with Google (my directions here). I also subscribe to the scheduleworld LDAP server from Mulberry so I can access my outlook contacts from mulberry.

Now, oddly, Outlook’s contact databases are painfully borked and the local address book and global address books do not collaborate at all. Stupid. Unfortunately neither does Mulberry offer an option to sync the local address book to one or more remote LDAP directories, which would be very useful. I think there is still an odd disconnect on the part of developers who tend to work stationary and assume everyone has an always-on connection with very rare moments of disconnect, but as someone who gets on at least 4 planes a week can attest: this is not always the case. Even Mulberry, which is the only IMAP client I’ve found that supports a workable disconnected mode, does not make frequently disconnected mode trivial to use – neither to keep IMAP mailboxes in sync nor to provide off-line lookup of LDAP databases.

But Cyrus is responsive and I am optimistic we might, someday, have a good solution. If not, Adobe Air is pointing the way toward a viable seamless connected/disconnected (or periodically disconnected) world. I think this will become increasingly essential as the world goes to frequently interrupted wireless connectivity. Currently we tolerate wireless (WAN) interruptions because we have to, but that rules out far too much of what we’d like to be able to do and solutions thus far are generaly ad-hoc. We need an imperfect WAN connected world that is perceptively as relaible as a wired one.

Posted at 13:41:05 UTC

Category: Linuxreviewstechnology