Mainline

Original, edited content. The "real" blog.filippo.io posts.

I'm giving up on PGP

After years of wrestling GnuPG with varying levels of enthusiasm, I came to the conclusion that it's just not worth it, and I'm giving up. At least on the concept of long term PGP keys. This is not about the gpg tool itself, or about tools at all. Many already…

So I lost my OpenBSD FDE password

The other day I set up a new OpenBSD instance with a nice RAID array, encrypted with Full Disk Encryption. And promptly proceeded to forget part of the passphrase. We know things get interesting when I lose a password. I did a weak attempt at finding some public bruteforce tool,…

Securing a travel iPhone

These are dry notes I took in the process of setting up a burner iPhone SE as a secure travel device. They are roughly in setup order. I believe iOS to be the most secure platform one can use at this time, but there are a lot of switches and…

Analyzing Go Vendoring with BigQuery

GitHub published a snapshot of all the public open-source repositories to BigQuery and Francesc used it to draw some cool statistics about Go projects. I used the same dataset to analyze how the Go ecosystem does vendoring. Disclosure: there's some ego stroking here, as I'm the author of gvt. (Try…

git fixup: --amend for older commits

Everyone knows and loves to use git commit --amend to change the latest commit. But what if you want to correct a older commit? The flow in that case involves an interactive rebase with a edit step. But that's kludgy. Here's an alias that using a couple of nifty git…

Stale GOROOT and gorebuild

GOROOT is the path where the Go stdlib and tools reside. To make setting up Go easier, the (default) GOROOT is hardcoded in the go binary. Normally it's /usr/local/go, but if you build Go yourself it'll be whatever path you built it in. If you install Go with…

Untrusting an intermediate CA on OS X

Intermediate CAs are certificates signed by a root CA that can sign arbitrary certificates for any websites. They are just as powerful as root CAs, but there's no full list of the ones your system trusts, because root CAs can make new ones at will, and your system will trust…

Self-host analytics for better privacy and accuracy

Something that always annoyed me of the current state of technology is how easy and pervasive we let tracking become. Tens of connections to 3rd parties carrying Referer and Cookies just to load an article. (We give up our users to social media websites just to show a like button…

Shrink your Go binaries with this one weird trick

Ok, I lied, there's no weird trick. However, you can easily reduce a Go binary size by more than 6 times with some flags and common tools. Note: I don't actually believe a 30MB static binary is a problem in this day and age, and I would not trade (build…

Understanding Metrics in the Age of the TSDB

Network and web applications generate metrics, which we usually just shovel into a library without thinking much about their true meaning or performance cost. This week I decided to read through the existing Go libraries, got halfway through writing my own, dropped it, and finally wrote this guide aimed at…

Bleichenbacher'06 signature forgery in python-rsa

While looking at the source of python-rsa (>100K daily downloads) I found it vulnerable to a straightforward variant of the Bleichenbacher'06 attack against RSA signature verification with low public exponent. The bug allows us to forge signatures for arbitrary messages, as long as the public key has a low exponent…

Most Go tools now work with GO15VENDOREXPERIMENT

tl;dr: 1.6 brings support for /vendor/ to most tools (like the oracle) out of the box; use the Beta to rebuild them. GO15VENDOREXPERIMENT is the native vendoring support added in Go 1.5. In short it allows you to put a package at a/vendor/x and import…

SSLv2 redux: patching Go crypto/tls to work with IE6

tl;dr: Go crypto/tls servers can't understand a sad SSLv2-flavored compatibility trick IE6 and JDK 5/6 do, I updated a patch, don't use it. While doing large scale TLS measurement with a Go crypto/tls server for CloudFlare, I started seeing this error score pretty high in my…

Building Python modules with Go 1.5

tl;dr: with Go 1.5 you can build .so objects and import them as Python modules, running Go code (instead of C) directly from Python. Here's the code. The Go 1.5 release brings a number of nifty changes. The one we will be playing with today is the…

ssh whoami.filippo.io

Here's a fun PoC I built thanks to Ben's dataset. I don't want to ruin the surprise, so just try this command. (It's harmless.) ssh whoami.filippo.io For the security crowd: don't worry, I don't have any OpenSSH 0day and even if I did I wouldn't burn them on…

How Plex is doing HTTPS for all its users

This week Plex, a self-hosted media server, announced that they now offer TLS to secure all connections, including those to the user's servers. This is actually pretty interesting. Background A quick overview of the Plex architecture to understand why this is different from the average HTTPS deployment. The server is…

The unofficial Chrome SHA1 deprecation FAQ

Chrome is visually penalizing long-lived SHA1 HTTPS certificates. The information about it is a bit scattered around so I'm writing this to provide a complete and hopefully correct overview. Just give me the tl;dr If your certificate is expiring after Dec 2015 and: it's signed with SHA1, or one…

The sad state of SMTP encryption

This is a quick recap of why I'm sad about SMTP encryption. It explains how TLS certificate verification in SMTP is useless even if you force it. SMTP SMTP is the protocol that mail servers talk between them to deliver mail. Standardized in 1982 it used to be, unsurprisingly, 100%…

Komodia/Superfish SSL Validation is broken

If you are on the ball already and just want the new vulnerability, scroll to the "client side SSL verification" section. tl;dr The Komodia/Superfish proxy can be made to allow self-signed certificates without warnings. Recap Some Lenovo laptops shipped with Superfish preinstalled - an ad injecting software. How…

So I lost my NAS password

I got my WD My Book World Edition II NAS out of the closet. The reason it went in the closet is that I locked myself out of SSH access, and in the meantime I forgot most of its passwords. Still, I need a NAS, so let's get it back…