Posted on
by

Yesterday, there was a thread on hacker news highlighting that many sites around the world were making available potentially sensitive information about their site via Apache’s server-status link (provided by mod-status).

The stated advice is to limit access to this and similar pages (such as the server info page provided by mod-info) by using Allow/Deny to limit access to requests from the local machine, thus:

<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1 ::1
</Location>

Many distributions have this as the default configuration, but beware!

If you run Squid in a reverse proxy configuration, which many sites including this one do to improve performance under high load, you can easily expose such pages.

A common reverse proxy configuration is to run Squid on the local machine “in front” of Apache by configuring Squid to listen to port 80 and relaying to a local Apache server (which is bound to a different port). Under this configuration all requests to Apache will appear to be local, originating from the local machine.

Without extra steps being taken (such as using Squid ACLs) you could quite easily expose sensitive information you thought was only available to your local admins.

Beware!

Posted on
by

WordPress, the popular blogging software written by Automattic, has a problem with SSL self signed certificates. Basically, they don’t work well in any of their newer software products or services.

In order to post an update, I must first log into my blog. This requires me entering a username and password into a login box in the usual way. By default, WordPress does not use the secure HTTPS protocol for this, instead it sends this password in the clear over HTTP.

This is not good, so I, like many others, force WordPress to carry out login and administration functions over HTTPS. This is relatively straightforward, and well documented in WordPress’ own documentation, but requires a SSL certificate.

You can obtain a SSL certificate in one of two ways. Either you pay for a third party issuer to give you one (which has the benefit of not triggering a warning in the browser), or you generate one yourself – a so called “Self Signed” certificate.

Self signed certificates are perfectly valid, but browsers will display a warning on sites which use them. A problem if you’re running a public facing service, but not if it’s just for your own private blog, and crucially the traffic is still encrypted.

The Problem

Unfortunately WordPress don’t seem to like self signed certificates.

The iOS WordPress client once worked fine with self signed certificates, but this functionality was removed in an update a few months ago. Attempts to connect now display an error about the certificate’s self signed status, but unlike all browsers, will not give you the option to proceed.

Jetpack, which is now replacing much of the functionality previously provided by separate WordPress plugins (most importantly WordPress stats), is completely broken.

When you attempt to activate the plugin, Jetpack complains about being unable to communicate with the site with the following error:

Error Details: The Jetpack server was unable to communicate with your site [IXR -32300: transport error: http_request_failed SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed]

There is no way to bypass this, since the cURL error originates on the Jetpack servers and would require a code change at their end to allow the self signed certificate.

WordPress remain tight-lipped

I am not alone in encountering these problems, but so far attempts to contact WordPress/Automattic for support by various mechanisms have all gone unanswered.

It is a legitimate point of view that certificate failures caused by self signed certificates should be a fatal. Personally, I think providing a mechanism to bypass these errors for those who know what they’re doing, is a better solution, but making it fatal is a legitimate point of view from a security standpoint.

I could resolve this issue by buying a certificate, although I have a number of good reasons, some financial and some technical, for why I have not yet done so. If Automattic were to point blank refuse to support self signed certificates in their products then I would have to find a way of making it work.

I also accept the possibility that I could have made a mistake in configuration, although I’m not sure what this could possibly be, and it is only Automattic products that are having issue.

I accept all this, however all requests for support in forum threads and direct, from myself and others, go unanswered. Bug reports for the iOS client are months old and are ignored. Similarly, direct support requests to Jetpack go unanswered.

Automattic: If self certified certificates are a feature that just won’t be supported, then please communicate with me and your other users, or at least update your FAQ. If you think I’ve made a configuration error then please say so. Please communicate, because this silence is infuriating!

Update 20/11/12: After much chasing around I’ve got a response, about JetPack at least. Seems that not allowing self signed certificates was originally a design decision (a clearer error message would have been nice!), however this decision has been re-thought and it is now seen as a bug. There is currently no time-scale as to when the issue will be addressed.

Posted on
by

Canonical has come in for a little bit of heat for the inclusion of the Unity Shopping Lens into the latest release of Ubuntu.

This new tool, installed and switched on by default (although you can turn it off if you want), extends desktop searches online. The upshot being that when looking for a file or application on your desktop, it will also perform an Amazon search for products with similar names and keywords. You then have the option to buy these products (of course netting Canonical a cut from the referral).

Many find this an objectionable direction for a free software platform to take, although Canonical have to pay their developers somehow, and the service model has its limitations. A number of people in Europe have questioned its legality, given the stringent EU data protection laws.

However, I think Canonical may get bit by the law of unintended consequences just simplistically piping a search string through a third party engine.

Check out what happened when I looked for the Terminal application:

Ooops!

I think being offered Playboy DVDs from within the desktop may get people’s backs up, even if the choice to ad fund development of the operating system doesn’t!