Tag Archives: Security

Posted on
by

Yesterday, there was a thread on hacker news highlighting that many sites around the world were making available potentially sensitive information about their site via Apache’s server-status link (provided by mod-status).

The stated advice is to limit access to this and similar pages (such as the server info page provided by mod-info) by using Allow/Deny to limit access to requests from the local machine, thus:

<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1 ::1
</Location>

Many distributions have this as the default configuration, but beware!

If you run Squid in a reverse proxy configuration, which many sites including this one do to improve performance under high load, you can easily expose such pages.

A common reverse proxy configuration is to run Squid on the local machine “in front” of Apache by configuring Squid to listen to port 80 and relaying to a local Apache server (which is bound to a different port). Under this configuration all requests to Apache will appear to be local, originating from the local machine.

Without extra steps being taken (such as using Squid ACLs) you could quite easily expose sensitive information you thought was only available to your local admins.

Beware!

Posted on
by

I asked this question over on Hacker News, as well as Quora, but I thought I’d also ask it here…

The UK plans to intercept all electronic communication. They currently don’t plan to snoop on content, but as noted elsewhere connection data is just as invasive.

To me this is both a civil liberties and business risk problem. I view my list of business contacts as confidential information and I don’t trust the government not to leave this information on a train somewhere.

Legal solutions are one thing, but the snoops keep raising their heads, so my feeling is that we need to actually find a way to make this sort of thing technically impossible.

Content encryption is already largely solved, although for email we still need a critical mass of people using PGP or similar.

VPNs just seems to push the problem to another jurisdiction, and if this is an agenda all governments will one day pursue, this will become decreasingly useful.

What can an individual do to protect content and connection data? Onion routing for mail servers? Do technical solutions rely on everyone doing it and so are unlikely to get much traction?

So what are your thoughts? What can we build?

Posted on
by

There was a small ripple around the internet this morning caused by the Home office opening up the Beta terrorist reporting tool.

To what extent the reports from this tool are monitored is unclear, but I suspect this will cause more problems that it solves.

Even before we consider the rather broad definition the government has for illegal material (which on the face of it could cover a number of science and religious texts), I can see the tool quickly becoming buried under false positives – whether through over sensitive citizens or through plain vindictiveness – which would need to be investigated.

Even if no further action is taken after the investigation, the cost in both time and resources must surely represent a significant risk that things that are actually a threat will be missed.