Posted 2 years ago

Chrome, why don’t you?

Following yesterday’s post on flaws in the trust model of SSL certificate authorities, today I had a conversation in the breakout area with Indra on how browsers manage certificates. Indra reminded me how Phobos, one of the Tor developers, removes all certificate authorities from his/her Firefox setup. Phobos instead adds certificates individually to Firefox as he/she gains trust in a site.

That’s impressive, but extreme. The amount of effort, knowledge and technical skill required to achieve that outcome is beyond most browser users.

My browser of choice is Google’s Chrome. Chrome already has some additional security features for SSL certificates and secured domains, such as certificate pinning. But Chrome doesn’t give me any tools to even partially emulate Phobos’s approach. Which left me to lament to Indra:

  • Why aren’t certificates for my important domains (e.g. internet banking) already pinned?
  • Why can’t I manually pin the certificate for select domains?
  • Why can’t I declare some (or all) SSL protected domains to be sensitive?
  • Why doesn’t Chrome remember the last certificate presented by sensitive domains?
  • Why doesn’t Chrome warn me when the certificate for a sensitive domain changes?

So Google Chrome, why don’t you?
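
A sketch of the behaviour the last two questions ask for, as an added example (not Chrome's code, and not from the original post): remember the fingerprint of the last certificate a sensitive domain presented and flag any change. `PinStore`, the domain names and the certificate bytes are hypothetical and constructed for illustration.

```python
import hashlib

class PinStore:
    """Remember the last certificate seen for each domain marked sensitive."""

    def __init__(self, sensitive_domains):
        self.sensitive = {d.lower() for d in sensitive_domains}
        self.pins = {}  # domain -> SHA-256 hex digest of the DER certificate

    @staticmethod
    def fingerprint(der_bytes):
        return hashlib.sha256(der_bytes).hexdigest()

    def pin(self, domain, der_bytes):
        """Manually pin a certificate, or re-pin after verifying a change."""
        self.sensitive.add(domain.lower())
        self.pins[domain.lower()] = self.fingerprint(der_bytes)

    def check(self, domain, der_bytes):
        """Return 'not-sensitive', 'first-seen', 'match' or 'changed'."""
        domain = domain.lower()
        if domain not in self.sensitive:
            return 'not-sensitive'
        seen = self.fingerprint(der_bytes)
        known = self.pins.get(domain)
        if known is None:
            self.pins[domain] = seen  # trust on first use
            return 'first-seen'
        # A changed certificate never overwrites the pin silently; the user
        # has to call pin() again once the new certificate is verified.
        return 'match' if seen == known else 'changed'

# Constructed stand-ins for DER-encoded certificates. In real use the bytes
# would come from ssl.SSLSocket.getpeercert(binary_form=True).
CERT_OLD = b'constructed-der-bytes-old'
CERT_NEW = b'constructed-der-bytes-new'

def demo():
    store = PinStore(['bank.example'])
    return [
        store.check('bank.example', CERT_OLD),   # first visit
        store.check('bank.example', CERT_OLD),   # same certificate
        store.check('bank.example', CERT_NEW),   # certificate changed: warn
        store.check('bank.example', CERT_OLD),   # pin was not overwritten
        store.check('blog.example', CERT_NEW),   # not declared sensitive
    ]

if __name__ == '__main__':
    print(demo())
```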

Posted 2 years ago

Fixing SSL flaws

Just in case you missed it, a very serious security breach occurred recently at DigiNotar, a Dutch certificate authority. At least 531 fraudulent certificates were issued by the attacker for a wide variety of SSL/TLS secured sites including Gmail, Facebook and the Tor project. Some of those certificates have been used in man-in-the-middle (MITM) attacks on Iranian citizens.

One of the effects of this event, and the earlier Comodo breach, has been a renewed discussion on “fixing” SSL because it’s broken. Ignoring the argument of whether SSL is “broken” or just flawed, so far I’ve seen two basic themes to the proposals.

The first is to decentralise the trust relationship. Solutions like Perspectives and Convergence introduce the concept of “notaries”. Notaries monitor the use of certificates on sites over time. A user chooses which notary or notaries they trust; when accessing an SSL secured site, the notary is contacted to verify the server certificate presented to the browser.

Which makes me wonder: why not do away with the notaries altogether? Take the recent implementation of uChat, a peer-to-peer chat application built on BitTorrent. Using magnet links for each site, swarms of clients distributed around the world could assemble to compare the certificates being presented to each. All this could be built directly into the browser.

The second is to increase the cost of attacks against certificate authorities by having multiple independent certificate authorities sign a certificate. This would require an attacker to compromise multiple certificate authorities simultaneously to issue a fraudulent certificate.

Avoiding any discussion on the relative security of the two models for the moment, I contend it’s the second approach that will prevail. Why? Performance.

A lot of work has been going on recently to reduce the latency of creating new secured connections. Technologies like session resumption, FalseStart, SnapStart, and OCSP stapling are all designed to reduce the number of round trips to create a connection. Decentralising the trust relationship doesn’t just introduce many more round trips than were required in the past, it introduces round trips to multiple new locations.

Compounding the problem of a poor user experience, I also contend that a distributed trust model is more vulnerable to state level censorship. When the communication required to establish a new secured session is restricted to that between the client and the server (barring fraudulent certificates), a state level actor is contained to denial of service.

However, in a distributed model the state level actor has the possibility of allowing access to the service but denying access to any notaries or peers outside the censored region. Thus the client, and ultimately the user, is afforded the option of accessing the service but without any guarantees as to the security of the site. We all know how well users pay attention to warning messages today.

I believe this to be a significant weakness of the distributed trust model. A denial of service attack on the SSL validation infrastructure is potentially far more damaging than a denial of service attack on a service itself.
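
The notary check and the censorship failure mode described above, modelled as an added example (not code from Perspectives, Convergence or the original post). The function names, the quorum of 2 and the `fail_closed` switch are assumptions made for illustration; the certificates are constructed byte strings.

```python
import hashlib

def fingerprint(der_bytes):
    return hashlib.sha256(der_bytes).hexdigest()

def notary_verdict(presented_der, replies, quorum, fail_closed=True):
    """Decide whether to trust a server certificate.

    replies maps each notary name to the fingerprint that notary observed
    for the site, or to None when the notary could not be reached.
    Returns 'accept', 'mismatch', 'blocked' or 'unverified'.
    """
    seen = fingerprint(presented_der)
    reachable = [fp for fp in replies.values() if fp is not None]
    agreeing = sum(1 for fp in reachable if fp == seen)
    if agreeing >= quorum:
        return 'accept'
    if len(reachable) >= quorum:
        return 'mismatch'  # enough notaries answered, too few saw this cert
    # Too few notaries reachable to reach quorum either way.
    return 'blocked' if fail_closed else 'unverified'

# Constructed stand-ins for DER certificates and notary names.
GENUINE = b'constructed-genuine-cert'
FRAUDULENT = b'constructed-fraudulent-cert'
NOTARIES = ('notary-a.example', 'notary-b.example', 'notary-c.example')

def open_network():
    """All notaries reachable; each has observed the genuine certificate."""
    return {n: fingerprint(GENUINE) for n in NOTARIES}

def censored_network():
    """The service is reachable but every notary is blocked."""
    return {n: None for n in NOTARIES}

def scenarios(fail_closed):
    nets = {'open': open_network(), 'censored': censored_network()}
    certs = {'genuine': GENUINE, 'fraudulent': FRAUDULENT}
    return {
        net + '/' + cert: notary_verdict(certs[cert], nets[net], 2, fail_closed)
        for net in nets for cert in certs
    }

if __name__ == '__main__':
    print(scenarios(fail_closed=True))
    print(scenarios(fail_closed=False))
```

With the notaries blocked, the genuine and the fraudulent certificate get the same verdict: the client either refuses the connection or proceeds with nothing more than a warning.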

It will be interesting to watch the dialogue in this space develop. There are a lot of talented security professionals I’ve yet to see comment, such as Bruce Schneier and Adam Langley. Let’s hope as few people as possible get hurt until a solution is found.

Posted 2 years ago

Why metaclass?

I was asked an excellent question today:

So those metaclasses you’ve been writing about, when would you use them?

I thought this question was great because, if you’ve been following my previous posts on using metaclasses, you may have noticed I never stopped to describe some scenarios when metaclasses are useful.

A good place to start is this 2002 quote from Tim Peters, the Tim behind timsort.

[Metaclasses] are deeper magic than 99% of users should ever worry about. If you wonder whether you need them, you don’t (the people who actually need them know with certainty that they need them, and don’t need an explanation about why).

While not exactly answering the question at hand, it’s a pertinent reminder that just because we have a hammer it doesn’t mean we need to treat every problem like a nail.

So when might you know you need them? Metaclasses are the class of classes, so they’re capable of making systematic changes to class definitions or class instances as they are created. When multiple classes need to adhere to a common interface, that logic can be abstracted out into a metaclass.

That’s very abstract, so here’s a short list of real world examples:

What all these examples have in common is the application of a common transform to class definition or instance creation. That transform could add new methods or properties, modify existing methods or properties, or communicate with an external framework.
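
An added example (not from the original post) of such a common transform applied at class definition: the metaclass checks that each subclass implements the shared interface, adds a property and registers the class with a stand-in "framework". `PluginMeta`, `Plugin`, `handle` and the registry are hypothetical names, and the code uses Python 3 syntax.

```python
class PluginMeta(type):
    """Apply one transform to every class created with this metaclass."""

    registry = {}            # stands in for an external framework
    required = ('handle',)   # the common interface subclasses must provide

    def __new__(mcls, name, bases, namespace):
        cls = super().__new__(mcls, name, bases, namespace)
        if not bases:
            return cls  # the abstract base itself is neither checked nor registered
        missing = [m for m in mcls.required
                   if not callable(getattr(cls, m, None))]
        if missing:
            raise TypeError('{0} must define {1}'.format(name, ', '.join(missing)))
        cls.plugin_name = name.lower()          # add a new property
        mcls.registry[cls.plugin_name] = cls    # communicate with the framework
        return cls


class Plugin(metaclass=PluginMeta):
    """Base class; subclasses are transformed when they are defined."""


class Echo(Plugin):
    def handle(self, text):
        return text


def define_broken():
    """Defining a subclass without handle() fails at class-definition time."""
    try:
        class Broken(Plugin):
            pass
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    print(sorted(PluginMeta.registry), define_broken())
```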

Metaclasses are a specialised tool. While invaluable for framework authors, it’s rare to use them in standard application code. If in doubt, refer to the Zen of Python and ask yourself: ‘Is using a metaclass making my code clearer, more concise and more maintainable?’.

Posted 2 years ago

Boo Ya, Cats

Tonight I had a plan. That plan was to clean up filemagic and release it on PyPI. That plan went out the window courtesy of the Geelong versus Collingwood game tonight.

For those who don’t follow AFL, this is the final round before finals in the AFL. Collingwood and Geelong are the first and second placed teams respectively. Should be an epic clash; Collingwood are the favourites to win.

However, the final score stands by itself.

Perhaps I should limit myself to a hearty ‘Go Cats!’ … but I can’t. Please click through the Geelong emblem above for a little celebratory video.

Posted 3 years ago

QR code buddy icon

Every few months I get bored and change my profile picture on the horde of sites I have accounts on. This time around I got geeky and used a Quick Response (QR) code.

QR codes have been around for nearly 20 years now. While popular in Japan they are only just beginning to become common here in Australia. I was inspired to use one as my profile picture when I found QREncoder on the Mac App Store. Although I confess I stole the idea from Mike Cardwell.

Generating QR codes is very easy. In addition to desktop applications there are multiple websites including Google charts that will generate charts for you. A Google search will give you an extensive list of options.

An interesting property of QR codes is the use of Reed-Solomon error correction to make scanning more reliable. This allows errors to be introduced to customise the design, make them more visually appealing or embed corporate logos. Clearly this will have some impact on how reliably readers will scan your code. (Thanks to Indra for passing me that last link.)

Now, if I can figure out how to drive Pixelmator, my next profile picture might look a little more spectacular.

Posted 3 years ago

Starting ‘The List’

Over the past few weeks I’ve managed to start a number of interesting projects, but failed to bring many of them to a close. Or even to a stable state.

I’m not sure how others maintain focus. As a start I thought I’d write down the major pieces of work I’ve started recently.

  • main; I write a lot of small applications with limited use and longevity. This package is to provide convenience functionality to reduce the amount of Python boilerplate.
  • filemagic; exposes the magic of libmagic to Python.
  • jitterbug; a framework for profiling the behaviour of PyPy’s JIT compiler.

Of these ‘filemagic’ is the closest to complete. It’s mostly just lacking in decent tests, save a couple of minor features.

The ‘main’ package has progressed the furthest and is the most usable. Before I could consider it stable I want to add some common application functionality such as Unix daemons and logging along with default option sets for them.

Lastly is jitterbug. I am still most enthusiastic about understanding the PyPy JIT’s behaviour, but am finding it difficult to find the blocks of time I need to concentrate on the topic at length.

Now all I have to do is convince the boss there’s value in letting me progress some of these during work time.

Posted 3 years ago

The when of Python scoping

Here’s a fun bit of Python trivia I learned yesterday. The scope of a Python variable is determined at compile time, not run time, by the Python interpreter.

Compile time for Python you ask? Why yes. When Python code is first read by the interpreter it is translated into byte code that includes representations for the classes and functions in the code. It’s during this first read that Python determines a variable’s scope. As an aside, Python includes support for disassembling the bytecode, which can be useful for performance analysis and debugging.

Normally this is not something you need to worry about. However, it is possible to introduce interesting bugs as a side effect of when scoping rules are applied. Consider this short piece of code:

from __future__ import print_function

def outer(name):
    def inner():
        name = name.capitalize()
        return 'Hello {0:s}'.format(name)
    return inner()
print(outer('world'))

This code will raise an UnboundLocalError for name. That’s because Python determines, when first reading the code, that name is local to the inner function because there is an assignment to name, even though name is available to inner from outer’s scope.
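
An added example (not from the original post) that shows the decision is made at compile time: it inspects the compiled code object of `inner` before anything has run. `outer_buggy`, `outer_fixed` and the helper names are hypothetical.

```python
import types


def outer_buggy(name):
    def inner():
        name = name.capitalize()  # the assignment makes `name` local to inner
        return 'Hello {0:s}'.format(name)
    return inner()


def outer_fixed(name):
    def inner():
        capitalized = name.capitalize()  # `name` is only read: closure variable
        return 'Hello {0:s}'.format(capitalized)
    return inner()


def inner_code(func):
    """Return the compiled code object of the nested function named inner."""
    for const in func.__code__.co_consts:
        if isinstance(const, types.CodeType) and const.co_name == 'inner':
            return const
    raise LookupError('no nested function named inner')


def scope_of(func, var):
    """Report how the compiler classified `var` inside inner."""
    code = inner_code(func)
    if var in code.co_varnames:
        return 'local'
    if var in code.co_freevars:
        return 'free'      # resolved from the enclosing function's scope
    return 'global'


def call_or_error(func, arg):
    """Call func(arg); return the result or the name of the scoping error."""
    try:
        return func(arg)
    except UnboundLocalError as exc:
        return type(exc).__name__


if __name__ == '__main__':
    for f in (outer_buggy, outer_fixed):
        print(f.__name__, scope_of(f, 'name'), call_or_error(f, 'world'))
```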

Scoping rules are more than just interesting trivia. They go to the heart of how closures work in Python. But that’s a post for another night.

Posted 3 years ago

This is my tomorrow.

Posted 3 years ago

Seriously, you can trust me!

Posted 3 years ago

Keeping up with Python

It’s hard keeping up to date with the “happenings” in an open source community as large and diverse as Python. I make no claims of knowing where the vanguard of Python news is. Though if it helps you, here’s how I stay up to date with developments in the community.

Most important to me is Twitter. The Python community is diverse, active and vibrant on Twitter. I’ve been acquiring new people to follow for well over a year now, so to help you get started I’ve started curating two Python related Twitter lists for you to follow:

The first list is of general members of the Python community I find interesting. The second list is of people predominately related to the PyPy project.

After Twitter I use Google Reader to follow Python related blogs and news feeds. To date I’ve acquired 47 Python related feeds. Again to make it easy for you I’ve collated these feeds into a single Google Reader bundle.

The bundle page includes an Atom link so you can follow along with your preferred news reader.

That should be enough to get you started following along with the Python community. If there are other interesting people and feeds you follow, please share them in the comments below.