Archive for the ‘Communications Development’ Category
Posted by jpluimers on 2015/06/17
Inspired by CloudFlare Keyless SSL, I have this idea of using Diffie-Hellman over WebSockets over a MitM-based HTTP proxy (which intercepts and decrypts HTTPS traffic) like mitmproxy (but then from a commercial vendor, to inspect web traffic) to set up an encapsulated secure channel.
I know SSH uses Diffie-Hellman to set up a secure channel over a binary TCP connection.
Binary communication over HTTP usually means WebSocket.
I don’t want WebSSH (which does use WebSockets, but is probably filtered by the MitM proxy anyway).
Maybe either of these open source tools will work:
If these don’t work, I need to do more research.
Since I use C# and .NET for much of my work, I started the WebSocket over HTTP C# query.
c# – How to use proxies with the WebSocket4Net library – Stack Overflow.
–jeroen
Posted by jpluimers on 2015/06/01
The days of SHA-1 are quickly coming to an end. For a few weeks now, Chrome has been marking SHA-1 signed TLS/SSL certificates with an expiration > 2015-12-31 as insecure. They promised to sunset SHA-1 about 9 months ago.
So if you haven’t done so, upgrade your HTTPS (and HTTP/2, which defaults to TLS) certificates to SHA-2. A great site to help here is SHAAAAAAAAAAAAA | Check your site for weak SHA-1 certificates. It is open source at GitHub.
You’ve less than 6 months now.
More in-depth reading (especially the comments by Ryan Sleevi): Chrome 42 (next stable) will mark SHA-1 signed certs with a validation date >2015 as insecure!.
–jeroen
PS: if you really need to do the balancing act, you technically can serve old certificates to SHA-2 incompatible clients while serving more secure certificates to modern clients. But it’s a risk, so you might as well tell these old clients they’re out.
Posted by jpluimers on 2015/04/16
Interesting, especially the reasoning behind them:
UrlEcho permits the requestor to completely define the response it wants to receive, thus giving it the ability to “host” static HTTP resources within URLs themselves. Why is this cool/useful?
- You don’t need a Web server to host a simple resource — you just construct a URL and you’re set to go.
- Since resources are cheap to create and throw away, you can create as many URLs as you want, when you want them.
- This is especially useful for testing — you don’t want to configure many server-side resources to return hard-coded responses in order to test correct handling of that response. For example, imagine you need many simple iframes to test a JavaScript library, and you don’t want to modify the server hosting the iframes each time you add or change tests. Since you already know what the responses will be, why not define them in the requests and have a simpler testing process? It makes tests easier to maintain (no need to modify the server) and understand (due to response visibility in the tests).
UrlEcho [ed: UrlReq] lets the requestor wrap any HTTP request (any method, with headers and body) into a simple GET request with only a URL defined. Why is this cool/useful?
- You can make any HTTP request in situations where only a simple GET is possible, or where you can only define just the URL. For example, most systems that provide Web hook callbacks let you define only the callback URL, not the method, headers or body structure.
–jeroen
via: Experimenting with HTTP services – UrlEcho and UrlReq.
Posted by jpluimers on 2015/04/10
This is an elaboration of How to fill proxy information in cntlm config file – Stack Overflow.
When digging around how to get authentication stuff going, I want as much information as possible, so this was the command-line I used:
cntlm.exe -v -c cntlm.ini -I -M http://www.bbc.co.uk
The -v is important: it shows you why things fail, and where. It also shows you the NTLM headers sent back and forth over the wire.
These are the switches used:
- -v verbose
- -c configuration file
- -I interactive (prompt for password)
- -M magically detect the NTLM level used by the proxy
Since it is unsafe to store plain text passwords in configuration files, cntlm allows you to store the hashes.
Storing hashes instead of passwords locally is safer, but not much safer: the stored hash is itself enough to authenticate over NTLM (pass-the-hash), so anyone who can read the configuration file can use the account. See for instance Still Passing the Hash 15 Years Later: Guest Post: Let’s talk about Pass-the-Hash by Scriptjunkie, the video How to own a Windows Domain, or search for Mark Russinovich video windows hash ntlm hack.
Anyway: you can generate the password hashes using either
Posted by jpluimers on 2015/03/12
You can’t keep track of the whole world, so every now and then I bump into something and think “boy I wish I had known about this years ago”.
The OData (Open Data Protocol) standard by Microsoft is such a thing. It allows communicating data over the internet in a RESTful way using either JSON or AtomPub-based XML, and is standardized by OASIS, which has its roots in the SGML world (SGML is one of the predecessors of XML).
There is a rich Ecosystem of implementations on many platforms (including .NET, Delphi, Java, PHP, JavaScript, etc) with publicly reachable Example Services to test with (not surprisingly, there is a NorthWind service).
Here are a few links to stuff I want to dig deeper into to grasp it better:
Posted by jpluimers on 2015/02/26
When developing mail sending software, you don’t want all your test mails to proliferate in the world.
Luckily there are some SMTP servers and services that accept incoming mail, but don’t forward it:
I got two of them from the interesting Stack Overflow question How to Debug/Monitor SMTP Communications? and later I also found out about development smtp server for windows.
Note that I also like smtp-cli that Tripp Lilley suggested in his answer: though not a server, it is a nice command-line tool for testing SMTP servers (for instance to see if you got the above servers/services configured right on your client side, or if you have configured your own SMTP server correctly).
The cross-platform monitoring tools tcpdump and Wireshark (formerly Ethereal) are great tools, but they are usually way too deep for most of the SMTP problems I encountered. When the going gets tough they are invaluable, though, especially Wireshark, as it has a great feature: Following TCP streams.
I wish there were similar servers and services for POP3, that would have helped a lot with a Delphi Indy project I developed a while ago (:
–jeroen
Posted by jpluimers on 2015/01/28
Thanks Wiebe Elsingae for sharing a link to this:
Test your application with ease
Create REST and SOAP services which mimic your external providers.
Easy to use. Create one mock in three seconds. Mockable is a simple configurable service to mock out RESTful API or SOAP web-services. This online service allows you to quickly define REST API or SOAP endpoints and have them return JSON or XML data.
Maybe the nicest feature: Try now (no sign-up required).
–jeroen
via: Mockable: Quickly create REST and SOAP mocks.
Posted by jpluimers on 2014/09/10
Yesterday I posted this question on StackOverflow and G+: Is there a url or site like example.org which always produces a 404 error?
Soon after that, I found three links that produce predictable HTTP status codes:
They also work for https:
Edit 20241223: these also return a 404: http://www.google.com/undefined and https://www.google.com/undefined
On StackOverflow very few people even noticed the question, probably wondering “why?”.
I’m using these links for positive and negative testing of some http / https handling code that needs to be good at coping with positive and negative responses.
In my testing life, I’ve learned the hard way that both negative and positive tests are a core part of your suite, hence the question.
–jeroen
via: Is there a url or site like example.org which always produces a 404 error?.