I.T. Security and Linux Administration


November 24, 2012  11:20 AM

HSTS : The HTTP Strict Transport Security



Posted by: Eric Hansen
security

There’s a new RFC that was published this month (http://tools.ietf.org/html/rfc6797) about an additional layer of HTTPS for web browsing, called HSTS (HTTP Strict Transport Security).  The basic idea behind it is that the server tells the browser that only HTTPS is allowed, or where to find the secure version of the website, while browsers that don’t support this feature will browse the insecure version.

Now there’s really no comparison I can find between this and simply using a rewrite rule in your favorite web server to force HTTPS, but it’s still an interesting take.  It seems like an additional handshake for a service that actually does nothing more than force security on a user.  The use cases (http://tools.ietf.org/html/rfc6797#section-2.1) further exemplify this fact.

From their threat model, it handles passive and active network attackers, as well as imperfect web developers.  However, it does not fix phishing and malware issues.  One has to wonder, then, what the point of HSTS is.  It basically does everything HTTPS does, but perhaps over HTTP (which, then, would nullify security completely and be a broken chain…)

I know RFCs are not intended to be super-awesome-de-facto things, and some are even jokes (the coffee pot protocol comes to mind), but this is just like saying “hey, I wrote a web server by compiling Apache’s code!”  I’m just not following it, and while it has some interesting points of use (using the UA string and HTTP response headers), I’m not sold on this as being a viable security solution.  All it sounds like, especially by the last threat model use, is a lazy man’s way of forcing HTTPS on users.

November 24, 2012  11:07 AM

Starting with Tornado in Python: Setting Up Your Server



Posted by: Eric Hansen
security

There’s a good collection of different Python modules to use so you can run a server through Python (think SimpleHTTPServer). One that is commonly used behind Nginx proxies for handling API requests, however, is Tornado (http://www.tornadoweb.org). Since creating my backup service I have chosen Tornado as the backend to my API to provide an efficient and secure service to allow users to write their own clients.

Installing Tornado
To install Tornado, all you have to do is run this with pip:
pip install tornado
If you don’t have pip installed, then you can install Tornado from source:
python setup.py install
This will install Tornado into your Python installation so you can now simply import it into your scripts. Now to cover some simple usages.

Initializing Tornado
The main thing we are going to focus on right now is setting up a simple ‘web’ server. This will allow you to have Tornado listen for connections and handle them appropriately. To start, import Tornado’s HTTP web server code:
import tornado.httpserver
We also need a reference to I/O handlers, so we need ioloop:
import tornado.ioloop
The Application and RequestHandler classes used below live in tornado.web, so import that as well:
import tornado.web
To make this easy on us we will define a main() function:
def main(port = 8888):
The magic inside is what makes this work.

Let’s say we wanted to serve content from our server with a specific URI only. We’ll make this URI /get/sysinfo and /get/cpuinfo. Our main() method will look like this:
def main(port = 8888):
    ioloop = tornado.ioloop.IOLoop.instance()
    # Route /get/sysinfo and /get/cpuinfo to InfoHandler; the captured group
    # is passed to InfoHandler.get() as the 'call' argument
    application = tornado.web.Application([
        (r"/get/(sysinfo|cpuinfo)", InfoHandler),
    ])
    http_server = tornado.httpserver.HTTPServer(application)
    http_server.listen(port)
    try:
        ioloop.start()
    except KeyboardInterrupt:
        pass

tornado.ioloop.IOLoop.instance() creates an instance of our I/O loop so we can send/receive network data. application is our tornado.web.Application, which we hand to tornado.httpserver; we tell it to listen for /get/sysinfo and /get/cpuinfo requests and forward them to our InfoHandler class, which I will show in a bit. We then have our web server listening on the specified port, and try to start it. The exception is in place in case you are running this manually, so if you do Ctrl+C no Traceback information is displayed.

Now that we have Tornado checking for a request, we need to be able to handle such requests. This is where our InfoHandler class comes in.

Handling Requests
class InfoHandler(tornado.web.RequestHandler):
    def get(self, call):
        try:
            # look the call name up in valid_calls and run the function it maps to
            resp = valid_calls[call]()
            self.write(resp)
            self.finish()
        except KeyError:
            # log error message: unknown call, answer with a 404 instead of hanging
            self.send_error(404)
We need to subclass the RequestHandler class so we can read and write data on the stream. To write data back to the user use self.write(), and to get data from the user you simply call self.get_argument(). So if someone sent the URI /get/cpuinfo?core=1 you would do core = self.get_argument('core').
What is valid_calls? This is a dictionary of 'key' : 'value' where the key is the request being made (i.e.: 'sysinfo' and 'cpuinfo') and the value is a reference to the function. For example:
def SysInfo():
    return "sysinfo printed from here"

def CpuInfo():
    return "cpuinfo printed from here"

valid_calls = {'sysinfo' : SysInfo, 'cpuinfo' : CpuInfo}
To get this up and running we then just do a simple name check and call main, using the port given on the command line if there is one:
if __name__ == "__main__":
    import sys
    try:
        main(int(sys.argv[1]))
    except (IndexError, ValueError):
        main()


October 31, 2012  4:45 PM

[Python] Send notifications to your phone using Pushover



Posted by: Eric Hansen
security

Sure, there are Python modules out there that let you use Pushover, a smartphone service that lets you send notifications from any device to your phone, but all of them I’ve seen so far limit your messages to 512 characters.  This makes perfect sense in that Pushover limits messages to 512 characters.  However, that’s not to say you can’t send bigger messages, per se.



October 31, 2012  4:32 PM

[Python] Wrapper for redis-py



Posted by: Eric Hansen
security

In a recent project I needed an easy-to-use lookup, but cachable, system to store information for periods at a time.  I wasn’t really feeling the use of a strictly file-based cache system (i.e.: writing data to a file, reading from it, etc…) as most of the work is already I/O bound as is.  A friend of mine then introduced me to Redis, which is basically a memory-cache system that works based on key-value (or name-value) pairs.



October 30, 2012  10:31 PM

Ubuntu 12.10 and the Privacy Invasion



Posted by: Eric Hansen
security

I’m far from a supporter of Ubuntu.  While I feel it has its place for beginner Linux users transitioning from either Mac or Windows into a new world, I also feel Ubuntu has lost its place.  I installed Ubuntu 12.04 back in August out of laziness, not wanting to configure different aspects of my system.  This turned out to be a mistake on my part, which leads me into 12.10.



October 29, 2012  7:28 PM

Window Manager Review: Awesome



Posted by: Eric Hansen
security

I don’t have a lot of experience with many window/desktop managers (i.e.: KDE, Gnome, e17, etc…).  However, one I have loved using, especially on my netbook, has been Awesome (http://awesome.naquadah.org/).  There aren’t that many tiling window managers out there, and those that exist are often overlooked in favor of the bigger-name ones.  What drew me to Awesome originally, though, is that it eliminates around 90-99% of the mouse use, so you can essentially operate every aspect of the window manager with just your keyboard.



October 29, 2012  11:37 AM

[Python] Check to see if a number passes as a credit card



Posted by: Eric Hansen
security

Last month I went over a series of articles on how to use Balanced Payments to handle credit card processing in Python.  This time, continuing on with the credit card processing, I’m going to provide a small script that will show you how to validate a number as a credit card number.

This can’t be used to buy something with false credit card information, but was a fun little side project I decided to work on, and thought I would share.



September 30, 2012  8:56 PM

[Python] Processing Credit Cards Part 5 (Viewing Transactions)



Posted by: Eric Hansen
security

After being able to complete transactions, the customer service aspect of this begins.  Now you have to be able to view transactions and all the details that come along with it.



September 30, 2012  2:43 PM

[Python] Processing Credit Cards Part 4 (Charging the Card)



Posted by: Eric Hansen
security

Now that we can add users to our marketplace and store their credit cards for use to purchase things, let’s make the magic happen!  This will be a shorter tutorial than most but still beneficial (what’s the point of processing credit cards if we don’t want money, right?).



September 30, 2012  1:03 PM

[Python] Processing Credit Cards Part 3 (Filtering Data)



Posted by: Eric Hansen
security

To continue with my series of processing cards, we covered how to add clients and credit cards last time.  This time, we’re going to cover searching Balanced for various information and filtering data.
