Tag: Security

Comcast and Mozilla Work to Enable DNS over HTTPS

Comcast Partners with Mozilla to enable DNS over HTTPS

Comcast’s version of DNS over HTTPS (DoH) will be turned on by default for Firefox users on Comcast’s broadband network, but people will be able to switch to other options like Cloudflare and NextDNS. No availability date was announced.

Color me impressed. I’m still not a fan of Comcast, but maybe this will be the kind of change that begins correcting Comcast’s corporate culture.

Unlikely, but we can hope.

Content-Security-Policy

Inspired by a post made by Sheogorath from Shivering Isles (yes, that Sheogorath, from those Shivering Isles), I recently implemented a Content Security Policy on my site to help frustrate third-party tracking systems and reduce reliance on externally hosted tools. There are some exceptions to this policy, like ShortPixel’s CDN, or WordPress.org (w.org in this case) that I allow for better performance. The idea is that I can advise the browser to not allow connections outside this website (and the above exceptions), which means that there is less likelihood that a piece of malicious content could start sending data to someone else.

How I Implemented It

Previously, I implemented these rules with a WordPress plugin called “HTTP headers to improve web site security”. This long-named plugin allowed me to set various options for these security rules; all I had to do was provide them. One of the biggest issues I found with the tool was that it lacked a “Report URI” directive. This directive allows me to have the browser report a flagged piece of content on my site, which in turn allows me to fix or remove it.

Since I’m no stranger to PHP and plugin development, I downloaded a copy and cracked open PHPStorm to inspect it. I was not impressed.

While the plugin works, it’s a mess of spaghetti code and one-off statements that don’t make much sense. In this moment I briefly thought of cleaning this up and releasing my own plugin to improve upon this. That moment faded when I realized what I was actually looking to do: add a single header to the request. This could be done much more simply.

Content Security Policy in functions.php

I had some changes to the TwentyTwenty theme that I wanted to port from the modifications I had made to the TwentyFifteen theme I was using prior. Namely the ‘old content’ banner. This was a perfect time to implement a child theme for TwentyTwenty and add my header information.

Once I added the bare-bones child configuration, and the old content banner, I set to work adding headers. Headers can be kind of tricky in PHP. If you add them ‘too late’ in the script, they can be missed as PHP tries to get all the content out to the user as fast as possible. That means if your headers are buried in some deep dark section of a theme… well, you’re likely to miss it.

Thankfully, WordPress has a ‘send_headers’ hook that allows you to ensure that your modifications get sent to the user in a timely fashion. With all that said, here’s the final product:

// Emit the site's Content-Security-Policy as a single response header.
function twentytwenty_child_csp() {
	header( "Content-Security-Policy: connect-src 'self';default-src 'none';font-src data: 'self';frame-src 'self'; img-src data: 'self' cdn.shortpixel.ai s.w.org; media-src data: 'self'; object-src data: 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; base-uri; form-action 'self'; block-all-mixed-content; upgrade-insecure-requests; report-uri https://degruchy.report-uri.com/r/d/csp/enforce" );
}

// Hook into 'send_headers' so the header goes out before any page output.
add_action( 'send_headers', 'twentytwenty_child_csp' );

Yes, that big mess of a CSP is a single line of data. Ugly, but that’s the spec. As you can see, I added a report URI to the end so I can keep tabs on anything suspicious.

Privacy Concerns?

The nice thing about Report-URI and CSP is that no IP addresses or other information is logged. When I get a hit, this is what I see logged:

{
    "csp-report": {
        "blocked-uri": "https://s.w.org/images/core/emoji/12.0.0-1/svg/1f600.svg",
        "document-uri": "https://degruchy.org/2006/03/",
        "original-policy": "connect-src 'self'; default-src 'none'; font-src data: 'self'; frame-src 'self'; img-src data: 'self' https://cdn.shortpixel.ai; media-src data: 'self'; object-src data: 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; base-uri 'none'; form-action 'self'; block-all-mixed-content; upgrade-insecure-requests; report-uri https://degruchy.report-uri.com/r/d/csp/enforce",
        "violated-directive": "img-src"
    }
}

Just the facts.

I honestly don’t like logging more than I have to. This is more of a security context thing, so I’ll allow it. Plus, it’s up to the browser to actually take action. All entirely voluntary.
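A report like the one above is only useful once it is tied back to the policy that produced it. The following is an added example, not code from this site or from Report-URI: it parses a report, splits its original-policy into directives, and shows which source list did the blocking and whether the blocked origin is already in it. The function names and the shortened sample report are assumptions made for the illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the report above with its original-policy shortened.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "https://s.w.org/images/core/emoji/12.0.0-1/svg/1f600.svg",
    "document-uri": "https://degruchy.org/2006/03/",
    "original-policy": "default-src 'none'; img-src data: 'self' "
                       "https://cdn.shortpixel.ai; base-uri 'none'; "
                       "report-uri https://degruchy.report-uri.com/r/d/csp/enforce",
    "violated-directive": "img-src",
}})


def parse_policy(policy):
    """Split a CSP string into {directive: [sources]}; a repeated directive is ignored."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def triage(raw_report):
    """Summarise one report: what was blocked and under which source list."""
    doc = json.loads(raw_report)
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ValueError("not a csp-report document")
    policy = parse_policy(report.get("original-policy", ""))
    # CSP Level 2 reports carry the whole directive text here; keep only its name.
    name = (report.get("violated-directive") or "default-src").split()[0]
    sources = policy.get(name)
    if sources is None and name.endswith("-src"):
        # Simplification: an absent fetch directive falls back to default-src
        # (the worker-src -> child-src -> script-src chain is not modelled).
        sources = policy.get("default-src")
    blocked = report.get("blocked-uri", "")
    url = urlsplit(blocked)
    # blocked-uri is a URL for fetches, or a bare keyword such as "inline".
    origin = f"{url.scheme}://{url.netloc}" if url.netloc else blocked
    return {
        "page": report.get("document-uri", ""),
        "directive": name,
        "blocked_origin": origin,
        "current_sources": sources or [],
        # Literal match only; wildcards and paths are not evaluated.
        "already_listed": bool(sources) and (origin in sources or url.netloc in sources),
    }
```

Anyone can POST to a report endpoint, so treat each report as an untrusted hint and confirm the blocked resource on the page itself before widening a directive.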

Animal Crossing Exploits

NO. This post is not about Animal Crossing: New Horizons. If that’s what you’re here for, sorry to disappoint.

I’ve been a long time fan of the Animal Crossing series. It’s a great, colorful, “safe” and generally wholesome experience that also is fun to play. While recently, the New Horizons release has charged everyone’s attention, it’s nice to see people are still paying attention to the other iterations of this amazing series.

In the original GameCube version, the player can find or buy NES games. These allow you to place a cartridge and console to actually play an emulated version of that game. While amazing, there is a slightly more rare feature that I don’t believe was ever realized after the game came out.

In addition to the NES games you can find, there is also a “blank” NES. When placed, it looks just like the other games, but it doesn’t have any cartridge on top, indicating a game available. When you interact with it, it would always just say you had no available software to play on it. For most people, like me, that was enough.

Hacking an Animal Crossing

A GitHub user named James Chambers did a deep dive of the functionality of this feature and discovered something interesting. It turns out that the blank NES was actually designed to load specially crafted ROMs from the GameCube memory card. This would allow you to play a further selection of games. Probably designed to be utilized as part of a promotional deal or similar. Sadly, I don’t think this was ever realized after release.

Not to be deterred, James decided to see if you could actually load a ROM from the memory card and get it to work. After some further debugging and technical digging, they found that the emulator included was actually pretty complete! You can play many NES games with little issue inside of Animal Crossing!

It is always fascinating when people pick apart old games and see how they tick. Often they find interesting, clever or strange methods of making the game work on limited hardware resources. This article just proves that even old games can have surprising features, hidden deep within the code for someone to discover later in life.

Plugin Vulnerability

If you’re one of the 200,000+ users/clients of the WordPress ThemeGrill plugin, you should update yesterday.

Plugin vulnerabilities are not a new thing. The only novel thing about this one is the number of affected sites. It’d be like Akismet having a major remote control exploit. You can mitigate these issues by making sure your plugins are up-to-date. WordPress is not particularly hard to manage. There are lots of plugins and services that make it brainless (shoutout: Jetpack). So, this should be a non-issue.

While we’re talking about plugin vulnerabilities, you should go visit Marko Saric’s guide on securing your WordPress install. Lots of good advice in there. I personally like using Jetpack (with Akismet and Vaultpress), but there are lots of free tools that you can use to secure yourself.

FBI vs. Apple: Round 2

Ah, the good old false trade-off: Security or Letting the Terrorists Win and Kill Your Children. Once again, we have Apple being asked by the FBI to unlock or build back doors that “only law enforcement” (read: any bad guy) can use.

Look: I’m sympathetic to law enforcement. They have a tough enough time dealing with the literal worst of humanity and having to piece together the crimes that are committed by said. This is made more difficult when one of their suspects (or criminals) has encrypted some information. Because we have a codified right to privacy, it is reasonable to argue that giving up passcodes and other privacy stripping keys is not something we should have to do, no matter the case, as we’re all equal under the law (the Constitution being the “highest” of those laws).

This fight is further exacerbated by the fact that this is not the first time that Apple has reasonably denied these requests. It would damage their brand, their customers’ security and give an already powerful governmental department sweeping access to stuff it wouldn’t (and shouldn’t) have access to on its own. All in the name of “security”. The subtext of all of this is somewhat sadder: Despite all the massive surveillance that is being done on Americans, we still cannot stop domestic terrorism from happening. Giving the FBI or any entity, aside from the consumer, access to a device that has become the epicenter (for better or worse) of many people’s lives goes counter to our rights.

What about providing a sort of “key escrow” for law enforcement? It would be a semi-reasonable method of giving everything they want, in theory. Law enforcement would have the ability to decrypt data that they would presumably have proven their need to access. The user would still have encryption that is difficult to impossible to break in a reasonable manner and their rights are respected.

The main problems with this scenario are:

  • Who do you give these keys to?
  • What legal recourse do you have if they lose, leak or otherwise provide (willingly or not) keys to someone who should not have it?
  • How do you get millions of people, companies and devices to enroll in this system when free, strong and cryptographically secure code and systems exist in the wild and aren’t going anywhere?
  • Criminals are obviously not going to enroll, so it defeats the point.

Not to mention the massive organizational nightmare it would be to ensure keys are tied to the right person, device or organization. The whole idea is infeasible on any sizable scale.

I wish the general public would be more aware of the erosion of rights. All too often we just allow our government to trample over us because it’s convenient or we’re led to believe that it’s “for the greater good”. When in actuality we could take some pointers from France, England and Italy where when their governments do wrong, people protest. We need some of that fire back in America, not this anesthetized complacency.

© 2020 Verily
