Posts in Category: security

Securing my witterings: Cloudflare Universal SSL and WordPress

Ok, a bit unfair – my mind has clearly been infected by skimming one too many clickbait headlines: I am sorry.

I use CloudFlare for most of my non-temporary sites so I can skimp on hosting. I’m pretty sure that’s not the tagline they push, but it works well and gets rid of those annoying image loading lags for the most part with very little effort from me.

I’d been ignoring the Universal SSL stuff as I just don’t have the need for their commercial CDN, but that’s changed with the recent move to enable it for all customers, although just visiting was a mixed bag: yes, my site was served with zero SSL config on my part (and with zero webserver config), but the style sheets had gone, along with all the images.

Changing the site URI in the config of WP just gives an infinite indirect loop – the issue is not that setting but the fact that the site itself thinks it’s insecure and so all constructed links point to the insecure data. It’s the browser which refuses to accept the mixed-security assets (generally a good thing), but like XSS protection, a PITA when you’re testing.

Simple solution: download the SSL Insecure Content Fixer plugin and use the Test is_ssl() option. For me, the solution was to add a single if statement into wp-config.php which allows the plugin to know that my proxy was handling the SSL for me, and so all constructed links should be https:// prefixed. The site is now available via both methods, but once the check is in place it’s also safe to change the site config within WP, meaning that redirects kick in when accessing in plain text.

So I’ve done that: no idea if it’ll be a full-time change, but it’s possibly the first crypto-related change I’ve ever done online that hasn’t left me just wanting to give up and stick with plain-text wire-auth…

Good enough for Amazon, good enough for me

Amazon blocks Phorm adverts scan:

I hadn’t previously bothered to do this, as it seemed to be too early to say how Phorm would turn out and the implementation of the opt-out is so braindead and full of marketing BS that it just made me angry. Yeah, I want to ban all search engines so Phorm doesn’t scan me – right… What about all the other User-Agent strings that robots.txt can handle so nicely ? Oh yes – that’s right: if it was trivial then no-one would let their content be abused in this way.

So email sent: multiple domains and all subdomains thereof requested blocked. See what happens next.

bad security guide

Ok, this is a very bad take on security. Very, very bad:

Using a second router: A techie how-to

Ignore, if you will, the social aspects of if, why and how to police children online and just look at the totally stupid design proposal – he advocates a second router behind the main router, which is fair enough (ignoring all those protocols that die with a double NAT, or what happens if (gasp !) you actually produce content rather than just consume it and would like to forward an internal server to your public IP) for a quick-n-dirty fix, but the inexcusable part is that the ‘untrusted’ kids router is connected directly to the Internet, and the ‘trusted’ adult’s machines are connected behind the kids router…

That’s right: you (presumably) can’t trust the kids to not break your own machine, so you’re now giving them a free reign to spoof the router IP and fake up any web site you might be trying to visit… Bonus marks for the kids that spot the router firmware is buggy, and has no patch/is unpatched and then take over that device and hold your Internet connectivity hostage, screen scraping your banking password and giving themselves a nice present.

It’s ‘security’ like this that gives us mandatory password changes every month, but ignores the wealth of research showing that excessive password cycling results in post-it notes of passwords in plain view. Or airline security that… Nah – I can’t be bothered. Fill in your own similies here because he’s wasted far too much of my thought time as it is.