Common Encryption Pitfalls

Part 3 - Rethinking AccessURL Security Design

This is the last part of a three part blog series about AccessURL –

  1. Password Security and Cookies
  2. Security issues with AccessURL original implementation
  3. Solving all the issues by simple design change

In the previous post we saw a few security issues in the way AccessURL generates the passphrase and the id for the share URL. In this post we’ll see how to get more security by using almost the same security concepts AccessURL relies on, just applied a bit differently.

Common Encryption Pitfalls

Part 2 - Security Issues Found

This is the second part of a three part blog series about AccessURL –

  1. Password Security and Cookies
  2. Security issues with AccessURL original implementation
  3. Solving all the issues by simple design change

Security issues found

After using the AccessURL browser extension I found a few issues which allowed me to get almost any credentials. To get a better understanding of the issues, let’s look at a sample URL you get from the extension –
https://accessurl.com/GMRT#yzdne1
This URL has two parts: “GMRT” is the identifier sent to the AccessURL server to retrieve the encrypted data; the part after the hash, “yzdne1”, is never sent to the server and is used as the key to decrypt the data and recover the cleartext cookie.
Unfortunately, both of these values are too short to be secure and safe from a brute-force attack (an attack where you go through every possible value until you get a valid result).

Common Encryption Pitfalls

When Using AES256 Is Not Enough - Part 1

I recently came across AccessURL. AccessURL is an online service which offers an easy way to allow access to online accounts without sharing the account password.
Unfortunately, their initial implementation had some security issues. In this post, I will describe these issues and suggest how to fix them. It is important to say that AccessURL has since solved these issues.

These kinds of mistakes are very easy to make and they are relevant to almost any online service. My aim is to provide information that will be useful for both web users and professional web developers. Feel free to skip parts you’re already familiar with.

Rethinking Ember

It’s been 20 months since I published my first post about Ember.js. It was supposed to be a two-part series and I already had the second part ready to go, but I wanted to get more intimate knowledge of Ember before publishing it. It took longer than I thought, and the more I learned about Ember the clearer it became that I shouldn’t publish my follow-up post. Unfortunately, until now I did not have the time to write anything else, so I should apologize it took so long, and I should probably apologize again since it’s not really going to be a sequel to the previous post.

Securing Private Piwigo Albums

TL;DR: if you just want to see the code and simple install instructions, see the GitHub repo.

Like many other people, I was looking for a solution to control and share my private photos with family and friends. Google, Facebook and other 3rd parties will allow you to share your content easily with your friends. But do you really know who has access to your private data? Who controls it? And who owns it?

Should you use Ember CLI?

If you are considering using Ember and are still comparing it to other frameworks, this is not the article for you. Ember has some really strong and positive sides; overall I think Ember is one of the best JavaScript frameworks available today. The way it handles some of the common needs in modern web apps, like routing and data binding, is purely amazing. After considering many other options I’m going to use Ember for a big project I’m working on. This article series is only going to talk about Ember issues.
I’m going to be very blunt and might make some people angry. For what it’s worth, I’m only writing it in the hope that it will get enough attention in the Ember community and that these issues will be addressed properly.

ZTE Open phone – upgrading to FirefoxOS 1.1 / 1.3 how-to

Update: I’ve realized that I actually compiled and installed FirefoxOS v1.3 instead of 1.1, so these instructions will actually cause you to install v1.3.
For me v1.3 is working fine, but if you need to install v1.1 just be sure to configure the right branch.

If you read my previous post about the ZTE Overview, you know I was planning to upgrade my phone to version 1.1. After finding instructions on MDN I thought it was going to be easy, but apparently it’s not as straightforward as one might think.

This guide is basically going to organize the information from the mozilla.dev group thread – Updating ZTE Open to 1.1 – and the MDN ZTE Open page.

ZTE Open FirefoxOS Phone – Overview

After waiting for almost two weeks, I finally got the ZTE Open phone and thought I’d write a brief overview.

I bought this phone mainly to play a little with FirefoxOS and experience developing apps for this platform. So this review is going to focus primarily on development for this phone, especially in terms of its openness (since I haven’t had the time to actually develop for it just yet).

If you’re thinking of buying this phone for daily use, my recommendation is: don’t!
Mozilla claims that it directs its phones at “emerging markets”, which is a nice way to say poor people. From my short time handling the ZTE, it’s slow, the touch is not very accurate, the 2 MP camera has such low quality that I doubt it’s even 2 MP, and I’m sure you can get a cheaper Android phone that will be way better.