rows.io: A Secure Public Jabber/XMPP Server Federated on Hyperboria, Tor, and The Internet

With Google’s transition away from open federation in favor of “Hangouts”, and with PRISM being all but certain, I decided it was a good time to find an alternative to my Google Talk account. I decided to set up a Jabber/XMPP server that is open for public registration, will federate with any XMPP server over the Internet and over Hyperboria, and is also accessible over Tor.

The service is called rows.io (yz6yiv2hxyagvwy6.onion on Tor).

To sign up, simply use any Jabber/XMPP client, like Pidgin, and add an XMPP connection with any [email protected]. Registration is handled in-band, so you can simply check “create this account on the server” and you will have a new @rows.io account.

If connecting over Tor, enter the same info, but specify the connect server as yz6yiv2hxyagvwy6.onion and make sure it’s tunneling over your Tor proxy via SOCKS5.

You’ll then be able to chat with any Jabber/XMPP account over the internet or Hyperboria. And don’t forget to add me: [email protected]

More info at https://rows.io/

Provider Independent Zero-Knowledge Backups

I recently went looking for a secure cloud-based backup solution. I always have, and still do, run my own backup server out of my apartment using the excellent open source package BackupPC. But this has the obvious disadvantage of being in the same physical location as the things it’s backing up. Also, BackupPC hasn’t been updated in a few years and development may be stalled.

The primary problem that I wanted to avoid when looking for a backup provider is one that the vast majority of them suffer from. They are fundamentally insecure. By this I don’t mean that they don’t require complex passwords, because they do. And I don’t mean that they don’t encrypt your data, because they do that too. The problem is that they also hold the key to that data. In those cases the security of your data is only as good as the policies of the service provider. What I mean is that you are no longer protected by the mathematics of encryption, instead you are simply trusting the provider not to lose or use your key.

PHP 5.3.10 and APC 3.1.9 on Ubuntu 10.04.4

This is not the latest Ubuntu LTS or PHP versions but it happens to be my current configuration until Xen is working better with 12.04 (hopefully 12.04.1) and I’m also waiting for a stable Suhosin patch for PHP 5.4 on 12.04 (also, hopefully 12.04.1).

To get PHP 5.3.10 on Ubuntu 10.04.4 LTS I recommend using Brian Mercer’s PPA. It is not being updated any longer, but that’s fine since I’m only concerned with having PHP 5.3.10 with Suhosin.

Performance Tweaking nginx For Static Files Over SSL

A few small changes to your nginx.conf can increase your SSL performance. Enabling the session cache and extending its timeout allows reuse of the secure session without having to renegotiate the key exchange. Increasing the keepalive allows the workers to serve more requests per connection before it is closed. Disabling the EDH cipher will significantly reduce the connection time. Thanks to Mike for pointing out in the comments that by disabling the Ephemeral Diffie-Hellman key exchange you gain speed but lose perfect forward secrecy. In my particular case of serving static assets this was an acceptable trade-off.

http {
        keepalive_timeout 65;
 
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;
        # !kEDH removes the ephemeral DH suites (faster handshake, no forward secrecy)
        ssl_ciphers ALL:!kEDH:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        # ....
}

If you want to examine which ciphers are being used on an SSL connection you can use this openssl command:

openssl s_client -host HOSTNAME -port 443
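The trade-off above (session reuse and keepalive for speed, forward secrecy given up by removing ephemeral DH, and several weak suites still selectable via ALL/+LOW/+SSLv2/+EXP) can be checked mechanically before a config is deployed. The following is an added example, not part of the original post and not nginx's own parser: a heuristic Python linter that reads the TLS directives from an http block and reports what the cipher string keeps and removes. The sample input is the http block from the post; the hardened variant is my own assumption and requires an OpenSSL build that has the ECDHE and AESGCM keywords.

```python
"""Heuristic lint for the TLS directives of an nginx http {} block (added example)."""
import re

# Constructed sample: the http {} block as it appears in the post.
SAMPLE_CONF = """
http {
        keepalive_timeout 65;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_ciphers ALL:!kEDH:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        # ....
}
"""

# Assumed hardened variant (needs OpenSSL with ECDHE/AESGCM keywords).
HARDENED_CONF = """
http {
        keepalive_timeout 65;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_ciphers ECDHE+AESGCM:ECDHE+AES:!aNULL:!eNULL:!EXPORT:!LOW:!RC4;
}
"""

DIRECTIVE_RE = re.compile(r'^\s*(\w+)\s+(.*?)\s*;\s*$', re.MULTILINE)

# OpenSSL cipher-string keywords a defender would normally remove outright.
WEAK_KEYWORDS = {'EXP', 'EXPORT', 'LOW', 'SSLv2', 'RC4', 'ADH',
                 'aNULL', 'eNULL', 'NULL', 'MD5', 'DES'}
# Keywords selecting an ephemeral (forward-secret) key exchange.
EPHEMERAL_DH = {'kEDH', 'EDH', 'DHE'}
EPHEMERAL_ECDH = {'kEECDH', 'EECDH', 'ECDHE'}


def parse_directives(conf):
    """Return {name: value} for simple 'name value;' lines, ignoring # comments."""
    stripped = "\n".join(line.split('#', 1)[0] for line in conf.splitlines())
    return {m.group(1): m.group(2) for m in DIRECTIVE_RE.finditer(stripped)}


def cipher_rules(cipher_string):
    """Split an OpenSSL cipher string into (modifier, [keywords]) rules.

    modifier is '!' (remove permanently), '-' (remove), '+' (move to end)
    or '' (add); keywords joined by '+' inside one rule are ANDed together.
    """
    rules = []
    for raw in re.split(r'[:, ]+', cipher_string.strip()):
        if raw:
            mod = raw[0] if raw[0] in '!-+' else ''
            rules.append((mod, raw.lstrip('!-+').split('+')))
    return rules


def audit(conf):
    """Summarise the security-relevant TLS settings of an http {} block."""
    d = parse_directives(conf)
    removed, kept = set(), set()
    for mod, keywords in cipher_rules(d.get('ssl_ciphers', 'DEFAULT')):
        (removed if mod in ('!', '-') else kept).update(keywords)

    # Only keywords named in the string are inspected: a bare ALL still
    # enables weak suites that are not explicitly removed.
    weak = sorted(k for k in kept if k in WEAK_KEYWORDS and k not in removed)
    dhe_off = bool(removed & EPHEMERAL_DH)
    ecdhe_on = bool(kept & EPHEMERAL_ECDH) and not (removed & EPHEMERAL_ECDH)
    # Forward secrecy survives only if some ephemeral exchange stays selectable.
    forward_secrecy = (not dhe_off) or ecdhe_on

    cache = d.get('ssl_session_cache', 'none')   # nginx default is 'none'
    ka = d.get('keepalive_timeout')
    return {
        'forward_secrecy': forward_secrecy,
        'weak_ciphers': weak,
        'session_resumption': cache not in ('none', 'off'),
        'session_timeout': d.get('ssl_session_timeout'),
        'keepalive_timeout': int(ka.split()[0].rstrip('s')) if ka else None,
    }


def report(conf):
    """Render audit() as one line per finding."""
    r = audit(conf)
    return "\n".join([
        "forward secrecy:    %s" % ("kept" if r['forward_secrecy'] else "LOST"),
        "weak suites named:  %s" % (", ".join(r['weak_ciphers']) or "none"),
        "session resumption: %s (timeout %s)" % (r['session_resumption'], r['session_timeout']),
        "keepalive_timeout:  %s" % r['keepalive_timeout'],
    ])


if __name__ == '__main__':
    print("--- post's config ---\n" + report(SAMPLE_CONF))
    print("--- hardened ---\n" + report(HARDENED_CONF))
```

Run it against your own nginx.conf text to see, before deploying, whether a speed-motivated cipher change also drops forward secrecy or leaves export and RC4 suites selectable; the openssl s_client check above then confirms what the server actually negotiates.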

Then in your server block of your nginx config you can set cache control headers far in the future for your image assets.

server {
        listen x.x.x.x:443 ssl;
        server_name  images.example.com;
 
        root /var/www/example.com/images;
 
        index index.html;
 
        location ~* \.(?:ico|gif|jpe?g|png)$ {
                expires max;
                add_header Pragma public;
                add_header Cache-Control "public";
        }
}
User-Specific Timezones With Symfony2 and Twig Extensions

It’s considered a best practice to store all your times in the same timezone. Usually this timezone is UTC. Whenever a user enters a time it should be converted from their local timezone to UTC before being persisted. Whenever you want to display a time to a user it can be converted from UTC to whichever timezone they prefer. This normalizes the data in your database to a common timezone, which allows for simpler querying and data aggregation. It also gives you the flexibility of having simple user-specific timezones that can be changed.

We can use Symfony’s events and dependency injection to make this conversion as seamless as possible.


Calling a Method Before Every Controller Action in Symfony2

There are times when you need to execute a method on a controller before every action and sometimes on multiple controllers. In my case I had to check that a user was associated with a particular company and if so, fetch the company and some related data from the database. This had to happen before every action in the controller. It also had to happen in several controllers. Rather than extending a common controller class and calling a method from every action I decided to imitate the old symfony1 behavior of the preExecute method.


Dynamic Validation Groups Using a GroupSequenceProvider in Symfony2

I recently had to build a form that had two possible validation groups. These groups were dependent on the data being submitted. Specifically, I had a file upload and a text input. The user could either enter a hash in the text field, which would then be validated using MinLength and other custom validators, or they could select a torrent file to upload. The file would need to be validated for mime type and size, and also by a custom validator for validating its contents.