I came across this blog post from a while back, which demonstrates how to use AES encryption for data in a MySQL database.
INSERT into user (first_name, address) VALUES (AES_ENCRYPT('Obama', 'usa2010'),AES_ENCRYPT('Obama', 'usa2010'));
SELECT AES_DECRYPT(first_name, 'usa2010'), AES_DECRYPT(address, 'usa2010') from user;
This seems rather easy and straightforward (apart from a little calculation one needs to do for the VARBINARY field types). The only thing that I'm concerned about is whether the encryption keys will be visible in the MySQL process list (as in "SHOW FULL PROCESSLIST").
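The column-size calculation and the key-visibility question, worked through as an added example (this is not code from the blog post linked above; the table, the sample values and the key are made up, and it assumes MySQL 5.6.17 or newer for block_encryption_mode and RANDOM_BYTES):

```sql
-- Added example, not from the original post. Scratch table and values are constructed.
-- AES_ENCRYPT output is always a whole number of 16-byte blocks:
--   ciphertext_len = 16 * (FLOOR(plaintext_len / 16) + 1)
-- so a column holding up to 64 plaintext bytes needs VARBINARY(80) and one holding
-- up to 255 bytes needs VARBINARY(256). Check before picking widths:
SELECT LENGTH(AES_ENCRYPT(REPEAT('x', 64),  'usa2010')) AS enc_len_64;   -- 80
SELECT LENGTH(AES_ENCRYPT(REPEAT('x', 255), 'usa2010')) AS enc_len_255;  -- 256

CREATE TABLE user_enc (
  id         INT AUTO_INCREMENT PRIMARY KEY,
  first_name VARBINARY(80),
  address    VARBINARY(256)
);

INSERT INTO user_enc (first_name, address)
VALUES (AES_ENCRYPT('Obama', 'usa2010'),
        AES_ENCRYPT('1600 Pennsylvania Ave', 'usa2010'));

-- AES_DECRYPT returns binary; cast it back to text for display.
SELECT id,
       CAST(AES_DECRYPT(first_name, 'usa2010') AS CHAR) AS first_name,
       CAST(AES_DECRYPT(address,    'usa2010') AS CHAR) AS address
FROM user_enc;

-- Where the key ends up: SHOW FULL PROCESSLIST shows the complete statement text
-- (key included) in the Info column while the statement runs. The general query log
-- records the same text permanently, and a statement-based binary log does too.
-- To see it for yourself, route the general log to a table and grep it:
SET GLOBAL log_output  = 'TABLE';
SET GLOBAL general_log = 'ON';
INSERT INTO user_enc (first_name, address)
VALUES (AES_ENCRYPT('Second', 'usa2010'), AES_ENCRYPT('Somewhere', 'usa2010'));
SELECT event_time, user_host, argument
FROM mysql.general_log
WHERE argument LIKE '%AES_ENCRYPT%';       -- the key 'usa2010' is right there, in plaintext
SET GLOBAL general_log = 'OFF';

-- Caveat on the cipher mode: AES_ENCRYPT follows the block_encryption_mode variable,
-- whose default is aes-128-ecb. A CBC mode needs a per-row IV as a third argument,
-- which then has to be stored next to the ciphertext:
SET SESSION block_encryption_mode = 'aes-256-cbc';
SET @iv = RANDOM_BYTES(16);
SELECT CAST(AES_DECRYPT(AES_ENCRYPT('Obama', 'usa2010', @iv), 'usa2010', @iv) AS CHAR);
```

The practical takeaway from the log query is that the concern about the process list is the smaller part of the problem: the process list exposes the key only for the duration of the statement, while any log that captures statement text keeps it on disk until the log is rotated.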
What can we do with this method?
We can gather some basic information about the user, like the screen resolution (when the browser is maximized) and which browser (or engine) is used. Further, we can detect whether a user opens a link or hovers with the mouse over an element. This can be used to track which (external) links a user visits, and, using the hover method, it should even be possible to track how the user moved their mouse (using an invisible table of fields in the page background). However, using my method it is only possible to track when a user visits a link for the first time or hovers over a field for the first time. Maybe it is possible to modify the method so that every click can be tracked.
Furthermore, it is possible to detect whether a user has installed a specific font. Based on this information it should be possible to detect which OS a user uses (because different operating systems ship different fonts, e.g. "Calibri" on Windows).
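The probes described above, as an added example that is not the author's code. It assumes the method is CSS-only tracking: each selector that matches causes the browser to fetch a background image or font from a collector, and the collector's access log is the measurement. The collector host https://tracker.example/log, the element ids and the query parameters are made up. The "first time only" limitation follows directly from this design, since a URL that has already been fetched is served from the browser cache and produces no second request.

```html
<!-- Added example, not from the original post. The collector URL and ids are constructed. -->
<style>
  /* Screen resolution: media queries see the viewport, which equals the screen
     (minus browser chrome) only when the window is maximized. One request fires
     per matching range. */
  @media (min-width: 1920px) {
    body { background-image: url("https://tracker.example/log?w=1920plus"); }
  }
  @media (min-width: 1280px) and (max-width: 1919px) {
    body { background-image: url("https://tracker.example/log?w=1280-1919"); }
  }

  /* Hover and click on an element. The image is requested the first time the
     selector matches; later matches hit the cache, hence "first time only". */
  #offer:hover  { background-image: url("https://tracker.example/log?ev=hover&id=offer"); }
  #offer:active { background-image: url("https://tracker.example/log?ev=click&id=offer"); }

  /* External link clicks: :active fires on mouse-down, before navigation. */
  a[href^="http"]:active {
    background-image: url("https://tracker.example/log?ev=link-click");
  }

  /* Coarse mouse movement: an invisible grid whose cells each report their first hover. */
  .grid { position: fixed; inset: 0; z-index: -1; display: grid;
          grid-template-columns: repeat(4, 1fr); grid-template-rows: repeat(4, 1fr); }
  .c0:hover { background-image: url("https://tracker.example/log?cell=0"); }
  .c1:hover { background-image: url("https://tracker.example/log?cell=1"); }
  /* ... one rule per cell, .c2 through .c15 ... */

  /* Font detection: local() is tried first, so the remote src is fetched only when
     the font is NOT installed. A request for this URL therefore means "no Calibri",
     which on its own is a fair hint that the user is not on Windows. */
  @font-face {
    font-family: "probe-calibri";
    src: local("Calibri"), url("https://tracker.example/log?font=calibri&installed=0");
  }
  #font-probe { font-family: "probe-calibri"; }
</style>

<div class="grid">
  <div class="c0"></div><div class="c1"></div><!-- ... --><div class="c15"></div>
</div>
<a id="offer" href="https://partner.example/">Special offer</a>
<!-- The @font-face is only loaded if some rendered text uses it, so the probe
     element must contain text and must not be display:none. -->
<span id="font-probe" style="position:absolute;left:-9999px">probe</span>
```

Two practical notes. First, the font probe is inverted with respect to the other probes: silence means the font is present, so the collector has to correlate it with some other request from the same visitor to distinguish "installed" from "page never loaded". Second, none of this needs JavaScript, which is why a script blocker does not help; only blocking requests to the collector host, or disabling remote font loading, does.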
Netrack reports some statistics for the Top SSL Issuers, and it’s nice to see Let’s Encrypt leading the race with a significant advantage over the rest. Well done, ladies and gentlemen!
“The 2018 Guide to Building Secure PHP Software” is an excellent guide to writing modern PHP applications with security in mind. It covers a bunch of the usual topics, but provides fresher solutions than most other similar guides.
I have never particularly liked Virtual Private Networking (VPN). This goes back to the old days, when there were a gazillion proprietary implementations, each being super slow, resource hungry, and requiring a mess of version-specific dependencies, like Java and Firefox. Secure Shell (SSH) has always been my choice for remote connections and tunneling.
Today I came across this article, which also shows that SSH tunnels are much faster than OpenVPN (if one has to use VPN, OpenVPN is probably the best choice around). Needless to say, they are also much easier to set up, both manually and automatically.
This adds yet another argument to my SSH vs VPN toolbox.
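The three kinds of SSH tunnel that usually stand in for a VPN, written as an ssh_config fragment so that the "easy to set up" claim can be judged. This is an added example, not from the linked article or this post; the host names, user, ports and key path are made up.

```sshconfig
# Added example, not from the original post. Hosts, ports and key paths are constructed.
# Put this in ~/.ssh/config and run, for example:
#   ssh -N tunnel-db      # local port forward only, no remote shell
#   ssh -N socks          # SOCKS5 proxy on 127.0.0.1:1080 for a browser or proxychains
#   ssh -N expose-web     # reverse forward: gateway:8080 -> this machine:3000

# Settings shared by all three tunnel entries
Host tunnel-db socks expose-web
    HostName gateway.example.net
    User deploy
    IdentityFile ~/.ssh/id_ed25519_gateway
    IdentitiesOnly yes          # offer only this key, not every key loaded in the agent
    ExitOnForwardFailure yes    # if the local port is already taken, fail instead of
                                # silently connecting without the tunnel
    ServerAliveInterval 30      # notice a dead tunnel instead of hanging forever
    ServerAliveCountMax 3

# 1) Local forward: 127.0.0.1:15432 here -> db.internal:5432 as seen from the gateway
Host tunnel-db
    LocalForward 127.0.0.1:15432 db.internal:5432

# 2) Dynamic forward: a SOCKS5 proxy, the closest thing to a "whole browser" VPN
Host socks
    DynamicForward 127.0.0.1:1080

# 3) Remote forward: publish a local dev server on the gateway's loopback.
#    It is reachable from the gateway only, unless sshd has GatewayPorts enabled.
Host expose-web
    RemoteForward 127.0.0.1:8080 127.0.0.1:3000
```

Binding every forward to 127.0.0.1 explicitly is deliberate: a bare port number also defaults to loopback, but writing the address makes it obvious in review that the tunnel is not exposed to the LAN. ExitOnForwardFailure is the setting most often missing from copy-pasted tunnel commands; without it a second `ssh -N tunnel-db` connects happily while the forward silently fails.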
The GitHub blog recently announced a couple of interesting new features.
Secondly, Team Discussions. This is yet another place for the team to communicate. There are Issues and Pull Requests already, but those are more specific and more focused. For anything that doesn't have a single issue, or doesn't have a PR yet, a Team Discussion might be a better place.
A while back I wrote this blog post on the subject of using SSH via bastion hosts. If you are into this sort of thing, have a look at this blog post by my brother. He provides a few more explanations and clarifications, and covers a tricky-to-troubleshoot case with a non-default location of your SSH configuration files and keys.
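A bastion setup with keys in a non-default location, as an added example that is not from either blog post. The host names, user and paths are made up; it assumes OpenSSH 7.3 or newer for ProxyJump.

```sshconfig
# Added example, not from the original posts. Hosts, user and paths are constructed.

Host bastion
    HostName bastion.example.net
    User ops
    IdentityFile ~/.ssh/keys/bastion_ed25519     # key kept outside the default ~/.ssh/id_* names
    IdentitiesOnly yes                           # so the agent cannot offer some other key first

# Every 10.x.y.z host is reached through the bastion
Host 10.*
    ProxyJump bastion
    User ops
    IdentityFile ~/.ssh/keys/internal_ed25519
    IdentitiesOnly yes

# The pre-ProxyJump way of doing the same thing. The inner ssh is a separate process:
# it reads the default config and keys, NOT whatever -F or -i the outer ssh was given,
# so a non-default config file or key must be repeated on this command line explicitly.
# That is the case that is hard to troubleshoot, because the outer ssh looks fine and
# only the proxy hop fails with "Permission denied".
# Host 10.*
#     ProxyCommand ssh -F /path/to/alt_config -i ~/.ssh/keys/bastion_ed25519 -W %h:%p bastion
```

When the config file itself lives somewhere other than ~/.ssh/config, pass it with `ssh -F /path/to/alt_config 10.0.5.7`. Two checks save most of the debugging time: `ssh -F /path/to/alt_config -G 10.0.5.7` prints the effective options for that host (including which ProxyJump or ProxyCommand and IdentityFile were selected), and `ssh -vvv` shows, for each hop, exactly which configuration files were read and which identities were offered.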
If you are a Linux old-timer who is used to iptables (or even ipchains, or even ... anyway), you might find the "Firewalld configuration and usage" guide very handy. It covers firewalld concepts and provides a number of examples for zones, ports, services, interfaces and other bits and pieces that you might be scratching your head about when configuring the modern Linux firewall.
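A zone that ties the concepts together (interface, services, an extra port and a source-restricted rich rule), as an added example that is not from the guide. The zone name, interface and address range are made up. It is shown as the permanent zone file firewalld writes, with the equivalent firewall-cmd invocations alongside, because the file is what you end up reading when the commands do not do what you expected.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the guide. Zone name, interface and addresses are constructed.
     This is /etc/firewalld/zones/web.xml, i.e. the "permanent" configuration.
     Equivalent commands (all --permanent, so they do NOT take effect until --reload):

       firewall-cmd --permanent --new-zone=web
       firewall-cmd --permanent --zone=web --change-interface=eth0
       firewall-cmd --permanent --zone=web --add-service=http
       firewall-cmd --permanent --zone=web --add-service=https
       firewall-cmd --permanent --zone=web --add-port=8443/tcp
       firewall-cmd --permanent --zone=web --add-rich-rule='rule family="ipv4" source address="203.0.113.0/24" service name="ssh" accept'
       firewall-cmd --reload
       firewall-cmd --zone=web --list-all      # verify the runtime state after the reload

     The iptables-era trap: without --permanent a change applies immediately but is lost on
     reload or reboot; with --permanent it survives but is not live until --reload. Use
     "firewall-cmd --runtime-to-permanent" after testing changes made live. -->
<zone>
  <short>Web</short>
  <description>Public web server: HTTP/HTTPS from anywhere, SSH only from the admin range.</description>
  <interface name="eth0"/>
  <service name="http"/>
  <service name="https"/>
  <port protocol="tcp" port="8443"/>
  <rule family="ipv4">
    <source address="203.0.113.0/24"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>
```

Note what the zone deliberately does not contain: the ssh service is not listed at zone level, only inside the rich rule, so SSH is accepted solely from 203.0.113.0/24. Adding `--add-service=ssh` to the zone later would quietly reopen it to everyone, and `--list-all` is the place to catch that.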
This Front-End Checklist is pretty awesome and quite extensive:
The Front-End Checklist is an exhaustive list of all elements you need to have / to test before launching your site / page HTML to production.
It is based on Front-End developers’ years of experience, with the addition from some other open-source checklists.
The best part is that large parts of this list are pretty easy to automate and integrate with your deployment / continuous delivery tool chain.
Arnes Blanert wrote an extensive article for the architect magazine on the subject of Single Sign On (SSO). It covers both authentication and authorization via a variety of widely and not so widely used methods, including OAuth, SAML, JSON Web Token and more.
As someone who was involved in a variety of Single Sign On implementations (see some of the posts on the subject in my blog), I wish I had an article like this in my RSS feeds much much earlier.