Encrypt MySQL data using AES technique

I came across this blog post from a while back, which demonstrates how to use AES encryption for the data in MySQL database.

INSERT into user (first_name, address) VALUES (AES_ENCRYPT('Obama', 'usa2010'),AES_ENCRYPT('Obama', 'usa2010'));
SELECT AES_DECRYPT(first_name, 'usa2010'), AES_DECRYPT(address, 'usa2010') from user;

This seems rather easy and straightforward (apart from a little calculation one needs to do for the VARBINARY field types). The only thing that I’m concerned about is whether the encryption keys will be visible in the MySQL process list (as in “SHOW FULL PROCESSLIST”).
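As an added example (not from the original post or the linked article), here is the same insert with MySQL’s defaults made explicit: AES_ENCRYPT without a mode setting uses aes-128-ecb, which is deterministic, so the two identical 'Obama' values above produce identical ciphertext; the block below switches to AES-256-CBC with a per-row random IV and sizes the VARBINARY columns from the padding formula. It assumes MySQL 5.6.17 or later (block_encryption_mode, RANDOM_BYTES() and the three-argument AES_ENCRYPT()); the address value and column widths are constructed for the example.

```sql
-- Added example, not from the original post. Assumes MySQL 5.6.17+ for
-- block_encryption_mode, RANDOM_BYTES() and the 3-argument AES_ENCRYPT().

-- The default mode is aes-128-ecb: equal plaintexts give equal ciphertext
-- (the two 'Obama' values in the original INSERT would be byte-identical).
-- Switch the session to CBC and supply a fresh IV for every value.
SET SESSION block_encryption_mode = 'aes-256-cbc';

-- Ciphertext size with PKCS#7 padding: 16 * (FLOOR(LENGTH(plaintext) / 16) + 1).
-- A 60-byte first name needs 64 bytes; a 200-byte address needs 208.
CREATE TABLE user (
  id            INT AUTO_INCREMENT PRIMARY KEY,
  first_name    VARBINARY(64),
  first_name_iv BINARY(16),
  address       VARBINARY(208),
  address_iv    BINARY(16)
);

-- aes-256 wants exactly 32 key bytes; derive them from the passphrase rather
-- than letting MySQL silently stretch a short value like 'usa2010' to length.
SET @key = UNHEX(SHA2('usa2010', 256));

-- One random IV per encrypted column per row, stored next to the ciphertext.
SET @iv1 = RANDOM_BYTES(16);
SET @iv2 = RANDOM_BYTES(16);

-- Constructed sample values.
INSERT INTO user (first_name, first_name_iv, address, address_iv)
VALUES (AES_ENCRYPT('Obama', @key, @iv1), @iv1,
        AES_ENCRYPT('1600 Pennsylvania Ave', @key, @iv2), @iv2);

-- AES_DECRYPT returns binary, so cast back to text for display.
SELECT id,
       CAST(AES_DECRYPT(first_name, @key, first_name_iv) AS CHAR) AS first_name,
       CAST(AES_DECRYPT(address,    @key, address_iv)    AS CHAR) AS address
FROM user;

-- The post's concern stands: the passphrase in the SET @key statement (and the
-- plaintext in the INSERT) is still SQL text, so it shows up in
-- SHOW FULL PROCESSLIST while the statement runs, and in the general query log
-- and a statement-based binary log if those are enabled. Keeping the key out of
-- the server entirely means encrypting in the application before the INSERT.
```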

Crooked Style Sheets

Crooked Style Sheets is a proof of concept for website tracking/analytics using only CSS and without Javascript.

What can we do with this method?

We can gather some basic information about the user, like the screen resolution (when the browser is maximized) and which browser (or engine) is used. Further, we can detect if a user opens a link or hovers with the mouse over an element. This can be used to track which (external) links a user visits. Using the hover method, it should even be possible to track how the user moved their mouse (using an invisible table of fields in the page background). However, using my method it’s only possible to track when a user visits a link the first time or hovers over a field the first time. Maybe it’s possible to modify the method so that it is possible to track every click.

Furthermore, it is possible to detect if a user has installed a specific font. Based on this information it should be possible to detect which OS a user uses (because different operating systems ship different fonts, e.g. “Calibri” on Windows).

The 2018 Guide to Building Secure PHP Software

“The 2018 Guide to Building Secure PHP Software” is an excellent guide to writing modern PHP applications with security in mind. It covers a bunch of the usual topics, but provides fresher solutions than most other similar guides.

SSH vs OpenVPN for Tunneling

I have never particularly liked Virtual Private Networking (VPN). This goes back to the old days, when there were a gazillion proprietary implementations, each super slow, resource hungry, and requiring a mess of version-specific dependencies, like Java and Firefox. Secure Shell (SSH) has always been my choice for remote connections and tunneling.

Today I came across this article, which also shows that SSH tunnels are much faster than OpenVPN (if one has to use VPN, OpenVPN is probably the best choice around). Needless to say, they are also much easier to set up, both manually and automatically.

This adds yet another argument to my SSH vs VPN toolbox.

GitHub : Security Alerts and Team Discussions

GitHub blog recently announced a couple of interesting new features.

Firstly, Security Alerts. For now it only supports Ruby and JavaScript, but hopefully other languages are coming soon (PHP/Composer please!). Security Alerts will notify repository owners if there are any known security issues in any of the packages that the repository is using. Similar, I guess, to how SensioLabs Security Check works, but integrated with your GitHub.

Secondly, Team Discussions. This is yet another place for the team to communicate. There are Issues and Pull Requests already, but those are more specific and more focused. For anything that doesn’t have a single issue, or doesn’t have a PR yet, a Team Discussion might be a better place.

SSH via bastion host

A while back I wrote this blog post on the subject of using SSH via bastion hosts. If you are into this sort of thing, have a look at this blog post by my brother. He provides a few more explanations and clarifications, and covers a tricky-to-troubleshoot case with a non-default location of your SSH configuration files and keys.

Firewalld configuration and usage

If you are a Linux old-timer, who is used to iptables (or even ipchains, or even … anyway), you might find the “Firewalld configuration and usage” guide very handy. It covers firewalld concepts and provides a number of examples for zones, ports, services, interfaces and other bits and pieces that you might be scratching your head about when configuring the modern Linux firewall.

Front-End Checklist

This Front-End Checklist is pretty awesome and quite extensive:

The Front-End Checklist is an exhaustive list of all elements you need to have / to test before launching your site / page HTML to production.

It is based on Front-End developers’ years of experience, with additions from some other open-source checklists.

It goes over generic HTML bits, meta information, web fonts, CSS, images, JavaScript, security, accessibility, performance and more.

The best part is that large parts of this list are pretty easy to automate and integrate with your deployment / continuous delivery tool chain.

Single Sign On – You’re Probably Doing It Wrong

Arnes Blanert wrote an extensive article for the architect magazine on the subject of Single Sign On (SSO). It covers both authentication and authorization via a variety of widely and not so widely used methods, including OAuth, SAML, JSON Web Token and more.

As someone who was involved in a variety of Single Sign On implementations (see some of the posts on the subject in my blog), I wish I had had an article like this in my RSS feeds much, much earlier.