As I mentioned in Forthcoming blog move, I was planning to switch my site hosting away from Google Blogger. Of course, that post was back in September. I just spent a little time applying the fixes needed to have some basic styling; on the advice of my colleague Jon, I took a look at Foundation as a site framework; major points in its favour are that it touts semantic markup and accessibility, which are two issues that matter to me.
A colleague recently enthused about TCP FastOpen being in the Linux kernel; being a grumpy old fart, this troll had dismissed such things as always being security holes, as T/TCP proved to be. So I just looked back over LWN's article on the topic, to better understand why we might want to enable this on our webservers. As far as I can see, an attacker who can observe Server→Client traffic somewhere on the path (enough to capture the Fast Open cookie the server hands the client in its SYN-ACK) but cannot influence its routing, and who can inject packets from a network that does not apply BCP 38 Network Ingress Filtering, can send a SYN from the client's spoofed address carrying the purloined cookie plus a data payload, and the server will act on that data without ever verifying that the stated IP really sent it (a check ordinary TCP gets implicitly, by not delivering data until the handshake completes), bypassing source-bound security checks.
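To make the above concrete, here is an added toy model of the cookie replay (my illustration, not the kernel's code or the LWN article's). It assumes a cookie that is a MAC of the claimed client IP under a per-server secret; RFC 7413 suggests AES over the client IP, so HMAC-SHA256 is a stand-in with the same property, namely that the cookie binds only the source address and nothing about the path. The addresses, prefix and HTTP payload are constructed.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Segment:
    """The few TCP fields this model needs."""
    src: str                        # source IP as written on the wire (may be spoofed)
    syn: bool = False
    ack: bool = False
    cookie: Optional[bytes] = None  # TFO option; None = no option / cookie request
    data: bytes = b""


class TfoServer:
    def __init__(self) -> None:
        # Per-server secret. The cookie is a MAC of the *claimed* source IP
        # under it (HMAC-SHA256 here stands in for the AES of RFC 7413).
        self._key = os.urandom(16)
        self.delivered: list[tuple[str, bytes]] = []  # payloads handed to the app

    def cookie_for(self, client_ip: str) -> bytes:
        return hmac.new(self._key, client_ip.encode(), hashlib.sha256).digest()[:8]

    def handle_syn(self, seg: Segment) -> Segment:
        """Process an incoming SYN and return the SYN-ACK (simplification:
        every SYN is treated as a cookie request, so every SYN-ACK carries one)."""
        assert seg.syn and not seg.ack
        expected = self.cookie_for(seg.src)
        if seg.cookie is not None and hmac.compare_digest(seg.cookie, expected):
            # Fast Open: SYN data is passed up *now*, before any ACK proves
            # that seg.src can actually receive our replies.
            self.delivered.append((seg.src, seg.data))
        # Otherwise (no cookie, or a wrong one): ordinary TCP. Any SYN data
        # waits for the three-way handshake, which a spoofer never completes.
        # A passive observer of server->client traffic learns the cookie here.
        return Segment(src="server", syn=True, ack=True, cookie=expected)


def passes_bcp38(seg: Segment, customer_prefix: str) -> bool:
    """BCP 38 ingress filter at the attacker's ISP edge: only the customer's
    own prefix may appear as a source address."""
    return ipaddress.ip_address(seg.src) in ipaddress.ip_network(customer_prefix)


CLIENT_IP = "203.0.113.7"            # constructed (TEST-NET-3)
ATTACKER_PREFIX = "198.51.100.0/24"  # constructed (TEST-NET-2)
FORGED_PAYLOAD = b"POST /admin/reset HTTP/1.1\r\nHost: example\r\n\r\n"  # constructed


def replay_attack(bcp38_enforced: bool) -> list[tuple[str, bytes]]:
    """Returns what the server's application saw after the attack."""
    server = TfoServer()

    # 1. The real client opens a connection; the SYN-ACK hands it a cookie.
    synack = server.handle_syn(Segment(src=CLIENT_IP, syn=True))
    assert server.delivered == []        # a plain handshake delivers nothing yet

    # 2. An attacker watching server->client traffic records the cookie.
    stolen = synack.cookie

    # 3. The attacker forges a SYN *from the client's address* carrying the
    #    cookie and a payload. They never see the reply, and do not need to.
    forged = Segment(src=CLIENT_IP, syn=True, cookie=stolen, data=FORGED_PAYLOAD)
    if bcp38_enforced and not passes_bcp38(forged, ATTACKER_PREFIX):
        return server.delivered          # dropped at the edge; nothing arrives

    server.handle_syn(forged)
    return server.delivered


def cookie_is_ip_bound() -> bool:
    """The stolen cookie is useless from the attacker's *own* address:
    it is a MAC over the claimed source IP, so the check fails there."""
    server = TfoServer()
    stolen = server.handle_syn(Segment(src=CLIENT_IP, syn=True)).cookie
    server.handle_syn(Segment(src="198.51.100.9", syn=True, cookie=stolen, data=b"x"))
    return server.delivered == []


if __name__ == "__main__":
    print("without BCP 38:", replay_attack(bcp38_enforced=False))
    print("with BCP 38   :", replay_attack(bcp38_enforced=True))
```

The point the model makes is that the cookie is a liveness optimisation, not an authentication of the peer: it only proves that whoever holds it once received a SYN-ACK sent towards that IP, which is exactly what a passive observer on the return path also has. Ingress filtering at the attacker's edge is what actually stops the spoofed SYN from being delivered.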
Some notes, from having set up a MySQL server on Ubuntu and worked to make sure it offered SSL (TLS) for the connections. In this case, Ubuntu 12.04.2 LTS running inside a VMware Fusion 5 virtual machine. (I write TLS for the generic protocol, and SSL where it pertains to MySQL in particular, because that is the term the MySQL documentation uses.) I installed MySQL 5.5. This is purely for testing purposes, so there was no MySQL performance tuning done for the VM; the only relevant tuning was existing tuning, just making sure that the Linux kernel did not try to treat the virtual disk, provided from a backing store as a file in the outer filesystem, as a spinning disk but instead as just a dumb backend (even more appropriate since the laptop has an SSD):
Administrivia: I had the new Blogger/Google+ integrated comment system turned on for about 24 hours but have now reverted. My policy is that I want the minimum barriers to commenting consistent with limiting spam. For a while, I was open commenting relying upon Google's excellent spam detection systems and cleaning up the little that slipped past. I do not want to require that folks submit their data into a particular fiefdom to be able to talk with me.
A couple of days ago, I came up with a thought about the ideal way to get ISPs to actually deploy BCP 38 (aka “don't let out traffic with source addresses that are spoofed to be from elsewhere”). The good news is that it's appropriately evil enough that folks I mentioned it to last night really appreciated it. The bad news is that it involves legislation, and it impacts folks with deep pockets, so will never get passed without being corrupted to, at the very least, have severe side-effects, and more likely accomplish the opposite of that which was intended.
[I wrote this in a Google+ post on December 24th, 2012. I am reposting to my blog, for discoverability.] [Since G+ has disappeared, I guess “for persistence” too.] In the aftermath of tragedy, people reach out for solutions. Sometimes the obvious approach is very wrong for reasons which are not immediately obvious. When you're upset, taking the time to understand those reasons can be difficult. Part of being adult is taking a deep breath and working to understand them anyway before forcing changes on everyone.
So, I need to get one of these plug computers up and running, so it can be my monitoring server for my household. This morning, DNS resolution broke at home. My router, running OpenWRT, is using unbound, so I can get DNSSEC validation. DNSSEC validation broke, on being unable to validate the keys for the root zone, so I could only get DNS service back by disabling DNSSEC. Turns out, the clock on the router said it was November 27th, 2012.
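Why a clock that is months behind takes the whole zone down: a DNSSEC validator only accepts an RRSIG whose inception ≤ now ≤ expiration (RFC 4035 section 5.3.1), and those fields are 32-bit seconds compared with RFC 1982 serial-number arithmetic (RFC 4034 section 3.1.5). The following is an added illustration of that check, not unbound's code; the RRSIG over the root DNSKEY RRset is constructed (two-week window, made-up key tag and signature), and the "real" date is an assumption, since only the router's wrong date appears above.

```python
from datetime import datetime, timezone

# Constructed RRSIG in presentation format: owner TTL class RRSIG type-covered
# algorithm labels original-TTL expiration inception key-tag signer signature.
# Key tag and signature bytes are placeholders, not a real root-zone record.
ROOT_DNSKEY_RRSIG = (
    ". 172800 IN RRSIG DNSKEY 8 0 172800 20130328000000 20130314000000 "
    "12345 . Y29uc3RydWN0ZWQtZm9yLWlsbHVzdHJhdGlvbi1ub3QtYS1yZWFsLXNpZw=="
)
ROUTER_CLOCK = "20121127000000"   # what the router believed (from the post)
ASSUMED_REAL_TIME = "20130320000000"  # assumption: a date inside the window


def _rrsig_time(text: str) -> int:
    """RRSIG presentation form YYYYMMDDHHmmSS (UTC) -> 32-bit wire value."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & 0xFFFFFFFF


def _serial_lt(a: int, b: int) -> bool:
    """a < b under RFC 1982 serial arithmetic for 32-bit values, so that a
    window straddling the 2106 wrap-around still compares correctly."""
    return (a < b and b - a < 2**31) or (a > b and a - b > 2**31)


def rrsig_time_status(rrsig: str, now: datetime) -> str:
    """Classify the RRSIG's validity window against the validator's clock.
    Returns "valid", "not yet valid" or "expired"; other fields are ignored
    (real validation also checks the signature itself, the key tag, etc.)."""
    fields = rrsig.split()
    expiration, inception = _rrsig_time(fields[8]), _rrsig_time(fields[9])
    now_s = int(now.timestamp()) & 0xFFFFFFFF
    if _serial_lt(now_s, inception):
        return "not yet valid"   # validator's clock is behind the signer's
    if _serial_lt(expiration, now_s):
        return "expired"         # clock ahead, or a stale signature
    return "valid"


def status_at(rrsig: str, when: str) -> str:
    """Convenience wrapper: `when` in the same YYYYMMDDHHmmSS (UTC) form."""
    now = datetime.strptime(when, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return rrsig_time_status(rrsig, now)


if __name__ == "__main__":
    # The root DNSKEY RRSIG had not yet been signed according to the router,
    # so the trust chain could not be built and every lookup failed.
    print("router clock :", status_at(ROOT_DNSKEY_RRSIG, ROUTER_CLOCK))
    print("correct clock:", status_at(ROOT_DNSKEY_RRSIG, ASSUMED_REAL_TIME))
```

Root-zone signatures are short-lived (on the order of weeks), so a clock off by months makes every signature look either not yet valid or expired, and a validating resolver returns SERVFAIL for everything rather than something obviously clock-related. The dependency is circular on a freshly booted device with no RTC: NTP needs working name resolution, and validation needs working time.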