Categories
Security

Outlook.com breaks DKIM signatures

I’m currently implementing DKIM support for my Exim mail server, and due to this I’m sending a lot of test messages to all major freemail providers in Europe and the USA.

I noticed that Outlook.com breaks DKIM signatures since they modify one header as follows:

The original header I sent is

Content-Type: text/plain; charset=ISO-8859-1; format=flowed

while the header which I see when I fetch the received message with IMAP is the following:

Content-Type: text/plain; charset="ISO-8859-1"; format=flowed

Noe the extra “double quotes” around the charset which are not transparent to “relaxed” Header Canonicalization. This causes Thunderbird’s “DKIM Verifier” extension to fail on this message.

What’s strange is that Outlook itself succeeds internally to verify the DKIM signature, so the modification to said header probably occurs after checking the original header. See below for what the header of the received message says about authentication:

Authentication-Results: ... dkim=pass (identity alignment result is pass and alignment mode is strict) header.d=example.org;

To solve this small issue I modified Exim’s list of headers to be signed as follows. Original set is

Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID

while I now only sign the following (which I consider to be sufficient):

Subject:To:From:Date:Message-ID

Let me know if you have any comments or suggestions.

Categories
Computers Security

Insecure self-updates via plain HTTP

Yesterday I discovered by chance (since I was running the program whose name I will not disclose yet on my Mac where I’m using Little Snitch to control outgoing connections) that a program created by one of the few software giants does not use SSL to ensure the integrity of self-updates, but just uses plain HTTP so that attackers can modify downloads and thereby introduce malicious code.

Immediately I got in touch with the manufacturer of the application, and only 9 hours later they came back to me with the below response:

Right now <unnamed product> download server supports only HTTP and not HTTPS, so we don't have any immediate solution to offer. However we are keeping notes of this concern and we will address it.

Is this not simply unbelievable?!

Remember we’re not talking about someone who does this for a hobby, who may not have the money or time or even knowledge to implement SSL on their server. But we’re talking about one of the largest IT companies in the world… 🙁

I will now wait for a while, and if they haven’t fixed the issue by then I will disclose it on my blog anyway to put pressure on them… But maybe they do it intentionally in order to aid the NSA?! :-/

Categories
Computers Networking

How to properly benchmark your broadband connection

Since a while my broadband connection gets slow frequently, so I wanted to perform regular benchmarking probes and create a graph to illustrate the actual uplink and downlink speed.

Your first approach to this might be to download and upload a payload, measure the time this took, and divide the sizes of the files you downloaded and uploaded by the times it took. But this approach is seriously flawed… Why? Simple. In a usual scenario you have a router that terminates your internet connection, so eventually other LAN clients will cause traffic at the same time you’re performing your probe. This would “limit” the bandwidth you have for your probe, and thus artificially reduce the speed you calculate.

So how to do it properly? You should ask your internet gateway (your router) for the traffic it sees.

Continue reading “How to properly benchmark your broadband connection”
Categories
Networking Routers

Arcor bzw. Vodafone EasyBox 803A: Verwendung nur als “Modem”

Bisher habe ich an meinem Arcor- bzw. nunmehr Vodafone-ISDN/DSL-Anschluss noch separate Komponenten verwendet: Splitter, ISDN NTBA und Speed-Modem 200. Aus aktuellem Anlass (plötzlich drastische Einbrüche bei der Internet-Geschwindigkeit von normal 16 MBit/s auf teilweise nur 1-3 MBit/s) habe ich diese jedoch gegen eine Vodafone EasyBox 803A ausgetauscht, weil ich einen Defekt des Modems oder Splitters vermutet hatte.

Die EasyBox ist recht clever konstruiert, sie kann nämlich selbständig feststellen, ob sie an einem Analog-/ISDN-Anschluss betrieben wird, wo der Splitter benötigt wird (um das UK0-Signal für den NTBA abzutrennen), oder an einem reinen DSL-Anschluss (NGN), wo er nicht benötigt wird, weil dort Sprache per VoIP über DSL übertragen wird. Je nachdem wird also der Splitter und NTBA in den Signalweg eingeschliffen oder nicht. Das ist das Klickgeräusch beim Einschalten der Box! Man sollte bei Verwendung der EasyBox einen evtl. noch vorhandenen separaten Splitter aus dem Signalweg entfernen und die EasyBox direkt an die “erste” TAE-Dose (früher “Monopoldose” genannt) anschließen, um die Dämpfung (“Leitungsqualität”) zu verbessern (und damit ggf. noch ein wenig zusätzliche Geschwindigkeit aus dem DSL-Anschluss “herauszukitzeln”).

Continue reading “Arcor bzw. Vodafone EasyBox 803A: Verwendung nur als “Modem””
Categories
Computers Mac Security

iTunes app downloads are unsafe…

I recently bought Little Snitch because it was on sale, and just found something strange…

I launched iTunes to download an app that’s currently available for free (ok, so I am a cheapskate… ;-)), and when the actual download was about to start Little Snitch asked for confirmation to allow iTunes to connect to phobos.apple.com on port 80, meaning that the download is not protected by SSL…

IMHO this is a big security risk since it allows attackers to manipulate your download and replace the original app by another one (e. g. one that contains malicious code).

I can’t see any reason why Apple would intentionally not protect downloads by SSL — it just seems to be very bad, careless design… 🙁

What do you think?

Categories
Computers Networking

OpenWRT: Easy and secure guest WLAN access

I use OpenWRT on my TP-Link TL-WDR3500, and I have a guest WLAN defined on each of the two radios (2.4 and 5 GHz). The guest WLANs are isolated from my LAN, i. e. guest WLAN stations can’t talk to any of my own hosts (either on the WLAN, or in the LAN, i. e. hosts connected via Ethernet). Guest WLAN stations also can’t talk to each other. The actual OpenWRT configuration (apart from passwords, of course ;-)) is not a secret, I will publish an article about that soon.

For security reasons I didn’t want a static guest WLAN password, but one that changes daily, so that I don’t have to manually revoke the right to use my WLAN by changing the password all the time. So I created two tiny scripts, one that actually changes the active WLAN password every day, and one CGI script that displays the password so that I can give it to my guests.

Here’s the first one that sets the password. I run it from cron at 00:01 every day:

 #!/bin/ash
 SALT="theSalt"
 DATE=`date -I`
 PWD=`echo -n "${SALT}${DATE}" | md5sum | cut -c1-16`
 CHANGE=0

 if [ `uci get wireless.@wifi-iface[2].network`x = guestlanx ]; then
   uci set wireless.@wifi-iface[2].key=$PWD
   CHANGE=1
 fi
 if [ `uci get wireless.@wifi-iface[3].network`x = guestlan2x ]; then
   uci set wireless.@wifi-iface[3].key=$PWD
   CHANGE=1
 fi
 if [ $CHANGE -eq 1 ]; then
   uci commit wireless
   wifi
 fi

And here’s the CGI script that needs to go to /www/cgi-bin to show the current password:

#!/bin/ash
SALT="theSalt"
SSID="Guest-WLAN"
DATE=`date -I`
PWD=`echo -n "${SALT}${DATE}" | md5sum | cut -c1-16`

echo "Content-Type: text/plain"
echo ""
echo "Today's Guest Password for $SSID is $PWD"

Don’t forget to make the scripts executable by running “chmod +x <script>“.

If you find this helpful I would appreciate your feedback.

Categories
Communications Computers Networking

Windows 7 PPPoE-Protokoll schlecht implementiert?

Anläßlich eines Problems mit meinem Vodafone 16 MBit/s-DSL-Anschluss — Geschwindigkeit ging plötzlich dramatisch in die Knie, ca. 1-2 MBit/s nur noch! — habe ich testweise die PPPoE-Verbindung direkt vom Laptop unter Windows 7 über das Arcor-DSL Speed-Modem 200 zum Konzentrator bei Vodafone aufgebaut. Auf diese Weise wurde das Modem als “Schuldiger” ausgemacht: Ein baugleiches Ersatzmodem lieferte sofort über 14 MBit/s!.

Nachdem ich dann wieder das DSL-Modem mit dem TP-Link TL-WDR3500-Router (mit OpenWRT als Firmware) verkabelt hatte, stellte ich plötzlich erstaunt Folgendes fest: Die Ping-Round-Trip-Zeiten gingen von 31-32 ms (unter Windows 7 als PPPoE-Client) deutlich herunter auf 21 ms (mit OpenWRT Barrier Breaker r39582 als PPPoE-Client). Das ist insofern sehr erstaunlich, da ja nun eine 802.11an-WLAN-Strecke und der Router als zusätzliche Latenz erzeugende “Komponenten” hinzu kamen!

Ich interpretiere das so, dass die PPPoE-Implementierung unter OpenWRT der von Windows 7 deutlich überlegen ist, da sie offensichtlich “schneller” bzw. “effizienter” ist. Bevor jetzt jemand sagt “Vielleicht hast Du einen krötenlangsamen Laptop verwendet?” — nein, das ist nicht der Fall, es war ein Lenovo X220 mit einem Core i5-Prozessor mit 2.5 GHz…. Und der Laptop war dauernd “idle”… 🙂

Eure Meinung zu dieser Interpretation würde mich sehr interessieren, daher würde ich mich über Kommentare freuen.

Categories
Consumer Electronics

Firmware Issue with LG BP430 BluRay Player remains

In one of my recent articles I blogged about a regression the latest firmware update for my LG BP430 introduced. I made LG aware by calling them, and they said they would forward that warning and have the broken firmware update pulled from their update server.

Today, more than a week later I noticed by chance that there is supposedly a new firmware update available on their web server (i. e. not on their update server that the player uses internally, which usually will be updated prior to the web server according to the support guy I talked to). See below for a screenshot of LG’s web site as of today:

LG-FW-Update-Typo

See how it says BD3.413, while the previous (broken) version was BD3.412. That sounded promising, since a higher version number could have meant they had already fixed the issue I reported. So I downloaded the ZIP file and prepared to install it by copying the file to a USB flash memory stick.

Prior to actually applying the update the player shows the version number in the upgrade image, and in fact it still says BD3.412. So there’s simply a typo on LG’s web site. Not very professional, if I may say.

Finally, the upgrade server still holds the same broken version as well. 🙁

I guess I have to call them again — they don’t even have a toll-free number, but I’m willing to pay the price anyway since it’s at least not a premium (0900) number.

I will keep you posted!

Update 2014-02-10: I called LG again, and this time I was talking to a customer service rep who seemed to be interested. He took a note of my contact details and promised to forward the info about the bad firmware upgrade. He also confirmed that the LG BP530 would also be affected, since these two devices share the same firmware.

Update 2014-05-12: Finally LG seemed to have fixed the defects. Since a couple of days I’m running firmware version “BD3.412.40424.C” on my LG BP430, and so far I could not reproduce any of the issues encountered in previous versions. Please let me know how it goes for you.

Categories
Law

“Passagiere sollen mehr Rechte haben”???

Gerade geht groß durch die Medien, dass “Passagiere mehr Rechte haben [sollen]” im Falle von Flugausfällen oder Verspätungen. Dies bezieht sich auf einen Beschluss des Europäischen Parlaments, der die Kommission auffordert die Fluggastrechteverordnung von 2004 gemäß dem eigenen Vorschlag zu ändern. Die in den Medien genannten Entschädigungszahlungen für Verspätungen sorgten bei mir für ein Stirnrunzeln, war ich doch der Meinung die bisher gezahlten Entschädigungen seien bereits höher.

Beispielsweise bei Tagesschau.de heißt es:

“[…], dass Passagiere bei Flügen innerhalb Europas schon nach drei Stunden ein Recht auf Erstattung haben sollen.”

In der Tagesschau-Sendung von heute, 2014-02-05, 20.00 Uhr, wurde außerdem ein Betrag von 300 EUR ab einer Verspätung von 3h genannt.

Ausweislich Wikipedia gilt jedoch bereits heute:

“Seit der Entscheidung des EuGH vom 19. November 2009 […] stehen dem Fluggast bei einer Verspätung von mehr als drei Stunden (unabhängig von der Entfernung) auch Ausgleichsleistungen […] gestaffelt nach Entfernung zu.”

Das heißt, faktisch steht dieses Recht Passagieren bereits heute zu.

Continue reading ““Passagiere sollen mehr Rechte haben”???”
Categories
Consumer Electronics

Warning to install latest firmware version for LG BP430 BluRay player

A couple of days I was offered a firmware update by my LG BP430 BluRay player (German site), which I installed immediately when I noticed the update. The update process went ok, flashing finished with no (obvious) errors.

Today my wife told me that the device suddenly doesn’t play any DVDs any longer. They screen just stayed white, without the DVD being played. Also, some videos from my NAS don’t play anymore via DLNA.

I called LG support in Germany, but they’re not yet aware that the latest firmware seems to break things. They made me aware that on their website there’s still an old version available, but at the same time they said their technicians say you can’t downgrade.

Before I would send back the player to Amazon (it’s only one month old), I tried whether you can downgrade the firmware anyway — and yes, you can. After I downgraded from the bad version BD3.412.40122.C to the older version available on LG’s site (BD2.817.30806.C/Date:2013.08.19) all was fine again.

So, beware before you upgrade to said version. I would definitely wait until a more recent version becomes available.