
Originally published in Queue vol. 13, no. 2

(newest first)

dave taht | Tue, 24 Feb 2015 08:40:44 UTC

I have been converting my old blog on blogger to hugo.io, and converting the related ikiwiki site also. The biggest headache was using the Jekyll import utility and then converting the metadata, and then touching up the resulting markdown.

I am loving hugo. It does dynamic refresh while you are writing the site locally. And it compiles 1000 blog postings into a nice site in under a second, totally smoking ikiwiki on the task. The resulting blog loads at least 10x faster than blogger does and the only thing stopping me from finally pulling the trigger on publishing the conversion is trying to find a chat system I like.

I think I need to go learn more go.

paul vixie | Fri, 23 Jan 2015 22:09:10 UTC

i was asked, separately: "what is the correct solution for a truly dynamic website? I'm thinking about a WebApp or something, when you *have* dynamic contents. How should we, web devs, implement it?" if you're building a webapp that has to be dynamic, you match the qualification in my article, "unless you have a business reason". rules of thumb: use a compiled language that lacks "eval", and in the same sense, use a database interface that requires hard coded verbs and parameters rather than one that parses and interprets SQL in real time; audit with two extra sets of eyes the source code to any framework or library you import; audit with two sets of eyes any code that accepts input from the web including environment variables, URLs and URL parameters, and POST values, where your sanity-checking is to accept only valid characters rather than rejecting some predefined subset of invalid ones. there are millions of web-apps and i'm sure that at least thousands of them are safe. you can do this. good luck and let me know how it works out for you. --paul
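As an added illustration of the rules of thumb in the comment above (this is not code from the article or its author), the following Go snippet pairs a character allowlist with a parameterized query; the `posts` table, its columns and the function names are assumptions made for the example.

```go
package main

import (
	"context"
	"database/sql"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Allowlist patterns: each names exactly the characters a field may contain.
var (
	slugRE   = regexp.MustCompile(`^[a-z0-9-]{1,64}$`)
	postIDRE = regexp.MustCompile(`^[1-9][0-9]{0,9}$`)
)

var ErrBadInput = errors.New("input contains characters outside the allowlist")

// Allowlist checks: anything not matching the pattern is rejected,
// so metacharacters the author never thought of still fail closed.
func ValidSlug(s string) bool   { return slugRE.MatchString(s) }
func ValidPostID(s string) bool { return postIDRE.MatchString(s) }

// Denylist check, shown for contrast: it only knows the characters it was
// told about, so any other metacharacter passes (fails open).
func DenylistPasses(s string) bool { return !strings.ContainsAny(s, `';`) }

// The SQL verb and shape are a compile-time constant; the only runtime value
// travels as a bound parameter, which the driver never interprets as SQL.
const postBySlugSQL = `SELECT id, title FROM posts WHERE slug = ?` // assumed schema

type Post struct {
	ID    int64
	Title string
}

// LookupPost applies the allowlist before the value reaches the database.
func LookupPost(ctx context.Context, db *sql.DB, slug string) (Post, error) {
	if !ValidSlug(slug) {
		return Post{}, ErrBadInput
	}
	var p Post
	err := db.QueryRowContext(ctx, postBySlugSQL, slug).Scan(&p.ID, &p.Title)
	return p, err
}

func main() {
	fmt.Println(ValidSlug("go-static-or-go-home"), DenylistPasses(`a"--`))
}
```

Opening a real `*sql.DB` requires a driver (not included here); the validation path runs without one.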

paul vixie | Fri, 23 Jan 2015 22:01:55 UTC

meint, i certainly agree that hybrid models are safer, and in the article i used Bricolage as an example. there's a "really-static" plugin for wordpress that can yield similar code-vs-data separation. as you say, there are many roads to Rome. my overarching assertion is: if you haven't studied these matters in detail, and you try to run a DCMS out of the box, you will get hacked; therefore either study these matters in detail and take responsibility for the complete result, or, use a system that completely separates your code from outsider data, until you have the motivation and the resources required to build a hybrid solution. --paul

Meint | Thu, 22 Jan 2015 21:40:30 UTC

The issue might not exactly be static or dynamic but rather that systems like wordpress and drupal have the same codebase for content management and content generation. If there is a vulnerability in the content generation code it might be possible to get to the content management area. Though a solution might be to make everything static, this would not necessarily give the best user experience. Current developments are that systems like wordpress are split into content generation and content management components which decouple these functionalities and strongly diminish the susceptibility to attacks based on shared codebase. Added to that, there are a lot of solutions to make the content generation nearly static via caching plugins. I have written a small blog post that shows how to put an entire wordpress site into a CDN which strongly increases DDoS survivability. I certainly agree with the signalled shortcomings of dynamic cms solutions but wanted to point out that there are ways to Rome.

paul vixie | Tue, 20 Jan 2015 17:18:37 UTC

chol, bobby! of course it was bobby. i don't know what i was thinking. my apologies.

paul, i only mentioned Bricolage when i talked about dynamic authoring environments with static front ends. i hear you regarding staticgen. i don't think i need to publish an exhaustive list of such packages, but i invite other comments to that effect. most people just install Wordpress or similar, and it was the recent breakin at my old company's Wordpress based site that inspired this article.

paul | Tue, 20 Jan 2015 16:43:12 UTC

There's lots of software out there for nontechnical people to write static sites with: see staticgen.com for links to a bunch of programs, and a hosting service for them. I'm not connected with the service and don't currently use it but it seems like a cool idea to me.

chol | Tue, 20 Jan 2015 14:27:38 UTC

Little Bobby Tables, not Johnny.

© 2018 ACM, Inc. All Rights Reserved.