Hubesco's Blog

Inside a software engineer mind

Firefox, I'll never let you down

Written by Pao, 1 comment

Sad day today.

Recently on my project I worked on a feature that was about adding different colours to the application. After releasing it and moving it to test, it came back because the hexadecimal codes were wrong. I used DigitalColor Meter (an OS X application), but the tester used Eye Dropper, a Chrome extension.

Another feature, another failed test. This time it was because the scroll bar was overlapping a video. But it did not in Safari, nor in Firefox. Again, the tester was using Chrome.

Today in the office I am looking at the screens of my colleagues, all working with Chrome. For the first time in many years, I suddenly realize how sad I am.

According to the Wikipedia browser market share page, in 2016 Chrome is always above 46.42% and Firefox is always below 15.43%. It's not new that Chrome is number one. It's just that today I took 10 seconds to think about it. And it made me sad.

There was a time when Firefox was popular among developers, back in 2007 (when I started to code for the web). It was a time when Internet Explorer was the leading browser because it was installed by default on Windows. According to the frictionless law (a completely invented law which states that people will make the least effort), people used it instead of installing a new one. But developers adopted Firefox because:

  • We were writing more and more web applications
  • We started to think that a web browser should be more respectful of the W3C standards, which IE didn't do very well (remember the differences between IE6, IE7 and IE8?)
  • Firebug started in 2006 and was an incredible tool to develop web applications
  • It was highly customizable and extensible thanks to plugins
  • Rendering was faster than IE

But Firefox didn't manage to get rid of IE because IE was pre-installed in every Windows version. Enterprises wanted IE support.

We had to wait until the end of 2009 for the ballot screen, which lets users choose their web browser when they open their Windows session for the first time. But Chrome was already there. The ballot screen didn't really benefit Firefox, but Chrome. All the features that were Firefox's strengths, Chrome took and made its own, in a context where people were now ready to change. Firefox opened the door, Google went through it with mastery.

Chrome had three killer features:

  • Rendering was faster than any other mainstream web browser
  • UI was minimalist (e.g. merge of address bar and search bar)
  • Short update cycles

To achieve supremacy, Google pre-installed the browser on Android and they were good to go.

Apart from short update cycles (which Firefox has now), Firefox has always rendered web pages fast enough for me (even today) and its interface is minimalist (compare two fresh installations of Firefox and Chrome and see; OK, one search bar and three more buttons for Firefox, but come on, this is minimalist too).

BUT...

Chrome is not open source. And don't say a word about Chromium, please. Firefox is not totally 100% open source, but it tries to be as open source as possible. Open source should be the default. Open source is collaboration. Open source is transparency. Open source is interoperability. Open source is learning. And it is much more than that.

Firefox, I love you, and I'll never let you down.

Filed under: general Tags: none

Workplace headache

Written by Pao, 2 comments

DISCLAIMER: The following does not happen only in my company. And it's understandable stuff. But it gives headaches.

------------------

New project, new office, new desk.

Again, I need to set up my tools and my desk to work properly. And again, the same issues remain: slow laptop, network connectivity problems, missing whiteboard, ...

First, the laptop.

It's provided by the company and it's brand new. Windows 7 (getting old but OK), 256 GB SSD, i5 2.40 GHz (2 cores, 4 threads), 8 GB RAM. Good stuff, no? What could be wrong?

Already 3 blue screens of death (in 2 months), Outlook lagging and sometimes crashing, Software Center not working properly, slow log in...

Why, why, why? My Windows 10 at home works very well and is very fast! My only guess is that it is because of the customized Windows, modified to comply with corporate rules and security.

At least we have admin privileges to install the software we need. But it is monitored, and if you install some blacklisted software, IT will knock at your door.

Second, the network.

I can understand that, for security reasons, Internet access is not wide open. But as a software engineer working with the cloud (especially AWS), I expect to be able to do everything I need. And of course, port 22 (SSH) is closed. How am I supposed to connect to my EC2 instances? Or use Ansible (which uses SSH)?

So now I connect my laptop to an open WiFi. But sometimes the connection drops. Disconnect WiFi and reconnect again. Connection lost. Disconnect, reconnect... When one of my scripts is frozen, I don't know whether it is processing or whether the connection is lost.

Third, desks.

I like open space. Because I like space. And an open space lets me have a big view of the whole floor. It's open and refreshing. But in this open space, there is no personal desk. You need to book one. No personal desk means:

  • every morning, I open my locker, take my laptop, connect the power, connect the screen, connect the mouse.
  • every evening, I disconnect the cables, pack my laptop and place it in the locker.

Not really efficient. I like open space, but I also like having a personal desk so that I don't move every day.

Fourth, no whiteboard?!?

A whiteboard is, in my opinion, a powerful tool to communicate with people. Just pick a pen and draw your idea while explaining it. Everybody can participate, it's visual, and it's big. Better than writing on a piece of paper.

Finally, processes.

You want to get something? You want to fix the issues described above?
Create a ticket in some software and go through the process! Just wait. Pray that you didn't forget to fill in some mandatory field. Pray that the ticket will be accepted. And wait again.

It's not that I don't like processes. I like processes that take the unexpected into account, or that enable novelty and agility. But I don't like processes that are too standard or too inflexible. It's hard to find a balance between the two, but on a scale from 1 to 10 (standard to anarchy), I would choose 8.

Let me do my job!

OK, these are not big issues. I can work. But running into the same issues over and over is what gives me headaches.

My utopian workplace

  • Linux, with at least an i5 CPU, 8 GB RAM, 256 GB SSD
  • No restriction on software (even cloud software)
  • 24 inches screen
  • Personal desk
  • Open space
  • 2 whiteboards (at least, or entire walls)
  • Reliable WiFi with no restriction

Lesson learned from VPN : hiding is hard

Written by Pao, no comments

I recently installed a VPN on my private server. I had done this before, but this time I tried to go much deeper by testing my settings. The question was: can I really hide my identity behind this VPN?

Test 1: basic test

I am using Yunohost for my private server, and Yunohost has an OpenVPN package. So I installed it and then connected to it. It was straightforward.
The first test was pretty basic. I went to https://www.whatismyip.com/ and checked whether my IP was the server's IP.
And yes it was! Cool! Done? Not at all!

Test 2: DNS leak

I don't remember where I heard about DNS leaks. But they can unveil your identity and break your anonymity.
First lesson: when you want to be behind a VPN, you have to route ALL traffic through this VPN, including the DNS requests. Sending the packets through the tunnel is not enough if the names are still resolved by the resolver your ISP or your home router handed out.

Under certain conditions, even when connected to the anonymity network, the operating system will continue to use its default DNS servers instead of the anonymous DNS servers assigned to your computer by the anonymity network. DNS leaks are a major privacy threat since the anonymity network may be providing a false sense of security while private data is leaking.

dnsleaktest.com

OK, so let's fix it!
I added some configuration to the client .ovpn file:

;Ubuntu
;update-resolv-conf hands the DNS servers pushed by the server to resolvconf
;while the tunnel is up; running it requires "script-security 2", which the
;Yunohost-generated client file already contains
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

and also in the server configuration file:

;DNS Leak
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
;Windows clients (OpenVPN 2.3.9 or later) should also receive this, otherwise Windows
;may still query the resolvers of its other interfaces (other platforms ignore it with a warning)
push "block-outside-dns"

For Windows, I followed the steps on this website.

I went to https://www.dnsleaktest.com/ for the second test.
Hurray! No more DNS leak!

Test 3: WebRTC

Another issue I found by browsing the web: WebRTC. OK, what's that?

WebRTC (Web Real-Time Communication) is a collection of communications protocols and application programming interfaces that enable real-time communication over peer-to-peer connections. This allows web browsers to not only request resources from backend servers, but also real-time information from browsers of other users.

Wikipedia

That's a good feature. But the implementation is crap:

Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a user's local and public IP addresses in javascript. This demo is an example implementation of that.

Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.

Daniel Roesler

We can prevent this leak by disabling WebRTC in Firefox (this switches WebRTC off entirely, so sites that rely on it for calls or peer-to-peer transfers will stop working until it is re-enabled):

about:config > media.peerconnection.enabled = false

Testing again, this time at https://ipleak.net/. Yeah, it's working.

Test 4: Geolocation

Uh oh. On the previous website, I saw a new category: Geolocation. And unfortunately, even though I was behind my VPN, this map was showing my real location...
Why? OK, I found this on the Mozilla Firefox website:

If you consent, Firefox gathers information about nearby wireless access points and your computer’s IP address. Then Firefox sends this information to the default geolocation service provider, Google Location Services, to get an estimate of your location.

Mozilla Firefox

Firefox tells us that it is not trying to find your location only from your own data, but also from data about nearby wireless access points. And then it sends everything to Google :facepalm:. Guys, you're killing me.

The fix is pretty simple, just disable geolocation in Firefox:

about:config > geo.enabled = false

New test! Same website as in the previous test. And it's working. No more geo.

Test 5: IPv6

My IPv4 address was showing my server's IP. But my IPv6 address was still mine. So I searched a bit and found some useful information on the openvpn.net website.

Starting officially in the 2.3.0 release, OpenVPN supports IPv6 inside the tunnel, and can optionally be configured with IPv6 as a transport protocol for the tunneled data. There were some unofficial developer patches for the 2.2.x series that added partial IPv6 support (Debian in particular chose to integrate these patches into some of their builds.)

openvpn.net
After some configuration, I managed to get IPv6 through the VPN:

;IPv6
;2001:db8::/32 is the documentation prefix (RFC 3849): use the /64 actually routed to the server
server-ipv6 2001:db8:0:123::/64
;send all global unicast IPv6 (2000::/3) into the tunnel; the server must forward it onwards,
;otherwise the client's IPv6 is simply black-holed (OpenVPN 2.4+ also accepts the ipv6 flag of redirect-gateway)
push "route-ipv6 2000::/3"
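The DNS fix of test 2 and the IPv6 routes above both come down to the same question: which interface does the kernel pick for a given destination? The script below, an added example that is not part of the original post, answers it by longest-prefix match over a routing table as printed by ip route / ip -6 route, then reports which resolvers (from a resolv.conf) and which test destinations would leave outside the tunnel. All tables, addresses and interface names (tun0, wlan0, 203.0.113.10 standing in for the VPN server) are constructed samples, not captures from the author's setup. It shows why redirect-gateway def1 does not stop the DHCP-assigned resolver from leaking (the LAN /24 is more specific than 128.0.0.0/1), why the pushed OpenDNS resolvers fix it, and why a public IPv6 destination leaks until route-ipv6 2000::/3 is in place.

```python
import ipaddress


def parse_ip_route(text, family):
    """Parse `ip route` (family=4) or `ip -6 route` (family=6) output into a list of
    (destination network, outgoing interface). Gateways and metrics are ignored:
    for the leak question only the interface a destination leaves through matters."""
    routes = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dest = tokens[0]
        if dest == "default":
            dest = "0.0.0.0/0" if family == 4 else "::/0"
        elif "/" not in dest:  # host route printed without a prefix length
            dest += "/32" if family == 4 else "/128"
        dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else "?"
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def egress_interface(routes, address):
    """Longest-prefix match, the rule the kernel applies. This is why redirect-gateway
    def1 works by adding 0.0.0.0/1 and 128.0.0.0/1 (more specific than the old default
    route), and also why a /24 for the LAN still wins over both of them."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, dev in routes:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev)
    return best[1] if best else None


def nameservers(resolv_conf):
    """Resolver addresses listed in /etc/resolv.conf text."""
    return [line.split()[1] for line in resolv_conf.splitlines()
            if line.startswith("nameserver") and len(line.split()) > 1]


def leaks(routes, addresses, vpn_dev="tun0"):
    """Addresses (resolvers or test destinations) that would be reached outside the tunnel."""
    return [a for a in addresses if egress_interface(routes, a) != vpn_dev]


# --- constructed samples (not captured from the author's server) ---
# IPv4 table of a laptop on a home LAN after "redirect-gateway def1"; 203.0.113.10
# stands for the VPN server, which must keep leaving through the physical interface.
IPV4_ROUTES = """
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
203.0.113.10 via 192.168.1.1 dev wlan0
"""
RESOLV_BEFORE = "nameserver 192.168.1.1\n"  # DHCP-assigned home router
RESOLV_AFTER = "nameserver 208.67.222.222\nnameserver 208.67.220.220\n"  # pushed by the server
# IPv6 table before and after the pushed "route-ipv6 2000::/3" (2001:db8::/32 is the documentation prefix).
IPV6_ROUTES_NO_VPN = """
2001:db8:1:2::/64 dev wlan0 proto ra metric 600
fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 600
"""
IPV6_ROUTES_VPN = IPV6_ROUTES_NO_VPN + """
2001:db8:0:123::/64 dev tun0 proto kernel metric 256
2000::/3 via 2001:db8:0:123::1 dev tun0 metric 1024
"""
IPV6_TEST_DESTINATION = "2606:4700:4700::1111"  # any public IPv6 address serves as the probe


def audit():
    """Run the checks on the samples and return the results by name."""
    v4 = parse_ip_route(IPV4_ROUTES, 4)
    return {
        "dns_before_fix": leaks(v4, nameservers(RESOLV_BEFORE)),
        "dns_after_fix": leaks(v4, nameservers(RESOLV_AFTER)),
        "vpn_server_route": egress_interface(v4, "203.0.113.10"),
        "ipv6_without_route": leaks(parse_ip_route(IPV6_ROUTES_NO_VPN, 6), [IPV6_TEST_DESTINATION]),
        "ipv6_with_route": leaks(parse_ip_route(IPV6_ROUTES_VPN, 6), [IPV6_TEST_DESTINATION]),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

To run it against a real machine, replace the sample strings with the output of ip route, ip -6 route and the contents of /etc/resolv.conf; a resolver or destination reported by leaks() is one the online leak tests will see coming from your real address.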

Next test?

Hiding behind a VPN is hard. I found some issues, but there are certainly plenty more, waiting to be discovered. Or maybe already discovered and used by some people?


Getting OpenVPN to work on Yunohost

Written by Pao, no comments

After installing OpenVPN on Yunohost, I had a few small problems getting it to work.

The fix is actually simple: the subject of the certificate must carry the same name as the server. When the OpenVPN package is installed, the configuration uses the certificate, private key and root certificate currently in force. In my case, the root certificate is the StartCom one, so as to have an HTTPS connection recognised by browsers. But then, while verifying the certificate chain, OpenVPN runs into StartCom and is unhappy because the name does not match the server's.

Fine. Then we will use the certificates auto-generated by Yunohost (when adding a domain name), because their subject matches the server name!

The procedure is as follows:

  • Edit the server configuration file
  • Edit the client configuration file
  • Restart the OpenVPN service: service openvpn restart

One more thing: don't forget to start the OpenVPN service after installing the package, because apparently this is not done automatically.

Server configuration

Below is the OpenVPN configuration generated by Yunohost:

port 1194
dev tun
proto udp
ca   /etc/yunohost/certs/host.com/ca.pem
cert /etc/yunohost/certs/host.com/crt.pem
key  /etc/yunohost/certs/host.com/key.pem
dh   /etc/yunohost/certs/host.com/dh.pem
server 10.8.0.0 255.255.255.0
route 10.8.0.0 255.255.255.0
keepalive 10 60
inactive 600
user openvpn
group openvpn
persist-tun
persist-key
verb 3
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
client-cert-not-required
status /var/log/openvpn.log
comp-lzo
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"

The changes to make are the following:

...
;ca   /etc/yunohost/certs/host.com/ca.pem
;cert /etc/yunohost/certs/host.com/crt.pem
;key  /etc/yunohost/certs/host.com/key.pem
ca /etc/yunohost/certs/host.com/yunohost_self_signed/ca.pem
cert /etc/yunohost/certs/host.com/yunohost_self_signed/crt.pem
key /etc/yunohost/certs/host.com/yunohost_self_signed/key.pem
...

Client configuration

After modifying the server, I got the following error:

Thu Sep 11 00:12:05 2014 ++ Certificate has key usage  00f8, expects 00a0
Thu Sep 11 00:12:05 2014 ++ Certificate has key usage  00f8, expects 0088

I came across this article, which explains how to fix the problem.

Here is the default file, offered for download at https://host.com/openvpn (I have masked a few configuration details of my personal server):

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo yes
verb 3
remote host.com 1194
route-delay
reneg-sec 0
redirect-gateway
script-security 2
--auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
UNE_LONGUE_CHAINE_DE_CARACTERE
-----END CERTIFICATE-----

</ca>

Changes to make:

...
;remote-cert-tls server
--remote-cert-ku f8
...

The certificates generated by Yunohost for the domain do not seem compatible with the remote-cert-tls server directive.
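What the two log lines say, as an added example that is not code from the original post: OpenVPN prints the certificate's X.509 keyUsage as one byte (first bit of the BIT STRING = 0x80), and remote-cert-tls server is documented as shorthand for remote-cert-ku a0 88 together with remote-cert-eku "TLS Web Server Authentication". The version that wrote this log compared the values for equality, so a certificate carrying f8 (a superset of a0) is refused; that later releases accept any certificate containing the expected bits is stated here from memory and is worth checking against the manual of the version in use. The decoder below parses a DER keyUsage value (a constructed sample equal to the 00f8 of the log), names its bits and reproduces both comparison rules. Note what the workaround costs: remote-cert-ku f8 keeps a key-usage check but drops the extended-key-usage check, which is what stops another certificate from the same CA being presented as the server.

```python
# X.509 keyUsage bit names in BIT STRING order (RFC 5280, 4.2.1.3). The OpenVPN log
# shows the first eight as one byte, first bit = 0x80, so digitalSignature|keyEncipherment
# = a0 and digitalSignature|keyAgreement = 88.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly",
]
REMOTE_CERT_TLS_SERVER_KU = (0xA0, 0x88)  # the values "remote-cert-tls server" expects


def parse_key_usage(der: bytes) -> int:
    """Decode a DER keyUsage value (optionally still wrapped in the extension's
    OCTET STRING) into the one-byte value OpenVPN logs."""
    if len(der) >= 2 and der[0] == 0x04 and der[1] == len(der) - 2:  # OCTET STRING wrapper
        der = der[2:]
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:  # long-form lengths never occur for keyUsage
        raise ValueError("bad or unsupported length")
    unused_bits, body = der[2], der[3:]
    if unused_bits > 7 or (not body and unused_bits):
        raise ValueError("bad unused-bit count")
    if not body:
        return 0
    first = body[0]
    if len(body) == 1:
        first &= (0xFF << unused_bits) & 0xFF  # DER requires zero padding bits; mask defensively
    return first


def key_usage_names(ku: int) -> list:
    """Names of the bits set in a one-byte key-usage value."""
    return [name for i, name in enumerate(KEY_USAGE_BITS) if ku & (0x80 >> i)]


def ku_accepted(cert_ku: int, expected=REMOTE_CERT_TLS_SERVER_KU, exact=True) -> bool:
    """exact=True reproduces the log: the certificate value must equal one of the
    expected values, so f8 is refused although it contains a0.
    exact=False accepts the certificate when every bit of one expected value is set."""
    return any(cert_ku == e if exact else (cert_ku & e) == e for e in expected)


# Constructed sample: the keyUsage extension value of a certificate with digitalSignature,
# nonRepudiation, keyEncipherment, dataEncipherment and keyAgreement, i.e. the 00f8 of the
# log. 04 04 = OCTET STRING wrapper, 03 02 = BIT STRING of 2 bytes, 03 = unused trailing bits.
YUNOHOST_LIKE_KEY_USAGE = bytes.fromhex("04 04 03 02 03 f8")

if __name__ == "__main__":
    ku = parse_key_usage(YUNOHOST_LIKE_KEY_USAGE)
    print(f"key usage {ku:04x}: {', '.join(key_usage_names(ku))}")
    print("remote-cert-tls server, exact match:", ku_accepted(ku))
    print("remote-cert-tls server, subset match:", ku_accepted(ku, exact=False))
    print("remote-cert-ku f8:", ku_accepted(ku, (0xF8,)))
```

The same names are visible with openssl x509 -in crt.pem -noout -text under "X509v3 Key Usage"; comparing them with the list above tells you in advance whether remote-cert-tls server will accept a certificate.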

 

And now it works, it's great, it runs like a charm. All that's left is to see how to avoid the DNS leak....


VPN without OpenVPN: long live SSH!

Written by Pao, 1 comment

A colleague has just saved me from debugging OpenVPN. Many thanks!

I installed Yunohost on my server. And with the aim of having a VPN, I installed the OpenVPN application available in Yunohost. I had already configured and used OpenVPN successfully by installing it manually. Here, Yunohost configures everything automatically.

To configure the client, Yunohost displays a page offering to download the configuration file, complete with the CA. It was too good to be true. Unfortunately I hit this error:

VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority

There is a question about this on the Yunohost forum, but the person got no answer. I didn't dig very deep to understand it and find a solution; it was a colleague who brought it to me: "use the poor man's proxy, with ssh -D!". Huh? First time I'd heard of that.


The command is simple: ssh -D port user@server

  • port: local port (on the client machine) of the SOCKS proxy
  • user: user name for logging in to the remote server
  • server: host name of the remote server

With this command, all communications that use the port specified in the command go through a secure SSH tunnel and come out at the remote server. Hey, but that's the same thing as a VPN! Bingo! I uninstall OpenVPN and use SSH.
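What ssh -D actually gives you, as an added example that is not the original post's code: a SOCKS5 proxy (RFC 1928) on the chosen local port. Only applications pointed at that proxy are tunnelled, and each of them decides whether the destination name is sent to the proxy unresolved (address type 3, resolved by sshd on the server) or resolved locally first (address types 1 and 4), in which case the DNS query leaves through the local resolver, outside the tunnel, the same leak as in the OpenVPN post. The code below builds and parses the client and server messages of a SOCKS5 CONNECT; all message bytes used as samples are constructed, and only the final block, which assumes ssh -D 1080 user@server is already running on 127.0.0.1:1080, touches the network.

```python
import ipaddress
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def greeting() -> bytes:
    """Client hello: version 5, one method offered, 'no authentication'
    (ssh -D authenticates the SSH session, not each SOCKS client)."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def parse_method_choice(data: bytes) -> int:
    """Server's choice of authentication method."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method selection")
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise ConnectionError("proxy rejected every offered authentication method")
    return data[1]


def connect_request(host: str, port: int, remote_dns: bool = True) -> bytes:
    """CONNECT request. With remote_dns the hostname goes to the proxy unresolved (ATYP 3)
    and is looked up on the server; without it the name is resolved here first (ATYP 1/4),
    i.e. a DNS query leaves through the local resolver. IP literals never trigger a lookup."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is None and not remote_dns:
        ip = ipaddress.ip_address(socket.gethostbyname(host))  # the local lookup that leaks
    if ip is None:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for a SOCKS5 domain address")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes):
    """Server reply VER REP RSV ATYP BND.ADDR BND.PORT.
    Returns (reply code, bound address, bound port, bytes consumed)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        offset, alen = 4, 4
    elif atyp == ATYP_IPV6:
        offset, alen = 4, 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated reply")
        offset, alen = 5, data[4]
    else:
        raise ValueError(f"unknown address type {atyp}")
    end = offset + alen + 2
    if len(data) < end:
        raise ValueError("truncated reply")
    raw = data[offset:offset + alen]
    bound = raw.decode("idna") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", data[offset + alen:end])
    return rep, bound, port, end


def socks_connect(proxy, host, port, remote_dns=True):
    """Run the whole exchange against a live proxy and return the connected socket."""
    s = socket.create_connection(proxy)
    try:
        s.sendall(greeting())
        parse_method_choice(s.recv(2))
        s.sendall(connect_request(host, port, remote_dns))
        rep = parse_reply(s.recv(4 + 256 + 2))[0]
        if rep != 0:
            raise ConnectionError(REPLY_TEXT.get(rep, f"reply code {rep}"))
    except Exception:
        s.close()
        raise
    return s


if __name__ == "__main__":
    # Assumes "ssh -D 1080 user@server" is running on this machine (port 1080 is an assumption).
    with socks_connect(("127.0.0.1", 1080), "example.com", 80) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: example.com\r\n\r\n")
        print(s.recv(256).decode(errors="replace"))
```

The practical consequence: curl -x socks5h://127.0.0.1:1080 sends the name to the proxy (ATYP 3), whereas socks5:// resolves it locally first; in Firefox the SOCKS v5 proxy setting needs network.proxy.socks_remote_dns set to true for the same reason. Without that, the web traffic takes the tunnel but the DNS queries do not, and the setup is no more private than the OpenVPN one before its DNS fix.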

 

With PuTTY

Then log in to your server as usual to open the SOCKS port.

Documentation

Link to the SSH man page: http://www.delafond.org/traducmanfr/man/man1/ssh.1.html
