Yet Another PHP Security Blog

Geode, Loki and the implications

nospam@example.com (Christopher Kunz) — Thu, 09 Oct 2008 16:24:44 +0200

(Preface: Most of the scenarios I am going to point out have actually been around for a long time, since Loki toolbar existed for a while now. However, I live under a stone and seem to learn things a million years after the “in crowd”. So, no flaming pls.)

So, the Mozilla Labs have released an experimental Geode plugin that is a preview for possible future native features in the Firefox mainline (and derived) browsers. The plugin basically provides a possibility for web sites to receive the user’s current physical location on a fairly precise scale.

I have played with the plug-in a little and found that it is between 10 and 50 meters off in an urban, although not very densely populated area of Hannover, Germany. This is surely not GPS-quality positioning, but it works indoors and gives a detailed enough ballpark figure to enable most “where’s the next café”-like business models.

The whole endeavor is part of an upcoming W3C spec for geolocation and thus somewhat high-profile and “official”. This is no longer a niche project, or at least aims not to be. Sure enough, my interest was sparked and I dug a little deeper.

Continue reading "Geode, Loki and the implications"

Upcoming article series regarding security - some thoughts

nospam@example.com (Christopher Kunz) — Tue, 03 Jun 2008 17:11:03 +0200

After throwing the first article about PKI and PHP at you with relatively few explanation about why I am doing this, I thought I’d post something that explains a bit more in detail.

Continue reading "Upcoming article series regarding security - some thoughts"

X.509 PKI login with PHP and Apache

nospam@example.com (Christopher Kunz) — Fri, 30 May 2008 12:22:28 +0200

Preface

As some of you know, I’m currently working in an environment that is very much about security in terms of “how do I determine for sure who is accessing my service while having all access encrypted”. Since grid computing (that’s what I’m currently doing) also is very much about Single-sign on and delegation of rights, username/password authentication schemes don’t quite do it for us. Thus, a PKI (public key infrastructure) based on X.509 is employed.

Huh?

Acronyms-a-plenty, you think. Well, it’s not so bad at all. What we call X.509 certificates is what you would call “SSL Certificates”. The correct name for those certificates is “X.509 certificate” and that’s what I’m going to refer to. Whatever name you call the child, it is what you already know and probably use - the certificates that make you able to verify you’re actually buying at amazon.com. More generally speaking, X.509 certificates can be mutually used by servers and clients alike to authenticate themselves to the other party. We can exploit this feature to get away from traditional knowledge-based credentials towards possession-based credentials.
Continue reading "X.509 PKI login with PHP and Apache"

This is what this blog is about

nospam@example.com (Christopher Kunz) — Fri, 30 May 2008 12:17:02 +0200

Yay, first post!

nospam@example.com (Christopher Kunz) — Fri, 30 May 2008 08:35:14 +0200

I had the domain “php-security.net” since we first started writing the german PHP security book and up to now, I didn’t have anything I could do with it, so it went to rot on Sedo. However, I found a nice topic for blogging under the shower this morning and so I set up a new S9Y instance. Hope you enjoy it. Don’t expect this to be very full though, I am only going to post stuff that is not appropriate content for php-sicherheit.de or my personal blog.

So mainly, there will be some english PHP security articles here. Enjoy.