What Perfect Forward Secrecy means

Let’s say you had an encrypted conversation with Bob yesterday. Today Bob accidentally posts his secret key on the internet. You still want your conversation to be private, right? So what can you do? You can use a cryptographic protocol with perfect forward secrecy (PFS). That will protect you against similar blunders by your conversation partners and even your own blunders of this type. Sounds pretty desirable, right?

Since the Snowden leaks, we know for sure that a variety of state-run intelligence services record your communication – some of them with the explicit intent to decrypt it later when possible. And with many protocols you just need to break one key to be able to decipher many messages. PFS also protects against that: you usually need to break every single message individually.

So both blunders and outright malice pose a sizeable threat, which we therefore need to consider when designing our threat models.

Continue reading

Postgres Performance Troubleshooting – An Example

Recently we encountered some severe performance problems in one of our projects. Some SQL queries were very slow.

A certain query took over 6 seconds to finish in Azure’s Postgres service and about 350ms locally on my laptop. Both are unacceptable.

I don’t know much more than the Postgres basics, and the project was, in all parts relevant here, more or less new to me. But let me show you how I approach the unknown, what I learned and how I solved it.

By the way: the issue is a prime example of not spending more time on optimisation than what feels necessary at the time. So even though the initial code looks a bit dumb in hindsight, I still consider this OK, as the application was fast enough for over 2 years in production and, as we later learned, the issue was caused by some up to that point unprecedented data.

Now, let’s dive in!

Continue reading

Developers Adopt Kotlin! Addressing your fears and Kotlin’s gains.

Every time I have used Kotlin instead of Java I enjoyed it and did not regret it. But somehow I still meet some reservations regarding Kotlin with both managers and sometimes developers.

This post will address your fears as a (Java) developer regarding the use of Kotlin and elaborate a bit on what Kotlin will gain you. There is a similar post on this blog addressing managers (German version here) which will probably also be good reading for you.

Continue reading

Managers adopt Kotlin! Addressing your fears and Kotlin’s gains.

Every time I have used Kotlin instead of Java I enjoyed it and did not regret it. But somehow I still meet some reservations regarding Kotlin with both managers and sometimes developers.

This post will address your fears as a manager regarding the use of Kotlin and elaborate a bit on what Kotlin will gain you. There will be a similar post on this blog addressing developers that goes a bit more into technical details.

Continue reading

Angular & OpenId: a real world example

In theory it appears pretty easy to build the browser side of an application using OpenID Connect. Actually implementing it in a real-world application has usually proven to be more difficult than that.

I would like to show you how to solve some of the real-world problems beyond the basic setup. First let me describe what I want to build:

  • a single page app with Angular
  • routing via the hash part of the url
  • a forced login via OIDC

I will write about the following problems encountered while building that app:

  • What library to choose?
  • Where and when to initialise that library?
  • Angular and hash based routing
  • How to handle errors?
  • Some smaller miscellaneous problems

Continue reading

WildFly 8-10 and JBoss EAP 7 verbose HTTP headers

As a developer I am really happy to have an easy way to determine which version of a software I’m running. But I do not like it if my software tells everyone its name and version, as this gives important fingerprinting information to possible attackers.

If you use WildFly versions 8 through 10 or JBoss EAP version 7, the default configuration includes some HTTP headers that are too verbose in my opinion. JBoss EAP 6 is not affected, by the way. The headers you get look like this:

Server: JBoss-EAP/7
X-Powered-By: Undertow/1

Getting rid of these headers is really easy. So I think the tiny effort to remove these headers should be put into any project even if the probability of getting attacked and the possible impact are really small.

To fix the problem let’s have a look at the default configuration in the standalone.xml:

Continue reading

commons-fileupload 1.3.3 resolves deserialisation vulnerability CVE-2016-1000031

CVE-2016-1000031 is a vulnerability in the extremely widely used Apache Commons library commons-fileupload – you might not even know you have it on your class path. Up to version 1.3.2 the library has a very nasty Remote Code Execution vulnerability, with easy-to-use exploits publicly available. What makes it even worse is that you do not even need to use the library – you only need to have it on your class path and to deserialise some data. The data is the attack vector. You can find a good, detailed explanation of the vulnerability here.

It did take a while but with version 1.3.3 this vulnerability is finally closed (by default).

There is some stuff that you should know about the fix though:

Continue reading

ActiveMQ Confusion and What comes with your JBoss EAP / WildFly

Oftentimes people talk to each other about using ActiveMQ, but they’re actually referring to different brokers. That is because there are 3 different message brokers with ‘ActiveMQ’ in their name and this turns out to be pretty confusing when a project as big as WildFly starts to use a broker with ‘ActiveMQ’ in its name that is not the broker that was known for years under the name ‘ActiveMQ’.

So there are 3 projects:

Continue reading