Hey WhatsApp switcher

23rd February 2014 | Comments

Just some lines about the current situation and why switching to alternatives is possibly more reasonless than you might think.

First of all, WhatsApp is not even very secure. Indeed it was dangerously insecure. For a long time, traffic between your phone and the WhatsApp servers wasn't encrypted and everyone on the same network could listen and manipulate all your data. Also your never-shown WhatsApp password was quite easy to guess and therefore anyone could have hacked into your account with just a little research. Later on they switched to using transport encryption, so that at least the traffic between you and their servers was secured. And still you have to fully trust that company and their server infrastructure. There is no way to proof they are secure and WhatsApp had a lot of security flaws in its short history.

Now that Facebook has bought WhatsApp, people seem to get hysteric. Which is for no reason cause those users trusted WhatsApp before and WhatsApp still claims in their privacy notice that they don't collect your messages and delete everything after delivery. So actually, nothing has changed yet. Additionally, I guess WhatsApp has to get your legal approval in case your data gets merged with the Facebook database.

Now we have two common announced alternatives, Threema and Telegram.

Telegram is a free service from two brothers who are also know for founding Russia's largest social network. The protocol itself and the phone clients are open source and also look quite similar to WhatsApp. But for default usage, only traffic between you and the servers is encrypted and you have to trust their servers (which are still closed source), just like in case of WhatsApp. You could use an end-to-end encryption by choosing the quite hidden option of a "Secret Chat", though. Sadly this isn’t well explained within the app. Additionally you should meet personally to conduct that, what you likely don't do at that point deep within the user interface. Also Telegram is criticized for using unusual cryptographic patterns. That doesn't mean that it is insecure, but it is also hard for experts to say that this is likely secure. Instead of providing good explanations and proofs, Telegram initiated some disputable hacker contest which is out of real-life situations. No, just that someone doesn't hack you at that point doesn't mean you are secure. And the reward of $200,000 seems high, but actually might be pretty low if you compare it to selling information about such a strong security hole on the black market.

Threema might look better at a first glance since they claim to always use end-to-end encryption. But all they do is closed source and behaves like a black box. Only the end-to-end encryption could be checked with some guide they provide. This is not enough. The client apps could provide side-channel attacks. What does a secure connection help if the password is badly generated or additionally sent in an insecure way? No proof for that. Also we still have to trust the server for e.g. not fiddling around with our contact list and giving fake contacts a positive verification status. No word on how secure that is implemented either. Some technical blame: Only using Forward Secrecy for the transport encryption is strange, too, since its message is: "Trust our servers.“ Something no secure solution should ever expect from its users.

Also some people think that XMPP with the OTR plugin might fit perfectly for that use case. Nope. We are talking about messengers, including asynchronous communication (your dialogue partner might be offline while you send something), group chats and push notifications for low battery usage. There is no solution using that technology and solving the described points yet. Let alone having a good implementation on multiple mobile platforms.

The problem with security is, there is nothing like "a little secure". There is only security or insecurity on the current knowledge base of attack possibilities. You could restrict security to specific parts, e.g. full encryption between client and client or just client and server. But either it's broken or it's not. And using something in the belief that it is secure while it isn't at all is quite dangerous.

My conclusion it that there is no end-user solution out yet that I could really recommend for mobile phones. Telegram might be one in the future, if they rethink their whole security structure, only use the end-to-end encryption and that with an intuitive user guidance, too. Most importantly: Don't assume that any of those named solutions is more secure than SMS or WhatsApp, even if they try to advertise that.

You might say I'm paranoid, but the point is: In all current solutions you have to trust the service provider just like you already had for WhatsApp. And how to rate trust?

If you switch, do it to score off WhatsApp and its unsympathetic CEO, not because of bogus security.

For a theoretical article about that topic, I recommend reading "How to choose your secure messaging app" by Geoffroy Couprie.

Fake for whatever reason

29th April 2013 | Comments

Last Monday I got contacted by someone I didn't know before. That alleged girl sent me a friend request on Facebook and shortly after that started to regularly chat with me. After some research it was obviously a fake account. The profile picture was from some random nude girl photo set (you can use Google's similar image search for that), the friend list of that account was hidden and "she" only got likes from young, male Facebook users. But the profile was already created in 2009.

I still got interested and played that game. We had a quite open discussion about a lot of things and that person shared a lot of common positions about society, politics, interests etc. It isn't that I just got consent about my opinions after I said them first, it also was the other way around.

On the other hand that person sent me some nude pictures pretending it's her and was implausibly open about her sexuality. Still no reason to give up, I wanted to know how well the fake profile was played. And it has become clear that it was a pretty professional virtual character. She attended an existing university course, had a plausible place of residence, was well informed about the news and also the mobile number was at least valid. The memory about things I already told that person was good. My collocutor even voiced concerns about sharing "her" nude pictures on Facebook and used some faked Gmail address instead.

Finally I sent that person a link to an also faked picture on my web server and therefore got the used IP address which was an IPredator exit point. I also purported the wish of visiting her, so that we would see us in real life. Even that wasn't handled as a problem, but I haven't got a postal address. Also no wish for money or something was given.

After sending me another nude picture that was again from some photo set on the Internet, I confronted that person with the facts. Within seconds, the Facebook account was either deleted or I was blocked, Facebook just says that the profile isn't available.

By the way, reporting something on Facebook is quite difficult if the content isn't available anymore, especially if you are blocked and can't see it. Still there is some form in Facebook's help labyrinth and I'll see if someone reacts there.

After all I'm just wondering why the person did this. Is it just an insane one? A male or female? Old or young? Someone not having the guts to contact people with a real identity? Someone how wanted to get recognition?

Shared information wasn't confidential and also it doesn't seem like a specific attack on my personality. At no time was a wish for financial support. A gay playing a female character? I don't think so, too. So either it's the pure lust of faking identities, the person has some serious problem with its personality or … I just don't know.

Update: The English language already has the term catfish for this phenomenon. And a German newspaper recently published the article "Liebeslüge im Internet: Verliebt in einen Fake" about a more intensive case of fake online romances.

SSL pandemonium with lighttpd

3rd April 2013 | Comments

I've had a bit confusing errors with my lighttpd installation when using SSL certificates. Everything worked fine on most of the desktop browsers and iOS had no problem, too, but Android threw an error as well as some online SSL check tool.

I'm using free certificates from StartSSL, but these are supported on a lot of platforms, just really old or odd ones might be problematic. Even Android supports them since version 2.2. Also Server Name Indication (SNI), which is used to run multiple domains with different certificates on a single IP, is already supported in current Android versions. Additionally, other sites signed by StartSSL were just fine.

Debugging

If you have any issues with SSL, just start debugging using the openssl command:

openssl s_client -connect example.com:443

This will show you a lot of information about your SSL installation, including which certificates are transmitted and how the chain looks like. You could even check it against a specific set of root certificates with the -CApath switch.

The chain looked like this:

Certificate chain
 0 s:/C=DE/CN=www.example.com/emailAddress=mail@example.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

Everything is fine, so I suspected some compatibility issues between the used lighttpd version and some browsers, maybe using old versions of OpenSSL.

Debugging SNI

Just recently I stumbled upon extra checking the SNI usage. Turns out OpenSSL supports also that by using the -servername switch:

openssl s_client -connect example.com:443 -servername example.com

Now I finally got near the real issue, since the result is a non-existing chain. Only the server certificate itself got transferred, so I get a couple of errors:

verify error:num=20:unable to get local issuer certificate
...
verify error:num=27:certificate not trusted
...
verify error:num=21:unable to verify the first certificate

Modern browsers don't just store authorized root certificates of certificate authorities (CAs), but also often include intermediate certificates used by them. So they were still able to verify my certificate without problems. But for some clients like Android, this is rather problematic.

But what's wrong with my server?

Lighttpd configuration

The SSL part of the lighttpd configuration files was looking similar to this:

$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable"
        ssl.ca-file = "/etc/lighttpd/ssl/example.com/ca-certs.crt"
        ssl.pemfile = "/etc/lighttpd/ssl/example.com/ssl.crt"
        ssl.cipher-list = var.ssl-cl
}

$HTTP["host"] =~ "^(www\.)?example\.com$" {
        ssl.pemfile = "/etc/lighttpd/ssl/example/ssl.crt"
}

$HTTP["host"] =~ "^(www\.)?example\.net$" {
        ssl.pemfile = "/etc/lighttpd/ssl/example/ssl.crt"
}

Note that I'm using example.com and example.net as my two domains. If no hostname is specified, e.g. the client doesn't support SNI, then the certificate specified in the socket block is used. Otherwise ssl.pemfile is overwritten with the adequate path. But after further tests I found out that lighttpd is really a bit quirky in case of SSL settings.

Finally, the solution

The problem is, that it's really enormously important to specify all used SSL settings directly in a row, which means that you have to repeatedly specify all parameters for each block. Otherwise lighttpd tends to discard some options.

Here my complete current configuration pattern including IPv6 support:

# /usr/share/doc/lighttpd-doc/ssl.txt

var.ssl-cl = "AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH"

$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable"
        ssl.ca-file = "/etc/lighttpd/ssl/example.com/ca-certs.crt"
        ssl.pemfile = "/etc/lighttpd/ssl/example.com/ssl.crt"
        ssl.cipher-list = var.ssl-cl
}

$SERVER["socket"] == "[::]:443" {
        ssl.engine  = "enable"
        ssl.ca-file = "/etc/lighttpd/ssl/example.com/ca-certs.crt"
        ssl.pemfile = "/etc/lighttpd/ssl/example.com/ssl.crt"
        ssl.cipher-list = var.ssl-cl
}

$HTTP["host"] =~ "^(www\.)?example\.com$" {
        ssl.ca-file = "/etc/lighttpd/ssl/example.com/ca-certs.crt"
        ssl.pemfile = "/etc/lighttpd/ssl/example.com/ssl.crt"
        ssl.cipher-list = var.ssl-cl
}

$HTTP["host"] =~ "^(www\.)?example\.net$" {
        ssl.ca-file = "/etc/lighttpd/ssl/example.net/ca-certs.crt"
        ssl.pemfile = "/etc/lighttpd/ssl/example.net/ssl.crt"
        ssl.cipher-list = var.ssl-cl
}

Just working fine now. So if you have any problems with your SSL installation, make sure you also test SNI. Most tutorials and check tools completely ignored that.

Digital wood is paperwhite

31st December 2012 | Comments

Forty days after I've received my Amazon Kindle Paperwhite it's time to write something about it. Not just about the device, also about the digital book era itself.

I've never really used ebooks before. Of course there were PDFs of books on my computer. But I only used them to look up some specific pages or doing a full text search. Also I read a lot on the Internet, short and long, but this is obviously different.

The Kindle Paperwhite

Amazon's latest generation of the ebook readers now comes with touch support instead of buttons and also has a display light for reading int the dark as well for contrast in bright environments. The screen has a higher resolution and 6 inches (15 cm) in size.

The usability is good, the interface quite intuitive and very responsive. The touch input works well for me and, I think, even better than the buttons of previous generations. You could either perform a simple tap on the screen where everything is the next page besides from a small stripe on the left for backwards, the top for the Kindle menu and the status text on the bottom for changing that view. Or you could just use intuitive swipe gestures.

The size is okay, too. It isn't paper weight and even a bit more than the previous Kindle generations. Additionally I've ordered the official Paperwhite case which comes with a magnet mechanism for turning the screen on and off (so you don't have to use the only button, an on-off switch) and the case adds 160 gram to the 210 gram of the device. But still a soft cover book is heavier and the weight could be hold well in your hands.

Get content

Amazon is known as a great online store to look for books. And if an ebook version is available, it is likely listed there, too. Amazon, Apple and EPUB files with DRM (sold in various stores) are the usual ways the publishers deliver with.

Amazon uses its own AWZ format, but the Kindle also supports PDF, TXT and the more common MOBI/PRC (Mobipocket) as long as these files are unprotected. Other files like EPUB and LIT could be easily converted by the popular Calibre application which is Open Source and still in active development.

Files in the supported formats could be transferred using USB or the more convenient email service. The latter option also allows to use the Whispersync service which allows to keep the books on all reading devices (including desktop and mobile apps) in sync. This includes the current page position, bookmarks, notes and highlights.

Beware of pirating

It's a fact that all DRM systems used in this market are already broken. And therefore it's only limiting the users who, for example, can't read a DRM protected EPUB on their Kindle. At least there are Calibre plugins available who could remove DRM and free from such limitations.

The rest could be compared to music pirating. There are hundreds of websites, providing mainly EPUB, MOBI and the less usable PDF, and of course publishers try to take them down. The only difference is the file size. It is easier to bundle books into a big archive for sharing and there are also websites who provide the files on their own servers instead of using one-click hosting.

Missing: Wood upgrade option

And that's totally different from the introduction of MP3 players. An audio CD could be easily converted to digital formats. Even the other way around is possible. In fact the CD is still the easiest and often the only way to get a high quality, lossless codec using version. A book instead could not be converted in such a way. Sometimes you find bundle editions where you get the book and ebook, but you are always paying for the additional version. I only knew one publisher who provides ebook redeem codes within its science books.

The next step would be to get DRM-free ones like it's done in the music market for years now and I would even like to see cloud conversions like Apple iTunes Match offers.

Providing redeem codes or a service that asks you random text positions to claim a ebook version could be easily done. But the publishers fear illegal duplicates, something they not really had to deal with in case of the restrictions of physical books.

People might wonder why to repurchase a book they already own properly and thence just take the free pirated version.

Resume

All in all I'm quite happy with the new way to read books. It's easier to have your books with you, in situations where you wouldn't like to take multiple or even only one book with you. And the first time in my life I could do remarks without the fear to somehow demolish the clean book.

So I switched to Kirby

31st May 2012 | Comments

I've used Jekyll, or to be specific, the framework Octopress for this blog. It's quite simple: You write your article as a text file, then run a compiler who creates various HTML files for articles, archives list etc. and after that you can upload everything. Sounds nice, but I somehow disliked the process of recompiling the whole blog everytime you change something. And Jerkyll is written in Ruby which I'm currently not really aware off.

Then I heard of Kirby which is a smart file-based CMS and currently powers this site. Templates and the engine is written in PHP while blog articles (or pages) are text files again.

What's wrong with WordPress?

There is nothing wrong with WordPress, it's a great software with a lot of opportunities. It comes with a multi-user interface, has a lot of features and is running many big websites. In case the backend or template is missing a feature it could be easily added by installing a plugin. Thanks to the community various plugins are available and the WordPress architecture allows to hook a plugin into nearly every step of the website generation process.

But this is also the handicap of WordPress. It has too many features I don't need and it got quite complex. For me as a single user who knows how to build websites, it isn't needed to provide a media management system, a user administration and a big repository of more or less good plugins. For me a blogging system could be more simple. Just some part that generates the website by using the templates I wrote and one that manages the content. And that is exactly what Kirby provides.

So what are the features?

For me the main feature is its simplicity. Content is saved as files in a folder structure which also represents the structure of the website. Additionally there is a clear separation of content, engine and template. For example just replace the engine folder in case of an update.

Take a look at my folder structure:

Maybe you already thought about it: Thanks to this great file based content management you could easily add content by FTP, SFTP, git, Dropbox synchronization etc. Every text file has parameters like Tile, Date and Text which is formatted with an extended version of the great Markdown syntax.

Additionally templates and everything are written in PHP which runs on nearly every webspace you could find and also code could be easily adapted.

On the downside

The easy, well structured content management could also be a problem because it is limited to what it is intended for. Just an example: I like the way how WordPress blogs usually generate URLs: http://blog.example.com/2012/05/31/test/ But in Kirby folders could not be a number without text and also you would have to create extra folders for years, months and days. Pretty complex and messy.

I think you could hack some mod_rewrite code and modify the template to simulate these type of URLs while still using the current, flat structure. But this was never intended by Kirby and isn't the best solution.

A quite interesting topic are comments. Currently I'm using Disqus as external service to integrate comments into my blog. I think as soon as somebody reads my blog articles he should have an easy way to reply. And normally I would prefer to handle comments myself and save them with my content system, but Kirby itself has no concept for visitor input. Fortunately the developer of Kirby has just released the alpha version of a forum generated with Kirby and a comment system would be quite similar.

Also keep in mind that while Kirby is declared as Open Source, you must purchase a license to use it in production. But you can try for free and you will get really great support. For me, it was worth the money.

Kirby on lighttpd

It's quite easy to get Kirby running on a lighttpd server: Install PHP support and unzip the Kirby files to the document root of your domain. Then create this simple lighttpd configuration to port the .htaccess functionality to lighttpd for supporting pretty urls:

# /etc/lighttpd/conf-available/20-rewrite.conf

server.modules += ( "mod_rewrite" )

$HTTP["host"] == "example.com" {
    url.rewrite-once = (
        "^/content/(.*)\.txt$" => "/index.php",
        "^/(site|kirby)/(.*)$" => "/index.php"
    )

    url.rewrite-if-not-file = (
        "^/panel/(.*)$" => "/panel/index.php",
        "^/(.*)$" => "/index.php"
    )
}

This will block all direct file access of text files as well as files within the only internally used folders. Also all requests are directed to the index.php files of either the panel extension or the Kirby engine itself. If you use Kirby within a subfolder, just add the name to the beginning of each path (e.g. "^/subfolder/(.*)$" => "/subfolder/index.php").

Place the configuration in /etc/lighttpd/conf-available/20-rewrite.conf and activate it with sudo lighty-enable-mod rewrite && sudo service lighttpd reload. That's it.

Voilà

Now you can change settings, adapt the template and write documents like this one:

Title: So I switched to Kirby
-----
Date: 31.05.2012
-----
Text:

I've used [Jerkyll](http://jekyllrb.com/), or to be specific, the framework [...]

Yeah, that just was meta.

I'm alive

14th March 2012 | Comments

This blog will contain posts about topics that run into me while I’m lost in the Internet. Don’t expeced something focused or regularly updated. If you need tech news, use one of the common news sites. If you want a lot of links and latest releases of the Internet, use Twitter. See you soon.