Category Archives: Web

Eliminating Mixed Content Warnings with Amazon Associates

Once I enabled SSL/TLS for tidgubi.com for free, I realized that most Amazon.com content is served over plain HTTP, which caused Google Chrome to show mixed content warnings (an encrypted page that loads some of its elements unencrypted).

As I dug into the HTML, I found that the Amazon banner ads, widgets, and Payments button were the cause of the mixed content warnings.

Banner Ads and Widgets

All of the Amazon Associates banner ads and widgets can be loaded over HTTPS; however, the banners and any widget that displays product images load those images over HTTP. I couldn’t figure out a way to force the widget/JavaScript based ads to use HTTPS for images, but I did find a little trick to get the iframe based ads to use HTTPS. Simply add &internal=1 to the end of the URL in the iframe’s src attribute and remove http: from the beginning of the URL. A URL that starts with // (a protocol-relative URL) tells the browser to use the same scheme that was used to load the page, so these links automatically switch between HTTP and HTTPS. For example, my "Kindle Banner" is <iframe src="//rcm-na.amazon-adsystem.com/e/cm?t=tidgubi-20&o=1&p=48&l=ur1&category=kindlerotating&f=ifr&internal=1" width="728" height="90" scrolling="no" border="0" marginwidth="0" style="border:none;" frameborder="0"></iframe>. Note that a protocol-relative URL only removes the warning on the HTTPS version of the page; if the same page is also served over plain HTTP, the iframe is fetched unencrypted there. If the site is HTTPS-only, writing https:// explicitly is simpler and has the same effect.

Warning: internal=1 is what Amazon uses in its own example banners. It does not strip the associate ID from the links, but it might cause clicks on these banners not to be counted.

Donate/Pay Button

There are two easy fixes for the Donate/Pay button image.

The first option is to download the image and host it from your own web server. For me the donate image is now at www.tidgubi.com/wp-content/themes/tidgubi/img/golden_small_donate_withmsg_whitebg.gif.

The second option is to link to Amazon’s SSL image server: replace http://g-ecx.images-amazon.com with https://images-na.ssl-images-amazon.com. Since Amazon uses different host names for HTTP and HTTPS, there is no HTML trick (such as a protocol-relative URL) that switches how the image is loaded. If you always use HTTPS, the page will be marginally slower, since the browser has to establish a separate TLS connection to ssl-images-amazon.com. If a page dynamically generates this HTML, you can pick the image server based on the scheme used to load the main page.
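
Both fixes above can be checked and applied mechanically. The script below is an added example, not code from the original post: it lists the http:// sub-resources in a saved HTML page (the references that trigger a mixed content warning on an HTTPS page) and rewrites the two Amazon cases from the text, the g-ecx image host to its SSL host name and the rcm-na iframe URL to a protocol-relative URL with &internal=1 appended. The sample page is constructed for the example; the image path in it and the example.com URLs are made up and not real Amazon URLs. It needs only POSIX sh, grep and sed.

```shell
#!/bin/sh
# Added example, not from the original post: detect and rewrite mixed-content
# references in a saved HTML page. Requires only POSIX sh, grep, and sed.

# Print each http:// URL that a browser would fetch as a sub-resource of the
# page: src/href attributes of img, iframe, script and link elements. Plain
# <a href> links are navigations, not sub-resources, so they are not mixed
# content and are deliberately skipped.
find_mixed_content() {
  grep -oiE '<(img|iframe|script|link)[^>]*(src|href)="http://[^"]*"' "$1" \
    | grep -oiE 'http://[^"]*'
}

# Number of mixed-content URLs in the file (0 when the page is clean).
count_mixed_content() {
  find_mixed_content "$1" | wc -l | tr -d ' '
}

# Apply the two fixes from the post and write the result to stdout:
#  1. the Amazon image host has a separate HTTPS host name, so scheme and
#     host are replaced together;
#  2. the Associates iframe host serves both schemes, so its src becomes
#     protocol-relative (//host/...) and gets &internal=1 appended.
# Assumes the iframe URLs do not already carry internal=1.
fix_mixed_content() {
  sed -e 's#http://g-ecx\.images-amazon\.com#https://images-na.ssl-images-amazon.com#g' \
      -e 's#src="http://rcm-na\.amazon-adsystem\.com/e/cm?\([^"]*\)"#src="//rcm-na.amazon-adsystem.com/e/cm?\1\&internal=1"#g' \
      "$1"
}

# Constructed sample page (not a real page): one HTTP image, one HTTP iframe,
# one HTTPS script that is already fine, and one plain link that is not a
# sub-resource. The image path is made up for the example.
make_sample_page() {
  cat > "$1" <<'EOF'
<html><body>
<img src="http://g-ecx.images-amazon.com/images/donate.gif" alt="Donate">
<iframe src="http://rcm-na.amazon-adsystem.com/e/cm?t=tidgubi-20&o=1&p=48&l=ur1&category=kindlerotating&f=ifr" width="728" height="90"></iframe>
<script src="https://example.com/already-secure.js"></script>
<a href="http://example.com/plain-link">a navigation, not mixed content</a>
</body></html>
EOF
}

# Stand-alone run: build the sample, report, fix, report again.
demo_dir=$(mktemp -d)
make_sample_page "$demo_dir/page.html"
echo "before: $(count_mixed_content "$demo_dir/page.html") mixed-content URL(s)"
find_mixed_content "$demo_dir/page.html"
fix_mixed_content "$demo_dir/page.html" > "$demo_dir/fixed.html"
echo "after:  $(count_mixed_content "$demo_dir/fixed.html") mixed-content URL(s)"
rm -rf "$demo_dir"
```

Run it against a page saved from the browser (find_mixed_content page.html) to get the list of offending URLs before touching the theme; anything left after fix_mixed_content is a host that needs its own rule or a locally hosted copy, as with the donate button above.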

Free SSL on Dreamhost

Dreamhost supports SNI, which lets you enable SSL/TLS on their shared hosting offerings without a unique IP address. While I wanted to enable SSL/TLS on my site, I thought I would have to buy a certificate from one of the major root Certificate Authorities. I was happily surprised to find StartSSL.com, which offers free SSL certificates. StartSSL.com’s root is in the trust stores of macOS, Windows, and Mozilla products, so compatibility is not a major concern. StartSSL.com is located in Israel, so I feel more comfortable with this free offering than with, say, a Russian company. (Note added later: the major browsers have since removed StartCom/StartSSL from their trust stores, so new certificates from it are no longer accepted; the CSR and chain steps below apply unchanged to any CA that accepts a CSR.)

Generating a CSR

The first step is to generate a Certificate Signing Request (CSR). You need a computer with OpenSSL to follow these steps. All files below should be located in the same folder and all commands should be run from within this folder.

  1. DigiCert has a very nice CSR Creation Tool. Fill in the required fields, click ‘Generate’, and copy the generated command. StartSSL only supports RSA keys.
  2. (optional) Gather additional entropy.
    1. Go to a number of entropy-providing or password-generating sites and copy their output into text files in the folder where you will generate the CSR. The exact format of the text isn’t important, as OpenSSL just mixes the data into its entropy pool. For the examples later, I’ll assume you’ve named your file(s) entropy1.txt, entropy2.txt, etc. Caveat: anything downloaded from a website has been seen by that site (and by anyone on the path if it was fetched over HTTP), so it may only ever supplement, never replace, the operating system’s own random source; OpenSSL already seeds from that source (/dev/urandom or the Windows equivalent), which is why this step is optional.
    2. Some sites to gather entropy from are:
    3. Add -rand entropy1.txt:entropy2.txt:entropy3.txt to the command from Step 1.
  3. (optional) Use a stronger hash algorithm
    1. If you’re using RSA, add -sha256 to the command from Step 1. You can use -sha512; however, SHA-512 is not commonly used with certificates and might not be supported by all servers and clients. SHA-256 might not be supported by very old clients, but browsers no longer accept SHA-1 signed certificates, so -sha256 is the practical minimum today. At the time of writing, OpenSSL supported only SHA-1 with DSA and ECDSA certificates; current releases support SHA-2 with ECDSA as well.
  4. Run the command from Step 1 with any optional adjustments, for example:
    • openssl req -new -newkey rsa:2048 -nodes -out www_tidgubi_com.csr -keyout www_tidgubi_com.key -sha256 -rand entropy1.txt:entropy2.txt -subj "/C=US/ST=California/L=San Luis Obispo/O=Kenji Yoshino/CN=www.tidgubi.com"
  5. The .key and .csr files will be used later.
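
Steps 1 to 5 as one script, together with the checks worth running on the CSR before it is submitted to the CA. This is an added example, not the post’s own command: the file base name, the subject, the organisation and the host name www.example.com are placeholders. The -rand files are left out on purpose, since OpenSSL seeds its generator from the operating system’s random source, which is sufficient; everything else matches the post’s command. It requires the openssl CLI (1.0 or later).

```shell
#!/bin/sh
# Added example, not the post's own command: generate an RSA key and a
# SHA-256 signed CSR, then check the CSR before it goes to the CA.
# Requires the openssl CLI. File names and subject values are placeholders.

# $1 = base name for the output files, $2 = subject in /C=..../CN=... form.
# umask 077 keeps the private key readable only by its owner. -nodes writes
# the key unencrypted, which the web server needs in order to start without
# a passphrase; guard the file accordingly.
gen_key_and_csr() {
  ( umask 077 && openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$1.key" -out "$1.csr" -subj "$2" >/dev/null 2>&1 )
}

# Check 1: the CSR's self-signature is valid (a CA rejects it otherwise).
csr_verify() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Check 2: the CN in the CSR subject, to compare with the host name you meant
# to certify. Handles both OpenSSL's "/CN=x" and "CN = x" subject formats.
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Check 3: the signature algorithm actually used (expect sha256WithRSAEncryption).
csr_sigalg() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Signature Algorithm: *\([^ ]*\).*/\1/p' | head -1
}

# Check 4: the modulus size of the generated private key.
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -1
}

# Check 5: the public key embedded in the CSR is the one derived from the
# private key, i.e. the two files belong together.
key_matches_csr() {
  [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# Stand-alone run with placeholder values.
out=$(mktemp -d)
gen_key_and_csr "$out/www_example_com" "/C=US/ST=California/O=Example Org/CN=www.example.com"
csr_verify "$out/www_example_com.csr" && echo "CSR signature: OK"
echo "CN: $(csr_cn "$out/www_example_com.csr")"
echo "signature algorithm: $(csr_sigalg "$out/www_example_com.csr")"
echo "key size: $(key_bits "$out/www_example_com.key") bits"
key_matches_csr "$out/www_example_com.key" "$out/www_example_com.csr" && echo "key matches CSR"
rm -rf "$out"
```

The last check is the one that saves the most time in practice: a CSR generated on one machine and a key kept on another is the usual reason a freshly installed certificate is rejected by the web server or the hosting panel.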

Get your CSR Signed

Begin by registering with StartSSL.com. Make sure you do this from a private computer, because StartSSL.com will generate an identification certificate and install it in your browser. This certificate will be used to identify you on subsequent visits to StartSSL.com.

  1. Click ‘Validations Wizard’
  2. Select ‘Domain Name Validation’
  3. Enter your domain without any prefixes (e.g. www)
  4. You will need to specify an email address associated with your domain to verify domain ownership. Another verification code will be sent to this email address.
  5. Enter the verification code in StartSSL.
  6. Click ‘Certificates Wizard’
  7. Select ‘Web Server SSL/TLS Certificate’
  8. Skip having StartSSL generate a CSR for you.
  9. Copy and paste the entire CSR including the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines
  10. Select your domain and click ‘Next’
  11. Add the “www” subdomain (StartSSL requires at least one subdomain) and click ‘Continue’
  12. Copy the entire certificate text including the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines. Save the text to a .crt file.
  13. Download the intermediate CA file and optionally the root CA file.
  14. If you downloaded the root CA, combine the two files by running cat sub.class1.server.ca.pem ca.pem > chain.pem (intermediate first, then root). The chain gives browsers the intermediate certificate that links your certificate to a root they already trust. Most browsers do not need the root itself to be included, because it is already in their trust store, so it is up to you whether to append it; the intermediate, however, is required, since a client that has not cached it cannot build the chain without it.
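
Step 14 is worth checking rather than trusting, because a missing or mis-ordered intermediate is the usual cause of a certificate that works in one browser and fails in another. The script below is an added example, not part of the post: it builds a throw-away root and intermediate CA that stand in for StartSSL’s ca.pem and sub.class1.server.ca.pem, issues a leaf certificate for the placeholder host www.example.com, concatenates the chain exactly as in step 14, and then runs openssl verify three ways: with the intermediate supplied (what a correctly configured server gives a browser), without it (what a browser sees when the chain file is missing), and against chain.pem alone. It requires the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the original post. A toy root and intermediate CA
# stand in for StartSSL's ca.pem and sub.class1.server.ca.pem so the script
# runs offline; www.example.com is a placeholder. Requires the openssl CLI.

# Issue a certificate: $1 = CSR, $2 = issuer cert, $3 = issuer key,
# $4 = extension file, $5 = output. -CAcreateserial keeps a serial-number
# counter file next to the issuer certificate.
issue_cert() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 30 -sha256 -extfile "$4" -out "$5" >/dev/null 2>&1
}

# Build the hierarchy in directory $1: self-signed root, intermediate signed
# by the root (CA:TRUE, so it may issue), leaf signed by the intermediate.
make_toy_pki() {
  d="$1"
  for name in ca sub www; do
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$d/$name.key" \
      -out "$d/$name.csr" -subj "/CN=toy-$name" >/dev/null 2>&1
  done
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$d/www.ext"
  # Root: self-signed with its own key, CA extensions from ca.ext.
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 30 -sha256 \
    -extfile "$d/ca.ext" -out "$d/ca.pem" >/dev/null 2>&1
  # Intermediate, named the way StartSSL names its class 1 issuing CA.
  issue_cert "$d/sub.csr" "$d/ca.pem" "$d/ca.key" "$d/ca.ext" "$d/sub.class1.server.ca.pem"
  # Leaf: the certificate the web server will present.
  issue_cert "$d/www.csr" "$d/sub.class1.server.ca.pem" "$d/sub.key" "$d/www.ext" "$d/www.crt"
}

# Step 14 of the post: intermediate first, then root, in one PEM file.
build_chain() {
  cat "$1" "$2" > "$3"
}

# Verify leaf $2 against the trusted roots in $1, optionally with the
# untrusted intermediates in $3. This mirrors a browser: roots come from its
# own trust store, intermediates have to arrive from the server.
verify_leaf() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Stand-alone run.
d=$(mktemp -d)
make_toy_pki "$d"
build_chain "$d/sub.class1.server.ca.pem" "$d/ca.pem" "$d/chain.pem"
verify_leaf "$d/ca.pem" "$d/www.crt" "$d/sub.class1.server.ca.pem" \
  && echo "with intermediate: OK" || echo "with intermediate: FAIL"
verify_leaf "$d/ca.pem" "$d/www.crt" \
  && echo "without intermediate: OK (unexpected)" || echo "without intermediate: FAIL (expected)"
verify_leaf "$d/chain.pem" "$d/www.crt" \
  && echo "chain.pem alone: OK" || echo "chain.pem alone: FAIL"
rm -rf "$d"
```

With a real certificate the same check is openssl verify -CAfile ca.pem -untrusted sub.class1.server.ca.pem www_tidgubi_com.crt; if that passes but the browser still complains, the server is not sending the chain file it was given.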

Configure SSL on Dreamhost

  1. Log in to your panel at panel.dreamhost.com
  2. Click ‘Manage Domains’
  3. Click ‘Add’ or ‘Certificates’ in the Secure Hosting column. If adding, leave unique IP as none and click ‘Add Now’, and then ‘Edit’.
  4. Select ‘Manual Configuration’
    • Delete or replace the CSR text (it is just informational)
    • Copy the text of your certificate (not the CSR) including the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines
    • Copy your private key including the “-----BEGIN RSA PRIVATE KEY-----” and “-----END RSA PRIVATE KEY-----” lines (newer OpenSSL releases write the key in PKCS#8 form between “-----BEGIN PRIVATE KEY-----” and “-----END PRIVATE KEY-----” instead; both are the same key in valid PEM form, so paste whichever header your file has)
    • Copy the certificate chain, either the intermediate CA certificate or the intermediate and root CA certificate concatenated together.
    • Click ‘Save Changes Now!’
  5. It took about 4 minutes for changes on tidgubi.com to take effect.

Now your Dreamhost site supports SSL/TLS. Dreamhost only uses the TLS_RSA_WITH_RC4_128_SHA cipher suite with TLS 1.0 or SSL 3.0, so while it doesn’t provide great security (RC4 has known keystream biases and this suite offers no forward secrecy), it’s better than nothing. I’m now tunneling my administrative traffic through TLS and SSH. Following Securing Administration of Shared Hosting, I just changed 80:www.tidgubi.com:80 to 443:www.tidgubi.com:443 to specify the HTTPS port (443) instead of the standard HTTP port (80).

Yodlee Security

This review was performed on February 5, 2014 and is part of a series of comparisons of financial management sites.

Yodlee Labs has been around for a while. While it doesn’t have the slickest interface, it seems to be compatible with the most financial institutions.

moneycenter.yodlee.com uses an EV certificate with a 2048-bit RSA key.

moneycenter.yodlee.com receives an A- on the Qualys SSL Test run on February 11, 2014. They support TLS 1.2, but they also allow SSL 3.0 and prioritize RC4 cipher suites. They also allow two-key 3DES (112-bit effective key strength) to be negotiated.

Security Claims

  • Yodlee Labs – Security Policy
    • “Data and Password Encryption”
    • “Network Intrusion Detection Systems”
    • “Physical Security Measures”
    • “Rigorous Audits and Inspections”
    • “No Yodlee employees have access to your password.”
    • “The transmission of data is protected using industry recognized encryption standards, such as 128-bit.”
    • “Users’ passwords are transmitted and stored in encrypted format at all times.”
    • “Access to servers requires multiple levels of authentication, including biometric (hand print scan) procedures.”
    • “multiple layers of firewalls are used to guard against unauthorized access to the network.”

Analysis of claims

Yodlee has all of the right security claims. They discuss solid site security and even electronic shielding. The shielding is probably more than is necessary, but it’s nice as long as nothing was traded off to get it. They discuss firewalls and IDSs for logical network security. The claims of encrypting data in transit and encrypting stored bank passwords are good. That no Yodlee employees have access to your [Yodlee] password suggests that they hash your Yodlee password instead of encrypting it, so that someone who compromises the password database cannot simply decrypt it (a weak or unsalted hash can still be brute-forced, but the policy does not say which hash is used). They also discuss frequent security audits of their infrastructure.

The two things Yodlee does not mention are how the encryption key for your bank passwords is protected (those passwords have to remain decryptable, since Yodlee logs in to your bank on your behalf, so the key’s handling is what matters) and scanning of the Yodlee website for potential vulnerabilities.

Inconsistencies

I was able to identify one minor inconsistency.

  1. They claim 128-bit encryption; however, they support a cipher suite (two-key 3DES) with only a 112-bit key.

Conclusion

Since the “how” of encrypting passwords is more of a nice to have, and vulnerability scanning might be included in the security audits, I give Yodlee an A- for their security policy.

LearnVest Security

This review was performed on February 1, 2014 and is part of a series of comparisons of financial management sites.

LearnVest mixes financial services, free advice, and account aggregation.

www.learnvest.com uses an EV certificate with a 2048-bit RSA key.

www.learnvest.com receives a B on the Qualys SSL Test run on February 11, 2014. They do not support TLS 1.2, they allow SSL 3.0, and they prioritize RC4 cipher suites.

Security Claims

  • Safe & Secure
    • “128-bit secure socket layer technology (SSL) and SHA-256 encryption”
    • “secured by VeriSign, scanned daily by McAfee SECURE”
    • “LearnVest’s data is guarded 24/7”
    • “We use biometric checkpoints, multiple keylock entry and constant video surveillance.”
    • “Your money can’t go anywhere.”
    • “LearnVest will never sell your username, password or any identifiable information about you to anyone.”
    • “LearnVest’s privacy policy has been vetted and approved by TRUSTe”
  • Security & Legal
    • None.

Analysis of claims

LearnVest’s security claims are pretty good. Their site physical security sounds great. The SSL/TLS claims sound good, as does being VeriSign secured and scanned daily by McAfee. While secondary to security, their privacy policy sounds good and is vetted by TRUSTe. LearnVest also mentions that its user interface does not allow users to transfer money.

The three things that LearnVest does not discuss are protection of bank passwords, an Intrusion Detection System (IDS), and scanning/analysis for site exploits (e.g. SQL injection).

Inconsistencies

Even with these very limited security claims, I was still able to identify one inconsistency:

  1. “SHA-256 encryption” – SHA-256 is a hash function, not an encryption algorithm, and in any case none of the cipher suites supported by LearnVest use SHA-256; some enabled cipher suites use MD5.

Conclusion

Without any mention of protecting bank passwords, using an IDS, or testing for security vulnerabilities, I can only give LearnVest a C for their security policy.

Google Chrome Print Selected

I accidentally stumbled upon this hint because Marriott’s site as of January 2014 does not print nicely: the menus expand in its print CSS, so the real content shows up after a page-long list.

Anyway, Google Chrome has a built-in “Print Selected” function, but the option only appears when you have text selected. Just select the portion of the page you want to print, click the “Menu” icon (3 horizontal lines), and select “Print…”. Near the bottom of the Chrome print dialog, a new checkbox appears labeled “Selection only”. Check this option, and Chrome will update the preview.