rjmailer in the real world
One of my little pet projects is the rjmailer java email sending library. It does one specific thing, sending email, but does it with a twist: it actually tells you a lot about how the delivery went compared to other email sending solutions.
This is useful for example when you are about to sign up to an online service that requires your email to be validated by sending an email message with a link for you to click to activate your account. If you spell your email address incorrectly the registration will fail, but you will not typically get any feedback that the email delivery failed.
With rjmailer it is possible to build an online service that tells the users if an email delivery failed right away in the web form that was used to register. Having this information can help the user to correct a spelling error or remove messages from a full inbox.
I released the initial public version of this piece of software back in april, but I haven't really had any time to start using it at work until now. This past week I spent a few hours modifying one of our projects, http://biblesearch.org, to use rjmailer when sending out account activation links and report back to the user if there was an issue sending out the mail. Feel free to try it out if you want, registering is free. Just fill out the form at the new user registration page.
While adding this feature I found a few small issues in rjmailer, so there is a new version available for download
Filed under rjmailer | Comment (0)My DNSSEC validator
As readers of this blog might have noticed I started to experiment with DNSSEC a few months ago. DNSSEC is basically a way of adding cryptographic keys and signatures to your DNS data that gives resolvers the ability to cryptographically verify the correctness of your DNS records using a series of cryptographic operations.
DNSSEC protects the DNS system against a certain group of security problems such as the kaminskybug, where an attacker tricks a DNS server to return the wrong data to end users. If an attack against the DNS system is successful that means serious trouble, since we depend on it to work reliably in a vast number of online activities. An attacker that controls the DNS system can trick people to for example supply their account information to their online bank and use that to steal money. Whenever there is the potential for large scale fraud you can pretty much be sure that someone will try to break it, and that is why DNSSEC is important.
So, we need DNSSEC. What's stopping us from using it? A few things, but the most important obstacle in my opinion is that it is a complex set of standards and that it is difficult to understand. There are some presentations and HOWTO documents online that attempts to explain and help people get started, but the learning curve is steep. One thing that I ran into when experimenting with my own zones was that somehow I managed to corrupt the signatures of one zone and I couldn't easily pinpoint what the problem was.
When confronted with this I got the idea to build an online service that tries to answer a simple question. What data was used and what cryptographic operations was performed to actually verify one specific DNS record? The answer to that question can be thought of as a chain of operations and records where one link connects to the other from all the way from the record being verified down to the DLV root key.
I decided to write the service in Python and it was one of the most fun programming projects that I have worked on in years. In a way it was basic research but with a clear application and an end result that I think could be a useful contribution. I even wrote my own RSA signature verification functionality, with a lots of help from Python's excellent large integer support.
The service can be found at http://dnssec.resare.com Feel free to give it a spin. There are no doubt bugs and errors that will be fixed and other modifications that will be made, but the basic functionality is in place.
Thanks to Alex for the beautiful HTML design, to the python dns library dnspython that I use extensively and the airspeed templating library.
Filed under Cryptography, Programming, System administration | Comments (2)sha1sum rewritten in python using openssl
I like how I can use the sha1sum tool on my Linux boxes to create a file with checksums of a collection of files and then use the tool again to verify the files against the checksums.
I've been missing that functionality on my Mac, so I wrote a small wrapper to the openssl command that provide the same basic functionality using Python. Python is really handy when it comes to writing small scripts like that does some string handling and calls other programs and since the basic checksumming functionality already is available in the openssl package it simple, short and neat.
As usual, feel free to use this any way you want.
#!/usr/bin/python import subprocess import sys def checksum_file(filename): sp = subprocess.Popen(["/usr/bin/openssl", "sha1", filename], stdout=subprocess.PIPE) retval = sp.communicate()[0] return retval[retval.find("= ") + 2:-1] def verify(checksumfile): f = open(checksumfile, "r") for line in f: line = line[:-1] (sha1, fn) = line.split(" ") calc = checksum_file(fn) if calc != sha1: print "%s: FAILED" % fn sys.exit(1) else: print "%s: OK" % fn def usage(): print "Usage: sha1sum [-c CHECKSUM_FILE] [FILE]..." sys.exit(1) if __name__ == '__main__': if len(sys.argv) == 1: usage() if sys.argv[1] == '-c': if len(sys.argv) != 3: usage() verify(sys.argv[2]) else: for f in sys.argv[1:]: print "%s %s" % (checksum_file(f), f)Filed under Programming, System administration, Uncategorized | Comment (0)
Video problems on svt.se or svd.se? Blame qbrick.com
The Swedish public broadcasting corporation offers lots of content online on SVTPlay. Unfortunately have not worked for a while for me, and today I decided to track down the problems. It turns out to be a rather non-obvious interaction between a new feature in my resolving name server and the nameservers of the streaming provider Qbrick not following the DNS Specification.
Unlike most of the internet i use Unbound instead of bind as my nameserver. It offers great DNSSEC support as well as a well maintained code base. One recent feature is the use of mixed case labels when sending queries to other nameservers, as outlined in the DNS0x20 document. This is one countermeasure to the DNS Spoofing attacks that is an increasing problem on the internet these days, and it depends on the fact that name servers should treat queries that only differs in the case as if they were equals. In other words, mobizoft.qbrick.com and MobiZoft.Qbrick.com should be treated as the same.
The exact wording of the specification can be found in RFC1035 section 2.3.1:
Note that while upper and lower case letters are allowed in domain names, no significance is attached to the case. That is, two names with the same spelling but different case are to be treated as if identical.
Unfortunately, Qbrick's nameservers fail to implement this specification, and mixed case questions gets answered with the NXDOMAIN reply code, which means that there is no data for the given domain name. I hope that Qbrick will get their act together and fix this soon, but in the meantime it can be a good idea to use the use-caps-for-id: no directive if you are using unbound.
In summary it is a bit annoying that errors like these are so hard to find and correct. Most video displaying flash plugins will not report a meaningful error, and the fact that SVT uses an external provider for their streaming video solution puts the problem even further away from the end user.
Update 091104: I have now gotten in contact with Qbrick. They recognize the problem but state that they have an ongoing project to replace the DNS solution and they will not address this issue until the new solution is in place.
Filed under System administration | Comments (5)