Month: July 2014

July 26, 2014

Pentadactyl – My secret firefox superpower

I always hated having to move my hands off keyboard to get things done. I love key bindings. After having tried many extensions, I stumbled upon vimperator. It was simply awesome, all I wanted and some more. Unfortunately, it was a bit buggy and I had to abandon it. I missed it for long, until recently, I stumbled upon its fork, pentadactyl, almost by accident.

Pentadactyl uses vim key bindings in firefox, gets GUI rid of all clutter, gives me an extremely powerful scripting interface, and works without a glitch. Everything is customizable, as it should be. I was a fan of vim since long. The composable commands, scripting interface, and a vast collection of plugins made it my favorite editor. I am obsessed with vim. I emulate it everywhere I can. tmux for terminal session management, vimpc for music, and pentadactyl in firefox, vi emulation in eclipse, the list goes on.

For those of my friends who marveled at my firefox use, navigating everywhere with lightning speed, using a command line interface or succinct key bindings for all operations, for those of you obsessed with the simplicity and power of vim, here’s my secret superpower. Pentadactyl. If you are a regular vim user, it should take you just a few minutes to get the ball rolling, you can thank me later.

I’ve started building my .pentadactylrc file very recently. Any tips are most welcome.

On a semi related side note, if you do any serious programming, you need to learn how to use a decent editor. I prefer vim, but emacs is perfectly fine too. If you are thinking of notepad, get away from me before I hit you hard.

July 13, 2014

Blame the browser, not OCSP

Let us talk about OCSP. If you do a little background reading, you’ll discover that almost all implementations do a soft-fail by default, and soft-fail is worse than not having OCSP at all, since it gives a sense of false security. Adam Langley from google discusses the absurdity of soft-fail in this blog post nicely. However, I refuse to accept his claim that CRLset is a good idea and that chrome does it better. Firefox allows me to enable OCSP hard-fail, something that I can not do in Chrome, and hence I abandoned chrome.

What if the browser enabled OCSP by default, and in case of a failure, prompts the user with a warning that says something like “I am not absolutely sure that the connection can be trusted.”, provides a link “More Details” that shows the technical details, and allows the user to choose if he/she wants to proceed. Or highlight the address bar in yellow or something for failed OCSP. Or show a unobtrusive notification .

OCSP is not the magic bullet, agreed. It is a convoluted solution to the revocation problem that demands compromise in one way or other. But if browsers had adopted it in better ways instead of defaulting to soft-fail, the web would have been a much secure place. And I believe compromising a lot of security for little convenience is a bad gamble.

People talk of single point of failure if OCSP hard-fail is enabled, that OCSP servers would be overloaded, and stuff. A compromise between soft-fail and hard-fail as default should work, and I’m sure we can come up with solutions to mitigate the SPOF if enough thought is given to it.

On a related note, I hope OCSP stapling gets more widely adopted. It solves many issues with current implementations, avoids the absurdities of soft-fail and SPOF concerns of hard-fail. Coupling it with a warning notification of the sort discussed above in major browsers will increase its adoption rates.

This post was triggered by a OCSP hard-fail notification for bugs.launchpad.net few minutes ago. I get a OCSP failure very very rarely. I suggest you switch to firefox and enable it for better security. To enable OCSP hard-fail on Firefox, go to Preferences > Advanced > Certificates > Validation and tick both the options.

Related articles:

July 9, 2014 Aside

My first adventure with phusion passenger

I spent more than a day stuck with using phusion passenger for a production deployment of an app I made for a client. This is a short note to remind myself of it in future and to help anyone stuck with the same.

The symptoms were pretty bad. Phusion passenger “simply did not work” with nginx. The standalone mode works like a charm, but nginx integration mode gives me directory listings, serves files in public, but does not start the app at all. Nothing in nginx logs to help. The server config is perfectly fine, checked it a hundred times, and tried a bazillion variations.

The problem: A missing passenger_root directive in http block of nginx.conf. I haven’t found anywhere that it is necessary, and given that I used phusion passenger’s repository to install nginx and passenger, I expected the setup to work out of the box.

If your passenger-deployed app doesn’t seem to start at all, just check if your http block has the passenger_root directive. In my case, it had to be set to /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini.  It might be different in your case, just do a locate phusion_passenger/locations.ini to get the appropriate path.

After two days of scratching my head, reading through nginx and passenger docs a dozen times, just added it on a whim and it now works! I can now sleep in peace.

Also, look at passenger_nodejs if you use nvm. You don’t need system-wide node if your passenger_nodejs points to the proper node binary.

This post also highlighted the need for better config If I intend to blog about code. Not being able to visually distinguish code-snippets and inlined commands is a big bummer.