Adobe Flash updater on Mac OS X – or how not to implement updaters

Posted on January 18, 2012 by David van Enckevort

Since Apple stopped distributing Adobe Flash with Mac OS X there was a need for a new way to notify the user about new updates to Flash. There are several ways Adobe could have implemented this, but the way they chose to do it is probably the worst option.

The Flash Updater popup can be presented when you visit any webpage containing Flash content.

So what’s so wrong about it?

In my opinion, a lot.

  • If you go to any page that has Flash embedded it might trigger the update notification.
  • The update screen will not tell you which version you have installed, or which version will be installed.
  • It is very disruptive to your workflow.

So why is this all so bad?

First of all the fact that it can pop up at any webpage is setting users up to become victim of a “pop-up download”. A malicious website could easily create a pop-up that looks like the Adobe update notification and trick you into downloading and installing malware. The fact that there were a large number of reports of malware posing as an Adobe Flash update in 2011 seems to confirm this fear.

Not knowing which update you install is problematic, because it will it make hard for you to verify that the update was installed correctly. Finally the disruption to your workflow, because you need to close all your browsers to make the update, will mean that people are very likely to skip the update if they are in the middle of something serious.

How could it be improved?

In my opinion the update check should be decoupled from your browser usage. Probably the best solution would be if Apple would get its act together with the App Store and provide clear and prompt update checks (preferably on a configurable interval). However the chance is very small, since Apple doesn’t even allow a browser plugin in the App Store and Apple’s process to approve updates is at times not very transparent and slow.

What you can do

First of all, install a browser extension like Plugin Customs or Click To Plugin, so you know when there is flash content and therefor having more insight in when Flash is used. A plugin like NoScript or JavaScript Blocker can also help to limit the chances to be victim of a pop-up download. Second instead of trusting the Adobe Flash update notification you could use a tool like MacUpdate to regularly check for updates and install them.

Posted in Mac, Software | Leave a comment

Create a DNS redirector with Apache RewriteMaps

Posted on January 17, 2012 by David van Enckevort

Ever wanted to make a clean URL like http://site.example.com/ refer to a specific page op your web server (e.g. http://www.example.com/blog/site/)? Many hosting providers offer you this option with a redirector service, but it is also easy to create your own redirector.

Requirements

To create a redirector you need to meet a couple of requirements:

  • Full access to your Apache httpd configuration;
  • The ability to create new DNS records;
  • In this tutorial it is assumed that name based virtual hosts is already configured and working in Apache.

How it works

An DNS redirector works in two steps. First, when the web browser visits the website it will end up at the redirector site, which will then instruct it to fetch the webpage in the correct location. To make this work the redirector keeps a record of which URL belongs to which hostname.

Configuration

DNS

In the DNS we need to create new records for each of the hostnames we want to use with our redirector. The DNS record will refer to the IP Address of our redirector, either directly through an A record or through a CNAME record that points to the hostname of our redirector. If we assume the redirector resides at redirector.example.com your DNS record  for site.example.com could look like this:

site    CNAME    redirector.example.com.

If all your hostnames belong to the same domain you could also create a wildcard DNS entry. Your DNS record would then look like this:

*    CNAME    redirector.example.com

Apache

Now that we have configured DNS we need to make the redirector work. This requires us to create two new configuration files. First of all we need a new virtual host configuration for the redirector, and next to that we need a file that describes the mappings between the hostnames and the URLs they should resolve to.

Since this mapping file is referred to in the virtual host configuration we will start with the mapping file. There are different options for the mapping file, but in its easiest form it could be a plain text file with the hostname and the URL on a line separated by a space, like this:

site.example.com http://www.example.com/blog/site

When you have more than one redirection, each one goes on its own line.

So with the mapping file there we now have a look at the virtual host configuration.

<VirtualHost *:80>
    ServerName redirector.example.com
    ServerAlias *.example.com
    DocumentRoot /var/www/vhosts/redirector.example.com

    RewriteEngine On
    RewriteMap redirector txt:/etc/apache2/redirector-map.txt
    RewriteRule ^/ ${redirector:%{HTTP_HOST}|http://www.example.com}/}? [R,L]

</VirtualHost>

The virtual host configuration is mostly quite standard. The important lines are the following:

ServerAlias *.example.com
Allow Apache to serve any hostname within the example.com domain with this virtual host configuration
RewriteEngine On
Enables the RewriteEngine
RewriteMap redirector txt:/etc/apache2/redirector-map.txt
Tell that we use the file /etc/apache2/redirector-map.txt as a plain text mapping file, and refer to it by the name “redirector”.
RewriteRule ^/ ${redirector:%{HTTP_HOST}|http://www.example.com/}? [R,L]
Probably the most complex line, so we’ll take it apart below:
RewriteRule ^/
Rewrite any request that matches the pattern ^/. The pattern is a regular expression, and will match any request starting with a /, so this rule will match all requests.
${redirector:%{HTTP_HOST}|http://www.example.com/}?
Instruct Apache to use the map named redirector and use the hostname passed by the browser as the lookup key (%{HTTP_HOST}). If no match is found in the map the URL behind the | will be used instead. The question mark at the end removes any parameters on the URL.
[R,L]
Options for the RewriteRule: R instructs the rewrite engine to construct a redirection response and L instructs it that no further rewrite rules should be evaluated.

Testing

If you are ready you can quickly test your configuration, even before the DNS updates are available with the curl command line utility. The following command will show the Location header as returned by the redirector for the given hostname (after Host:).

curl --silent -H "Host: site.example.com" --head redirector.example.com | egrep '^Location'

Concluding remarks

In this example we created a very simple redirector. There is room for a lot of improvements. An obvious improvement would be to offer an administrative interface. This could be done by changing the redirector to a script that reads the records from a database and a small admin site that allows you to add or remove records from this database. However if you only serve a few dozen redirects and they don’t change often this is probably overkill.

With the same technique we can not only create a redirector that is based on the hostname, but just as easy we can create one that uses the path as the key for the mapping file. In essence this is the same as URL shortening services like tinyurl.com offer.

Posted in Apache, Linux, Software | Tagged , , , , , | 2 Comments

Certificate validation mess on Mac OS X

Posted on September 4, 2011 by David van Enckevort

The recent events at Diginotar turned my attention again to the way Apple handles certificates in MacOS X. Apple makes use of certificates not only in the browser for the standard SSL/TLS support, but it is also an integral part of the security system of Mac OS X. Both the App store and the application firewall make use of certificates:

  • All applications in the App store must be signed by the developer.
  • The application firewall whitelists uses the certificate of an application to maintain the whitelist over different releases of the software.
  • The application firewall whitelists Apple’s software based on the signature with the Apple certificate.

So far, things look good. However, when I tested what happens with the websites that use a diginotar PKIOverheid certificate I noticed that they were still accepted even though the Dutch Government revoked the intermediate certificate and updated OCSP to reflect that.

A quick look at the keychain preferences showed me that OCSP (Online Certificate Status Protocol) and CRL (Certificate Revocation List) were both disabled.  I changed both settings to ‘Required when certificate indicate’ and Safari started to behave like I expected. (I know there is a different solution as outlined here, but I don’t want to keep track of things the computer can keep track of for me)

So, everything is fine? Not really! With this setting I noticed something annoying. The App store didn’t work anymore and was dreadfully slow.

It looks like Apple is doing loads of CRL and OCSP requests during startup of the application and some more when trying to install or update an application. However, by playing around with the keychain settings I found out that the CRL requests fail and therefor the installation is (correctly) denied. I don’t mind that, but there are a couple of things that do bother me.

  1. Why does it make the App store dreadfully slow? The certificates only have to be validated upon installation, a secured connection to the App Store should be sufficient protection for the catalogue.
  2. Why do I get such a cryptic error message?
  3. But above all, how it is possible that the App Store contains packages that fail to install if CRL validation is set to “Required when certificate indicate”.

To have a reliable system we should be able to trust that it is correctly configured. The default configuration on Mac OS X is a mess. An important function, CRL and OCSP online validation of certificates is disabled by default. When we enable it an integral part of the Mac OS X ecosystem fails, because of an apparent incorrect configuration of the developer certificates used to sign software in the App store.

Posted in Mac, Software | Tagged , , , , | Leave a comment

Java source and documentation on Mac OS X Lion

Posted on August 2, 2011 by David van Enckevort

If you develop in Java on Mac OS X you might have noticed that the JavaDoc documentation and sources from the JDK are missing. Luckily it is very easy to solve.

  1. Download the latest Developer Package from the Apple Developer Downloads Website. (Currently called “Java for Mac OS X 10.7 Developer Package”) and install it.
  2. Add the following jar files to the search path for your JavaDoc (adjust the version in the path if necessary):
    • /Library/Java/JavaVirtualMachines/1.6.0_26-b03-383.jdk/Contents/Home/appledocs.jar
    • /Library/Java/JavaVirtualMachines/1.6.0_26-b03-383.jdk/Contents/Home/docs.jar
  3. Add the following jar file to the search path for your class sources (adjust the version in the path if necessary):
    • /Library/Java/JavaVirtualMachines/1.6.0_26-b03-383.jdk/Contents/Home/src.jar

In NetBeans you can find these settings in Tools» Java Platforms. You can remove the URLs to the Oracle website.

Posted in Java, Mac, Software | Tagged | Leave a comment

Configuring SpamAssassin on Debian

Posted on June 13, 2011 by David van Enckevort

SpamAssassin is probably the de-facto standard anti-spam solution. If you run a mail server on Debian it is easy to install.

In this guide I will assume you have configured postfix as your mailserver. I also assume that you want to configure a global SpamAssassin instance running as a separate user.

Installation

To install SpamAssassin you need to install the following packages:

apt-get install pyzor razor spamassassin spamc

The packages pyzor and razor are optional, but they offer very valuable additional checks.

Configuring SpamAssassin

For security reasons we want SpamAssassin to run as a separate user. For this reason we create a new user called spamd:

useradd -r -m -d /var/lib/spamd -c ‘SpamAssassin Daemon’ spamd

Then as this user we need to initialize the pyzor and razor clients:

su - spamd
razor-admin -create
razor-admin -register
pyzor discover

This will create the /var/lib/spamd/.razor and /var/lib/spamd/.pyzor directories with the configuration for these plugins.

Now we still need to configure SpamAssassin itself. There is a nice tool on the web to create a suitable configuration file for you. Make sure you take note of the remarks on the items you need to enable and save the configuration as /etc/spamassassin/local.cf.

The SpamAssassin daemon needs to be configured and enabled by editing /etc/default/spamassassin. Change the OPTIONS line and add -u spamd so it reads as follows:

OPTIONS="--username=spamd --allow-tell --create-prefs --max-children 5 --helper-home-dir"

The option –username=spamd tells the daemon to run as the user spamd, while –allow-tell allows learning through the spamc client. To enable the daemon don’t forget to set ENABLED=1 in /etc/default/spamassassin

Configuring Postfix

Postfix needs to be configured to route the e-mail to spamd, this is done by editing the /etc/postfix/master.cf file and create a new interface.

spamassassin unix -     n       n       -       -       pipe
        user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Also the smtp interface must be changed to use spamassassin as a content filter by changing the following line in /etc/postfix/master.cf:

smtp      inet  n       -       -       -       -       smtpd
 -o content_filter=spamassassin

Since postfix will pass on the recipient to spamc, we need to tell postfix to deliver the e-mail to each user separately. To do this add the following line to /etc/postfix/main.cf

spamassassin_destination_recipient_limit = 1

After you finished these changes you should start the SpamAssassin daemon and reload postfix to activate the changes:

/etc/init.d/spamassassin start
/etc/init.d/postfix reload

And the test your configuration by sending some e-mail. To verify you should send at least a clean mail and a test spam e-mail. To create a test spam e-mail you can create a mail with the following line somewhere in the body:

  XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
Posted in Debian, Linux, Software | Tagged | Leave a comment