Tag Archives: security

Jasypt++

Once again, jasypt (“Java Simplified Encryption”) makes me smile.
Java comes with a comprehensive set of encryption utilities: JCE. I had to do some decryption the other day and ended up with this code.

public class Decryptor {
private static final String ALGORITHM = "PBEWithMD5AndDES";
 
private final Base64 base64 = [...]

Postfix 2.5.1 TLS on FreeBSD

This is one of those things that I have to put up there in case anybody else has the same obscure setup that I do…
I run Postfix on FreeBSD, using the ports system. This means I have a tendency to just use portupgrade to upgrade to the latest version of anything I happen to [...]

Jasypt

One more little library that I’ve come to love: jasypt. It’s a simplified veneer over the top of the gargantuan Java security apparatus. All I wanted to do was encrypt a String before putting it in a Cookie.

BasicTextEncryptor encryptor = new BasicTextEncryptor();
encryptor.setPassword(key);
String cipherText = encryptor.encrypt(clearText);

It nicely base64 [...]

Cross Site Scripting

I’ve just been listening to Security Now about Cross-Site Scripting. It makes my blood boil. No, not all the ads and endless, aimless waffling. The talk about Cross-Site Scripting (aka XSS) being a problem because code and data can be intermingled in the page.
No, it’s not.
XSS is a problem because we have [...]

mod_security now switched off

Last night, I spent a long while trying to get mod_security working on this web server. Installation was simple, thanks to the FreeBSD ports system. Configuration was another matter entirely.
Not having much experience of web application firewalls, I opted for the ModSecurity Core Rules to give me a head start. These are [...]

System Keychain

This morning I was trying to add a new machine to my wireless network. Unfortunately, I’d forgotten the password… To the Keychain Access batcave!
Unfortunately, the “Airport network password” is stored in the system keychain, instead of my login keychain. Whilst I can unlock the system keychain, when I ask it to show [...]

Rails Security Hole

Working round the Rails showstopper.

(pdcawley)++
(svk)++

I now have the fixed version of typo (soon to be 4.0.2), around an hour after it was committed.
As to the whole “full disclosure” thing by the rails team? They handled it pretty badly. As somebody else commented, it didn’t work for OpenBSD a while back and if anybody [...]

Rails gets sane

Some time ago, I wrote about The Wrong Defaults, explaining how nearly all templating systems for the web default to “insecure”.
Well, it looks like some rails people are paying attention: Auto sanitized templates with Erubis

The Wrong Defaults

Aristotle points out a post from Anne van Kesteren about draconian error handling. FWIW, I agree with Aristotle. But both of them are really missing the point.
The simple fact of the matter is that the defaults in all of our tools are wrong. Yup, you heard right.
When you’re working with some server-side [...]