Subresource integrity

A new feature in Google Chrome 45 is the ability to add meta data inline to <script> and <link rel=”stylesheet”> elements which will allow the browser to determine if the resource which has been downloaded is the same as the author intended.

This is done by adding integrity  metadata to the element inline such as:

<link rel=”stylesheet” href=”this_is_verified.css” integrity=”sha256-qvuZLpjL9TNV6yI1kNdGCPnSTrWM6Y0ILEzzyvA9hGY=”>

You would generate the base64 encoded version of the SHA256 hash with the following command:

cat this_is_verified.css| openssl dgst -sha256 -binary | openssl enc -base64 -A

If the hash doesn’t match the file and the integrity is compromised the browser will not load the resource.

This is currently in development for Firefox as well, though no news on Edge or Safari for implementation.

Using Smart DNS to access US Netflix

Whilst looking for a router I could set up as VPN gateway to the US to access the larger library of content they have available on Netflix, I landed upon OverPlay.net I signed up for a full VPN account, with access to Smart DNS.

Smart DNS allows you resolve the American Netflix, by only changing your DNS records. This is useful as most devices that allow you to use Netflix, which may not necessarily have full VPN support will allow you to change your DNS records. Allowing you to keep your full speed from your ISP, and not having to tunnel through a VPN for a service that doesn’t require encryption.

To Quote OverPlay:

By enabling the SmartDNS service on your OverPlay account (visit the My Account area of our website, and choose the Server Details tab) and then performing the incredibly simple configuration change, you’ll instantly enable access to websites currently blocked at your office, school, or location. With no software to install, it even works on connected devices – iPads, AppleTVs, roku or BoxeeBox… the list is endless! Furthermore, if you make the simple configuration change on your local router, you’ll even benefit from the SmartDNS service on your entire network.

Please note that this service differs from our standard offering in a few ways. Firstly, this isn’t a VPN! It doesn’t encrypt traffic, everything still goes via your ISP. Don’t use this service if you need the extra safety provided by the VPN! Second, unlike the VPN service, the supported websites are whitelisted – obscure sites may not yet be supported, and others simply may not be compatible. Don’t worry though, if SmartDNS doesn’t unblock, you can fall back to our standard VPN service!

Visit OverPlay to have a look at the Smart DNS service.

A guide to avoid online censorship & staying safe.

In the past few years you will have seen more and more news about items like SOPA & the Digital Economy Act which were attempts to curb your privacy and rights online by using piracy, child pornography and terrorism as guises to try and push these through.

Even without these recently in the UK the courts have decided that 5 major ISPs must block the piratebay, and thus ending all piracy.

However, these blocks can be circumvented easily and securely using VPNs. There are other guides online to using proxies, however they are not as safe as using a private VPN service.

A VPN allows you to tunnel all your traffic from your device to a server elsewhere using SSL allowing you to totally hide your traffic from your ISP, and making it appear to any sites or services that use that you are coming from the server, rather than your specific device (and it’s associated IP address).

Step 1 – Signing up for a VPN service

I would suggest using a service like http://yourprivatevpn.com, there are 3 packages you can choose from depending on your requirements.

  • Silver provides 2mb download speed, useful for streaming iplayer & general internet usage.
  • Gold provides 6mb download speed, useful for HD streaming and big downloads
  • Premium provides unlimited download speed (50mb), useful for those heavy downloaders among you.

Step 2 – Using the service

YourPrivateVPN comes with a tool for windows and guides for Mac & Linux on how to use the VPN, however the main features are servers in 6 countries (UK, Germany, Switzerland, Netherlands, America & Canada) which allow you to seem to be coming from these countries and helps further anonymise your browsing.

You should use the VPN when doing any browsing that you feel would be looked unfavourable upon by your ISP or the government. By using the VPN none of your traffic is seen by your ISP and therefore can’t be blocked, shape or monitored.

So by using a VPN on Virgin Internet you can visit thepiratebay.se or any other site the British Government and court system decides isn’t in its interest.

When this type of stuff happens in China or Libya it’s called oppression.

Ideas when to use a VPN:

  • When using free internet in places like Starbucks, McDonalds, Airports
  • When using paid for internet in hotels or abroad and are unaware of who is looking at your browsing habits.

Step 3 – Be safe, be private.

That’s it really.

 

Rainbow Tables

So Rainbow Tables, the how in ‘How did you crack my password of xuher7863sl in less than a minute?’

The basics of Rainbow Tables are built upon the way that passwords are stored in most cases on servers on on your local computer. Passwords are stored as hashes which are one way operations meaning there is no mathmatically way to turn the gibberish looking string of letters and numbers that is displayed into the original text.

There are many types of hashing functions, with varying complexity and security. The most prevalent hash used on web servers hosting forums, CMS and games use MD5. Without going into the complexities of the hashing function a simple string such as ‘password’ becomes: 5f4dcc3b5aa765d61d8327deb882cf99 .

However no matter how many times you turn ‘password’ into an MD5 hash you will always get the same result, so this provides us an opportunity to create a database of passwords and their corresponding hash. So if you have an unsalted hash then you can simply do a lookup in a Rainbow Table and go ‘what password has the hash of: 5f4dcc3b5aa765d61d8327deb882cf99 ? and you will get the answer: password.

So how do you get around this issue of if someone obtains your hashes and starts to look them up one by one using one of the many hash lookup services (such as GDataOnline) ? Well prevention is cheaper than a cure, and the prevention is too salt your hashes with other random characters by prefix the password with (for example) hsdfh788 and then turning that into an MD5. This instant renders every Rainbow Table useless as they have only been created to compare against original text not hsdfh788password.