Tag Archive for 'httpd'

What’s Wrong With OpenDNS?

Published
by
Tyler
on July 10, 2006
in Internet, OpenDNS and Personal
. Comments Tags: , , , , , , , , , , , , .

OpenDNS is surely going to prove to be a useful tool for those not intimately familiar with the internet. OpenDNS, provides some unique functionality compared with other DNS servers in that it detects typos and prevents phishing. For example, say you type http://www.longren.og into your browser. That URL obviously doesn’t exist, notice the .og at the end? OpenDNS will recognize the typo and will redirect the user to http://www.longren.org.

Smart huh? Yes, but it could have it’s drawbacks. This post highlights what could be a potential security risk in OpenDNS. It has to deal with intrusion detection systems (IDS) not realizing which URL is actually being requested. That post uses the mod_speling apache httpd module as an example.

If I send a request for indexh.tml, mod_speling detects the mistake and will serve back index.html. The problem is any security products like an IDS/IPS won’t have this intelligence to try and “fix” the request before they analyze it. The IDS/IPS simply sees and logs a request for indexh.tml Modspelling, like this feature in OpenDNS, allows an attacker to side step the attack signatures on a IDS/IPS to exploit a site because the web server will “fix” the attack once it reaches its target.


I disagree with the logic behind the authors claims. Why? Simply because I have a feeling OpenDNS was built with that taken into consideration. I’m betting there’s some sort of database internally that lets every piece of the network know exactly what is being served when a typo is detected. Everything from the IDS boxes to the DNS servers themselves. Maybe I totally missed the point of what that post was trying to get across.

Another thing OpenDNS should work on ASAP is transparency. I’d really like to know the false positive rate on phishing sites. How many legitimate sites get flagged as a phishing site? A publicly available reporting system would also be nice. Something to show DNS changes in particular would be nice for helping to maintain the integrity of the database.

But, I’m sure these questions will be answered in the near future, after all, today is the company’s first day with exposure to the “public”. There’s already mention of a new feature on the most recent post at the OpenDNS blog.

One important feature which is not yet available, but will be soon, is self-service control over the DNS settings. Ryan’s article, understandably, doesn’t mention this capability, since it’s not yet live.

The point? We’re going to put more control in your hands, so if you want to turn off features like typo correction or phishing prevention, you’ll be able to. Account management is the top priority now, to help demonstrate the power of control over your DNS. We think transparency and control will show you (not just tell) that we’re making the right choices.

Ryan’s article is of course the article that was in Wired this morning. See, they’re already taking steps to provide more transparency, hopefully it will continue.

Harper Reed is also a bit skiddish with OpenDNS still, like me. I think OpenDNS has great intentions though, so I’m not too worried. Founder of OpenDNS, David Ulevitch, already has a pretty outstanding reputation in the internet community, probably due mostly to the success of EveryDNS. OpenDNS is out to do good on the internet, just like EveryDNS. That doesn’t mean they can’t do harm, as we saw with Blue Security.

I’m pretty sold on OpenDNS overall. I put their DNS servers in my DHCP server config tonight after I got home from work. And the Nevada office as well as a couple servers in Ankeny are using OpenDNS now too.

Popularity: 5% [?]

Apache httpd 2.2.0

Published
by
Tyler
on December 2, 2005
in Internet, Linux, Open Source and Personal
. Comments Tags: , , , , , , , , , , .

The Apache httpd server version 2.2.0 has been released. You can see the official announcement in the mailing list archives.

The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.2.0 of the Apache HTTP Server (”Apache”).

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.0 is available for download from:
http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html


The upgrade went very well for me. I was already running 2.0.55 though. The only thing I had to do was recompile PHP, which wasn’t a problem. I haven’t noticed any problems at all so far, as expected.

Popularity: 3% [?]

Apache 2.0.55

Published
by
Tyler
on October 14, 2005
in Internet, Open Source and Personal
. Comments Tags: , , , , , , , , .

The Apache web server version 2.0.55 was released today. The previous 2.0 release was made back in April of this year. 2.0.55 fixes a flaw that was discussed on Slashdot in July. It’s mentioned in their official 2.0.55 announcement.

If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length.
proxy_http: Correctly handle the Transfer-Encoding and Content-Length request headers. Discard the request Content-Length whenever chunked T-E is used, always passing one of either C-L or T-E chunked whenever the request includes a request body.

Popularity: 2% [?]

cheap xbox 360 games - buy from zavvi
cheap xbox 360 games - zavvi

No Teletrack Payday Loans - mobile phones - Web Design - Cheap Electricity - Cheap Gas - Credit Cards - Loans
Search Engine Optimisation - Mobile Phone - Bike Insurance - Landlords Insurance - Search Engine Marketing - Mobile Phone