tianjara.net | Andrew Harvey's Blog

Entries from March 2012.

Malicious attack or just being paranoid?
10th March 2012

As of now, when I download the document at http://www.commbank.com.au/personal/international/travel-money-card/default.aspx using,

wget --save-headers -U 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322)' --server-response 'http://www.commbank.com.au/personal/international/travel-money-card/default.aspx'

from both IP addresses (140.168.75.39, 140.168.129.72) that the hostname resolves to, within that page I get a link to https://www.commbank.prepaidcardsupport.com/cbacustomer/html/LoginFrameTravel.html

Looks weird. Commbank linking to www.commbank.prepaidcardsupport.com? At first I thought I was being man-in-the-middled, so I tried retrieving this document from various vantage points on the Internet, with the same results. So either it wasn't a MITM, or the MITM was happening at a point common to both vantage points (i.e. the bank's network, or the Telstra network above the bank's network).

So maybe this is legit? I checked the whois for prepaidcardsupport.com, but it is registered by proxy (not a good sign), and its HTTPS certificate isn't trusted by the default Iceweasel install (again, not a good sign).

Anyway, this reinforced to me a big problem with sites that think it is okay to serve most of their pages over plain HTTP and switch to HTTPS only for the parts where you log in. Every plain-HTTP page is open to a man-in-the-middle, and an attacker on the path can rewrite the links that would have switched you to HTTPS so that they stay on plain HTTP, and from there keep intercepting everything you send, including your login. Of course this ignores the issue that the current CA-based PKI isn't terribly secure either.
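As an added example (not code from the original post), here is the check I would run over a page saved with the wget command above: it pulls out every login-looking link, flags the ones that point off-site (the prepaidcardsupport.com case) or that stay on plain HTTP, and notes that even an https link is rewritable when the page carrying it came over http. The HTML and response headers in the block are constructed stand-ins; only the prepaidcardsupport.com link and the page URL are taken from the post. The has_hsts check looks for the Strict-Transport-Security header, which is the server-side fix for this downgrade problem.

```python
"""Audit a page fetched over plain HTTP for login links an on-path
attacker could rewrite, and for login targets hosted outside the
site's own domain.

Added example, not code from the original post. SAMPLE_HTML and
SAMPLE_HEADERS are constructed stand-ins; only the
prepaidcardsupport.com link and PAGE_URL come from the post.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect <a href> targets (with their link text) and <form action>s."""

    def __init__(self):
        super().__init__()
        self.links = []      # (raw url, visible text or "form")
        self._open_a = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._open_a = [attrs["href"], ""]
        elif tag == "form" and attrs.get("action"):
            self.links.append((attrs["action"], "form"))

    def handle_data(self, data):
        if self._open_a is not None:
            self._open_a[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open_a is not None:
            self.links.append(tuple(self._open_a))
            self._open_a = None


def _same_site(host, site):
    host, site = host.lower(), site.lower()
    return host == site or host.endswith("." + site)


def audit_login_links(html, page_url, site_domain,
                      login_words=("login", "logon", "signin")):
    """Classify every login-looking link on the page.

    Returns a list of (absolute url, verdict), verdict being one of:
      "third-party"  target host is not under site_domain
      "plain-http"   target is itself served over http
      "downgradable" target is https, but this page came over http, so
                     anyone on the path can rewrite the link first
      "ok"           https target reached from an https page
    """
    page_scheme = urlsplit(page_url).scheme
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for raw, text in collector.links:
        url = urlsplit(urljoin(page_url, raw))
        haystack = (url.path + " " + text).lower()
        if not any(word in haystack for word in login_words):
            continue
        if not _same_site(url.hostname or "", site_domain):
            verdict = "third-party"
        elif url.scheme != "https":
            verdict = "plain-http"
        elif page_scheme != "https":
            verdict = "downgradable"
        else:
            verdict = "ok"
        findings.append((url.geturl(), verdict))
    return findings


def has_hsts(saved_headers):
    """True if the response preamble that 'wget --save-headers' writes
    carries Strict-Transport-Security, which makes a browser that has
    seen it once refuse the plain-HTTP version of the site."""
    for line in saved_headers.splitlines():
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return True
    return False


PAGE_URL = ("http://www.commbank.com.au/personal/international/"
            "travel-money-card/default.aspx")

# Constructed: a cut-down page carrying the link the post reports plus
# two placeholder login links, one relative and one https.
SAMPLE_HTML = """
<html><body>
<a href="/login/">Log on</a>
<a href="https://www.commbank.prepaidcardsupport.com/cbacustomer/html/LoginFrameTravel.html">Travel Money Card login</a>
<a href="https://www.commbank.com.au/login/">Log on (secure)</a>
<a href="/about/">About us</a>
</body></html>
"""

# Constructed response preamble with no HSTS header.
SAMPLE_HEADERS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for url, verdict in audit_login_links(SAMPLE_HTML, PAGE_URL, "commbank.com.au"):
        print(f"{verdict:12} {url}")
    print("HSTS present:", has_hsts(SAMPLE_HEADERS))
```

Run it on the file wget saved (the header preamble goes to has_hsts, the body to audit_login_links) and anything other than "ok" is a link the bank is asking you to trust without the bank being able to vouch for it.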

community + git = value
4th March 2012

This is why open source development and open collaboration in a community is great:

  1. Someone posts a question about a problem they have: http://groups.google.com/group/mapnik/browse_thread/thread/85ede4787e2dc32b/b87dc582e2cf1035
  2. I see this question, find it interesting, and have a go at writing a solution. I release this freely and openly to anyone on GitHub under a free software license (CC0): https://gist.github.com/1675606/eb39d06c948bae471fee902a3cb688f28cefc9da
  3. The original poster gets back to me, thanking me and finding the solution I wrote useful.
  4. Someone else comes along and forks my code https://gist.github.com/1953554, adding some cool extra functionality, building on my work to make something new and useful.
  5. We continue to build on the solution collaboratively: https://gist.github.com/1675606/e8bfe1525478ada610ebc7f4d14eb433ed2866b1

None of this would have been possible without a platform to openly and freely communicate inside a community (1), free licensing and open sourcing of solutions allowing others to legally build upon others' work (2), and git and GitHub, a program and platform that allow one to publish derivative works that are visible to the original author without needing permission from, or interaction with, the original author (4, 5).

Albeit small, it is extremely rewarding to see this unfold upon my own work.

IPv6, Self-signed SSL with Monkeysphere, Expectations of Privacy
3rd March 2012

On my new sysadmin front, I've migrated my site tianjara.net to Linode's Tokyo facility, which has a better RTT than Fremont, where it was previously located.

Along the way I learnt that I probably should have lowered the DNS TTL before the move, so that when the IP address changed, resolvers wouldn't take as long to pick up the change.

My site is also now IPv6 enabled. It took a little bit of work setting up lighttpd correctly (as it recently changed the way it handles IPv6 network interfaces), and there was a bit of confusion with ufw: although I had set IPV6=yes, I needed to re-add my rules to allow from Anywhere (v6) in addition to Anywhere. It is a shame most Australian ISPs are a little slow with IPv6 deployment... this made it tricky to test.

I've also deployed an SSL certificate for https://tianjara.net, self-signed and added to the web of trust via Monkeysphere (not that I could actually test it, though).

On a related note, I was looking through my server logs and found what looks like the Catholic Education Network proxy server (but run by http://www.editure.com.au/) telling me the school and login of every student that visits my site (over plain HTTP), using an HTTP header like,

X-SINA-ProxyUser: [school]/[username]

Sure, different people have their own expectations of privacy, and the pupils at schools using CENET services may all be fine with this, but some may not be, and many are probably not old enough to make the best decision on their own. I hope those students know that every site they visit gets told their school/username.
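As an added example (not code from the original post), this is how I would have the server notice that an upstream proxy is tagging requests with a user identity, and log the fact without keeping the username itself. The raw request is constructed, with placeholder school and username. X-SINA-ProxyUser is the header the post reports; the other names in IDENTITY_HEADERS are common proxy headers and are included as an assumption about what else such a proxy may forward.

```python
"""Spot identity-bearing headers that an upstream proxy adds to requests
reaching a plain-HTTP site, such as X-SINA-ProxyUser: school/username.

Added example, not code from the original post. SAMPLE_REQUEST is
constructed; SomeSchool/jbloggs is a placeholder. Only X-SINA-ProxyUser
is from the post; the other IDENTITY_HEADERS entries are an assumption.
"""
import hashlib

IDENTITY_HEADERS = {
    "x-sina-proxyuser",      # seen in the post: "[school]/[username]"
    "x-forwarded-for",       # client address behind the proxy (assumed)
    "x-forwarded-user",      # assumed
    "x-authenticated-user",  # assumed
    "via",                   # names the proxy hop itself
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request_line, headers).

    headers is a list of (name, value) in arrival order; names are
    lower-cased, duplicates are kept, folded continuation lines and
    malformed lines are skipped rather than raising.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        if not line or line[0] in " \t":
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def identity_leaks(headers):
    """Return the (name, value) pairs that identify the user or client."""
    return [(n, v) for n, v in headers if n in IDENTITY_HEADERS]


def split_proxy_user(value):
    """'school/username' -> ('school', 'username'); no slash -> ('', value)."""
    school, sep, user = value.partition("/")
    return (school, user) if sep else ("", school)


def pseudonymise(user, salt):
    """Stable one-way token: repeat visits can be correlated in the log
    without the username being stored in the clear."""
    return hashlib.sha256((salt + "\0" + user).encode()).hexdigest()[:16]


def log_line(raw, salt="change-me"):
    """One access-log style line recording *that* identity was leaked,
    keeping only the school and a pseudonym for the user."""
    request_line, headers = parse_request(raw)
    parts = [request_line]
    for name, value in identity_leaks(headers):
        if name == "x-sina-proxyuser":
            school, user = split_proxy_user(value)
            parts.append(f"{name}={school}/{pseudonymise(user, salt)}")
        else:
            parts.append(f"{name}=<redacted>")
    return " ".join(parts)


# Constructed request, as a filtering proxy might forward it.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: tianjara.net\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Via: 1.1 proxy.example.test\r\n"
    "X-SINA-ProxyUser: SomeSchool/jbloggs\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(log_line(SAMPLE_REQUEST))
```

The salt should be a per-site secret rather than the placeholder default, otherwise anyone with a list of usernames can reverse the pseudonyms by brute force.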
