Archive for the ‘servers’ Category

File Under: Security, servers, Web Basics

Google, Microsoft, Yahoo, PayPal Go After Phishers With New E-Mail Authentication Effort

Major e-mail providers, including Google, Microsoft, and Yahoo are teaming up with PayPal, Facebook, LinkedIn, and more, to implement a new system for authenticating e-mail senders to try to prevent the sending of fraudulent spam and phishing messages.

The protocol that powers e-mail, SMTP, dates back to a more trusting era; a time when the only people who sent you e-mails were people you wanted to send you e-mails. SMTP servers are willing to accept pretty much any e-mail destined for a mailbox they know about (which is, admittedly, an improvement on how things used to be, when they’d accept e-mails even for mailboxes they didn’t know about), a fact which spammers and phishers exploit daily.

Making any fundamental changes to SMTP itself is nigh impossible; there are too many e-mail servers, and they all have to interoperate with each other, an insurmountable hurdle for any major change. So what we’re left with is all manner of additional systems that are designed to give SMTP servers a bit more information about the person sending the e-mail, so that they can judge whether or not they really want to accept the message.

The two main systems in use today are called SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Both systems use DNS to publish extra information about the e-mail sender’s domain. SPF tells the receiving server which outgoing servers are allowed to send mail for a given domain; if mail arrives from a server not on the list, the receiving server should assume that the mail is fraudulent. DKIM embeds a cryptographic signature in e-mail messages, along with an indication of which DNS entry to examine. The receiving server can then look up the DNS entry and use the public key it finds there to verify the signature.

These systems are not perfect; though both are used widely, they haven’t been adopted universally. This means that some legitimate mail will arrive from domains that publish no SPF or DKIM DNS entries, so mail servers can’t depend on their presence. Common legitimate operations can also break them: many mailing list programs add footers to messages, which invalidates the DKIM signature, and forwarding e-mails causes SPF failures. As a result, failing one test or the other is not a good reason to reject a message.

These systems also make it hard to diagnose misconfigurations; receiving servers will typically just swallow or ignore mails sent by systems with bad SPF or DKIM configurations.

The large group of companies, which includes the biggest web mail servers and some of the most common corporate victims of phishing attempts, is proposing a new scheme, DMARC (“Domain-based Message Authentication, Reporting & Conformance”), in an attempt to tackle these problems. DMARC fills some of the gaps in SPF and DKIM, making them more trustworthy.

DMARC's position within the mail receipt process (illustration by dmarc.org)

DMARC is based on work done by PayPal in conjunction with Yahoo, and later extended to Gmail. This initial work resulted in a substantial reduction in the number of PayPal phishing attempts seen by users of those mail providers, and DMARC is an attempt to extend that to more organizations. As with SPF and DKIM, DMARC depends on storing extra information about the sender in DNS. This information tells receiving mail servers how to handle messages that fail the SPF or DKIM tests, and how critical the two tests are. The sender can tell recipient servers to reject messages that fail SPF and DKIM outright, to quarantine them somehow (for example, putting them into a spam folder), or to accept the mail normally and send a report of the failure back to the sender.

In turn, this makes SPF and DKIM much safer for organizations to deploy. They can start with the “notification” mode, confident that no mail will be lost if they have made a mistake, and use the information learned to repair any errors. DMARC also allows recipients to know if a domain should be using SPF and DKIM in the first place.
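To make the DMARC decision concrete, here is an added example (not code from the article or from dmarc.org) that parses a DMARC TXT record and applies the three dispositions described above to a message’s SPF and DKIM results. It goes slightly beyond the article by applying the identifier alignment rule from the DMARC specification (the `adkim`/`aspf` tags); the `_dmarc.example.com` and `_dmarc.example.net` records are constructed sample DNS answers, and the organizational-domain check is simplified to the last two labels.

```python
"""Evaluate a DMARC policy for one message: reject, quarantine, or accept-and-report.

Assumptions (not from the article): record syntax and the identifier alignment
rule follow the DMARC specification; DNS answers are constructed samples below."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample DNS TXT answers for _dmarc.<domain> (hypothetical domains)
SAMPLE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; adkim=r; aspf=s; rua=mailto:dmarc-rpt@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:reports@example.net",
}

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=...; ...' into a dict of tags; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain):
    # Simplified: last two labels (real receivers consult the public suffix list)
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict alignment ('s') needs an exact match with the From: domain;
    relaxed ('r') accepts any host in the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class AuthResult:
    spf_pass: bool
    spf_domain: Optional[str]   # domain SPF was checked against (MAIL FROM)
    dkim_pass: bool
    dkim_domain: Optional[str]  # d= of the DKIM signature that verified

def evaluate(from_domain, auth, dns=SAMPLE_DNS):
    """Return (disposition, reason). DMARC passes if either an aligned SPF pass
    or an aligned DKIM pass exists; otherwise the published p= policy applies."""
    record = dns.get("_dmarc." + from_domain.lower())
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return ("accept", "no DMARC policy published")
    spf_ok = auth.spf_pass and aligned(from_domain, auth.spf_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_pass and aligned(from_domain, auth.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("accept", "DMARC pass")
    policy = tags["p"].lower()
    report = tags.get("rua", "(no report address)")
    if policy == "reject":
        return ("reject", "DMARC fail; report to " + report)
    if policy == "quarantine":
        return ("quarantine", "DMARC fail; report to " + report)
    return ("accept", "p=none: deliver and report the failure to " + report)
```

Note how a forwarded message that loses its SPF pass still passes DMARC when its DKIM signature survives, while a mailing list that rewrites the body and breaks the signature falls through to the sender’s published policy.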

Without a global rollout, DMARC can’t solve all phishing and spam problems. The companies that have signed up to support the project include major recipients of phishing attempts—the various free e-mail providers—and sites against which phishing attacks are regularly made. Mail sent between the organizations will be verified using the SPF/DKIM/DMARC trifecta. Anyone using the major mail providers and the major services should see a substantial reduction in fraudulent mail. Senders and recipients who want to receive similar protection can implement DMARC themselves by following the specification that the DMARC group is working on.

Given the constraints imposed by SMTP, we may never get an e-mail system that is entirely free of malicious and annoying junk. SMTP e-mail was never designed to be trustworthy, and systems like SPF and DKIM are constrained by the inadequacies of SMTP’s design. Nonetheless, mechanisms such as DMARC can still make a big difference, and with the support of these major companies, e-mail might get that little bit safer.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

Illustration by dmarc.org

Protest SOPA: Black Out Your Website the Google-Friendly Way

On Wednesday Jan. 18, Reddit, Wikipedia and many other websites will black out their content in protest of the Stop Online Piracy Act (SOPA), the Protect Intellectual Property Act (PIPA) and the Online Protection and Enforcement of Digital Trade Act (OPEN). Organizers of the SOPA Strike are asking interested sites to black out their content for 12 hours and display a message encouraging users to contact their congressional representatives and urge them to oppose the legislation.

Although it was rumored that Google might join in the protest, that does not appear to be the case. The search giant does, however, have some advice for anyone who would like to black out their site and ensure that doing so doesn’t harm their Google search rank or indexed content. [Update: It appears Google will be participating in some fashion. A Google spokesperson tells Ars Technica that "tomorrow [Google] will be joining many other tech companies to highlight this issue on our U.S. home page.” WordPress and Scribd will also be participating. You can read the full story on Ars Technica.]

Writing on Google+, Google’s Pierre Far offers some practical tips in a post entitled, “Website Outages and Blackouts the Right Way.” The advice mirrors Google’s previous best practices for planned downtime, but warrants a closer look from anyone thinking of taking their site offline to protest the SOPA/PIPA/OPEN legislation.

Far’s main advice is to make sure that any URLs participating in the blackout return an HTTP 503 status. The 503 status tells Google’s crawlers that your site is temporarily unavailable. That way your protest and blacked-out website won’t affect your Google ranking, nor will any protest content be indexed as part of your site. If you use Google’s Webmaster tools you will see crawler errors, but that’s what you want — your site to be unavailable, causing an error.

Implementing a 503 page isn’t too difficult, though the details will vary according to which technologies power your site. If you’re using WordPress there’s a SOPA Blackout plugin available that can handle the blackout for you. It’s also pretty easy to create a 503 redirect at the server level. If you use Apache, ensure that you have the Rewrite module installed and then add something like the following code to your root .htaccess file:

    RewriteEngine On
    # Don't rewrite the 503 page itself, or the rule would loop forever
    RewriteCond %{REQUEST_URI} !^/path/to/file/myerror503page\.php$
    RewriteRule .* /path/to/file/myerror503page.php [L]

That will redirect your entire website to the 503 error page. Now just make sure that your myerror503page.php page returns a 503 error. Assuming you’re using PHP, something like this will do the trick:

    <?php
    // Send the 503 status before any output, and tell crawlers when to come back
    header('HTTP/1.1 503 Service Temporarily Unavailable');
    header('Retry-After: Thu, 19 Jan 2012 00:00:00 GMT');
    ?>
    <!-- your blackout message (HTML) goes here -->

For more details, be sure to read up on the HTTP 503 header and see the rest of Far’s Google+ post to learn how to handle robots.txt and a few things you should definitely not do (like change your robots.txt file to block Google for the day, which could mean Google will stay away for far more than just a day). Even if you aren’t planning to participate in the anti-SOPA blackout tomorrow, Far’s advice holds true any time you need to take some or all of your site offline — whether it’s routine server maintenance, rolling out an upgrade or as part of a political protest.

[Image by SOPAStrike.com]

File Under: servers

Open Source Upstart Nginx Surpasses Microsoft Server

For the first time since it sprang onto the web in 2004, Nginx (pronounced “engine-ex”), the lightweight open source web server that could, has overtaken Microsoft IIS to become the second most used server on the web.

Nginx currently powers some 12.18 percent of the web’s active sites — including big names like Facebook and WordPress — which means Nginx has just barely squeaked ahead of Microsoft IIS which currently powers 12.14 percent of websites. While Apache is still far ahead of both with over 57 percent of the market, of the top three, only Nginx continues to grow in market share.

These market share numbers come from NetCraft, which has been tracking data like server type and server operating system since 1995. It’s worth noting that Nginx is only ahead in the “active sites” survey, which throws out results like parked domains and registrar placeholder pages (full details of NetCraft’s methodology can be had here).

Unlike Apache, which, while robust and powerful, also uses considerably more resources, Nginx was designed to be fast and lightweight. The server can handle a very large number of simultaneous connections without suffering a performance hit or requiring additional hardware.

The combination of lightweight and fast has made Nginx the darling of the web in recent years with everyone from Facebook to Dropbox relying on it in one form or another. Indeed, another part of Nginx’s success lies in its versatility. The server can be used for everything from a traditional high performance web server to a load balancer, a caching engine, a mail proxy or an HTTP streaming server.

Having recently moved several primarily static websites to Nginx I can also vouch for another of Nginx’s strengths — outstanding documentation.

If you’d like to give Nginx a try head on over to the official site and download a copy today.

OpenDNS and Google Working with CDNs on DNS Speedup

A group of DNS providers and content delivery network (CDN) companies have devised a new extension to the DNS protocol that aims to more effectively direct users to the closest CDN endpoint. Google, OpenDNS, BitGravity, EdgeCast, and CDNetworks are among the companies participating in the initiative, which they are calling the Global Internet Speedup.

The new DNS protocol extension, which is documented in an IETF draft, specifies a means for including part of the user’s IP address in DNS requests so that the nameserver can more accurately pinpoint the destination that is topologically closest to the user. Ensuring that traffic is directed to CDN endpoints that are close to the user could potentially reduce latency and congestion for high-impact network services like video streaming.

The new protocol extension has already been implemented by OpenDNS and Google’s Public DNS. It works with the CDN services that have signed on to participate in the effort. Google and OpenDNS hope to make the protocol extension an official IETF standard. Other potential adopters—such as ISPs—are free to implement it from the draft specification.

It’s not really clear in practice how much impact this will have on network performance. It’s worth noting that GeoIP lookup technology is already used by some authoritative DNS servers for location-aware routing. The new protocol extension will reportedly address some of the limitations of previous approaches.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

File Under: Backend, servers, Web Basics

Move Over, HTTP. Say ‘Hello World’ to SPDY

Google plans to introduce a new protocol for web transactions it says is more than 50 percent faster than HTTP.

A post on Google’s Chromium blog describes the new protocol, SPDY, pronounced “Speedy”:

SPDY is at its core an application-layer protocol for transporting content over the web. It is designed specifically for minimizing latency through features such as multiplexed streams, request prioritization and HTTP header compression.

The Chromium team, which is in charge of developing the Chrome browser and its associated technologies, reports that SPDY has been able to load web pages 55 percent faster than the HTTP protocol in lab conditions using simulated home-network connections. The team says its goal is to make SPDY eventually run twice as fast as HTTP.

HTTP is the language currently used by servers and browsers for the vast majority of common tasks on the web. When you request a web page or a file from a server, chances are your browser sends that request using HTTP. The server answers using HTTP, too. This is why “http” appears at the beginning of most web addresses.

So, Google’s proposal would involve rewriting the web’s most commonly used and baked-in transaction method.

“HTTP has served the web incredibly well,” the post’s authors write. “We want to continue building on the web’s tradition of experimentation and optimization, to further support the evolution of websites and browsers.”

If such a massive shift were to ever take place (and nobody’s promising it will at this point), it would require a whole lot of buy-in from outside Google. To that end, the company is releasing its early-stage documentation and code for SPDY along with a call for feedback.

It may seem like a brash move, but the Chromium team seems to enjoy ruffling feathers. In September, the same group released the Chrome Frame plug-in for Internet Explorer which essentially embeds Google’s browser inside Microsoft’s, giving the ability to render websites that IE wouldn’t normally be able to handle.

To contribute to the SPDY discussion, visit the Chromium Google Group.

Image: Warner Brothers


File Under: Programming, servers

Cool Tutorial: Django in the Real World

Django’s big sell is that it’s easy.

Compared to other open-source (or even proprietary) frameworks for building specialized, database-driven websites, Django makes the core tasks remarkably easy and fast to complete. A developer with working knowledge of databases and Python can get a site up and running in less than an hour.

But once your code is written, what comes next?

That question forms the basis of a talk given by Jacob Kaplan-Moss, one of Django’s lead developers, at the OSCON Open Source Convention in San Jose, California on Tuesday. His slides are now online (PDF, 1.7MB).

The concentration is on testing, staging and deployment. There are also recommendations for fine-tuning performance. And even if you don’t know Python or if you’ve never used Django, the presentation is still helpful since it’s full of general advice about building and deploying web applications.

Also, there’s a great series of tutorials hosted by the Django Project itself, and there’s a beginner’s Django tutorial right here on Webmonkey.

Illustration: Stefan Imhoff


File Under: Business, servers

Register.com Victimized by DDoS Attack

Register.com is having a rough week. The popular domain registrar and website hosting company has been having coughing fits for a few days. Service has been intermittent, with some users complaining of outages on the company’s web servers as well as its e-mail and data storage services.

Turns out the problem was the result of a DDoS attack.

Today, this e-mail was sent out, and the company posted the same note on its website:

For the past three days Register.com has been experiencing intermittent service disruptions as a result of a distributed denial of service (DDoS) attack – an intentionally malicious flooding of our systems from various points across the internet. We know the disruption of business this has caused our customers is unacceptable, and we are working round the clock to combat it. (For more information about DDoS attacks, please see http://en.wikipedia.org/wiki/Denial-of-service_attack.)

While we are still under attack, our counter-measures are currently minimizing the disruption to your services. We are using all available means to halt this criminal attack on our business and our customers’ business.

We are committed to updating you in as timely a manner as possible; please continue to check back here for additional updates or go to www.twitter.com/Register_com.

Thank you for your patience.

File Under: Events, servers

PDC 2008: SensorMap Is Some Hot (and Cool) Tech

Los Angeles — Microsoft has already left its mark on software, consumer devices, gaming and the web. Next, the company is turning its attention to green technology, environmental research and the effects of climate change.

At its annual Professional Developers Conference, the company debuted some new distributed computing technology the Microsoft Research team has created to collect data on energy use, transportation efficiency and global climate change.

During Wednesday morning’s keynote, Microsoft Research’s Feng Zhao showed off the pocket-sized devices his MSR SenseWeb team created to monitor any number of environmental factors. Microsoft has deployed hundreds of these sensors, each no bigger than a cell phone, around downtown Seattle, Singapore and Taipei, in the mountains near Davos, Switzerland and glaciers in Juneau, Alaska.

Each sensor records information about wind speed, temperature, humidity and other metrics. The devices are customized for each location — the sensors in Davos are connected to high-tension power lines, and they measure shortwave radiation. The ones in Seattle have cameras and study traffic patterns. The sensors on the Alaskan glacier measure water discharge.

Anyone can go to the SensorMap website to dig in to the sensor data, view time-based graphs and generate custom reports. The site will remain a public source of data for tracking changes in the environment.

As Microsoft Research’s director Rick Rashid quipped, “We’re using the cloud to keep track of clouds.”

It seems purely altruistic, but there’s a practical reason for Microsoft’s investment — the company is using the same tech to monitor the data centers which will power its new Windows Azure cloud computing platform. As the company builds the physical infrastructure for Azure, it’s also been installing sensors and feeding data into what it calls the Data Center Genome project. The sensors measure energy usage, heat and power distribution and efficiency within the warehouse-sized server complexes.

Zhao showed what the Genome data looks like. He revealed that hundreds of sensors had been deployed throughout the Los Angeles convention center, which is hosting the conference. On the stage’s jumbo screen, he showed a satellite photo of the building with an overlaid grid marking the energy sensor array.

He played back the collected data as an animated heat map, sped up over time, to show heat rising in parts of the building as attendees filed in to view the previous day’s Windows 7 keynote, then fanned out into the sessions and the expo hall afterwards.

It gave a detailed view of exactly how efficiently the air conditioning system cooled the building — including huge blue spots where the HVAC vents were pumping chilled air into areas of the hall that were entirely empty and devoid of people for hours.

File Under: servers, Software & Tools

Opera MAMA Reports Web Standard Usage

Opera has announced the Metadata Analysis and Mining Application (MAMA), a search engine for web developers looking for backend analytics. Basically, the reports are regular search results, but with the focus on things like the number of <font> tags used on the web, or the shocking fact that less than 5% of websites pass the W3C’s validation test.

The wealth of data was culled from 3,509,180 URLs over 3,011,668 domains. All of this data will help you win geek bar fights over internet trivia questions like:

Q: What is the most popular web server on the internet?

A: Apache. Apache serves about 50.76 percent over 2,011,088 domains (67.72 percent). IIS: 35.84 percent over 769,375 domains (25.91 percent).

Q: How many web developers are good enough to write code that passes W3C validation?

A: 145,009 out of 3,509,180 URLs passed validation — only 4.13 percent.

Q: Which country uses Ajax the least?

A: Japan showed the least usage of XMLHttpRequest, while Norway (Opera’s home country) exhibited the highest usage rates at 10.1 percent.

Otherwise, this is a great source of data to help drive standards forward. In many ways, standards bodies have been moving blindly, adding cool features as they were developed. Perhaps with the plethora of data Opera provides on the web, decisions can be based on practical numbers.

The capability to run searches of your own isn’t available to users, but the key findings report is available on Opera’s developer site. The reports include many of the most popular questions.

Luckily for us, Opera has offered to run some reports for Webmonkey.

So you tell us: What questions do you have for the MAMA oracle? We’ll send them to Opera and post the answers later. Leave your questions in the comments.


File Under: servers

Apple Fails to Patch DNS ‘Cache Poisoning’ Attack

The previously hypothetical DNS cache poisoning bug you’ve no doubt heard about has made its way into the wild. That isn’t all that surprising given that there are no fewer than three publicly available exploits, which have been downloaded some ten thousand times.

What’s disturbing isn’t that the code is in the wild and potentially aimed at your DNS server. No, the problem is that, despite a concerted effort by vendors, there are still countless unpatched servers out there.

Apple especially has failed to protect its users. Even the normally Apple-supportive Tidbits blog has called the company out for failing to patch its OS X Server software.

The really sad thing in Apple’s case is that the Internet Systems Consortium’s BIND DNS server, which is what OS X Server uses, was one of the first systems for which a patch was made available. Apple has simply declined to pass the patch on to its users, leaving them vulnerable to DNS cache poisoning and other attacks.

So how do you know if your ISP has patched your DNS Server? Well, the short answer is you probably don’t. You could dig through and see if your ISP has made an announcement. Or maybe call customer service (good luck with that).

Or you could just replace your DNS server with one that you know is patched. It isn’t hard to do at all, and we’ve got a new OpenDNS tutorial to walk you through the few steps it takes to set up OpenDNS as your DNS server. OpenDNS isn’t affected by this latest bug, and as an added bonus it’s generally faster than what your ISP uses.

[via Slashdot]
