Nhữ Bảo Vũ @vunb - Tumblr Blog

Regular Expression DoS and Node.js

Imagine you are trying to buy a ticket to your favorite JavaScript conference, and instead of getting the ticket page, you instead get 500 Internal Server Error. For some reason the site is down. You can’t do the thing that you want to do most and the conference is losing out on your purchase, all because the application is unavailable.

Availability is not often treated as a security problem, which it is, and it’s impacts are immediate, and deeply felt.

The attack surface for Node.js in regards to loss of availability is quite large, as we are dealing with a single event loop. If an attacker can control and block that event loop, then nothing else gets done.

There are many ways to block the event loop, one way an attacker can do that is with Regular Expression Denial of Service (ReDoS).

The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.

#javascript #redos

•18+ Adults Only

Watch Anya Live on Cam

Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.

✓ Live Streaming✓ Interactive Chat✓ Private Shows✓ HD Quality

Anya is LIVE right now

FREE

Free to watch • No registration required • HD streaming

appearin

Since appear.in is built on WebRTC we are closely following the debate on which codecs should be used in WebRTC. One of our developers, Dag-Inge Aas, got the opportunity to interview Brendan Eich when he was visiting Oslo recently. Eich is the CTO and co-founder of Mozilla and the creator of...

vunb

Brendan Eich on the future of JavaScript and video codecs

Installation Instructions for SSL/TLS on Nginx Server

(Thanks to Ingmar Steen for the instructions) First, use the StartSSL™ Control Panel to create a private key and certificate and transfer them to your server. Then execute the following steps (if you use a class 2 certificate replace class1 by class2 in the instructions below):

Decrypt the private key by using the password you entered when you created your key:

openssl rsa -in ssl.key -out /etc/nginx/conf/ssl.key Alternatively you can also use the Tool Box decryption tool of your StartSSL™ account.

Protect your key from prying eyes:

chmod 600 /etc/nginx/conf/ssl.key

Fetch the Root CA and Class 1 Intermediate Server CA certificates:

wget http://www.startssl.com/certs/ca.pem wget http://www.startssl.com/certs/sub.class1.server.ca.pem

Create a unified certificate from your certificate and the CA certificates:

cat ssl.crt sub.class1.server.ca.pem ca.pem > /etc/nginx/conf/ssl-unified.crt

Configure your nginx server to use the new key and certificate (in the global settings or a server section):

ssl on; ssl_certificate /etc/nginx/conf/ssl-unified.crt; ssl_certificate_key /etc/nginx/conf/ssl.key;

Tell nginx to reload its configuration:

killall -HUP nginx And you’re done!

More: https://www.startssl.com/?app=20

#startssl #nginx

node-webkit: Control camera and microphone with getusermedia api

The getUserMedia API lets users grant web apps access to their camera and microphone without a plug-in. This is the first step in enabling high quality video and audio communication as part of WebRTC, a powerful new real-time communications standard for the open web platform.

In addition, getUserMedia can be combined with other platform features like CSS filters and WebGL to render effects as the is captured. For example, you canrotate the video and add hipstery filters, play a xylophone with motion detection,try on glasses with face detection, and step into a photobooth with crazy effects like “Snow” and “Fire”. The good news is, those features are all possible in node-webkit.

#nodejs #node-webkit

appearin

More improvements in appear.in for iPhone!

Thanks for the great feedback for our iPhone app, folks! We are super happy to get so many positive comments! As promised, we are updating the app with new features little by little. The three largest improvements so far are:

1) Invite function: you can now share the link to a room by clicking the share icon in the top right corner, and then choose to invite people via SMS, e-mail, or other social networks you are using on your phone. You can also just copy the link and paste it wherever you like!

2) Screen sharing: You can now receive shared screen content from someone using appear.in on a desktop computer. Here’s how it looks:

3) Knocking on locked rooms: Visitors that try to enter your room while it is locked, will now be asked to knock, and you as the owner will then see a photo of them, with the option to let them in or reject them. Here’s how it looks when someone knocks on your room in the app:

Screen sharing and knocking are features many of you know already from using appear.in in your desktop browser, and we hope they will be as useful on your iPhone.

4) Background mode: Sometimes you need to check something while in an appear.in conversation with someone. On you computer this has never been a problem, as the browser window doesn’t care if it’s on top. But to achieve this on iPhone, we need background mode. So now you can check the bus schedule or weather forecast while making beach plans with your friends in appear.in!

When you press the home button while you’re in a conversation, appear.in will minimize to a red banner on the top of your screen, so that you can always see that you are still in the conversation. Your video will be turned off, so that you are participating with audio-only. To go back to the conversation, simply click the red banner, and then your video will be automatically turned on again. To leave the conversation, click the back arrow in the top left corner of the app.

Even though it’s July and summer vacation time, parts of the team are eagerly working. So stay tuned for new updates and features available on the iPhone app! We also hope to make improvements for Android in the future.

vunb

Great work !

#video conferencing

•18+ Adults Only

Watch Anya Live on Cam

Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.

✓ Live Streaming✓ Interactive Chat✓ Private Shows✓ HD Quality

Anya is LIVE right now

FREE

Free to watch • No registration required • HD streaming

appearin

Some of you have probably noticed the possibility of knocking when requesting to enter a locked room. Until recently, a snapshot of the person that is knocking has appeared in the video conversation. Now we have found a new and more instant solution for our users; live knocking! With this new...

vunb

#video conferencing #webrtc

Bài học haivl #1

Bên lề QH, ĐB Hà Minh Huệ, Phó chủ tịch Thường trực Hội nhà báo Việt Nam cho rằng việc câu view hay tạo ra sự giật gân câu khách, là hành vi sai trái, cần phải lên án:

Theo tôi, nhanh nhưng phải chính xác, còn nếu nhanh mà không chính xác là đáng phê phán. Tuy nhiên còn một yếu tố nữa chi phối đó là sự non kém về nghiệp vụ, và đạo đức nghề nghiệp dẫn đến những sai sót. Non về nghiệp vụ là anh không biết quy định của anh được làm đến đâu; về đạo đức nghề nghiệp, anh làm sai nhưng không hiểu và thậm chí nghiêm trọng hơn có thể dẫn tới vi phạm pháp luật.

http://www.thongtincongnghe.com/article/64988

#haivl

Trending Blogs

Last Seen Blogs

Nhữ Bảo Vũ