funkatron.com

We don’t sign Spaz with a code signing certificate generated by one of the 4 (as of this writing) certificate authorities Adobe accepts. This means that when you install Spaz, you get a scary “Publisher:UNVERIFIED” warning. This is why we don’t sign, from a letter I wrote when asked about it in Spring 2008:

If I sign Spaz with a paid-for Thawte cert, I am on the hook every year for a Thawte cert. I can’t change my cert signer or go back to a self-signed cert without breaking auto updating (at least as I understand it), and I’m therefore locked into a $300 expense every year. That’s not terrible for a commercial app backed by a company, but that’s a pretty significant chunk of change for a free, open-source app developed by one person as a hobby to lay out.

I’m familiar with how certs work, and how Thawte handles certification as compared to other, less expensive cert vendors. Were I convinced that Thawte did some kind of verification process/background checking on the applicant I could see the value, but at least with SSL certs, they certainly didn’t do anything more than vendors who donate free certs to EDUs.

Currently, there are 3 other CAs in addition to Thawte, and the prices range between $180 and $300 per year. Some of these CAs do seem to do a little more background checking. Still, the same arguments apply, especially the one related to cost.

Spaz doesn’t generate revenue, and relies on donated time from myself and a handful of other generous folks. Committing to a yearly expense in the hundreds of dollars seems unwise.

If this is something you would like to see change, I’d encourage you to ask Adobe to make code signing a realistic option for Free, Open-Source Software like Spaz by providing certificates free-of-charge – after a reasonable review process – to projects like ours.

Do you work in social media? Do you develop social networking sites? Do you like it when people do not hack your Facebook account? If you answered “yes” to one of the above, then you simply must attend Security for the Social Set, a Core Conversation I’m leading at SXSW. It will take place on Sunday morning at 11:30 a.m.

I’m excited to be able to lead this conversation, especially because I think security – especially practical solutions – is woefully under-represented in social media discussion. It’s my hope that we can raise awareness of these issues, identify where the biggest problems lie, and start sorting out how to address them.

I am told the Core Conversations will suck less this year. Last year it was often hard to hear people in your group if there was a raucous group next to yours. This year each group should have their own room, which will be a lot better, I think.

Hope to see you there!

I love me some JSON. It saves me tons of parsing headaches when exchanging data between web services because it maps so well to concepts shared among most common programming languages. It’s super easy to take a PHP object, convert it to JSON, and then push it to a Javascript (or a Ruby, or a Python) app.

Because JSON is valid JavaScript code, the most common method for converting it into native JS objects is to just eval the JSON. This is an extremely bad idea, because it opens your app up to all sorts of code injection attacks. Even with “trusted” sources, a security failure on your source’s end, or just a disgruntled employee, could wreak havoc on your apps and your users. I’d recommend reading Douglas Crockford’s “JSON and Browser Security”. Go ahead; I’ll wait.

jQuery, which we’ll use for all our examples because it’s awesome, will in many cases automatically parse JSON responses for you. This, as we learned above, is a Bad Thing. The following Ajax methods will automatically parse JSON in jQ (as of 1.2):

• jQuery.getJSON() – always
• jQuery.ajax() – if type is ‘json’
• jQuery.get() – if type is ‘json’
• jQuery.post() – if type is ‘json’

So my rules of thumbs are:

1. never, ever use $.getJSON()
2. never, ever set the type option to ‘json.’

To force the issue, I set my type to ‘text’ in my ajax calls. For example:

<script type="text/javascript" charset="utf-8" src="/js/jquery.js"></script>
<script type="text/javascript" charset="utf-8">
    $.ajax('http://twitter.com/statuses/public_timeline.json', function(data, textStatus) {
        alert('Status is '+textStatus);
        alert('JSON data string is: '+data);
    }, 'text');     
</script>

In the example above, we’re including the jquery library with the first <script> tag, and then calling the jQuery.ajax() method in the second. We’re passing three parameters:

1. the URL we’re pulling the JSON string from. In this case, it’s the Twitter public timeline
2. an anonymous function that’s called when the request is successful
3. the type of data we’re getting, as a string. Using ‘text’ ensures no extra processing is done on the response string

So this is great, but all we’ve got is a string of serialized data, which isn’t terribly useful. Thankfully, there’s a handy library at JSON.org that takes care of parsing JSON without using eval without using eval on non-JSON code¹. The library gives us two methods: JSON.parse() for turning a JSON string into a JS object, and JSON.stringify() for turning a JS object into a JSON string. So let’s utilize JSON.parse() in our code, and actually do something with that data:

<script type="text/javascript" charset="utf-8" src="/js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="/js/JSON2.js"></script>
<script type="text/javascript" charset="utf-8">
    $.get('http://twitter.com/statuses/public_timeline.json', function(data, textStatus) {
        alert('Status is '+textStatus);
        alert('JSON data string is: '+data);

        // this will give us an array of objects
        var public_tweets = JSON.parse(data);

        // iterate over public_tweets
        for(var x=0; x < public_tweets.length; x++) {
            var twt = public_tweets[x];
            var elm = '<div class="tweet" id="'+twt.id+'"> \
                <a href="'+twt.user.url+'"><img src="'+twt.user.profile_image_url+'" /></a> \
                    <div class="tweet-text">'+twt.text+'</div> \
                </div>';
            $('BODY').prepend(elm);
        }
    }, 'text');
</script>

In the modified example above, the second script tag loads the JSON2 library. We then use the JSON.parse() method to turn the data string into a JavaScript object – in this case, and array of Twitter message objects. Then we iterate over the array, building a string of HTML for each entry and prepending it to the <body> tag (so the newest item is on top).

Note: If you’re using this code on a remotely-hosted html page (or loading it as a local file under Firefox 3), it won’t work, and if you check in your error console you’ll probably see a security warning. That’s because our $.get() call directly accesses the Twitter API hosted on Twitter.com, which is almost certainly not the domain your files are hosted on. When we try to do so, it violates the same-origin policy enforced by browsers. The only workaround that I think is safe is to set up some sort of proxy on your domain to pass requests – other approaches like JSONP rely on eval()ing the result, which is what we’re trying to avoid here. I’ll try to cover setting up a local domain proxy in a future post.

By handling JSON with a parser rather than just using eval(), we mitigate the risk of code injection. This helps us protect both our application and our users.

Remember when you went to SXSWi last year, and you said “I love the parts where I meet cool people and eat free food and drink free booze and throw up, but I wish the presentations and panels weren’t so goddamn fluffy?” Me too. That’s why Alex Payne (aka “The Guy Who Has Actual Name Recognition”) and myself submitted the talk “Security for the Social Set.”

The idea is that we give some solid, useful information about the security problems social networking apps have to deal with, and how to deal with them. While we can’t get too focused on specific languages and frameworks, client-side defense with JavaScript will certainly be demonstrated, and I intend to show examples in PHP and probably a couple other platforms (coughRailscough). It will be hard to get into heavy detail within the alloted time, but it’s my hope that we can kickstart awareness and understanding of fundamental secure web app programming techniques.

Plus, I need a justification for dropping the coin for hotel and air fare on this boozefest, so please, vote for us.

• Security for the Social Set (SXSW 2009)

Oh, and a few other meaty talks you should consider include:

• Practical JavaScript Development
• More Secrets of JavaScript Libraries (this was packed last year)
• 200s, 304s, HTTP Compression, and You
• Hackproofing Ruby-on-Rails Web Applications
• Functional Programming Without A (Strictly) Functional Language
• Unit Testing Back to Front: Prove it Works!

Just a quick note that my slides from my OSCON 2008 talk, “Securing the PHP Environment With PHPSecInfo,” are now online.

• [PDF](http://funkatron.com/content/Securing the PHP Environment With PhpSecInfo-OSCON2008.pdf)
• Slideshare