rabbit-slide-zundan-rubykaigi2015-lt 1.0.0
- checksums.yaml +7 -0
- data/.rabbit +1 -0
- data/2015sf_Heroku_logo_RGB.png +0 -0
- data/Do you trust that certificate?.pdf +0 -0
- data/README.md +16 -0
- data/Rakefile +17 -0
- data/anmitsu.jpg +0 -0
- data/cert-in-gems.rab +250 -0
- data/config.yaml +19 -0
- data/heroku-logotype-horizontal-purple.png +0 -0
- data/hyuki-cr3.jpg +0 -0
- data/pdf/rubykaigi2015-lt-cert-in-gems.pdf +0 -0
- metadata +86 -0
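--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: 48b804f10b65db3a5097ef5f35cc4a713d9bc80d
+data.tar.gz: 994cb1571fc743c965a63bfc7c4bffed64677496
+SHA512:
+metadata.gz: 7a4f59ce560b480c0db2e5379dffd53f2b62c9825d7e013059b504224f7f70faeb9f13bffff9a3e7010f0fe5271fba21fb6090ed3d9561ad8fb7aaa608f2d923
+data.tar.gz: 7a251c6f183d9a06f990553db82f1960be4f277fd8bfb048af44149adf8cee7eda4ff5a6b91a7b4968daab2fc79f9cafbc17196976cd2d3c5659b8a6f9910ca7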
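--- a/data/.rabbit
+++ b/data/.rabbit
@@ -0,0 +1 @@
+cert-in-gems.rab --paper-size=792,612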
Binary file
|
Binary file
|
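--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,16 @@
+Do you trust that certificate?
+------------------------------
+A [rabbit](http://rabbit-shocker.org/) presentation presented as a [Lighting Talk at RubyKaigi 2015](http://rubykaigi.org/2015/presentations/lt).
+
+I hope to communicate to developers of web apps, especially of those handles payment information, that they should be aware of what they trust when developing an app. This should make the app more secure and make the developers aware of when to update gems or certs.
+
+## Usage
+Install rabbit and run `rake`
+
+## Abstract
+Some developers don't seem to take too much care of which CA certificates they trust when connecting to external services from their web apps. Certificates may come with the OS the app is running on or Ruby gems the app depends upon. This is not secure nor good for continued operation of the app. I will try to let the listeners know this fact and request to think the best way to maintain certificates depending upon the needs of their apps.
+
+## License
+[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0/)
+
+Copyright 2015 by zunda <zundan at gmail.com>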
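--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,17 @@
+require "rabbit/task/slide"
+
+# Edit ./config.yaml to customize meta data
+
+spec = nil
+Rabbit::Task::Slide.new do |task|
+spec = task.spec
+# spec.files += Dir.glob("doc/**/*.*")
+# spec.files -= Dir.glob("private/**/*.*")
+spec.add_runtime_dependency("lightning-talk-with-code.rb")
+end
+
+desc "Tag #{spec.version}"
+task :tag do
+sh("git", "tag", "-a", spec.version.to_s, "-m", "Publish #{spec.version}")
+sh("git", "push", "--tags")
+end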
data/anmitsu.jpg
ADDED
Binary file
|
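--- a/data/cert-in-gems.rab
+++ b/data/cert-in-gems.rab
@@ -0,0 +1,250 @@
+= Do you trust that certificate?
+# : subtitle
+# SUBTITLE
+#: author
+# zunda
+#: institution
+# Heroku/Support
+# : content-source
+# RubyKaigi 2015
+#: date
+# 2015-12-12
+: allotted-time
+5m
+: theme
+lightning-talk-with-code
+
+= @zundan
+# image
+# src = anmitsu.jpg
+# relative_height = 100
+= @zundan
+# image
+# src = 2015sf_Heroku_logo_RGB.png
+# relative_width = 100
+= @zundan
+# image
+# src = heroku-logotype-horizontal-purple.png
+# relative_width = 100
+
+= Important!
+# image
+# src = hyuki-cr3.jpg
+# relative_width = 100
+= Introduction to modern cryptography
+= www.hyuki.com/cr/
+# image
+# src = hyuki-cr3.jpg
+# relative_width = 100
+
+= Transport Layer Security
+= Secure Socket Layer
+= TLS/SSL
+= https://
+
+= A web application
+= Receives requests
+= Calls external resources
+= That handles secret information
+
+= How does app trust them?
+= PKI
+= Public-key infrastructure
+= Server certificate
+= Signed by Certificate Authority
+= Certificate chain
+ssl.zunda.ninja:443
+|
+COMODO RSA Validation Secure Server CA
+|
+COMODO RSA Certification Authority
+|
+|
+AddTrust External CA Root
+
+= One day
+= Error
+= Error
+# blockquote
+SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify
+
+= I did not change anything!
+= but
+= Something outside has changed
+= Error
+# blockquote
+SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify
+
+= Certificate chain
+ssl.zunda.ninja:443
+|
+[NEW] Some Server CA
+|
+[NEW] Some Certification Authority
+|
+|
+[NEW] Unknown CA Root
+
+= 2014-09 1024 bit hash
+= 2015-09 SHA-1
+= Replace with new certs
+= On new CA certs
+= That app does not know
+= Certificate chain
+ssl.zunda.ninja:443
+|
+[NEW] Some Server CA
+|
+[NEW] Some Certification Authority
+|
+|
+[????]
+
+= Error
+# blockquote
+SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify
+
+= So ...
+= $ bundle update
+= well ...
+= Include new CA cert in app
+= Monkey patch to use it
+= Net::HTTP
+# enscript ruby
+module Net
+class HTTP
+alias_method :original_use_ssl=, :use_ssl=
+
+def use_ssl=(flag)
+self.ca_file = File.dirname(__FILE__) + \
+'/../../certs/cacert.pem'
+self.verify_mode = OpenSSL::SSL::VERIFY_PEER
+self.original_use_ssl = flag
+end
+end
+end
+
+= ActiveMerchant
+# enscript ruby
+module ActiveMerchant
+class Connection
+def configure_ssl(http)
+return unless endpoint.scheme == "https"
+http.use_ssl = true
+if verify_peer
+http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+http.ca_file = File.dirname(__FILE__) + \
+'/../../certs/cacert.pem'
+else
+http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+end
+end
+end
+end
+
+= System's CA certs
+= Where are they?
+= System's certs
+# enscript sh
+$ openssl version -d
+OPENSSLDIR: "/usr/lib/ssl"
+
+$ ls /usr/lib/ssl
+certs@ misc/ openssl.cnf@ private@
+
+$ ls -l /usr/lib/ssl/certs
+... /usr/lib/ssl/certs -> /etc/ssl/certs/
+
+= openssl/ssl.rb
+# blockquote
+If the verify_mode is not VERIFY_NONE and ca_file, ca_path and
+cert_store are not set then the system default certificate store is
+used.
+
+= openssl/ssl.rb
+# enscript ruby
+module OpenSSL
+module SSL
+class SSLContext
+def set_params(params={})
+# snip
+if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
+unless self.ca_file or self.ca_path or self.cert_store
+self.cert_store = OpenSSL::X509::Store.new
+end
+end
+return params
+end
+end
+end
+end
+
+= System's certs
+# enscript ruby
+module ActiveMerchant
+class Connection
+def configure_ssl(http)
+return unless endpoint.scheme == "https"
+http.use_ssl = true
+if verify_peer
+http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+http.ca_path = nil
+http.ca_file = nil
+else
+http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+end
+end
+end
+end
+
+= Anyway
+= Remember what we trust
+
+= What are coming?
+= 2016-06-01
+= Symantec certs on Google products?
+
+= Will there be updates?
+= On Ubuntu
+* :
+* 2013-01-19
+* 2013-06-10
+* 2013-09-06
+* 2014-03-25
+* 2014-10-19
+* 2015-04-26 ((-((<launchpad - ca-certificates|URL:https://launchpad.net/ubuntu/+source/ca-certificates/+changelog>))-))
+
+= On ActiveMerchant
+* 2007-03-03
+* 2011-09-15
+* 2015-01-16 ((-((<activemerchant - active_merchant|URL:https://github.com/activemerchant/active_merchant/commits/master/lib/certs/cacert.pem>))-))
+
+= Remember and be prepared!
+
+= Once more
+= www.hyuki.com/cr/
+# image
+# src = hyuki-cr3.jpg
+# relative_width = 100
+
+= CRL
+= Certificate Revocation List
+= How are we updating this?
+
+= SSL and TLS1.0 will be disabled
+= PCI Compliance
+= Payment Card Industry
+
+= Remember what we trust
+
+= URLs
+* ((<暗号技術入門|URL:https:/www.hyuki.com/cr/>))
+* ((<Phasing out Certificates with 1024-bit RSA Keys|URL:https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/>))
+* ((<SHA-1|URL:https://ja.wikipedia.org/wiki/SHA-1>))
+* ((<AWS to Switch to SHA256 Hash Algorithm for SSL Certificates|URL:https://aws.amazon.com/security/security-bulletins/aws-to-switch-to-sha256-hash-algorithm-for-ssl-certificates/>))
+* ((<Sustaining Digital Certificate Security|URL:https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html>))
+
+= CC BY-ND 4.0
+Presented as a lightning talk in RubyKaigi 2015 on 2015-12-12
+
+Copyright 2015 by zunda <zundan@gmail.com>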
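--- a/data/config.yaml
+++ b/data/config.yaml
@@ -0,0 +1,19 @@
+---
+id: rubykaigi2015-lt
+base_name: cert-in-gems
+tags: []
+presentation_date:
+version: 1.0.0
+licenses: []
+slideshare_id: rubykaigi2015-lt
+speaker_deck_id:
+ustream_id:
+vimeo_id:
+youtube_id:
+author:
+markup_language: :rd
+name: zunda
+email: zundan@gmail.com
+rubygems_user: zundan
+slideshare_user: zunda
+speaker_deck_user: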
Binary file
|
data/hyuki-cr3.jpg
ADDED
Binary file
|
Binary file
|
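--- a/metadata
+++ b/metadata
@@ -0,0 +1,86 @@
+--- !ruby/object:Gem::Specification
+name: rabbit-slide-zundan-rubykaigi2015-lt
+version: !ruby/object:Gem::Version
+version: 1.0.0
+platform: ruby
+authors:
+- zunda
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2015-12-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: rabbit
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.0.2
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.0.2
+- !ruby/object:Gem::Dependency
+name: lightning-talk-with-code.rb
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+description: I hope to communicate to developers of web apps, especially of those
+handles payment information, that they should be aware of what they trust when developing
+an app. This should make the app more secure and make the developers aware of when
+to update gems or certs.
+email:
+- zundan@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rabbit"
+- 2015sf_Heroku_logo_RGB.png
+- Do you trust that certificate?.pdf
+- README.md
+- Rakefile
+- anmitsu.jpg
+- cert-in-gems.rab
+- config.yaml
+- heroku-logotype-horizontal-purple.png
+- hyuki-cr3.jpg
+- pdf/rubykaigi2015-lt-cert-in-gems.pdf
+homepage: http://slide.rabbit-shocker.org/authors/zundan/rubykaigi2015-lt/
+licenses: []
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.2.2
+signing_key:
+specification_version: 4
+summary: Do you trust that certificate? ------------------------------ A [rabbit](http://rabbit-shocker.org/)
+presentation presented as a [Lighting Talk at RubyKaigi 2015](http://rubykaigi.org/2015/presentations/lt).
+test_files: []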