Python upped, Persona non grata, Markdown marked and more – Snippets

Snippets
Python 3.3.5 released: The latest update to Python 3.3 fixes two regressions, in zipimport and in executing scripts, and alleviates a potential denial of service. Mac users should pay particular attention, as 3.3.5 now fully supports OS X 10.9, fixing a bug which could cause “previous versions of Python to crash when typing in interactive mode”.

Persona (non grata): Mozilla’s Persona is being “transferred to community ownership”. As yet another project is cut adrift from Mozilla in a fuzzy, vaguely friendly way, it’s worth making a note that you shouldn’t bet on Mozilla projects for the long term, unless they are called Firefox or run on a phone. Mozilla’s habit of creating projects which don’t fulfill one of their own needs seems to have created this problem, but on the plus side they are not decommissioning it, so they aren’t pulling a Google Reader. Which is good, given folks like microco.sm use Persona for login.

Markdown editing for the web: Markdown is everywhere these days, and what’s been missing is a good editor for Markdown-formatted plain text which can be embedded in the browser as a replacement for the WYSIWYG-to-no-particular-format editors. And here it could well be, in the form of EpicEditor, complete with import, export, in-place preview, full screen (with 50/50 edit/preview), custom parsers, extensions, event hooks, theming and more, all invokable from a single line of JavaScript.

Loose bits: Ivan Ristic shows you how to roll your own Apple ‘goto fail’ TLS bug test server, and the process is worth noting for future SSL/TLS tests – Or, post GnuTLS’s ‘goto cleanup’ fail, you can get your head down and help audit GnuTLS with this handy list of “places to look” where unchecked data comes into the library – Or you can kick back with the 6809, a great CPU, now being emulated in JavaScript.

Android’s SSL downgrade, Mozilla’s SSL, Linux PRNG and SafeCurves – Security Snippets

Security Snippets

  • Android’s Cipher Downgrade: According to this blog posting, Android’s cipher suite list – that is, the ordered list of ciphers it offers when establishing a secure connection – changed in late 2010, with AES256-SHA removed from the top and RC4-MD5 put in its place. This means Android 2.2.1 has a better default cipher than Android 2.3.4 and everything that follows. The analysis shows that Google were apparently following Java’s cipher list changes, but that in 2011 Java 7 got a better cipher list and Android, being based on Java 6, didn’t. There are details in the post of how to fix that, and the comments touch on some of the reasons for the oddness.
  • Mozilla SSL: Looking for a place to start when coming up with how to configure your secure server’s SSL/TLS? Check out Mozilla’s Server Side TLS Wiki page which gives their recommended ciphersuites, priorities, forward secrecy hints, OCSP stapling info and a number of recommended server configurations. NGINX gets rated for “best TLS support at the moment” and the page finishes up with a how-to on building with OpenSSL and a run down of all the configuration parameters.
  • SafeCurves: As you may know, Elliptic Curve crypto took a knock in the recent NSA reveals, when it appeared that the NIST standard curve in use was believed to have been manipulated, probably to make it easier to crack. At safecurves.cr.yp.to research is ongoing into a range of curves from various standards, in a quest to find a safe and secure curve. Crypto-wonks will love this paper, and there’s code to let folks independently verify the results.
  • Extra: Red Hat’s Security Update: A small reminder came my way that the recent RHEL 6.5 beta release includes lashings of crypto updates as part of the wider refresh of Red Hat’s OS. OpenSSL and NSS are updated and now get TLS 1.1 and 1.2 support.
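To make the Android cipher downgrade item above concrete, here is an added Java example (not code from the blog post or from Android itself) showing the defensive move an app can make: take the platform’s default enabled cipher suites, drop anything RC4- or MD5-based, and push the AES suites to the front before the handshake. The class name `CipherPreference`, the `harden` and `apply` helpers, and the sample suite list are assumptions constructed for this example; the JSSE suite names and the `SSLSocket` methods are standard.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLSocket;

// Hypothetical helper: reorder a socket's enabled cipher suites so that AES
// suites are offered first and RC4/MD5 suites are not offered at all, which
// counters a platform default that places RC4-MD5 at the top of the list.
public final class CipherPreference {

    // Pure function (no network needed to check it): returns the suites from
    // `enabled` with RC4/MD5 removed and AES suites moved to the front, while
    // keeping the relative order of everything else.
    static String[] harden(String[] enabled) {
        List<String> aes = new ArrayList<>();
        List<String> rest = new ArrayList<>();
        for (String suite : enabled) {
            if (suite.contains("RC4") || suite.endsWith("MD5")) {
                continue;            // weak: never offer these
            }
            if (suite.contains("AES")) {
                aes.add(suite);      // preferred: offered first
            } else {
                rest.add(suite);     // everything else keeps its order
            }
        }
        aes.addAll(rest);
        return aes.toArray(new String[0]);
    }

    // Apply the hardened order to a freshly created socket, before startHandshake().
    static void apply(SSLSocket socket) {
        socket.setEnabledCipherSuites(harden(socket.getEnabledCipherSuites()));
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the post's description of the newer
        // Android default: RC4-MD5 ahead of the AES suites.
        String[] androidDefault = {
            "SSL_RSA_WITH_RC4_128_MD5",
            "SSL_RSA_WITH_RC4_128_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        };
        System.out.println(Arrays.toString(harden(androidDefault)));
    }
}
```

The server still makes the final choice, so this only removes the client's contribution to the downgrade; pair it with a server configuration that does not accept RC4 at all.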