Monthly Archives: December 2015

Tell your SSL vendor to randomize the serial number of your certificate !

Are you using SSL for your business ?

Like many of you, we rely on SSL for checking our mails, and doing bank transfers. As I said previously, local banks reduce the amount of money spent of papers by actively encouraging clients to use Internet Banking. I have the latest Android on my mobile phone, and I can connect to Internet Banking using the latest security technologies. However, not everybody can afford the latest android smartphone. A lot of people are still using Android KitKat in Mauritius. If tomorrow, MCB or SBM decide to deprecate SHA-1 for their SSL (a hash algorithm which is getting dangerously weak), and go with SHA 256 (a more secure hash algorithm) only, a lot of clients might not be able to connect to Internet Banking. Why ? It's because many widely-used software do not support SHA-256 very well.

What can we do with certificates with SHA-1 hash ?

CloudFlare proposed here that generating certificates containing SHA-1 hash should randomize the serial number to make it more difficult to forge those digital certificate and impersonate your business. Note that this does not mean that you should not advise your clients to upgrade their hardware and software and relax. It buys your clients more time to properly budget for their upgrade costs of their hardware and software to be SHA 256 ready.

For example, uses SSL. We asked on our SSL vendor forum about randomizing the serial number. We recommend to Banks such as MCB and SBM to ask their SSL vendors about the possibility of randomizing the serial number, with 20-bit entropy. Any other businesses that rely on SSL for their business should consider formulating the same request to their SSL vendors. If your SSL vendor flatly refuses, then you have a reasonable argument for moving to another SSL vendor.

Wrong advice on Tor Usage from presentation on Tor has a presentation on tor on the following page . On the same page, SM mentions that HTML5 elements could be used to leak information about an Internet User even with Tor. This is correct. Several developers were aware of the problem, and there were plans to fix this in orweb. See this URL for : details . This vulnerability was reported in 2013, and fixed in the same year . The presentation, by, took place in 2014.

Firefox as the solution ? uses firefox from Google Playstore, and configures it to work with Tor. From a security perspective, Firefox leaks more metadata than Orweb or tor-browser, due to the lack of patches that Orweb has. In fact, if you look at Tor-browser, you will realize that it's a modified version of Firefox, with a number of patches added on to protect the privacy of the users. Those patches are not in Firefox. Those patches provide several additional layers of security that Firefox on Android DOES NOT provide. The tor project constantly reworks the patches for their Tor-browser and applies the same design principles in Orweb/Orfox. See the design requirements for Orweb, OrFox and Tor-browser here We tested with Orweb & Orfox, and both do not leak, according to It is highly questionable to use Firefox, even with a Mobile proxy, as by default, Firefox is not designed to be as secure as Orweb, Orfox, and Tor-browser.


We recommend Internet users who want to remain anonymous to use orweb/orfox on Android and Tor-browser on their PCs instead of Firefox, and avoid the example presented on ^-^

Find user IP address with Cloudflare & Nginx

A content delivery network (CDN) is a distributed network of servers that delivers content, typically webpages, to users based on their geographic location. A CDN would serve you from a less distant location on the network.

CloudFlare provides such a CDN service. A friend recommended me to use CloudFlare around a year or so, and I do not regret accepting.

Find user IP address with Cloudflare & Nginx

CloudFlare Global Network, Source:

I noticed considerable performance gain when I switched to CloudFlare.

PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=51 time=114 ms
64 bytes from icmp_seq=2 ttl=51 time=115 ms
64 bytes from icmp_seq=3 ttl=51 time=113 ms
64 bytes from icmp_seq=4 ttl=51 time=113 ms
64 bytes from icmp_seq=5 ttl=51 time=114 ms

--- ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 113.856/114.509/115.854/0.847 ms

CloudFlare bundles other features, among which the Firewall allows you to set rules for rogue visitors.

Get the user’s IP address with Nginx

CloudFlare proxies requests to your webserver and as such, your webserver log would record CloudFlare’s IP addresses. In order to obtain the user’s IP address in a request, you would need to activate the True-Client-IP Header from CloudFlare’s administration panel. However, that requires an Enterprise plan. It is not available in the free service.

There is one workaround using the ngx_http_realip_module in Nginx. It allows a change of the client address to one that is specified in the header field. CloudFlare specifies the same in the CF-Connecting-IP field. The technical story can be summed up as follows in the http context of Nginx:

http {

    real_ip_header   CF-Connecting-IP;


The IP addresses specified are those of CloudFlare and they can be obtained here. I suggest checking the page from time to time for updates or you might even monitor changes on the page (^^,) …

Ubuntu & openSUSE come bundled with ngx_http_realip_module. If Nginx is complaining about an unknown directive in your distribution, then you most likely need to compile Nginx with the --with-http_realip_module parameter.

The post Find user IP address with Cloudflare & Nginx appeared first on HACKLOG.

Juniper backdoor explanation

A simple explanation of a backdoor

Irshaad Abdool contacted concerning the Juniper vulnerability here Unfortunately, reverse engineering a firmware image, and explaining assembly code doesn't cut it for a lot of the young IT folks :)

The vulnerability

A strcmp() call was inserted. strcmp() is used for string comparisons. If it's successful, you can proceed, if Not, you are denied. In this particular case, this was inserted right before the normal authentication with SSH (or telnet). So you had your normal login, that went through the normal SSH (and telnet) code, but right before that, you had a special user that could login, and bypass the normal SSH and telnet login. That's in summary how this vulnerability works.

If you have any questions, please send them to us :)

Belgacom & the Juniper backdoor in Mauritius

Juniper Security vulnerability

After Ajay Ramjatan talked about Juniper's latest vulnerability, decided to dig further to know the critical infrastructure in Mauritius that rely on the affected Juniper series. To make it simple, it's an "authorized code that allows someone to remotely decrypt VPN traffic".

Belgacom in Mauritius

Belgacom is present in Mauritius and is selling bandwidth to various ISPs. It obtained its license in 2012. According to Frederic Jacobs' analysis on gist , Belgacom is vulnerable to this vulnerability. The question which we would like Belgacom to answer is how much of Internet traffic from Mauritius is going through vulnerable Juniper equipment ? While, looking for a twitter account for the Mauritian branch, we found none. So, we decided to ask to Belgacom main branch, in the hope that they can explain to us what is the impact on the Internet in Mauritius. Our tweet : here .

Let's see where this lead :)

MaxCDN sponsors GNU Bash logo redesign

bash-orgOn 16 December 2015, Chet Ramey, the maintainer of GNU Bash announced an excited piece of news, that of new logo proposals for GNU Bash. The iconic Bash logo seen on the left was taken from

Depending on the number of votes from the community, one of the below designs could soon sport GNU Bash.


Bash, which is a short form of writing Bourne Again Shell, is a Unix shell that comes bundled in Linux distributions and OS X. Released in 1989, GNU Bash was welcomed as a free software replacement for the Bourne shell.

Unfolding the story behind the Bash logo designs

maxcdn-logoI had this chat with Justin Dorfman, a fellow designer at MaxCDN, who had the idea of the GNU Bash logo redesign. As Justin explains, MaxCDN encourages its staff to contribute to Open Source in various ways.

Now, Justin is a huge fan of Bash, he adores stickers and realizing that GNU Bash doesn’t have an attractive logo, he wrote to Chet Ramey in September asking whether he would be okay with MaxCDN sponsoring a logo redesign. Chet showed the green light and Justin also obtained approval for resources from MaxCDN.

Justin says ProspectOne, the company behind jsDelivr and another freelancer were hired for the task. When the proposals were sent to Chet, he chose three designs by ProspectOne but could not further decide which one to select. Therefore they decided to let the final choice be that of the community and Chet sent the announcement on the bug-bash mailing list.

On the first day ~200 votes were recorded. A user by the name ‘anlar’ then posted about voting for the new bash logo on Reddit, which garnered 160 comments. At the time of writing this post over 12,000 votes were recorded, with logo no. 2 earning 79.3% of the votes.


I thank Justin who provided me an insight of the story behind the new Bash logo. Below are some of the designs that were among the initial proposals.


Is the final GNU Bash logo decided yet? Nah. You still have time to vote for your favorite. Please visit the page, and cast your vote now.

The post MaxCDN sponsors GNU Bash logo redesign appeared first on HACKLOG.

Tor Users in Mauritius

How many tor users in Mauritius ?

Tor is an anonymizing Network, which is free of access by anybody. It hides your Internet Traffic. It is used world-wide by Journalists, dissidents, and various groups. The question of the number of Tor users in Mauritius has been on the mind of for a while. We expect at most around, 200 Users at most. Upon looking at the Tor statistics, we realised that there are around 700 active Tor Users from Mauritius !! We were shocked ! URL here: Tor from Mauritius.

Why is that number so high in Mauritius ?

One of the first acts of Internet Censorship in Mauritius occured in 2007, when ICTA ordered all of the ISPs to block facebook. We believe that this caused people to get interested in technologies such as Tor that protect their online privacy, and prevent censorship.

More cases of censorship ?

It is very likely that we will see more attempts by the government of Mauritius to censor the Internet. ICTA has deployed a blackbox to block child pornography. However, the setting up of the blackbox was shrouded in secrecy as Internet Users were not invited to the public consultation. has been advocating the use of Tor in Mauritius since day one, on top of our other initiatives such as promoting signal, an SMS/voice encrypted communication medium, which is easy to use. We have also sent patches to Tor & Signal to try to make those privacy tools better.

Conferences about Freedom, Privacy and Security in Mauritius

We would like to see more conferences about protecting the privacy of Internet Citizens in Mauritius. The government should implement measures to protect our privacy, as written in the Constitution of Mauritius. The High number of Tor Users in Mauritius is a sign that people feel that their privacy is not being respected by the Government of Mauritius.

Vote for your favorite Bash logo

Chet Ramey, maintainer of GNU Bash, the popular shell that comes bundled with Linux distributions, announced earlier that he received new logo proposals for Bash. In his message on the bug-bash mail list, he invites Bash users to vote for their favorite among the three logo proposals that he received from Justin Dorfman.



Chet shared a Google form allowing people to cast their vote. I like the second proposal and voted for the same. At the time I voted the form recorded 12 responses, out of which the second logo received 11.


If you’d like to see your favorite logo sport GNU Bash, cast your vote now :)

The post Vote for your favorite Bash logo appeared first on HACKLOG.

Evaluating linphone (Part I)

Feedback from France

Jean Elchinger wrote to us arguing that promoting signal is not a good idea. Instead, he proposed the idea of linphone for encrypted voice calls. decided to evaluate linphone, and see if we could recommend it to Internet citizens in Mauritius.

What is Linphone ?

Linphone is a VOIP application that relies on the SIP protocol. Optionally, it supports encryption. However, this is not enabled by default. You can use linphone over wifi or even across 3g/4g networks.


We grabbed linphone from Google Play Store. The installation went more or less smoothly. We had to create a SIP account, and wait for the registration mail. Once you confirm by clicking on the link in the mail, it takes a few minutes until your account is usable. [linphone could have implemented a "WAITING for account activation" instead of saying "account deactivated". We found this slightly confusing]. Compared to signal, it takes longer to get up to speed. The advantage of linphone is that you can use the same client, as it supports MAC OS X & Linux.

Encrypting our voice calls

As we said earlier, linphone is closer to a VOIP client, and does not enforce, encryption by default. This requires users to go to settings > network > media encryption and selecting one of the options available.

Voice quality

We are waiting for other to create their SIP account to test the voice quality. This will be done in a future blog post.

Source code quality

When talking about online security, one of the first things does is to look at the source code, and see how well designed is the code. In the case of linphone, so far, we find the code to be quite good. We did suggest improvements to the randomization functions, and submitted a patch to the linphone developers. Geeky details here.

Recommendation for the masses ?

Will recommend linphone to Internet Users in Mauritius ? We could recommend it to technically savvy people who distrust Google. However, we feel that the UX & account creation process could be simplified further. Right now, signal is much more user friendly, and thus more suitable for massive user adoption.

BCP38 and Orange (Part II)

More gruelling tests

Yesterday, I was sitting behind a Linux-based modem. This time, I hooked my MAC OS X machine directly to the modem, and used the PPPoE client on the MAC to get a public IPv4 address. This has the advantage of eliminating any address rewriting by the Linux-based router.

Refresher: What is BCP-38 ?

BCP-38 is a recommended Internet Standard that essentially aims at eliminating Source Address Spoofing. This has been the cause of a lot of trouble lately on the Internet. A few days ago, A massive DDOS attack was launched againt the DNS infrastructure of the Internet. Had BCP-38 been implemented all over the world, we would see less of those attacks. Those attacks are crippling to the Internet, as almost any service (facebook, twitter, instagram) relies on DNS to work so that users can reach them.

Orange and BCP-38

Running spoofer for MAC again:
>> CAIDA IP Spoofing Tester v0.8d
>> Copyright 2015 The Regents of the University of California
>> Copyright 2004-2009 Rob Beverly

The results

After running the test for a while, It gives you a URL which gives you a summary. Quoting from my URL :
Test run at: 2015-12-15 01:54:43
Test from:
Test OS: OSX
Sourced Probes: 93
Can spoof private address no
Can spoof routable address no
Largest neighbor prefix that can be spoofed none


Surprisingly, Orange(Mauritius) implements a fairly complete BCP-38. It is not possible to spoof a number of IP addresses from within the Orange network. Orange deserves some praise for their level of BCP-38 :) As for other ISPs such as Emtel and Bharat, we are currently looking at testing their BCP-38 compliance level.