Domain: slproweb.com
Stories and comments across the archive that link to slproweb.com.
Comments · 8
-
Re:NSA is so annoyed right now
Good point, I believe they can patch it here http://slproweb.com/download/Win32OpenSSL_Light-1_0_1g.exe
They would need to copy libeay32.dll ssleay32.dll and libssl.dll and overwrite all copies on their system, not just in the windows\system folder
-
Re:OHH MY EYES!!> their site looks like 1990s took a trip to the future and vomited
I echo my sibling's comment in that I have no problem at all with the website's style - I'd far rather have a simplistic straightforward HTML-driven site than some stupid Javascript-redirect-driven graphic-design student project. This is really important for security-related software distribution sites where it's necessary to be absolutely sure where your downloads are coming from.
The site does however have some problems with organisation of content - e.g. it'd be nice if they followed some more de-facto site-structure conventions like having a "Downloads" link to a page which provides the source tarballs, and states explicitly that there are no binaries available
... and maybe even provides links to the more common Linux distro repositories where binaries may be found, even places where (gasp) Windows binaries can be found .... like http://www.stunnel.org/download/binaries.html (the place I always used to go to get my Windows OpenSSL binaries, but which seems a little unmaintained these days) .... or http://www.slproweb.com/products/Win32OpenSSL.html (which is a lot more up to date, and professionally organised).There is an openssl.org page with info about Win32 binaries
:
http://www.openssl.org/related/binaries.html
(which links to the www.slproweb.com site) but it's not easy to find (IMHO).And then there's the awful documentation, as many others have mentioned. I'd offer to help out with that if I was half-way crypto-competent enough to do so.
But the site's retro style is fine
... the use of colours is restful on the eyes, and avoids use of the stupid 2-point flyspec fonts so beloved of those whose eyes are much younger than mine and who aren't worrying about damaging them :) -
Re:Like the JPEG "virus" - secure C code How to...Any programmer worth his salt knows that he has to check for invalid data, yet so many software developers (both open source and closed source) let code go to production levels that fails to perform even the most basic of validations.
Doesn't do any good if your boss doesn't want you to spend the extra time coding the data validation code in order to get the job done now to keep expenses down. As we all know, time *is* money. (as is paying labor/brainpower/both)
So much for an ounce of prevention is worth a pound of cure.
If you truly care about 'secure code', do what this guy does.
Below text is from a .chm file for his secure webserver. I posted the text here a few times before but always cause the Slashdot link to that post to 'scroll' off my post list (no, I'm not subscribing just to get access to my entire posting history...) Maybe I can keep the link to this post handy in case I have to do this again... Also, I am not a shill for this guy touting his product -- I am a fan of simple, elegant, secure code as you'll see below....
My only complaint is that the text below should be on a normal HTML web page as it should be required reading to all programmers everywere. The simple technique described below will make software secure at a fundamental level and make it all but impossible to exploit....Security. There's a little word with a big meaning. Unlike other web servers, ProtoNova is secure. What exactly does this mean in terms of what a web server should be?
[snip]
Before I conclude, I have one other thing I wish to mention that defines security. This is the fact that ProtoNova is the only web server in existence guaranteed to be free from Buffer Overflow attacks on the stack at the application level. Let's see you try to get a guarantee like that from Apache or Microsoft. While I can't control problems with the underlying OS or libraries, I can control how I write my own code. Here's my secret to how I can make such a guarantee: Dynamically allocate all memory I use on the heap. 90% of all bug fixes for exploits (potential or otherwise) coming out of various organizations (ahem, Micro<cough>soft) are for Buffer Overflow attacks on the stack. A buffer overflow on the heap is far less dangerous than a stack-based overflow. If you don't know the difference, let me show you that I really do know what I'm talking about (whereas most journalists generally have no clue) using some C code - that is, the language most web servers are written in:
// Include necessary headers to compile
#include <stdio.h>
#include <stdlib.h>
// Start of the "main" function - used to tell the OS where
// to start processing source code.
int main(int argc, char **argv)
{ // Tells the computer to create 256 places in memory _on the stack_ for storage.
char str[256];
// This just tells the user how to use the program. // Not really important, but useful.
if (argc < 2)
{
printf("Syntax: BadProgram TypeInAReallyLongString");
exit(1);
}
// This copies the data the _user_ specified into str.
strcpy(str, argv[1]);
// This prints the contents of str.
printf("%s\n", str);
return 0;
}
(For you programmers out there, please ignore the comments. I realize they are "basic/newbie," but I'm attempting to explain source code to newbies).
The example above is extremely dangerous. Why? It is because there is only room reserved for 256 places in the computer's memory. What happens if the user enters data for 1000 places? This is w -
Re:Like the JPEG "virus" - secure C code How to...Any programmer worth his salt knows that he has to check for invalid data, yet so many software developers (both open source and closed source) let code go to production levels that fails to perform even the most basic of validations.
Doesn't do any good if your boss doesn't want you to spend the extra time coding the data validation code in order to get the job done now to keep expenses down. As we all know, time *is* money. (as is paying labor/brainpower/both)
So much for an ounce of prevention is worth a pound of cure.
If you truly care about 'secure code', do what this guy does.
Below text is from a .chm file for his secure webserver. I posted the text here a few times before but always cause the Slashdot link to that post to 'scroll' off my post list (no, I'm not subscribing just to get access to my entire posting history...) Maybe I can keep the link to this post handy in case I have to do this again... Also, I am not a shill for this guy touting his product -- I am a fan of simple, elegant, secure code as you'll see below....
My only complaint is that the text below should be on a normal HTML web page as it should be required reading to all programmers everywere. The simple technique described below will make software secure at a fundamental level and make it all but impossible to exploit....Security. There's a little word with a big meaning. Unlike other web servers, ProtoNova is secure. What exactly does this mean in terms of what a web server should be?
[snip]
Before I conclude, I have one other thing I wish to mention that defines security. This is the fact that ProtoNova is the only web server in existence guaranteed to be free from Buffer Overflow attacks on the stack at the application level. Let's see you try to get a guarantee like that from Apache or Microsoft. While I can't control problems with the underlying OS or libraries, I can control how I write my own code. Here's my secret to how I can make such a guarantee: Dynamically allocate all memory I use on the heap. 90% of all bug fixes for exploits (potential or otherwise) coming out of various organizations (ahem, Micro<cough>soft) are for Buffer Overflow attacks on the stack. A buffer overflow on the heap is far less dangerous than a stack-based overflow. If you don't know the difference, let me show you that I really do know what I'm talking about (whereas most journalists generally have no clue) using some C code - that is, the language most web servers are written in:
// Include necessary headers to compile
#include <stdio.h>
#include <stdlib.h>
// Start of the "main" function - used to tell the OS where
// to start processing source code.
int main(int argc, char **argv)
{ // Tells the computer to create 256 places in memory _on the stack_ for storage.
char str[256];
// This just tells the user how to use the program. // Not really important, but useful.
if (argc < 2)
{
printf("Syntax: BadProgram TypeInAReallyLongString");
exit(1);
}
// This copies the data the _user_ specified into str.
strcpy(str, argv[1]);
// This prints the contents of str.
printf("%s\n", str);
return 0;
}
(For you programmers out there, please ignore the comments. I realize they are "basic/newbie," but I'm attempting to explain source code to newbies).
The example above is extremely dangerous. Why? It is because there is only room reserved for 256 places in the computer's memory. What happens if the user enters data for 1000 places? This is w -
Re:It's part of Microsoft's plan - MOD PARENT UP!I heartily agree!
But 'backwards compatibility' made Windows the (in)famous clusterfsck it is.
Imagine how stable and secure Windows would be if Microsoft rewrote and streamlined it (goodbye .dll hell!) and the apps that they put out that use it from the ground up to avoid all the exploits and what not like this programmer (.chm) does... (His Win32 OpenSSL 'repack' was very useful to me on a past project. Here is his 'about me' page. Just on the strength of the blockqoute below, I know this guy knows what he is doing and deserves any work/support you can send his way....)
There is more to life than 'just making a buck', but when this is done at the corporate level, it transforms everybody it touches to seen-it-all, done-it-all cynics who keep their funds close to them, part with them only when necessary (food/clothing/shelter/heat/lights/vehicle fuel and maintennance/public transport fares/occasional recreational spending) and do anything they can to escape its clutches (i.e. use adblock when online, and A/V devices capable of 'adskipping').
(I 'posted' the text below in an earlier comment here but I can't find the link to it right away. Note, I'm not a shill for this guy, just an admirer of simple, elegant, secure C program code that I can learn from and use in future projects.... It would be nice if the following, complete text was on a standard webpage instead of being imbedded in a compiled HTML file (.chm) =/ )Security. There's a little word with a big meaning. Unlike other web servers, ProtoNova is secure. What exactly does this mean in terms of what a web server should be?
[snip]
Before I conclude, I have one other thing I wish to mention that defines security. This is the fact that ProtoNova is the only web server in existence guaranteed to be free from Buffer Overflow attacks on the stack at the application level. Let's see you try to get a guarantee like that from Apache or Microsoft. While I can't control problems with the underlying OS or libraries, I can control how I write my own code. Here's my secret to how I can make such a guarantee: Dynamically allocate all memory I use on the heap. 90% of all bug fixes for exploits (potential or otherwise) coming out of various organizations (ahem, Microsoft) are for Buffer Overflow attacks on the stack. A buffer overflow on the heap is far less dangerous than a stack-based overflow. If you don't know the difference, let me show you that I really do know what I'm talking about (whereas most journalists generally have no clue) using some C code - that is, the language most web servers are written in: // Include necessary headers to compile
#include <stdio.h>
#include <stdlib.h>
// Start of the "main" function - used to tell the OS where
// to start processing source code.
int main(int argc, char **argv)
{ // Tells the computer to create 256 places in memory _on the stack_ for storage.
char str[256];
// This just tells the user how to use the program. // Not really important, but useful.
if (argc < 2)
{
printf("Syntax: BadProgram TypeInAReallyLongString");
exit(1);
}
// This copies the data the _user_ specified into str.
strcpy(str, argv[1]);
// This prints the contents of str.
printf("%s\n", str);
return 0;
}(For you programmers out there, please ignore the comments. I realize they are "basic/newbie," but I'm attempting to explain source code to newbies).
The example above is ext -
Re:It's part of Microsoft's plan - MOD PARENT UP!I heartily agree!
But 'backwards compatibility' made Windows the (in)famous clusterfsck it is.
Imagine how stable and secure Windows would be if Microsoft rewrote and streamlined it (goodbye .dll hell!) and the apps that they put out that use it from the ground up to avoid all the exploits and what not like this programmer (.chm) does... (His Win32 OpenSSL 'repack' was very useful to me on a past project. Here is his 'about me' page. Just on the strength of the blockqoute below, I know this guy knows what he is doing and deserves any work/support you can send his way....)
There is more to life than 'just making a buck', but when this is done at the corporate level, it transforms everybody it touches to seen-it-all, done-it-all cynics who keep their funds close to them, part with them only when necessary (food/clothing/shelter/heat/lights/vehicle fuel and maintennance/public transport fares/occasional recreational spending) and do anything they can to escape its clutches (i.e. use adblock when online, and A/V devices capable of 'adskipping').
(I 'posted' the text below in an earlier comment here but I can't find the link to it right away. Note, I'm not a shill for this guy, just an admirer of simple, elegant, secure C program code that I can learn from and use in future projects.... It would be nice if the following, complete text was on a standard webpage instead of being imbedded in a compiled HTML file (.chm) =/ )Security. There's a little word with a big meaning. Unlike other web servers, ProtoNova is secure. What exactly does this mean in terms of what a web server should be?
[snip]
Before I conclude, I have one other thing I wish to mention that defines security. This is the fact that ProtoNova is the only web server in existence guaranteed to be free from Buffer Overflow attacks on the stack at the application level. Let's see you try to get a guarantee like that from Apache or Microsoft. While I can't control problems with the underlying OS or libraries, I can control how I write my own code. Here's my secret to how I can make such a guarantee: Dynamically allocate all memory I use on the heap. 90% of all bug fixes for exploits (potential or otherwise) coming out of various organizations (ahem, Microsoft) are for Buffer Overflow attacks on the stack. A buffer overflow on the heap is far less dangerous than a stack-based overflow. If you don't know the difference, let me show you that I really do know what I'm talking about (whereas most journalists generally have no clue) using some C code - that is, the language most web servers are written in: // Include necessary headers to compile
#include <stdio.h>
#include <stdlib.h>
// Start of the "main" function - used to tell the OS where
// to start processing source code.
int main(int argc, char **argv)
{ // Tells the computer to create 256 places in memory _on the stack_ for storage.
char str[256];
// This just tells the user how to use the program. // Not really important, but useful.
if (argc < 2)
{
printf("Syntax: BadProgram TypeInAReallyLongString");
exit(1);
}
// This copies the data the _user_ specified into str.
strcpy(str, argv[1]);
// This prints the contents of str.
printf("%s\n", str);
return 0;
}(For you programmers out there, please ignore the comments. I realize they are "basic/newbie," but I'm attempting to explain source code to newbies).
The example above is ext -
Re:It's part of Microsoft's plan - MOD PARENT UP!I heartily agree!
But 'backwards compatibility' made Windows the (in)famous clusterfsck it is.
Imagine how stable and secure Windows would be if Microsoft rewrote and streamlined it (goodbye .dll hell!) and the apps that they put out that use it from the ground up to avoid all the exploits and what not like this programmer (.chm) does... (His Win32 OpenSSL 'repack' was very useful to me on a past project. Here is his 'about me' page. Just on the strength of the blockqoute below, I know this guy knows what he is doing and deserves any work/support you can send his way....)
There is more to life than 'just making a buck', but when this is done at the corporate level, it transforms everybody it touches to seen-it-all, done-it-all cynics who keep their funds close to them, part with them only when necessary (food/clothing/shelter/heat/lights/vehicle fuel and maintennance/public transport fares/occasional recreational spending) and do anything they can to escape its clutches (i.e. use adblock when online, and A/V devices capable of 'adskipping').
(I 'posted' the text below in an earlier comment here but I can't find the link to it right away. Note, I'm not a shill for this guy, just an admirer of simple, elegant, secure C program code that I can learn from and use in future projects.... It would be nice if the following, complete text was on a standard webpage instead of being imbedded in a compiled HTML file (.chm) =/ )Security. There's a little word with a big meaning. Unlike other web servers, ProtoNova is secure. What exactly does this mean in terms of what a web server should be?
[snip]
Before I conclude, I have one other thing I wish to mention that defines security. This is the fact that ProtoNova is the only web server in existence guaranteed to be free from Buffer Overflow attacks on the stack at the application level. Let's see you try to get a guarantee like that from Apache or Microsoft. While I can't control problems with the underlying OS or libraries, I can control how I write my own code. Here's my secret to how I can make such a guarantee: Dynamically allocate all memory I use on the heap. 90% of all bug fixes for exploits (potential or otherwise) coming out of various organizations (ahem, Microsoft) are for Buffer Overflow attacks on the stack. A buffer overflow on the heap is far less dangerous than a stack-based overflow. If you don't know the difference, let me show you that I really do know what I'm talking about (whereas most journalists generally have no clue) using some C code - that is, the language most web servers are written in: // Include necessary headers to compile
#include <stdio.h>
#include <stdlib.h>
// Start of the "main" function - used to tell the OS where
// to start processing source code.
int main(int argc, char **argv)
{ // Tells the computer to create 256 places in memory _on the stack_ for storage.
char str[256];
// This just tells the user how to use the program. // Not really important, but useful.
if (argc < 2)
{
printf("Syntax: BadProgram TypeInAReallyLongString");
exit(1);
}
// This copies the data the _user_ specified into str.
strcpy(str, argv[1]);
// This prints the contents of str.
printf("%s\n", str);
return 0;
}(For you programmers out there, please ignore the comments. I realize they are "basic/newbie," but I'm attempting to explain source code to newbies).
The example above is ext -
How to stop stack/heap exploits for *GOOD!*This coder's approach makes sense AND WORKS!
(Note: I am not a shill/user of his software but am a fellow coder always on the lookout for good, elegant, useful code and ideas to use in future projects....)
From
http://www.slproweb.com/download/ProtoNova_ID.chm
Discussion on Security
[snip]
Before I conclude, I have one other thing I wish to mention that defines security. This is the fact that ProtoNova is the only web server in existence guaranteed to be free from Buffer Overflow attacks on the stack at the application level. Let's see you try to get a guarantee like that from Apache or Microsoft. While I can't control problems with the underlying OS or libraries, I can control how I write my own code. Here's my secret to how I can make such a guarantee: Dynamically allocate all memory I use on the heap. 90% of all bug fixes for exploits (potential or otherwise) coming out of various organizations (ahem, Microsoft) are for Buffer Overflow attacks on the stack. A buffer overflow on the heap is far less dangerous than a stack-based overflow. If you don't know the difference, let me show you that I really do know what I'm talking about (whereas most journalists generally have no clue) using some C code - that is, the language most web servers are written in: // Include necessary headers to compile
#include <stdio.h>
#include <stdlib.h>
// Start of the "main" function - used to tell the OS where
// to start processing source code.
int main(int argc, char **argv)
{ // Tells the computer to create 256 places in memory _on the stack_ for storage.
char str[256];
// This just tells the user how to use the program. // Not really important, but useful.
if (argc < 2)
{
printf("Syntax: BadProgram TypeInAReallyLongString");
exit(1);
}
// This copies the data the _user_ specified into str.
strcpy(str, argv[1]);
// This prints the contents of str.
printf("%s\n", str);
return 0;
}(For you programmers out there, please ignore the comments. I realize they are "basic/newbie," but I'm attempting to explain source code to newbies).
The example above is extremely dangerous. Why? It is because there is only room reserved for 256 places in the computer's memory. What happens if the user enters data for 1000 places? This is where the danger comes in. The stack is where function calls like "main" are stored. When 1000 memory locations are copied from the user to str, the stack beyond the 256 is overwritten with whatever the user has entered. Typically, this will result in a crash when the function "main" "return"s...however, if those 1000 places in memory are carefully crafted, they can execute arbitrary code when "main" "return"s. This could be anything from a virus to a complete system takeover.
So, what is the solution to this? It should be obvious: Don't put anything the user enters, even remotely related, onto the stack...ever: // Include necessary headers to compile
#include <stdio.h>
#include <stdlib.h>
// Start of the "main" function - used to tell the OS where
// to start processing source code.
int main(int argc, char **argv)
{ // Tells the computer to create a place _on the stack_ for // storage of a pointer to memory _on the heap_.
char *str;
// This just tells the user how to use the program. // Not really important, but useful.
if (argc < 2)
{
printf("Syntax: BetterProgram TypeInAReallyLo