A new DHS report released on August 2, “BREACH vulnerability in compressed HTTPS”, details how an attacker can derive information from the length of a compressed, encrypted stream.
From the report:
While the CRIME attack is currently believed to be mitigated by disabling TLS/SSL-level compression, compressed HTTP responses represent a significant unmitigated vector which is currently exploitable. By injecting plaintext into an HTTPS request, an attacker can learn information about the corresponding HTTPS response by measuring its size.
The report describes the symptoms as well as potential fixes. Basically: disable HTTP compression.
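To make the report’s point concrete, here is a small added Python illustration (mine, not from the DHS report) of the mechanism and of why the recommended fix works. The token, the page body and the reflected strings are all constructed for the demo. TLS hides content but not length, so when a response is compressed before encryption, a reflected string that repeats a secret already present in the page compresses better than a same-length string that does not; with compression off, the size depends only on the input length and the side channel disappears.

```python
import zlib

# Constructed sample data (not from the DHS report): a per-session token that
# appears in the page body, and a request-influenced string the page reflects.
SECRET_TOKEN = "csrf=7f3a9c2e1b"  # constructed value, not a real token


def build_body(reflected: str) -> bytes:
    """Return a constructed HTML response that echoes `reflected` and also
    contains SECRET_TOKEN: the situation the report describes."""
    return (
        "<html><body>"
        f"<p>Search results for: {reflected}</p>"
        f"<input type='hidden' name='{SECRET_TOKEN}'>"
        "</body></html>"
    ).encode()


def compressed_len(reflected: str) -> int:
    """Body length after HTTP-level DEFLATE. This is what an observer on the
    wire sees, because TLS does not hide the length of the record payload."""
    return len(zlib.compress(build_body(reflected), 9))


def uncompressed_len(reflected: str) -> int:
    """Body length with HTTP compression disabled (the report's mitigation).
    It depends only on how long the reflected input is."""
    return len(build_body(reflected))


def length_reveals_match(candidate: str, decoy: str) -> bool:
    """True when compressed size alone separates a reflected string that
    repeats the secret from a same-length string that does not. Equal input
    lengths keep the plaintext size constant, so the only variable left is how
    much DEFLATE can back-reference the earlier copy of the secret."""
    if len(candidate) != len(decoy):
        raise ValueError("candidate and decoy must have equal length")
    return compressed_len(candidate) < compressed_len(decoy)


def length_hidden_without_compression(candidate: str, decoy: str) -> bool:
    """True when disabling compression makes the two responses the same size,
    which is why the report's advice closes this side channel."""
    return uncompressed_len(candidate) == uncompressed_len(decoy)


if __name__ == "__main__":
    match = SECRET_TOKEN          # reflected string equal to the token
    decoy = "csrf=kqwxzjvgpm"     # same length, shares only the "csrf=" prefix
    print("compressed  :", compressed_len(match), compressed_len(decoy))
    print("uncompressed:", uncompressed_len(match), uncompressed_len(decoy))
```

Real responses are noisier than this (dynamic content, Huffman bit packing, TLS block alignment), which is why the report treats the size difference as a statistical signal rather than a clean oracle; but the defensive conclusion is the same as the report’s: turning off HTTP compression for responses that reflect request data and carry secrets makes the observed length independent of the secret.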
Sorry for the deluge of posts today. This next one is a must read for web developers.
I’m not sure when it was first posted, but I just came across it today: the Google HTML/CSS Style Guide.
There are some useful reminders in there, and also some curveballs (beyond “Use Valid HTML where possible”):
- Omit protocol from embedded resources – this means your JS and CSS includes should start with “//” rather than “http://”. That way, whenever your page is served over HTTPS, the browser won’t throw all those annoying mixed-content popup windows.
- Don’t use entity references – an interesting point. If your entire environment revolves around UTF-8, there is no need to encode special characters (except for <, > and &, because they have meaning in HTML). Bye bye, &mdash;
- Omit optional tags – skipping a few lines of code must save Google millions annually, but it’s interesting. I don’t know if I can stop writing “<head><title>Title Here</title></head>” … but according to the HTML5 specification <head> is an optional tag, and you can just write “<title>Title Here</title>”.
- Hexadecimal notation – use 3-character notation where possible (e.g. #fff rather than #ffffff). I’ve been doing this, but didn’t realize it was a best practice (this may save Google hundreds of thousands of dollars a year; me? nothing).
- Alphabetize CSS declarations – I guess this makes sense, so there is at least SOME organization to CSS declarations.
- Property name stops – for some reason Google WANTS a space between a CSS property and its value (“value: 0px” vs “value:0px”). Seems odd to me, but at least it’s what I’ve always done.
Ran into this one today: a site with only SFTP/SSH access, where WordPress insisted on the “FTP” method for updating plugins and core. Remember, FTPS is not SFTP. FTPS is FTP over SSL/TLS (the same layer HTTPS uses), while SFTP runs over SSH. Confusing?
Fortunately there’s a nice little plugin called SSH SFTP Updater Support.
Download it, upload the contents of the zip into /wp-content/plugins/, then activate the plugin in the admin. It adds an SSH2 option (SSH2 being the protocol SFTP runs over) to your “Updates” screen.
Worked for me.