Expect-CT

While I have been using HTTPS for a while now and even went through the trouble of including my domains in the HSTS preload list, one security improvement I never opted to do was the inclusion of the HTTP Public Key Pinning header (HPKP for friends).

While not impossible to do, with short-lived certificates (e.g. Let’s Encrypt) it was simply too much trouble to bother. And I wasn’t the only one to think so - fewer than 400 sites (out of the top 1 million) decided to bother. The stakes were simply too high: a small mistake on the web server configuration side could lock visitors out of your site for the lifetime of the pin.

And so, with Chrome 67, Google is abandoning it.

The replacement for HPKP is offered in the form of the new Expect-CT header. Its major benefits are ease of configuration (just include the header) and reliance on the already existing Certificate Transparency logs to detect misissued certificates. While it doesn’t offer the low-level control HPKP did, it does increase certificate security significantly.

For my site, turning it on was as easy as adding a single directive in Apache httpd.conf:

Header always set Expect-CT "max-age=86400"

While this does require some support on the certificate authority’s side (logging the certificate and embedding the resulting SCTs in it), it’s nothing major. And you should probably run away if your authority has issues with it. When even free Let’s Encrypt supports Certificate Transparency, there is no excuse for others.
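As an added example (not from the original post), here is a small Python helper that parses an Expect-CT value the way a browser does, composes the values for a staged rollout, and emits the matching Apache directive. One caveat worth knowing before copying a one-directive header: a value carrying only max-age neither blocks anything nor reports anything, because the browser has been told neither to enforce nor where to send reports. The report URL used below is a placeholder.

```python
"""Parse and sanity-check Expect-CT header values, and build the values
for a staged rollout (report-only first, then enforce)."""
from urllib.parse import urlparse


def parse_expect_ct(value):
    """Split an Expect-CT header value into its directives.

    Returns {"max_age": int, "enforce": bool, "report_uri": str or None}.
    Raises ValueError for input a browser would discard: a missing or
    non-numeric max-age, a duplicated directive, a value on 'enforce',
    or a report-uri that is not an absolute URL.
    """
    result = {"max_age": None, "enforce": False, "report_uri": None}
    seen = set()
    for raw in value.split(","):
        directive = raw.strip()
        if not directive:
            continue
        name, has_value, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            raise ValueError("duplicate directive: " + name)
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            result["max_age"] = int(val)
        elif name == "enforce":
            if has_value:
                raise ValueError("enforce is a flag and takes no value")
            result["enforce"] = True
        elif name == "report-uri":
            url = urlparse(val)
            if not (url.scheme and url.netloc):
                raise ValueError("report-uri must be an absolute URL")
            result["report_uri"] = val
        # Unknown directives are ignored, as browsers are told to do.
    if result["max_age"] is None:
        raise ValueError("max-age is required")
    return result


def is_valid(value):
    """True if parse_expect_ct() accepts the value."""
    try:
        parse_expect_ct(value)
        return True
    except ValueError:
        return False


def policy_mode(parsed):
    """What a browser will actually do with the parsed policy."""
    if parsed["enforce"]:
        return "enforce"
    if parsed["report_uri"]:
        return "report-only"
    return "no effect"


def build_expect_ct(max_age, enforce=False, report_uri=None):
    """Compose a header value; the inverse of parse_expect_ct()."""
    parts = ["max-age=%d" % max_age]
    if enforce:
        parts.append("enforce")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return ", ".join(parts)


def rollout_stages(report_uri, max_age=86400):
    """Header values for a cautious rollout, in order: collect reports with
    a short max-age, then enforce, then lengthen max-age once nothing breaks."""
    return [
        build_expect_ct(60, report_uri=report_uri),
        build_expect_ct(60, enforce=True, report_uri=report_uri),
        build_expect_ct(max_age, enforce=True, report_uri=report_uri),
    ]


def apache_directive(value):
    """The httpd.conf line for a value; inner quotes are backslash-escaped."""
    return 'Header always set Expect-CT "%s"' % value.replace('"', '\\"')


if __name__ == "__main__":
    # Placeholder report endpoint, not a real service.
    for stage in rollout_stages("https://ct.example.net/report"):
        print(policy_mode(parse_expect_ct(stage)).ljust(12), apache_directive(stage))
```

Run each stage for a few days before moving to the next; the report-only stage is where a certificate without SCTs shows up as a report instead of as a blocked site.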

Whether this header will stick around for a while or also die in obscurity is hard to tell. However, its simplicity does make a lasting implementation probable.

Omitting Quotes From DebuggerDisplay

Using DebuggerDisplay is both simple and really helpful for troubleshooting. However, its automatic quoting of strings can sometimes result in a less than optimal tooltip display.

For example, if you have Key and Value fields with “Foo” and “Bar” as their respective content, you might end up with the following attribute:

[DebuggerDisplay("{Key}: {Value}")]

This will result in the tooltip text "Foo": "Bar". While not a big deal, these excessive quotes can be a bit of an annoyance. Fortunately, you can tell DebuggerDisplay to stop its auto-quoting with the nq (no quotes) format specifier:

[DebuggerDisplay("{Key,nq}: {Value,nq}")]

This will result in much nicer-looking Foo: Bar output.

Firefox and Java Console

When you’re dealing with a lot of Linux servers, having a Linux client really comes in handy. My setup consisted of Linux Mint 18 and I could perform almost every task. I say almost because one task was always out of reach - viewing HP iLO console.

Two options were offered there - ActiveX and Java. While ActiveX had obvious platform restrictions, the multi-platform promise of Java made its absence a bit of a curiosity. A quick Internet search resolved that curiosity: Firefox 53 and above dropped support for the NPAPI plugin system, and HP was just too lazy and Windows-centric to ever replace it. However, Firefox 52 still has Java support and that release is even still supported (albeit not after 2018). So why not install it and use it for the Java iLO console?

First we need to download Firefox 52 ESR - the latest version still allowing the Java plugin. You can download it from Mozilla, but do make sure you select release 52 and the appropriate build for your computer (64-bit or 32-bit).

With the release downloaded, we can install it manually into a separate directory (/opt/firefox52) so as not to disturb the latest version. In addition to Firefox, we’ll also need the IcedTea plugin installed (adjust the archive name to the build you downloaded):

tar -xjf ~/Downloads/firefox-52.8.0esr.tar.bz2

sudo mv firefox /opt/firefox52

sudo apt install -y icedtea-plugin

Of course, just installing it is worthless if we cannot start it. For this, a desktop entry is helpful. I like to use a separate profile for it as that makes running the newest release and this one side by side possible. Two details matter here: the Exec line of a desktop entry is not run through a shell, so the profile path must be absolute (the unquoted heredoc below expands $HOME when the file is written), and --no-remote keeps this instance from handing its URLs to an already running modern Firefox. Keep this browser for the iLO console only; it is a release that will not get security fixes beyond 2018, running with a plugin enabled. After this is done you’ll find “Firefox 52 ESR” right next to the normal Firefox entry.

mkdir -p ~/.mozilla/firefox52

sudo tee /usr/share/applications/firefox52.desktop > /dev/null << EOF
[Desktop Entry]
Name=Firefox 52 ESR
GenericName=Web Browser
Exec=/opt/firefox52/firefox --no-remote --profile $HOME/.mozilla/firefox52
Icon=firefox
Type=Application
Categories=GNOME;GTK;Network;WebBrowser;
EOF

The final step is going to “about:plugins” within Firefox 52 ESR and selecting “Always Activate” for IcedTea plugin.

Now you can use Firefox 52 ESR whenever you need the Java Console.
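Mozilla publishes a SHA512SUMS file (and its GPG signature, SHA512SUMS.asc) next to every release, including the archived 52.x ESR builds, so the tarball can be checked before anything is moved into /opt. The helper below is an added example, not part of the original post; it assumes the common sha512sum line layout (hex digest, two spaces, path relative to the release directory) and builds its own constructed stand-in for the download so it can be run offline.

```python
"""Verify a downloaded Firefox tarball against Mozilla's SHA512SUMS file.
Added helper, not part of the original post. Assumption: SHA512SUMS lines
look like '<hex digest>  <path relative to the release directory>'."""
import hashlib
import os
import tempfile


def sha512_of_file(path):
    """Hex SHA-512 of a file, hashed in 1 MiB chunks."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def published_digests(sums_text):
    """Parse SHA512SUMS into {relative path: digest}; malformed lines are skipped."""
    digests = {}
    for line in sums_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 128:
            digests[parts[1]] = parts[0].lower()
    return digests


def verify_download(tarball_path, sums_text, rel_path):
    """True only if the file's digest equals the published one for rel_path.
    A missing entry counts as failure rather than silently passing."""
    expected = published_digests(sums_text).get(rel_path)
    return expected is not None and sha512_of_file(tarball_path) == expected


def self_check():
    """Constructed stand-in for the real download: a tiny file, its correct
    SHA512SUMS line, a tampered copy, and a lookup of an unlisted path.
    Returns (good, tampered, unlisted)."""
    rel = "linux-x86_64/en-US/firefox-52.8.0esr.tar.bz2"
    payload = b"constructed test bytes, not a real tarball\n"
    sums = "%s  %s\n" % (hashlib.sha512(payload).hexdigest(), rel)
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.tar.bz2")
        bad = os.path.join(d, "bad.tar.bz2")
        with open(good, "wb") as f:
            f.write(payload)
        with open(bad, "wb") as f:
            f.write(payload + b"x")
        return (verify_download(good, sums, rel),
                verify_download(bad, sums, rel),
                verify_download(good, sums, "linux-i686/en-US/firefox-52.8.0esr.tar.bz2"))


if __name__ == "__main__":
    # Constructed check only; with a real download pass the real paths.
    print(self_check())
```

With the real files, read the downloaded SHA512SUMS into sums_text and pass the path of the tarball and its relative path inside the release directory (for example linux-x86_64/en-US/firefox-52.8.0esr.tar.bz2); verifying SHA512SUMS.asc against Mozilla's release key first is what turns this from an integrity check into an authenticity check.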

Resolving Interrupted Yum Upgrade

Running a recent CentOS update on a machine with 512 MB of RAM caused yum to run out of memory. Thinking nothing of it, I stopped it to see what could be done. After stopping all services I was greeted with “Warning: RPMDB altered outside of yum” and “Found 93 pre-existing rpmdb problem(s), ‘yum check’ output follows”.

After trying a lot of things, I found the one that works. Removing the older package without removing its dependencies (and without running its uninstall scriptlets) and then reinstalling the newer one worked like a charm:

rpm --erase --nodeps --noscripts yum-plugin-fastestmirror-1.1.31-42.el7.noarch
yum reinstall -y yum-plugin-fastestmirror

Of course, the same can be scripted but I leave that to more daring souls. :)

PS: Yes, the same procedure works on Red Hat too.
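For the more daring souls, here is an added example (not part of the original post) that plans the fix for a whole yum check listing without touching the system: it picks the older package of each duplicate pair using rpm's own version comparison rules (rpmvercmp reimplemented in Python; the newer caret operator is left out) and prints the two commands from above per package for review before anything is run. The sample output is constructed in yum's "X is a duplicate with Y" format with illustrative package names; that yum prints a non-zero epoch as an "epoch:" prefix is an assumption. Note that rpm keeps files still owned by the newer, still-installed copy when erasing the old one, and the reinstall puts back anything that was removed; yum-utils' package-cleanup --cleandupes does the same job if you have it installed.

```python
"""Plan the fix for 'yum check' duplicate entries without touching the
system. Added example, not part of the original post."""
import re

DUP_RE = re.compile(r"^(\S+) is a duplicate with (\S+)$")

# Constructed sample of 'yum check' output; only duplicate lines are acted on.
SAMPLE_CHECK = """\
yum-plugin-fastestmirror-1.1.31-45.el7.noarch is a duplicate with yum-plugin-fastestmirror-1.1.31-42.el7.noarch
kernel-tools-3.10.0-862.el7.x86_64 is a duplicate with kernel-tools-3.10.0-862.3.2.el7.x86_64
libfoo-1.0-1.el7.x86_64 has missing requires of libbar
"""


def rpmvercmp(a, b):
    """Compare two rpm version or release strings like rpm's rpmvercmp():
    returns -1, 0 or 1. Handles '~' (sorts before everything) but not the
    newer '^' operator (assumption: not used on this system)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1  # skip separators
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i += 1
                j += 1
                continue
            return -1 if ta else 1  # the side with '~' is older
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        si = i
        while i < len(a) and kind(a[i]):
            i += 1
        sj = j
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:  # segment types differ: numeric beats alpha
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whoever has segments left is newer


def split_nevra(pkg):
    """'[epoch:]name-version-release.arch' -> (name, epoch, version, release, arch)."""
    epoch, sep, rest = pkg.partition(":")
    if not sep:
        epoch, rest = "0", pkg
    nvr, _, arch = rest.rpartition(".")
    nv, _, rel = nvr.rpartition("-")
    name, _, ver = nv.rpartition("-")
    if not (name and ver and rel and arch):
        raise ValueError("not a package NEVRA: " + pkg)
    return name, epoch, ver, rel, arch


def older_of(p1, p2):
    """The older of two installed versions of the same package."""
    n1, e1, v1, r1, _ = split_nevra(p1)
    n2, e2, v2, r2, _ = split_nevra(p2)
    if n1 != n2:
        raise ValueError("not the same package: %s vs %s" % (p1, p2))
    cmp = rpmvercmp(e1, e2) or rpmvercmp(v1, v2) or rpmvercmp(r1, r2)
    return p1 if cmp < 0 else p2


def plan_duplicate_fixes(check_output):
    """For each duplicate line return (package to erase, name to reinstall)."""
    plan = []
    for line in check_output.splitlines():
        m = DUP_RE.match(line.strip())
        if m:
            old = older_of(*m.groups())
            plan.append((old, split_nevra(old)[0]))
    return plan


def commands(plan):
    """The command pair from this page, once per duplicate, for review."""
    out = []
    for old, name in plan:
        out.append("rpm --erase --nodeps --noscripts %s" % old)
        out.append("yum reinstall -y %s" % name)
    return out


if __name__ == "__main__":
    print("\n".join(commands(plan_duplicate_fixes(SAMPLE_CHECK))))
```

On a real box, feed it `yum check 2>/dev/null`, read the printed pairs, and only then pipe them to a shell.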

Changing Default Settings For Scanner

As I started scanning a batch of documents, I got annoyed by the Windows Fax and Scan default settings. So I went looking for the scanner dialog where you used to be able to set these things, only to find it replaced by a nicer-looking and utterly useless interface. Again, Microsoft decided to remove the old dialog and replace it with nothing.

However, I knew the settings were read from somewhere, so I used Process Monitor to see what the scanner was up to. That led me to the %USERPROFILE%\AppData\Local\Microsoft\UserScanProfiles directory full of XML files. And yes, scanner profiles were in that directory.

The first change I wanted was to have scanner load my last used settings by default. Fortunately settings are kept in (numbered) XML files and, knowing Photo was the current default profile, all it took was moving <default/> tag from that profile to one named “Last used settings”. Next time I tried scanning, my last values were offered as defaults.

However, while there, I also decided to customize two default settings. Instead of deciphering settings, just scan as you normally would and copy everything from WiaItem downward into the appropriate file.

My preferred settings ended up being:

<ScanProfile>
  <ProfileGUID>{F4798F9B-5FDE-4471-BC0D-4BF692AB32D8}</ProfileGUID>
  <DeviceID>{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}\0001</DeviceID>
  <ProfileName>Photo</ProfileName>
  <WiaItem>{FB607B1F-43F3-488B-855B-FB703EC342A6}</WiaItem>
  <Properties>
    <Property id="6147" type="3">600</Property>
    <Property id="4103" type="3">3</Property>
    <Property id="4108" type="3">2</Property>
    <Property id="4106" type="72">{B96B3CAE-0728-11D3-9D7B-0000F81EF32E}</Property>
    <Property id="6154" type="3">0</Property>
    <Property id="6155" type="3">0</Property>
    <Property id="6164" type="3">0</Property>
  </Properties>
</ScanProfile>
<ScanProfile>
  <ProfileGUID>{814B8B4D-45B3-440D-B40B-BC34D10B21E5}</ProfileGUID>
  <DeviceID>{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}\0001</DeviceID>
  <ProfileName>Documents</ProfileName>
  <WiaItem>{FE131934-F84C-42AD-8DA4-6129CDDD7288}</WiaItem>
  <Properties>
    <Property id="3097" type="3">2</Property>
    <Property id="6151" type="3">5100</Property>
    <Property id="6152" type="3">6600</Property>
    <Property id="6147" type="3">600</Property>
    <Property id="4103" type="3">0</Property>
    <Property id="4108" type="3">2</Property>
    <Property id="4106" type="72">{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}</Property>
    <Property id="6154" type="3">0</Property>
    <Property id="6155" type="3">0</Property>
    <Property id="3088" type="3">32</Property>
    <Property id="6164" type="3">0</Property>
  </Properties>
</ScanProfile>

PS: Yes, adding a new XML in directory will result in a new profile - just don’t forget to change its GUID value.
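The three edits described above (moving the default marker, changing a property value, and creating a new profile with its own GUID) can be done on the XML with a few lines of Python instead of by hand. This is an added example, not part of the original post; the sample profiles are constructed from the layout shown above, the second profile's GUID is made up, and the placement of <default/> as a direct child of <ScanProfile> is an assumption, since the post only says the tag is moved between files.

```python
"""Edit Windows Fax and Scan profile XML the way the page describes, working
on file contents as strings. Added example, not part of the original post.
Assumption: <default/> is a direct child of <ScanProfile>."""
import re
import uuid
import xml.etree.ElementTree as ET

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")

# Constructed sample: file name -> contents, one profile per file as in
# %USERPROFILE%\AppData\Local\Microsoft\UserScanProfiles. The Photo profile
# reuses the page's GUIDs; the second profile is made up.
SAMPLE_PROFILES = {
    "1.xml": """<ScanProfile>
  <ProfileGUID>{F4798F9B-5FDE-4471-BC0D-4BF692AB32D8}</ProfileGUID>
  <DeviceID>{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}\\0001</DeviceID>
  <ProfileName>Photo</ProfileName>
  <default/>
  <WiaItem>{FB607B1F-43F3-488B-855B-FB703EC342A6}</WiaItem>
  <Properties>
    <Property id="6147" type="3">600</Property>
    <Property id="4108" type="3">2</Property>
  </Properties>
</ScanProfile>""",
    "2.xml": """<ScanProfile>
  <ProfileGUID>{11111111-2222-3333-4444-555555555555}</ProfileGUID>
  <DeviceID>{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}\\0001</DeviceID>
  <ProfileName>Last used settings</ProfileName>
  <WiaItem>{FB607B1F-43F3-488B-855B-FB703EC342A6}</WiaItem>
  <Properties>
    <Property id="6147" type="3">300</Property>
  </Properties>
</ScanProfile>""",
}


def profile_name(text):
    return ET.fromstring(text).findtext("ProfileName")


def profile_guid(text):
    return ET.fromstring(text).findtext("ProfileGUID")


def is_guid(s):
    return bool(GUID_RE.match(s or ""))


def profiles_with_default(profiles):
    """Names of profiles carrying <default/>; Fax and Scan expects exactly one."""
    return sorted(profile_name(t) for t in profiles.values()
                  if ET.fromstring(t).find("default") is not None)


def set_default_profile(profiles, target_name):
    """Move <default/> so that only the profile named target_name has it.
    Its position is assumed not to matter; it is placed after the name."""
    out, found = {}, False
    for fname, text in profiles.items():
        root = ET.fromstring(text)
        for tag in root.findall("default"):
            root.remove(tag)
        name_el = root.find("ProfileName")
        if name_el is not None and name_el.text == target_name:
            root.insert(list(root).index(name_el) + 1, ET.Element("default"))
            found = True
        out[fname] = ET.tostring(root, encoding="unicode")
    if not found:
        raise KeyError(target_name)
    return out


def get_property(text, prop_id):
    for prop in ET.fromstring(text).iter("Property"):
        if prop.get("id") == str(prop_id):
            return prop.text
    raise KeyError(prop_id)


def set_property(text, prop_id, value):
    """Change one <Property id="..."> value; 6147 is WIA_IPS_XRES, the
    horizontal resolution in DPI. Unknown ids raise rather than being
    added, because the type attribute would be a guess."""
    root = ET.fromstring(text)
    for prop in root.iter("Property"):
        if prop.get("id") == str(prop_id):
            prop.text = str(value)
            return ET.tostring(root, encoding="unicode")
    raise KeyError(prop_id)


def clone_profile(text, new_name):
    """A new profile file from an existing one: fresh ProfileGUID (the
    page's warning), new name, and never the default."""
    root = ET.fromstring(text)
    root.find("ProfileGUID").text = "{%s}" % str(uuid.uuid4()).upper()
    root.find("ProfileName").text = new_name
    for tag in root.findall("default"):
        root.remove(tag)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    moved = set_default_profile(SAMPLE_PROFILES, "Last used settings")
    print(profiles_with_default(SAMPLE_PROFILES), "->", profiles_with_default(moved))
    print(clone_profile(SAMPLE_PROFILES["1.xml"], "Receipts"))
```

When applying this to the real directory, read the files as bytes so the XML declaration's encoding is honoured, write them back the same way, and keep Windows Fax and Scan closed while doing so, since it rewrites the "Last used settings" file on every scan.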