Content Security Policy – Preview Builds October 1st, 2009

I posted this over at the Mozilla Security Blog but wanted to share it here as well. I am excited to report that Content Security Policy is available for testing! We’ve been working hard on implementing the CSP spec and now the new features are ready to be put to the test.

I would like to encourage any interested parties, whether web security researchers or website administrators, to head over to Mozilla Try Server and grab a preview build of Firefox with CSP enabled:

Windows: 1256079015-win32.zip
Mac OS X: 1256079015-macosx.dmg
Linux: 1256079015-linux.tar.bz2

Once you have it, you can test the core functionality of CSP at the demo page I set up on my Mozilla web space. There is a lot more information about this project there and I look forward to any feedback you have to share with me.

Python CIDR Block Converter December 14th, 2007

I wrote a Python script that converts a CIDR block into a list of individual IP addresses, one per line. I found that I needed to repeat some network-related tasks across an entire subnet, and this script provides an easy way to automate these kinds of tasks in a shell environment. The source code and sample usage for the script follow:

Source Code: cidr.py

Sample Usage:

brandon@zodiac ~ $ cidr 192.168.1.5/30
192.168.1.4
192.168.1.5
192.168.1.6
192.168.1.7

One item to note is a key difference between the way this program computes a CIDR block and others I have seen. The lazy way to convert a CIDR block to a list of IPs is to calculate the number of IP addresses in the subnet, 2^(32 - subnetSize), and simply increment the base IP address that number of times. This method is deficient because, as in the example usage above, the base IP address that is specified may fall somewhere in the middle of the range of IP addresses (not necessarily at the beginning).

In my script, I calculate the CIDR block members the correct way: I convert the base IP address to its binary form, zero out the least significant bits as specified by the subnet size, and start the enumeration of IP addresses at the bottom of that range.
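
The difference between the two methods, as an added example (this is not the original cidr.py; the function names `expand_masked` and `expand_naive` are assumptions made for illustration):

```python
def ip_to_int(ip):
    """Strictly parse a dotted-quad IPv4 string into a 32-bit integer."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value


def int_to_ip(value):
    """Format a 32-bit integer as a dotted-quad string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(block):
    """Split 'a.b.c.d/n' into (address as int, prefix length)."""
    ip, _, prefix = block.partition("/")
    if not prefix.isdigit() or int(prefix) > 32:
        raise ValueError(f"bad prefix length in {block!r}")
    return ip_to_int(ip), int(prefix)


def expand_masked(block):
    """Zero the host bits first, then enumerate from the bottom of the range."""
    base, prefix = parse_cidr(block)
    host_bits = 32 - prefix
    network = (base >> host_bits) << host_bits  # clears the low host_bits bits
    for offset in range(1 << host_bits):        # generator: safe for large blocks
        yield int_to_ip(network + offset)


def expand_naive(block):
    """The lazy method: count 2^(32 - prefix) addresses up from the given IP."""
    base, prefix = parse_cidr(block)
    for offset in range(1 << (32 - prefix)):
        yield int_to_ip((base + offset) & 0xFFFFFFFF)


if __name__ == "__main__":
    block = "192.168.1.5/30"  # same input as the sample usage above
    print("masked:", list(expand_masked(block)))
    print("naive: ", list(expand_naive(block)))
```

For a scan or firewall allowlist built from the naive output, the off-by-range result means one in-scope host is skipped and one out-of-scope host is included.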