
Olov Lassus olov

  • Linköping, Sweden

Background

Major Swedish bank SEB serves their public site over HTTP, with no HTTPS version available. The front page http://www.seb.se has a big Login button that then takes the user to the secure HTTPS part of their site, where the user then logs in. I hope to be able to explain why this is bad for users because it gives Attackers more opportunity. I hope to convince SEB to acknowledge this and stop serving their public site over HTTP, going HTTPS only. I started noticing this problem a few years back, contacted them a year ago or so to deaf ears, contacted them again recently and kindly got a person listening to me, but I failed to get an acknowledgement of any sort. I proposed that I write something up instead.

Scenario

Victim normally logs onto the internet bank by typing www.seb.se into the URL bar in the web browser, either typing it out fully or just part of it and selecting the auto-completed URL. Alternatively, Victim has put a bookmark on http://www.seb.se, and clicks that bookmark to come to the front

// let's begin with this function. f() was previously commented out using Cmd--
function context() {
    if (foo) {
        // f();
        g();
    }
}
// we remove the if-statement and let its block run unconditionally instead.
@olov
olov / ng-annotate_plus_assetgraph.txt
Created May 19, 2014 12:49
ng-annotate + assetgraph
Process (almost) all files with ng-annotate options {add: true, regexp: "^$"}
I say almost because there should be no risk that already minified files (i.e. matching the filename pattern *.min.* or something similar) need processing by ng-annotate. So we're saving the nature and build times by excluding them.
Add means "add annotations but don't remove or rebuild those already existing, if any". That's what you want. The weird-looking regexp-option really just means disable the support for short declaration forms.
This is a short declaration form:
myMod.controller("MyCtrl", function($scope, $timeout) {
});
@olov
olov / gist:40e4bf5181e8a5f7e849
Created October 10, 2014 19:58
networks sux and browsers may surprise you
index.html
...
<script src="a.js"></script>
<script src="b.js"></script>
<script src="c.js"></script>
a.js:
var globalfoo = 42;
b.js:
@olov
olov / whatever.js
Created November 13, 2014 07:33
bind-comments
// yoyoyomamama comment on the file (note blank line after it)
// comment bound to function
function foo() {
    // comment bound to if-statement
    if (a) {
        // comment bound to first block
        b(); // comment bound to statement
@olov
olov / betterbrowser.md
Last active August 29, 2015 14:20
better browser experience

random thoughts

funding: a mix i suppose. volunteer work, i mean we do tons of volunteer work daily in terms of writing open source code, providing documentation and stuff like that. fundraising from persons (like wikimedia) and small and big companies that care about these things. funding should cover operations.

ads: the browser should come with an ad-blocking tech by default. this can happen because the browser does not come from a company/community that relies on ad revenue to pay salaries. the internet, especially the desktop internet, is horrible to use without ad-blocking tech, and ads and lack of privacy go hand-in-hand like nothing else.

privacy: i'm not a cookie expert but my gut-feeling tells me there's more to do in terms of creating a browser that tries to make the end-user as anonymous as possible and prevent the mega-tracking cookie networks that build up massive profiles about people, while still allowing web sites to function. also see search below. also https-only within a reasonable time

d8 --shell shaper.js
V8 version 3.3.1 [console: readline]
d8> var hello = Shaper.parseExpression("document.getElementById('hello')")
d8> var templ = Shaper.parseExpression("$.getElementById($$)")
d8> Shaper.match(templ, hello)
1
@olov
olov / references.rb
Last active September 25, 2015 17:58
Jekyll markdown references plugin by Olov Lassus: Keep all your markdown reference-style link definitions in one file (_references.md)
# references.rb has moved to https://github.com/olov/jekyll-references
@olov
olov / gist:2731048
Created May 19, 2012 14:36
the Bash mp3 links
http://dl.dropbox.com/u/283098/the%20Bash/the%20Bash%20-%20Cashkeeper.mp3
http://dl.dropbox.com/u/283098/the%20Bash/the%20Bash%20-%20Come%20on.mp3
http://dl.dropbox.com/u/283098/the%20Bash/the%20Bash%20-%20Join%20the%20bash.mp3
http://dl.dropbox.com/u/283098/the%20Bash/the%20Bash%20-%20Tears%20and%20smiles%20%28edit%29.mp3
http://dl.dropbox.com/u/283098/the%20Bash/the%20Bash%20-%20To%20it%20%28now%29.mp3
http://dl.dropbox.com/u/283098/the%20Bash/the%20Bash%20-%20Una%20mas%20%28edit%29.mp3
http://dl.dropbox.com/u/283098/the%20Bash/the%20Bash%20-%20Where%27s%20your%20mind.mp3
Would you be OK with your internet bank saying "our position is that we recommend a private connection over HTTPS but you can always scrap that and send your private login credentials in clear text directly in the URL instead. Over HTTP of course, if you find that convenient. Choice is good and we want to make you happy"?

I wouldn't, because it would tell me that they are clueless about security or that they don't care about their users' money and/or privacy.