Azure diaries: can’t access KeyVault

Context: as a tenant administrator you can't inspect KeyVault contents created by other people ("you are unauthorized to view these contents"). Solution: assign yourself appropriate permissions like this: Locate the KeyVault in the Azure portal: go to "Access policies"click "+Add Access Policy"Key permissions: everything under "Key Management Operations" and "Cryptographic Operations"Accordingly for key and certificate … Continue reading Azure diaries: can’t access KeyVault

Secure messaging in the browser

By observing news and public discussions I feel that there is a growing awareness of data privacy and an increasing demand for secure person-to-person communication. In order to address my communication needs, I plugged together a few Javascript libraries and started the Webencryption [1] project on Github. What is Webencryption? Webencryption is a rather crude … Continue reading Secure messaging in the browser

RSA is partially cryptographically homomorphic

Homomorphic cryptography [1], should it ever become available as a product, will have an intriguing property: computers will be able to operate on encrypted data without either having to- or being able to decrypt it. Competitive or regulatory pressure leads many organisations to distrust public (or private) clouds with their data and algorithms, so they … Continue reading RSA is partially cryptographically homomorphic

Advanced web security topics

(Updated 22 May 2020) This post discusses web security issues that I come across - so far thankfully mostly by reading about them. It is a work in progress which I'll keep updating. The post title includes "advanced" because the topics discussed here involve clever, non-trivial hacks, are novel at the time of their publication … Continue reading Advanced web security topics

Securing a development server

In this post I talk about setting up and securely operating development tools like Jenkins and Gitlab on a server connected to the internet. All applications run behind a firewall and a reverse HTTP proxy which allows only HTTP requests from selected users through who authenticate themselves with client certificates. Putting web-facing software on the … Continue reading Securing a development server

Running varnish as unprivileged user

Since I haven't found any documentation on the topic of running varnish as non-root, I proudly present: how to run varnish as non-root. A warning ahead: this will require fiddling with init scripts, so make sure to keep backups. Also, scripts will be overwritten with each package update. Changes to /etc/init.d/varnish Ulimit calls are not … Continue reading Running varnish as unprivileged user

Reddit as an OAuth provider for a Java backend

OAuth (2) and Java work well together, there are plenty of libraries available which handle the general case and the more specific peculiarities of the various OAuth providers. Despite solid implementations like my favourite Spring Social [1] framework  the state of OAuth is at best fragmented. Not only because Spring Social is not as well … Continue reading Reddit as an OAuth provider for a Java backend

Eclipse/SVN keeps asking for keystore password on a mac

For my current project I'm working on a Mac and Eclipse kept asking for the OS keystore password every time SVN was accessed.  The eclipse error log says: "StorageException: No password provided." While I am sure that there are proper solutions to this problem, relaxing a constraint in the OS keystore did the job for … Continue reading Eclipse/SVN keeps asking for keystore password on a mac