Monday 25 July 2016

Two-factor authentication with TOTP applications

Many websites and online services offer two-factor authentication (2FA) using SMS or a Time-based One-Time Password (TOTP) application. Some services also offer an e-mail link; I will not cover that here, although it adds security in a similar way.

It is highly recommended to use two-factor authentication to sign in to websites. It adds a second piece of information besides the password, which makes signing in a good deal more secure: to get into your account an attacker needs both your password and the secret key stored on your phone (or a code derived from it). Note that this does not protect you against a code you type into a phishing page that relays it in real time, or against a stolen session cookie; it protects the login step itself.

I prefer TOTP over SMS, because SMS is often less reliable and slower. (I won't discuss which method is more secure; there are potential vulnerabilities in both, depending on device and platform.)

Time-based One-Time Password

A Time-based One-Time Password algorithm calculates a one-time password from a shared secret key and the current time. It is a standard described in RFC 6238 (built on the HMAC-based HOTP of RFC 4226). It requires that the user saves the secret key on a device, typically a smartphone. Many services present the key as a QR code that can be scanned quickly; the QR code is simply an otpauth:// URI containing the base32-encoded secret, so it must be treated as carefully as a password.

The password in the TOTP application changes every 30 seconds, on both the client and the server, because both compute it from the same secret and the same 30-second time counter. You need to enter the password that is currently visible; servers normally accept one step of clock skew in either direction.

The good thing with TOTP is that it is a standard that can be implemented in a generic application. There are services that require the use of their own application, but in my opinion they miss the point. I like to have one single application on my phone with TOTP authentication for a lot of services. Google Authenticator is a good example of an application that implements TOTP. There are even PAM modules, so you can use it to add security to e.g. server logins. I use SailOTP on my Jolla phone with the Sailfish operating system. For Android, there is a FOSS app available: FreeOTP.

Sites that use 2FA

Here is a good list of sites that use 2FA. Most big online services support 2FA, like Google, Facebook, LinkedIn, Dropbox, GitHub etc. Note that not all of them use TOTP; some have their own implementation or use some other kind of authentication. For instance, Steam has its own implementation of TOTP and you need its own client to use it (but as far as I can tell it almost follows the standard). PayPal's support for SMS 2FA is half broken, at least outside the US. It works once it is set up, but setting it up is almost impossible due to the broken website.

Steam and TOTP

The following is not supported by Steam, but you can use Steam with a standard TOTP application if it lets you enter the secret key manually and supports 5-character codes (like e.g. SailOTP).

To add the Steam secret key to the TOTP application, you need to install the Steam client on a device first. On an Android device (or in the Android layer on the Jolla phone), the key is located in the file "(/opt/alien)/data/data/com.valvesoftware.android.steam.community/files/Steamguard-$STEAMID" in the string "otpauth://totp/Steam:$STEAM_USERNAME?secret=$SECRET&issuer=Steam", where $SECRET is the secret key. You can add this key manually to the TOTP application. Reading that file requires root access on the device, and the secret in it is equivalent to the authenticator itself: anyone who copies it can generate valid codes for your account, so do not leave it lying around in backups or shell history.
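As an added example (not code from the original post, and not Steam's or SailOTP's own code), the following Python script computes RFC 6238 codes from the otpauth:// URI format quoted above, and also the 5-character Steam variant. The TOTP part is checked against the RFC 6238 Appendix B test vectors. The Steam mapping (the 31-bit truncated value written in base 26 over the alphabet 23456789BCDFGHJKMNPQRTVWXY) is how third-party Steam Guard clients implement it and is an assumption here, not something the post documents. The URI in the script is constructed with the RFC test secret, not a real Steam account.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed test input: the RFC 6238 Appendix B secret (ASCII "12345678901234567890"),
# base32-encoded the way an otpauth:// URI carries it. Not a real Steam secret.
TEST_URI = "otpauth://totp/Steam:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Steam"


def secret_from_otpauth(uri: str) -> bytes:
    """Extract and base32-decode the secret= parameter of an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    secret = parse_qs(parsed.query)["secret"][0].strip().upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding that URIs usually drop
    return base64.b32decode(secret)


def hotp_truncate(secret: bytes, counter: int, digestmod=hashlib.sha1) -> int:
    """HMAC over the 8-byte big-endian counter, then RFC 4226 dynamic truncation.

    Returns the 31-bit integer that both the decimal TOTP digits and the
    Steam alphabet code are derived from.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second periods since the epoch."""
    return str(hotp_truncate(secret, at // step) % 10 ** digits).zfill(digits)


# Assumed Steam alphabet (third-party clients agree on it; not documented on this page).
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def steam_code(secret: bytes, at: int, step: int = 30) -> str:
    """Steam's 5-character variant: same HMAC/truncation, base-26 digits over STEAM_ALPHABET."""
    value = hotp_truncate(secret, at // step)
    chars = []
    for _ in range(5):
        chars.append(STEAM_ALPHABET[value % len(STEAM_ALPHABET)])
        value //= len(STEAM_ALPHABET)
    return "".join(chars)


def verify_totp(secret: bytes, candidate: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept +/- `window` steps of clock skew, compare in constant time."""
    for delta in range(-window, window + 1):
        expected = totp(secret, at + delta * step, step=step, digits=digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    key = secret_from_otpauth(TEST_URI)
    now = int(time.time())
    print("TOTP now:      ", totp(key, now))
    print("Steam now:     ", steam_code(key, now))
    print("RFC vector t=59:", totp(key, 59, digits=8))  # 94287082 per RFC 6238
```

The same `hotp_truncate` serves both code formats, which is exactly why a generic authenticator can display Steam codes once it knows the secret and the 5-character output format.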

Screenshot of the SailOTP application in Sailfish (with censored accounts and passwords of course):

Sunday 10 July 2016

Firefox Tracking Protection for all users

Firefox Tracking Protection is a great feature used in Private Browsing mode, but turning it on permanently has several benefits. According to researchers it makes pages load 44% faster and reduces data usage by 39% [1][2]. Because most trackers are blocked, you also get rid of most personalized advertisement, which is where the performance gain comes from. Personally, I prefer to choose my advertisement myself.

You can turn on the feature in Firefox by typing about:config in the location bar and hitting Enter. Search for privacy.trackingprotection.enabled and double-click it to toggle it to true.

But how do you turn this feature on for all users on the same PC? Usually family members are not tech-savvy enough to mess around in the Firefox configuration interface. Behold: if you are an administrator, you can set a machine-wide default.

You can tell Firefox to read system-wide preferences by creating a file defaults/pref/local-settings.js in the Firefox installation directory, which points Firefox at a configuration file (here mozilla.cfg) in the same directory; setting general.config.obscure_value to 0 keeps that file in plain text instead of the byte-shifted default. Then set the default preferences in mozilla.cfg. Mozilla calls this locking preferences [3], but it doesn't necessarily have to lock them like in a corporate environment. Depending on the function used, the user can still override a setting: defaultPref() sets the default value but lets the user change it, pref() resets the value at every startup, and lockPref() locks it so the user cannot change it at all. Also note that Firefox skips the first line of mozilla.cfg, so the file must start with a comment line.

This is a small script (run as root) that creates the preference files if they don't exist and adds the settings if they aren't already present. I leave it as an exercise to the reader if they want the script to change existing settings. Note that the Firefox installation directory can be different in a different Linux distribution.

#!/bin/sh
# set default trackingprotection on in Firefox for all users
# Installation directory as on Fedora (lib64 on 64-bit); other distributions differ,
# e.g. /usr/lib/firefox on Debian/Ubuntu.
if [ "$(getconf LONG_BIT)" = "64" ]; then
    firefoxdir=/usr/lib64/firefox
else
    firefoxdir=/usr/lib/firefox
fi

prefs="$firefoxdir/defaults/pref/local-settings.js"
cfg="$firefoxdir/mozilla.cfg"

# Append LINE to FILE unless a line mentioning KEY is already there.
add_unless_present() {  # usage: add_unless_present FILE KEY LINE
    grep -q "$2" "$1" || printf '%s\n' "$3" >> "$1"
}

mkdir -p "$firefoxdir/defaults/pref"

# local-settings.js points Firefox at mozilla.cfg; obscure_value 0 means plain text.
[ -f "$prefs" ] || printf '//\n' > "$prefs"
add_unless_present "$prefs" "general.config.filename" 'pref("general.config.filename", "mozilla.cfg");'
add_unless_present "$prefs" "general.config.obscure_value" 'pref("general.config.obscure_value", 0);'

# Firefox skips the first line of mozilla.cfg, so it must begin with a comment.
# defaultPref() sets the default but lets users turn it off; use lockPref() to force it.
[ -f "$cfg" ] || printf '//\n' > "$cfg"
add_unless_present "$cfg" "privacy.trackingprotection.enabled" 'defaultPref("privacy.trackingprotection.enabled", true);'

[1] http://lifehacker.com/turn-on-tracking-protection-in-firefox-to-make-pages-lo-1706946166
[2] http://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_32.pdf
[3] http://kb.mozillazine.org/Locking_preferences

Tuesday 5 July 2016

SleepyHead in Fedora Copr

Fedora Copr is an automated build system with a package repository as output. You upload the source RPM, select the target distributions and releases (Fedora, Red Hat Enterprise Linux), and get one or more RPM packages in repositories automatically.

There is now a Fedora 24 Copr repository for SleepyHead (johanh/sleepyhead).

This means you can install SleepyHead from the command line with:

sudo dnf copr enable johanh/sleepyhead

sudo dnf install sleepyhead

As long as the repository is enabled, you will also receive any updates to SleepyHead when updating your system with dnf update. Bear in mind that a Copr repository is maintained by an individual user, not by Fedora, so enabling it means trusting that user's packages with the same privileges as the distribution's own.