When I buy electronic devices, I always keep an eye on their power consumption. Especially the power drain that you’ll get 24/7. For most devices, this is their “standby” power consumption, but some devices are left on all day long. My broadband router, a TP-Link Archer C7 running OpenWRT 15.05 Chaos Calmer, is in this last category.
Archive for the ‘Networking & Security’ Category
When I buy electronic devices, I always keep an eye on their power consumption. Especially the power drain that you’ll get 24/7. For most devices, this is their “standby” power consumption, but some devices are left on all day long. The b-box 3 of Proximus is in this last category.
Skynet Belgacom Proximus, has been rolling out IPv6 since 2013. However, you need a B-Box 3 in order to get it. Recently, my B-Box 2 decided to stop working, so I got a (free) upgrade to a B-Box 3 (but see below).
As you may know, HTTP/2.0, as implemented by most browsers, only runs over TLS (which is a good thing). Unfortunately, it makes debugging the protocol a bit harder, since protocol analyzers can’t look inside the TLS layer anymore. And while the in-browser debugging tools have become very good, I find myself in need of a Wireshark session to figure things out: In particular: which resources were pushed by the server?
So I found myself Men-In-The-Middle-ing myself with ZAP regularly. Today I learned that I can simply ask my browser to tell me the missing pieces: the master secret and the client random value (used to look up the correct master secret from the raw packet), or, if you are still not using PFS, part of the encrypted pre-master secret (for look-up), and the full (plaintext) pre-master secret.
Just set the
SSLKEYLOGFILE environment-variable to the path of a writable text file (appended to). Works in both Chrome and Firefox! And make sure you unset the environment for safe surfing afterwards!
Wireshark can be configured to read in this file in the Preferences → Protocols → SSL → (Pre)-Master-Secret log filename.
I’ve been struggling a bit with IPv6 source address selection. Normally, when you initiate a new connection, you only specify the destination address (or have DNS resolve the name to an address). The choice of the source address is usually left to the OS by setting it to
:: (IPv6’s version of
RFC 6724 specifies how this selection should happen. Karl Auer explains it in a bit less painful way on his blog. But sometimes I want to influence the chosen address: how can I twist these rules to match my wishes? Karl also has an interesting post on this. In summary, use any combination of:
- Deprecate the addresses that you don’t want to use:
ip addr change 2001:db8::1:1/128 dev tun preferred_lft 0
- Make your own label to group addresses:
- Use privacy extension addresses
I’ve been struggling with my dd-wrt setup lately. So I started looking around for potential alternatives. One thought was to use a Raspberry Pi as router, but I was worried about its performance. So I did a few tests.
Facebook, Twitter and Google have the nasty habit of tracking your every move on the internet. This ABE-script prevents this:
# Allow Facebook scripts and objects to be included only # from Facebook pages Site .facebook.com .fbcdn.net .facebook.net Accept from .facebook.com .fbcdn.net .facebook.net Deny INCLUSION(SCRIPT, OBJ, SUBDOC) # also stop google+ widget Site plus.google.com Accept from plus.google.com Deny INCLUSION(SCRIPT, OBJ, SUBDOC) # and twitter Site platform.twitter.com Accept from twitter.com Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
I found myself firing up a calculator every time I needed to base-convert a number from/to hex or octal. So I wrote a very simple HTML-page that I added to my dashboard that does just this.
I often find myself changing routes on my OS X system. Usually, however, I’m systematically adding the same routes over and over again, because they were automatically removed after a reboot, network change or whatever. Enter.