what the hell happened to .ico website images while i was not paying attention.

missing things used to be here

You know those small images that sit next to the website name? Animated gifs seem to have been broken by the browsers, and one zoo website had a ‘broken’ ico file. How that happened is open to speculation.

So i got tasked to fix something that might be deemed a new feature. Not that it appears to be deemed html, and i do not really keep up to date since html5 is still the latest and greatest. But it seems that ico images have become strangely like one side of the tribe you don't share a banana with.

You want an xml file to tell microcrap windows 8 and 10 what file to show? Sure, not a fucking pain in the arse.

Apple wants svg and an html header or two, and the image file size is getting bigger and bigger over time, but then they are apple.

Android has its own way of doing the same shit and would also love a manifest file for my html. It works, so it looks ok and that will do. It's a page of html, not an app, but that's the google way; i bet these (my blog) do not work.

Microsoft, henceforward microcrap, got a 2mb file as an ico to show on a desktop, because by the time i got round to their fucked up way of thinking and xml (no problem) it seemed to be happy with that, and i could not give a shit that the file was huge, so i left it.

I am kind of amused how a 318 byte icon file turned into a 2mb file and microcrap seem happy with that. (Microsoft files were intentionally left that way.)

Oh well, at least i had an entertaining hour; if anybody from microsoft wants to see me throw poo at them i am very willing to do it if they want to visit the zoo.

As to where that leaves html as a markup, please tell me below.

Gandi [dns registrar] pisses me off by migrating and forgetting two year old changes.

Sisyphus is still a role model

Two years ago i had to alter some whois records, which is not particularly hard, and i did a lot of them, checking them as well, since it is a time-consuming activity i did not want to redo. I was happy and...

Gandi (not the Indian) decided to roll back some of my changes and make me migrate to some horrible web interface just to do anything, including re-changing the whois contacts, which the new thing thought were best left with the information from two years ago, back to what they should have been when i went back recently.

I won't be buying domains from gandi anytime soon. While it might be pretty, having to re-change something just because of an upgrade is annoying.

I think i know how this revoke happened: logically it may have been the migration logic rolling back the changes, but i did nothing wrong, since i did make them, just from the wrong contact, which apparently was bad. Go figure.

modsecurity on debian

Modsecurity left me confused: i thought i had the basic rules but had the extended crs rules as well, and so it did not need configuring. The Debian (my blog) wiki keeps mum on the subject as well.

I know it's working, although its reporting via ruby and upgrades via python make it a multidisciplinary tool.

From what i read outside of Debian it seems to work with our stuff, so it remains on. Mystery software that sounds like a future problem for me to disable.

Its log messages are also hard to grep and awk.

I guess i shall be writing about mod-security rules at some point in the future…

ecommerce idiots who rely on google way too much

Relying on google is a bad move. I saw this while doing stuff and was surprised, since i could not continue doing things.

Idiots: even the zoo has its own recaptcha software (my blog), and if i can do it... Lazy people. It seems it shut down sooner rather than when announced.

So i did not buy from them; ergo google breaks the internet, or perhaps they did not want money. Not my problem, as i found it elsewhere and they liked money.

I bet the google domain report (or buy adverts from google or else) will ignore that their software stopped them from making a sale.

i still do not grok hpkp and overriding it like a pro

I have mentioned it before (my blog), and since chrome (the web browser, not a metal alloy) eventually gave up on this cryptographic hash to verify sites** i decided to have one last go.

I read online that you run

openssl ecparam -genkey -name secp384r1 > ec.key
openssl ec -in ec.key -pubout | openssl ec -pubin -outform der | openssl dgst -sha256 -binary | base64

and get a backup key or something.

That looks like this (note: not run on a real certificate):

read EC key
writing EC key
read EC key
writing EC key

# cat server.key
4Ej/s4iCfUWgBwYFK4EEACKhZBananas – in  – the – Falklands -M4szuJE0DDh/pLBmob

So it appears to add EC PARAMETERS and EC PRIVATE KEY sections to a file.

The magic of openssl is beyond most, so i went looking for an hpkp generator, which appeared to work and, despite not doing ec private keys, also got me a backup pin hash.

I still had no idea how i could generate a backup cert from those keys; i still think money would need to change hands with the ssl mafia.

Since i already had a commented-out, non-working hpkp block with /" syntax (a rather nasty line of config speak compared with most), i copied it, used the hashes from that generator and tested it twice; both sites agreed hpkp was there and valid.

But i was unable to reproduce how the backup key was made. It felt easier than before, with less effort, but i still felt i had no feel for hpkp.

I did not add it to the other zoo domains, for reasons of it being an unknown quantity. I would guess that if you asked your tls provider whether it generates backup keys, you'd be told to buy the most expensive ssl they have and be done with you. It appears that encryption files get some extra section, but how it works beyond that is beyond me and the ssl supplier.
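As an added example (my script, not the post's own commands or its hpkp generator), here is the openssl recipe above carried through end to end: a live key and a separate backup key are generated, the pin-sha256 of each is derived, the pin of a self-signed certificate made from the live key is checked to be identical to the pin of the key itself (so a backup pin needs only a second private key, not a second certificate), and the resulting Public-Key-Pins value is printed. The CN zoo.example and the max-age value are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the HPKP pin recipe end to end.
set -eu

# Fresh secp384r1 private key in $1 (the post's command; -noout drops the separate
# EC PARAMETERS block the post noticed, leaving only the EC PRIVATE KEY block).
gen_ec_key() {
  openssl ecparam -genkey -name secp384r1 -noout -out "$1" 2>/dev/null
}

# HPKP pin of a private key: DER SubjectPublicKeyInfo -> SHA-256 -> base64.
# Only the public half is hashed, so any certificate carrying this key pins the same.
spki_pin() {
  openssl ec -in "$1" -pubout -outform der 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl base64 -A
}

# The same pin computed from a certificate, which is what a browser actually sees.
cert_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl base64 -A
}

# Header value: live pin, backup pin (a key that sits in no certificate yet), max-age.
pkp_header() {
  printf 'pin-sha256="%s"; pin-sha256="%s"; max-age=%s' "$1" "$2" "$3"
}

# Demo: live key plus a constructed self-signed cert (CN zoo.example), and a backup key.
demo() {
  d=$(mktemp -d)
  gen_ec_key "$d/live.key"
  gen_ec_key "$d/backup.key"
  openssl req -new -x509 -key "$d/live.key" -days 1 -subj "/CN=zoo.example" \
    -out "$d/live.crt" 2>/dev/null
  live=$(spki_pin "$d/live.key")
  # Key-derived and certificate-derived pins must agree, otherwise the pin is wrong.
  [ "$live" = "$(cert_pin "$d/live.crt")" ] || { echo "pin mismatch" >&2; return 1; }
  pkp_header "$live" "$(spki_pin "$d/backup.key")" 5184000
  rm -rf "$d"
}

demo
echo
```

Keep the backup private key offline; its pin is what lets you rotate to it later without locking out browsers that cached the header.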

I prefer tlsa hashes (my blog) rather than magical stuff that very few seem to get.

If you're more illuminated than you were, well done, but it still makes it useless.

I also had to replace tls, and i decided to break hpkp.

I discovered that i had no access from firefox or chrome.

In firefox, to disable hpkp, find SiteSecurityServiceState.txt in the profile directory and

vi ~/.mozilla/firefox/<something>.default/SiteSecurityServiceState.txt

search for the domain name and delete those entries. Restart and you will gain an uncle Bob.

Chrome is also intentionally screwed up, but since i do not use chrome it's not an issue. Resetting chrome clears the issue; however, if i can find and edit or delete my hpkp settings back to defaults, i am sure a malware or ransomware bot could as well. I conclude that hpkp is useless.

Tomorrow cute kitten pictures*

*i joke. **still requires tls certs from a ‘trusted’ ssl source, of which most require money.

weird google pagespeed issues with async and defer and http2

The zoo has a single webpage of which some parts work and some do not, depending on the browser.

pagespeed (my blog), a google thing, likes things adjusted with the async and defer html 5 keywords (my blog); add http/2 secure and unsecured methods* and you have a party, which i was designated to solve.

So one day i decided to fix this one-page weirdo: removing those two words from jQuery and boom, the page does what it used to do every time in most browsers.

Sisyphus is still a role model

Should you trust pagespeed? No, but it seems the move to http2 is one that needs some thinking on, even with simple html.

I was kind of amazed it was that simple and that http2 conflicts with pagespeed, but not too surprised; after all, what google wants and what we want are two different things.

Our csp (my blog) is causing an issue with some on-page javascript, which is probably redundant due to http headers, but that is not an issue.

*not http/1

the return of the webform bot

The zoo has a web form bot lookup from years and years ago; to be honest i was not sure it was working, since it did not see any action until it caught some web bots trying to send us messages of no value, which a script reports to me daily.

Not sure if they got past our captcha either.

It has been a while, but i am glad i did not dump that feature, even with the settings we had.

fun with Content Security Policies

This is something your website can do, and included in the spectrum is hpkp (my blog), which is generally considered a nightmare and broken, but other content security things are needed by some web things to work.

As it is kind of tls related, i decided to make the zoo compatible with the more common csp’s unused here in the zoo. There are easy headers like hsts, x-frame*, set-cookie, xss, and hard ones: csp is hard. I was missing a couple and thought, why not.

However, csp seems to allow stuff but is quite tricky to figure out; the format goes

<set header> default-src 'self' data: hostname; script-src * data: hostname; style-src data: hostname

Chrome browser is helpful here for diagnosing stuff, although i never bothered to look at firefox’s tools.

I had to use a wildcard with our policy on the hostname, but things eventually worked.

hpkp remains something i won't touch with a bargepole, for if Symantec can issue bad ev [the green ones] unauthorised then the danger becomes clear to all.

apache2-doc debian weirdness fixed

If, like the zoo, you upgraded from debian 8 to debian 9 (my blog), then apache2-doc fails with something along the lines of

ERROR: Conf apache2-doc does not exist!
dpkg: error processing package apache2 (--configure):

But apache still runs. A purge and install, e.g.:

apt purge apache2-doc; apt install apache2-doc

fixes it, so shit software like systemd will not complain about it. Honestly, no idea why you have to do this when the version of the package was current, but that’s how things go with systemd.

http/2 in the wild

I have a new plugin that tells me when http/2 is in use, and many well-known sites still do not support http/2. It kind of surprised me, but it should not have; after all, those grey icons for dnssec (my blog) mostly stay grey: forget it, not even red (error) or green (ok).

I have yet to bother with hpkp (my blog) and seriously doubt there is a plug-in for that; after all, very few sites even have that.