The RC4 stream cipher is widely used in HTTPS (as the cipher in many TLS cipher suites), even though it is vulnerable to attacks that can recover plaintext in a practical amount of time, as the RC4 NOMORE site explains.

What countermeasures should be taken? Quoted from the RC4 NOMORE site:

The only good countermeasure is to stop using RC4. Nevertheless, we did observe that generating the required amount of traffic can be a bottleneck when executing the attack. Hence attacks can be made more expensive, though not prevented, by making it more difficult to generate traffic. One option is to prohibit browsers from making parallel connections when using RC4 (normally multiple connections are made to load websites faster). This reduces the speed at which clients can make requests, meaning they generate traffic more slowly. However, we stress that this would only increase the execution time of attacks, and not prevent them.

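Since the only real countermeasure is to stop using RC4, the practical task is to make sure a JVM-based client or server never offers an RC4 suite and to be able to check a suite list for it. The following is an added example written for this page, not code from the RC4 NOMORE authors: it filters RC4 suites out of a cipher-suite list, applies that filter to the JSSE defaults, and disables RC4 process-wide through the standard `jdk.tls.disabledAlgorithms` security property. The class name `NoRc4` and the sample suite list are constructed for illustration.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Added example: keeping RC4 out of a JVM's TLS configuration. */
public final class NoRc4 {

    /** Returns the given suite list with every RC4-based suite removed. */
    static String[] withoutRc4(String[] suites) {
        return Arrays.stream(suites)
                .filter(s -> !s.contains("RC4"))
                .toArray(String[]::new);
    }

    /** True if any suite in the list (e.g. from a scan result) is RC4-based. */
    static boolean offersRc4(String[] suites) {
        return Arrays.stream(suites).anyMatch(s -> s.contains("RC4"));
    }

    /**
     * Process-wide switch: JSSE refuses to negotiate anything listed in
     * jdk.tls.disabledAlgorithms. Must run before the first SSLContext is
     * initialized; recent JDKs already list RC4, so this is a no-op there.
     */
    static void disableRc4Globally() {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (current == null || !current.contains("RC4")) {
            String updated = (current == null || current.isEmpty()) ? "RC4" : current + ", RC4";
            Security.setProperty("jdk.tls.disabledAlgorithms", updated);
        }
    }

    /** Per-connection: explicit suite list to apply to an SSLSocket or SSLEngine. */
    static SSLParameters hardenedParameters(SSLContext ctx) {
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setCipherSuites(withoutRc4(params.getCipherSuites()));
        return params;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the kind of list a server scan or an old JVM reports.
        String[] scanned = {
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
            "SSL_RSA_WITH_RC4_128_MD5",
            "TLS_RSA_WITH_AES_128_CBC_SHA"
        };
        System.out.println("sample list offers RC4: " + offersRc4(scanned));
        System.out.println("after filtering: " + Arrays.toString(withoutRc4(scanned)));

        disableRc4Globally();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);  // default key/trust managers
        SSLParameters hardened = hardenedParameters(ctx);
        System.out.println("RC4 in JVM defaults: "
                + offersRc4(ctx.getDefaultSSLParameters().getCipherSuites()));
        System.out.println("RC4 in hardened parameters: "
                + offersRc4(hardened.getCipherSuites()));
    }
}
```

Apply the returned `SSLParameters` with `SSLSocket.setSSLParameters` or `SSLEngine.setSSLParameters`. The same filtering belongs in the server's own configuration as well (for Tomcat, the HTTPS Connector's `ciphers` attribute), since a client-side exclusion does nothing for browsers that still accept RC4.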

Coveralls is a web service created by LEMUR Heavy that helps track code coverage over time. Coveralls is free for open source projects and requires that the projects are hosted on GitHub. The service was originally created for Ruby projects, but the provided API allows anybody to create code coverage report clients. Numerous integrations have been created by the open source community for different languages such as Python, PHP, Node.js and Scala, but there was no support for Java projects. I find this odd, because in the enterprise Java world such metrics are everyday life. There are plenty of coverage tools and metrics platforms available, like Cobertura, JaCoCo, SonarQube (previously known as Sonar) and so on.

Recently an encoding issue with HTTP form POST requests under Tomcat was found in a project I work on. The form submit was triggered with JavaScript and the normal submit behavior was disabled. The form page was rendered with a Content-Type: text/html; charset=UTF-8 header, the HTML head section had a <meta charset="utf-8"> hint and the form was defined as a plain <form> without any additional attributes. This should have resulted in the form being posted with the application/x-www-form-urlencoded content type using UTF-8 encoding. But no, this did not work with Tomcat, for an unknown reason, even though everything worked fine with the Jetty application server.
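The excerpt above does not say what the root cause turned out to be, so the following is an added example for this page, not code from the project described. It assumes the usual explanation for this symptom: a browser sends an application/x-www-form-urlencoded body with no charset parameter in the Content-Type header, and Tomcat then decodes the parameters as ISO-8859-1 (its default request body encoding) unless the request's character encoding is set before the first call to getParameter, whereas Jetty decodes form parameters as UTF-8 by default. The `Utf8FormFilter` class and the `mojibake` helper are constructed for illustration and use the javax.servlet API (Tomcat 7 to 9).

```java
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;

/**
 * Added example: force UTF-8 decoding of form bodies that arrive without a
 * charset. Mapped to every URL; the equivalent web.xml entry is a
 * <filter> plus <filter-mapping> with <url-pattern>/*</url-pattern>.
 */
@WebFilter(urlPatterns = "/*")
public class Utf8FormFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // setCharacterEncoding only has an effect before the body is parsed,
        // i.e. before any getParameter() call further down the chain.
        // Respect a charset the client did declare; only fill in the gap.
        if (req.getCharacterEncoding() == null) {
            req.setCharacterEncoding(StandardCharsets.UTF_8.name());
        }
        // Keep the response consistent with the page that rendered the form.
        resp.setCharacterEncoding(StandardCharsets.UTF_8.name());
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() { }

    /**
     * Shows what the container hands the application when a UTF-8 encoded
     * value is decoded with the wrong charset (assumed cause of the bug).
     */
    static String mojibake(String sentByBrowser, Charset assumedByContainer) {
        byte[] wire = sentByBrowser.getBytes(StandardCharsets.UTF_8); // bytes on the wire
        return new String(wire, assumedByContainer);                  // container's view
    }

    public static void main(String[] args) {
        String value = "Hyv\u00e4\u00e4 p\u00e4iv\u00e4\u00e4"; // constructed sample input
        System.out.println("decoded as ISO-8859-1: " + mojibake(value, StandardCharsets.ISO_8859_1));
        System.out.println("decoded as UTF-8:      " + mojibake(value, StandardCharsets.UTF_8));
    }
}
```

The filter must be ordered before anything that reads parameters (including other filters); if the cause is confirmed to be the container default rather than the client, Tomcat's own configuration offers the same fix declaratively, but the filter keeps the behavior identical across Tomcat and Jetty.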