The Embedded Web Blog

April Products Updates


We're releasing updates for all products to work with Pak's new pak.json configuration file.

This means that Appweb, GoAhead and ESP get new releases, as well as MakeMe, Expansive and Ejscript.

Pak Gets Its Own Config File


We've made a small, but really significant change to Pak.

Pak now has its own package description file — pak.json.

Instead of using package.json, Pak now reads its own configuration file, pak.json.


Don't Internet enable your device


Device builders, please stop and think for a moment before you add Internet connectivity to yet another device.

Are you fully prepared to bear the cost of securing that device on the Internet for its entire lifetime?

If you are not, you are ignoring the true cost of that device and blindly adding to the massive security problem we already have.

Do you really need an Internet door lock?


Please, just stop for a moment and think before you buy that next cool Internet connected gadget.

Do you really, truly need it to connect to the Internet? That connection does not come for free.

I’m not talking about the increase in price of the gadget, the cost of bandwidth, or the cost to you when you cannot get back into your house. Rather I’m talking about the cost of securing the device over the entire lifespan of the device, year after year after year.

GoAhead 4


I'm happy to announce that GoAhead 4 is now available for immediate download.

GoAhead 4 is an evolutionary upgrade from GoAhead 3.X. It preserves application compatibility while strengthening API contracts.

All users are encouraged to keep current with the latest release and to upgrade to GoAhead 4 now.

GoAhead Security Update


A remote code execution vulnerability has been reported in the CGI handler of GoAhead versions 2.x and 3.x on Linux. It affects sites that run dynamically linked CGI programs under GoAhead on Linux; sites that do not use the CGI handler, or whose CGI programs are statically linked, are not affected by this report. Affected sites should upgrade; if upgrading is not immediately possible, disabling the CGI handler removes the exposed code path.
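To make the class of issue concrete, here is an added example in Python (not GoAhead's code, which is C): the pattern that lets request data reach a CGI child's environment unfiltered, beside a hardened version that keeps request data under fixed CGI meta-variable names and refuses to spawn if any dynamic-loader variable is present. The advisory above does not describe the mechanism; the parameter-to-environment mapping, the sample request and the header names are assumptions for illustration. What is not an assumption is that a dynamically linked program honours loader variables such as LD_PRELOAD before main() runs, which is why dynamic linking is the deciding factor.

```python
"""Added example, not GoAhead's code: CGI environment construction.

A CGI handler hands request data to the child program through its
environment. If any request-controlled string can become a variable
*name*, an attacker can pick names the dynamic loader reads, and a
dynamically linked child will load attacker-controlled code.
The mapping below is an illustrative assumption, not the real handler.
"""
import re
from urllib.parse import parse_qsl

# Prefixes the dynamic loader acts on before main() runs (glibc: LD_*,
# macOS: DYLD_*). A statically linked child ignores them; a dynamically
# linked one does not.
LOADER_PREFIXES = ("LD_", "DYLD_")

# Minimal base environment the child gets from the server, not the request.
BASE_ENV = {"PATH": "/usr/bin:/bin"}

_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")


def loader_exposed(env):
    """Return the environment variable names the dynamic loader would act on.
    Usable as a guard before exec() and as a check in a test suite."""
    return [k for k in env if k.upper().startswith(LOADER_PREFIXES)]


def unsafe_cgi_env(method, path, query):
    """Vulnerable pattern (assumed for illustration): every query parameter
    becomes an environment variable under its own name. A request such as
    ?LD_PRELOAD=/tmp/evil.so then makes a dynamically linked child load
    attacker code before the script's first instruction."""
    env = dict(BASE_ENV)
    env["REQUEST_METHOD"] = method
    env["SCRIPT_NAME"] = path
    env["QUERY_STRING"] = query
    for name, value in parse_qsl(query, keep_blank_values=True):
        env[name] = value  # the attacker chooses the variable name
    return env


def safe_cgi_env(method, path, query, headers):
    """Hardened pattern: request data only appears under names the server
    chooses (RFC 3875 meta-variables), and the result is checked against
    loader prefixes before the child is spawned."""
    env = dict(BASE_ENV)
    env["GATEWAY_INTERFACE"] = "CGI/1.1"
    env["REQUEST_METHOD"] = method
    env["SCRIPT_NAME"] = path
    env["QUERY_STRING"] = query  # the script parses the parameters itself
    for hname, hvalue in headers.items():
        # Protocol-specific meta-variable: HTTP_ + upper-cased header name
        # with non-alphanumerics mapped to '_'. The fixed HTTP_ prefix means
        # a header called "LD-Preload" still cannot reach the loader.
        mapped = "HTTP_" + re.sub(r"[^A-Z0-9]", "_", hname.upper())
        if _NAME_RE.match(mapped):
            env[mapped] = hvalue
    bad = loader_exposed(env)
    if bad:  # fail closed: never spawn with a loader variable present
        raise ValueError("refusing to spawn CGI child, loader vars: %r" % bad)
    return env


if __name__ == "__main__":
    # Constructed request, not a captured one.
    q = "LD_PRELOAD=/tmp/evil.so&page=1"
    print("unsafe:", loader_exposed(unsafe_cgi_env("GET", "/cgi-bin/app", q)))
    env = safe_cgi_env("GET", "/cgi-bin/app", q, {"Host": "example.com", "LD-Preload": "x"})
    print("safe:", loader_exposed(env), env["HTTP_LD_PRELOAD"])
```

The same `loader_exposed` check is worth running in an integration test against whatever environment the real handler produces for a request whose parameter and header names are chosen to collide with loader variables.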

Source Distributions


To simplify and accelerate releases, we're going to focus on source code distributions only, for all products.

Since the Embedthis product suite is designed for embedded use, this should impose little burden, and it will help focus our testing and accelerate our release pipeline.

Updates all Round


We're releasing updates for all products with minor fixes to the underlying MPR and HTTP libraries. This means that Appweb, GoAhead and ESP get new releases.

For Appweb, we're incrementing the major version to Appweb 7. Appweb 6 becomes the Long Term Support (LTS) version and will be supported until the end of 2018. There are no breaking or major changes in Appweb 7.

June Releases


We're releasing updates for Appweb, GoAhead and MakeMe that fix a few dozen paper-cut type issues.

Content Security Policy - The Reality


The Content Security Policy (CSP) is a powerful mechanism to prevent Cross Site Scripting (XSS) attacks on web sites, a class of bug that accounts for the majority of all web security vulnerabilities.

But CSP is off to a slow start and is not deployed on the vast majority of web sites. Perhaps the difficulty of implementing CSP is to blame?

This post examines a case study of deploying CSP and makes some recommendations to the social media companies that would make CSP easier to implement.

Content Security Policy Survey


The Content Security Policy (CSP) is a powerful mechanism to prevent Cross Site Scripting (XSS) attacks, which account for 84% of all security vulnerabilities in web sites. So you would think that such a magic bullet would be widely deployed and promoted.

Think again: CSP is implemented on less than 0.5% of web sites. Further, of those sites that do implement it, less than 3% use CSP in the recommended manner that effectively mitigates Cross Site Scripting attacks. In fact, out of 21,823 sites surveyed, less than 0.02% are using CSP effectively.

These are the results of a CSP survey conducted to determine the level of CSP adoption on public web sites.
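As an added illustration (not the survey's own tooling, which the post does not publish), here is a small Python classifier that applies one reading of "the recommended manner". The criteria are assumptions, stated in the code: scripts must be governed by script-src or by a default-src fallback; 'unsafe-inline' counts as ineffective unless a nonce or hash is also present (CSP2+ browsers then ignore it); wildcard and scheme-only script sources count as ineffective; and a Content-Security-Policy-Report-Only header without an enforced policy counts as not mitigating anything. The sample responses are constructed and do not correspond to any real site.

```python
"""Added example, not the survey's code: classify CSP headers by whether
they plausibly stop XSS. The criteria below are assumptions for
illustration, not a statement of what the original survey measured."""
from typing import Dict, List, Tuple

# Constructed sample responses (header name -> value) as a survey would
# collect them, one per site. None of these are real sites.
SAMPLES = {
    "a": {"Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.net"},
    "b": {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"},
    "c": {"Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'"},
    "d": {"Content-Security-Policy": "script-src 'nonce-d2xV7a' 'unsafe-inline' 'strict-dynamic'; object-src 'none'"},
    "e": {"Content-Security-Policy": "frame-ancestors 'none'"},
    "f": {"Content-Security-Policy-Report-Only": "default-src 'self'"},
    "g": {},
}

# Sources whose presence makes 'unsafe-inline' ignored by CSP2+ browsers.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
# Script sources broad enough that an injection can still load script.
OPEN_SOURCES = {"*", "http:", "https:", "data:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive: [sources]}.
    Tokens are lower-cased for classification only; a real enforcer must
    keep nonce and hash values case-sensitive."""
    policy: Dict[str, List[str]] = {}
    for serialized in header.split(";"):
        tokens = serialized.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:  # CSP: a repeated directive is ignored
            policy[name] = [t.lower() for t in tokens[1:]]
    return policy


def assess_policy(header: str) -> Tuple[bool, List[str]]:
    """Return (effective, reasons) for one enforced policy."""
    policy = parse_csp(header)
    # script-src governs scripts; default-src is the fallback; neither
    # means script loading is unrestricted whatever else the policy says.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False, ["neither script-src nor default-src: scripts unrestricted"]
    reasons = []
    nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
    if "'unsafe-inline'" in sources and not nonce_or_hash:
        reasons.append("'unsafe-inline' without a nonce or hash lets injected inline script run")
    for s in sources:
        if s in OPEN_SOURCES:
            reasons.append(f"script source {s} is too broad to stop injection")
    return not reasons, reasons


def assess_response(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Classify one site's response headers as 'none', 'report-only',
    'weak' or 'effective'. Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    enforced = lowered.get("content-security-policy")
    if enforced is None:
        if "content-security-policy-report-only" in lowered:
            return "report-only", ["policy is reported, not enforced"]
        return "none", []
    ok, reasons = assess_policy(enforced)
    return ("effective" if ok else "weak"), reasons


def survey(samples: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Tally the classification across a set of sampled responses."""
    counts = {"none": 0, "report-only": 0, "weak": 0, "effective": 0}
    for headers in samples.values():
        kind, _ = assess_response(headers)
        counts[kind] += 1
    return counts


if __name__ == "__main__":
    for site, headers in SAMPLES.items():
        print(site, *assess_response(headers))
    print(survey(SAMPLES))
```

Sample "d" is the instructive case: it carries 'unsafe-inline', but because a nonce is present a CSP2+ browser ignores that keyword, so a classifier that merely greps for 'unsafe-inline' would undercount effective deployments.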

mbed TLS Integrated


Embedthis products, including the Appweb and GoAhead web servers, have supported a variety of SSL stacks for secure connectivity: OpenSSL, mbed TLS, MatrixSSL and NanoSSL. However, this has often required separately downloading and building the SSL software, and for some SSL stacks, building for your selected operating system can be a long and non-trivial exercise.

SSL is increasingly mandatory rather than optional. Securely authenticating users and controlling access to a management interface requires SSL, and the emerging HTTP/2 protocol will use SSL by default. Consequently, we have been searching for a simpler way to offer secure SSL connectivity out of the box.

© Embedthis Software. All rights reserved. Privacy Policy and Terms of Use.   Generated on Apr 19, 2018.