Skip to main content

PhantomJS / POODLE

On Tuesday October 14th, 2014, Google announced the POODLE vulnerability for SSLv3. Engineering teams scrambled to remove support for SSLv3 on their websites, including our own system operations team.

My team's data engineering system scrapes information from retail banking sites, which we have learned were heavily impacted by the SSL fix on Tuesday. It makes sense that banks would want to keep up-to-date with the latest security issues.

When we scraped pages on Wednesday morning, a large portion of the sites we collect from came up blank in the PhantomJS browser, but without any obvious errors in our log files or in our log analysis dashboard (Kibana).

We were puzzled at this behavior, and when we went to look at the URL's that failed to produce images, it was clear that they were all SSL-enabled and responding with a recent TLS protocol. It turns out that PhantomJS by default only uses the SSLv3 protocol, and so it does not support any of the TLS protocols without additional configuration.

The solution to our problem was to set the command line flag for preferred SSL protocol to any so PhantomJS is free to pick whatever protocol is supported by the site being scraped. While it is unintuitive for PhantomJS to select the least secure protocol as the default, at least we can override it easily.

Comments

Popular posts from this blog

ReactJS, NPM and Maven

I'm just starting to get into working with ReactJS, Facebook's open source rendering framework. My project uses SpringBoot for annotation-driven dependency injection and MVC. I thought it would be great if I could use a bit of ReactJS to enhance the application. If you're looking for a basic conceptual intro, I recommend ReactJS for Stupid People and of course the official documentation  is quite good. In full disclosure, I still have no idea how to do "flux" yet. As an experienced Java backend developer, I'm pretty decent at hacking Maven builds - which is precisely what this blog post is going to be about. First, a word about how React likes to be built. Like many front-end tools, there is a toolkit for the node package manager (NPM). From the command prompt, one might run npm install -g react-tools  which installs the jsx command. The  jsx  command provides the ability to transform JSX syntax into ordinary JavaScript, which is precisely what I want...

Solved: Unable to Locate Spring Namespace Handler

I attempted to run a Spring WebMVC application, and when starting up the application complained that it didn't know how to handle the MVC namespace in my XML configuration. The project runs JDK 7 and Spring 4.0.6 using Maven as the build system. The following is my XML configuration file: <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans"        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"        xmlns:mvc="http://www.springframework.org/schema/mvc"        xsi:schemaLocation="         http://www.springframework.org/schema/beans         http://www.springframework.org/schema/beans/spring-beans.xsd         http://www.springframework.org/schema/mvc         http://www.springframework.org/schema/mvc/spring-mvc.xsd">          <mvc:annotation-driven/> ...

AWS S3 versus CloudFront Performance

Yesterday I took Amazon CloudFront for a spin. Creating the CloudFront distribution was pretty simple - the wizard process flowed nicely. I found myself relying on the help text in places, but the most surprising thing was how long it took for the distribution to become enabled. I didn't time it exactly, but I probably spent 45 minutes waiting for my new CloudFront distribution to change from "In Progress" to "Enabled" status. The performance is a bit confusing. Compared to the S3 bucket, I didn't see any improvement in performance in a few tries - in fact, the CloudFront CDN performance was worse than the S3 bucket on its own for my 217 KB image file. I decided to take a larger sample, loading the same image 30 times in Chrome and noting the timing data from the "network" tab in the developer tools. I'm located in Brooklyn, have CloudFront configured for the US/Europe with download mode configured. My S3 bucket is in the US Standard zone, w...