Why does YouTube insist on weak RC4?
April 14, 2014
A few weeks ago, Google did some changes to YouTube. Now, when you attempt to watch a video on YouTube, the video will be streamed using the RC4 cipher. If you disable RC4 in your browser, no video will be loaded. You cannot watch it. It is also documented in a Google groups thread. The first time I heard about it was when Faldrian shared his experience with googlevideo.com (German), while YouTube still worked without RC4. A bit later Google extented it on YouTube.
What's bad about RC4
RC4 is a widely used stream cipher. For instance it is used to safely transport Video or Audio by symmetric encryption. The advantages of RC4 are that is simple and fast. But it also has its drawbacks.
It is said the the RC4 cipher is cryptographically broken (=insecure) for years. Jacob Appelbaum states the NSA can break it in real time. If this is true, it is as good as no encryption. Although no proof exists in public, it seems to be very likely. If you want to be on the safe side, you disable RC4 in your browser. But you cannot disable it for certain web sites only (or only whitelist sites) – it affects all sites.
There may be good reasons for Google doing so, after all they usually reason things out before taking actions. It might have been that Google did not send their videos over an encrypted HTTP connection before (pure speculation), but now they do. Well meant is not necessarily well done. If it drives people to keep using RC4, worse security is the result. My guess is they switched all traffic to TLS encrypted connections, after certain Snowden leaks, and RC4 was the fastest and easiest to implement for video streaming.
An interesting side note is that Google filed a draft for an alternative stream cipher for TLS. The candidate is ChaCha20 by Bernstein. So maybe RC4 is just a temporary move?
I keep RC4 disabled, YouTube is not that important to me. Except for YouTube, I believe I came across only one other site that relied solely on RC4, and it was far less important, even I do not remember which one it was.
Only I wish that more people or blogs would move away from YouTube. The other major reason for this is also to go away from (centralized) services provided by companies that are too big to be good.
Bookmarklet: Search for video on other sites
Since people will not stop to link to YouTube in the near future, I need to find the video on other sites if I want to watch them. I wrote a little bookmarklet (What is a bookmarklet?) that I can click when I end up on a YouTube video. It will take the video title and start a Google video search excluding youtube.com.
Now, not every video will be available somewhere else. Bad luck. On the other hand, many videos on YouTube that are blocked in Germany can be freely seen on other sites. Interested in the bookmarklet? Drag the following "link" into your bookmarks list. Below is a quick video howto if you are new to bookmarklets and also the source code.
Why actually a Google search? – Mainly for ironic reasons. Most likely you can use any search engine that offers a video search if you adjust the URL and parameters. My search engine of choice is startpage.com, by the way, and I do block Google cookies.
ownCloud Client 1.6: The Tour
April 9, 2014
Now that ownCloud 1.6.0 beta1 is out, it’s time to explain the story behind it:
This release was developed under the promise that it would improve performance 1), and we have made tremendous improvements: Using a new Qt-based propagator implementation, we can now perform multiple simultaneous up- and downloads. We still provide the old propagator for certain situation where it’s more suitable, such as for situations where bandwidth limitation is needed.
Furthermore, the sync journal access code has been significantly optimized. It paid tribute to most of the high CPU load during the mandatory interval checks. CPU usage should be much lower now, and the client should be usable with more files at the same time.
Windows users should also find update times improved as the time spent in file stat operations has been reduced. Mac OS X users will enjoy the benefits of a much improved file watcher. To be able to use the more efficient API, 1.6 drops support for Mac OS Snow Leopard (10.6) and now requires Mac OS 10.7 or better.
At the same time, production releases are now using Qt 5 rather than Qt 4 on Windows and Mac OS X2). This fixes a lot of visual bugs in Mac OS X, especially for Mavericks users, and allows us to profit from improvements in the SSL handling, especially on the Mac.
We also implemented an item that was on many peoples wish list: a concise sync log. Next to the database, the sync folder now holds a hidden file called
.owncloudsync.log. It will store all sync processes in a minimal CSV file. Contrary to previous logging facilities, it always logs and only collects information relevant to the actual sync algorithm decisions.
Because this tour was not as colorful as the previous one, let’s close this blog post with a feature contributed by Denis Dzyubenko: The settings dialog on Mac OS X now has a native look & feel:
1) Now that while the client is multi-threaded, you may find that the transfer time still doesn’t improve as much as you would expect. This is due locking issues on the server which prevent efficient parallel transfers. This has been improved in 1.7, and could potentilly improved even further by implementing support for
X-Accel-Redirect in SabreDAV, the DAV framework used by ownCloud server.
2) We can’t do the switch even on modern Linux distributions mostly due of the poor support for modern and divergent Systray/Notification area support in Qt5: Even in Qt 4 we could only use it because Canonical had patched their Qt to make
QSystemTrayIcon work with Unity, which they have not ported to Qt 5 yet. Gnome 3 also hides away traditional Systray icons way to well, not to speak of Plasma. Any leads would be helpful.
PS: Martin’s blog on the subject indicates that Qt 5.3 might solve the problem.
March 31, 2014
ownCloud Inc. blog by Frank, I'll be joining ownCloud Inc. as community manager tomorrow. Like in my previous gig at SUSE, I consider the 'manager' part of the title to be about helping out the community wherever I can. To put it less graphically than Frank did: you get another person to talk to when you think we can improve things.
I'm excited to get started and find out what should be done. Of course I have thoughts and ideas on that but I am not the type to have a strong opinion before I know what is going on and have heard a bunch of opinions about it. And although I've been around ownCloud a fair bit, having written and talked about it, used it and knowing many of you, I intend to take my time to get to know you all better. Of course, marketing is my thing, so I'm sure to be around in that area, helping spread the word on what ownCloud is doing and why it matters.
Opinions, ideas and introductions are very welcome! I'm around on most social media but most actively on G+ and of course you can email me, ping me IRC and so on.
I really look forward to getting my head in the clouds with you all!
ownCloud @ Chemnitzer Linuxtage 2014
March 19, 2014
Last weekend Daniel, Arthur, Morris and me were in Chemnitz where the Chemnitzer Linuxtage 2014 took place. We drove a booth during the two days, the CLT host around 60 boothes of companies and FOSS projects. I like to go to the CLT because it is perfectly organized with great enthusiasm of everybody involved from the organisation team. Food, schedules, the venue, everything is perfect.
Even on saturday morning, short after opening of the event, somebody from the orga team was showing up on the booth with chocolate for the volunteers, saying hello and asking if everything is in place for a successful weekend. A small detail, which shows how much effort is put into organization of the event.
As a result, visitors come to visit the event. It’s mostly a community centric event: Exhibitors are mostly representing FOSS projects such as openstreetmap.org, distributions like Fedora or openSUSE or companies from the free software market.
Speaking about ownCloud, I want to say that it’s amazing to represent our project. People know it, people like it, people use it. In private, but also in professional space people work with ownCloud already or are planing to start with ownCloud. ownCloud already is the accepted solution for the problems that became so practical with the NSA scandal last year.
My talk with title A private Cloud with ownCloud on Saturday morning was very well received and went smooth. The room was too small, lots of people had to stand or sit on the stairs. It was a very positive atmosphere.
Something that changed compared to last year and the year before: Most discussions were around how ownCloud can be installed, integrated and used and not any more about which features are still missing or maybe also bugs.
So it were two very exhausting days, but big fun! Thanks to Daniel, Arthur and Morris for the work and fun we had on the booth, and thanks to the CLT team for CLT.
SO_oC — Summer Of ownCloud!
March 9, 2014
This is a heads up that ownCloud is participating in two internship programs this summer!
Thanks to openSUSE for hosting us again!
Student application starts tomorrow. It’s important that you come up with a draft of your proposal as soon as possible, so that you can get feedback from your mentor.
Thanks to the OPW organizers for accepting our application ;-)
Check out the ownCloud OPW portal for more information.
Remember that you have time until March 19 to get in touch with us and make a small contribution.
Here is the list of Projects Ideas we propose. Check out this list and contact the mentors of the projects you are interested in. Notice two things:
- in order to participate in OPW, you don’t need to be a student;
- GSoC projects are restricted to coding. If you are applying for GSoC, look only for projects in that category;
- both the programs have hard deadlines, mind the dates!
If you have any question, don’t hesitate to swing by our IRC channel! (#owncloud on Freenode — I am ‘cosenal’)
Here it’s still -11°C, as I write, but I’ll say it anyway, as an omen: Happy Summer Of ownCloud!