Can client certificates substitute for IP restriction?

It is now almost a year since WFH became widespread because of COVID-19, and many people have probably had occasion to use web-based admin consoles from home.
Until now, though, web admin consoles were usually protected by an IP restriction. (I wish I had a source to cite for that.)
Once WFH started, VPN terminators became overloaded, security policies built around the traditional private network perimeter were reconsidered, and the term "zero trust security" began to spread to a general audience.
In Japan, Digital Reform Minister Takuya Hirai describing it as the security policy direction the government aims for was another trigger for its spread.

Now, when people want to reach the admin console from all sorts of IPs while working from home, the old IP restriction is inconvenient, so I am considering a client certificate restriction instead.

However, I doubt whether a client certificate restriction is really a substitute for an IP restriction. The premise here is an admin console that already has ID/password authentication, with an IP restriction layered on top of it.

  1. IP restriction ≈ geographic restriction
    • An IP, whether dynamic or static, is assigned by the ISP, and ISPs have fixed IP ranges per country and region.
    • To steal a statically assigned IP, an attacker has to:
      • connect to the LAN physically (break into the building)
      • get into the LAN through the VPN (exploit a vulnerability in the VPN terminator, or obtain VPN credentials somehow)
      • exploit a weakness in the IP filtering itself (tiny fragment / overlapping fragment attacks; I doubt any server is still vulnerable to those)
  2. How do you distribute the client certificates?
    • By email? On the internal wiki? (That is the same problem as password-protected zip files.)
    • Isn't it pointless unless they are handed out without going over the network? (FIDO)
    • OK, the problem is generating the key and the certificate on the CA server. Instead, generate the key pair on each PC and send only the public key to the CA to be signed.
      • Then supporting that on every employee's PC is a huge support burden.

Done properly (collect public keys rather than distributing certificates), it can substitute for an IP restriction, but I cannot see a scheme that distributes generated keys reaching the same security strength as an IP restriction.

Maybe it is fine if you are careful about how you distribute them. Distributing by email or wiki is out of the question; have people come to the CA to collect them in person. If the security of that collection step is solid, it should be OK.

Before client certificates, shouldn't it be two-factor authentication? Someone who knows, please tell me!

I have decided to write posts in my native language

I have been trying hard to write posts in English, but writing in English became a pain and I have hardly been able to blog at all.

I still want to write in English, partly for language practice, but I will put keeping this blog going first and write in my native language (Japanese) so I can update it more often.

I am aiming for a style where I add an English translation after writing a post in my native language.

In other words, what used to be a single task, writing a post in English, is split into two tasks: writing the post and translating it.

Sometimes I will translate right after writing a post, and sometimes there will be a gap of a few days.

How to set up GA4 ecommerce with GTM

GTM Variables

  • Ecommerce Items = ecommerce.items
  • Ecommerce Purchase TransactionId = ecommerce.purchase.transaction_id
  • Ecommerce Purchase Affiliation = ecommerce.purchase.affiliation
  • Ecommerce Purchase Value = ecommerce.purchase.value
  • Ecommerce Purchase Tax = ecommerce.purchase.tax
  • Ecommerce Purchase Shipping = ecommerce.purchase.shipping
  • Ecommerce Purchase Currency = ecommerce.purchase.currency
  • Ecommerce Purchase Coupon = ecommerce.purchase.coupon

GTM Triggers

  • CustomEvent view_item_list
  • CustomEvent view_item
  • CustomEvent select_item
  • CustomEvent add_to_cart
  • CustomEvent remove_from_cart
  • CustomEvent begin_checkout
  • CustomEvent purchase

GTM Tags

  • GA4 settings: trigger = All Pages
  • GA4 event: event name = view_item_list, trigger = view_item_list
    • event parameters
      • items = {{Ecommerce Items}}
  • GA4 event: event name = view_item, trigger = view_item
    • event parameters
      • items = {{Ecommerce Items}}
  • GA4 event: event name = select_item, trigger = select_item
    • event parameters
      • items = {{Ecommerce Items}}
  • GA4 event: event name = add_to_cart, trigger = add_to_cart
    • event parameters
      • items = {{Ecommerce Items}}
  • GA4 event: event name = remove_from_cart, trigger = remove_from_cart
    • event parameters
      • items = {{Ecommerce Items}}
  • GA4 event: event name = begin_checkout, trigger = begin_checkout
    • event parameters
      • items = {{Ecommerce Items}}
  • GA4 event: event name = purchase, trigger = purchase
    • event parameters
      • items = {{Ecommerce Items}}
      • transaction_id = {{Ecommerce Purchase TransactionId}}
      • affiliation = {{Ecommerce Purchase Affiliation}}
      • value = {{Ecommerce Purchase Value}}
      • tax = {{Ecommerce Purchase Tax}}
      • shipping = {{Ecommerce Purchase Shipping}}
      • currency = {{Ecommerce Purchase Currency}}
      • coupon = {{Ecommerce Purchase Coupon}}

Links

The following document has a few mistakes, for example in the purchase parameters and some of the triggers.

Remote desktop does not work

I always use Remote Desktop to shut down my main PC from bed.

A few days ago I installed a Windows update. After the update I could not connect to my main PC via Remote Desktop.

I checked Event Viewer and found this error:

The device Microsoft Remote Display Adapter (location (unknown)) is offline due to a user-mode driver crash.

Apparently the error is somewhere around the display.

In my case the cause was that the Radeon driver was old.
I updated the driver and Remote Desktop worked again.

StreamWriter.WriteLine writes LF line breaks on Linux

I ran into a mysterious issue.

An OData batch response (multipart/mixed) could not be parsed on Linux, while it worked fine on Windows.
https://github.com/iwate/ODataBatchResponseSample/actions/runs/171318359

I checked the OData source code and found what I think is the cause.

The OData batch response is written using RawValueWriter, and RawValueWriter uses a StreamWriter.

https://github.com/OData/odata.net/blob/182964dd4de0d9271d7e749ff3afde898430326c/src/Microsoft.OData.Core/RawValueWriter.cs#L177

StreamWriter (through its base class TextWriter) uses Environment.NewLineConst as the line terminator.
https://source.dot.net/#System.Private.CoreLib/TextWriter.cs,f3a16a4f25483a3f,references

Environment.NewLineConst is LF on Unix.
https://source.dot.net/#System.Private.CoreLib/Environment.UnixOrBrowser.cs,5fbfd9f39ec095a7

HTTP multipart bodies require CRLF (RFC 2046 defines the boundary delimiter as CRLF followed by "--boundary"). If you write an HTTP writer, do not use anything whose line terminator depends on the environment, such as StreamWriter.WriteLine; write "\r\n" explicitly.


This issue was fixed in https://github.com/OData/odata.net/issues/1842
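As an added example (my own code, not code from the OData project), the following Go program reproduces the failure described above. BuildBatchResponse writes a multipart/mixed batch body with whatever line terminator it is given, standing in for StreamWriter.WriteLine on Windows ("\r\n") and on Linux ("\n"); ParseMultipartStrict implements the delimiter exactly as RFC 2046 defines it, so the LF-terminated body is rejected. The boundary "batch_1" and the embedded HTTP responses are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// BuildBatchResponse mimics a writer that terminates every line with the
// terminator it is given: "\n" reproduces what StreamWriter.WriteLine emits
// on Linux, "\r\n" is what a multipart body actually requires.
func BuildBatchResponse(boundary, nl string, parts []string) string {
	var b strings.Builder
	for _, p := range parts {
		b.WriteString("--" + boundary + nl)
		b.WriteString("Content-Type: application/http" + nl)
		b.WriteString(nl) // empty line ends the part headers
		b.WriteString(p + nl)
	}
	b.WriteString("--" + boundary + "--" + nl)
	return b.String()
}

// ParseMultipartStrict splits a body using the delimiter exactly as RFC 2046
// defines it (CRLF "--" boundary) and returns the body of each part. A body
// written with bare LF never contains that delimiter and is rejected, which
// is the failure the OData batch response ran into on Linux.
func ParseMultipartStrict(body, boundary string) ([]string, error) {
	delim := "\r\n--" + boundary
	// The RFC allows the first boundary line at the very start of the body
	// without a preceding CRLF; prepending one lets it match the same delimiter.
	chunks := strings.Split("\r\n"+body, delim)
	if len(chunks) < 2 {
		return nil, errors.New("no CRLF--boundary delimiter found")
	}
	if !strings.HasPrefix(chunks[len(chunks)-1], "--") {
		return nil, errors.New("close delimiter --boundary-- not preceded by CRLF")
	}
	var bodies []string
	for _, c := range chunks[1 : len(chunks)-1] {
		if !strings.HasPrefix(c, "\r\n") {
			return nil, errors.New("boundary line not terminated by CRLF")
		}
		// Part headers end at the first empty line (CRLF CRLF); the rest is the body.
		i := strings.Index(c[2:], "\r\n\r\n")
		if i < 0 {
			return nil, errors.New("part headers not terminated by CRLF CRLF")
		}
		bodies = append(bodies, c[2+i+4:])
	}
	return bodies, nil
}

func main() {
	// Constructed sample batch: two HTTP responses, as an OData $batch reply carries.
	parts := []string{"HTTP/1.1 200 OK\r\n\r\n{\"id\":1}", "HTTP/1.1 204 No Content\r\n\r\n"}
	for _, nl := range []string{"\r\n", "\n"} {
		got, err := ParseMultipartStrict(BuildBatchResponse("batch_1", nl, parts), "batch_1")
		fmt.Printf("terminator %q: parts=%d err=%v\n", nl, len(got), err)
	}
}
```

Real-world parsers are often lenient about bare LF, which is why the bug only shows up against a strict client; the fix in the writer is the same either way: never derive a protocol line terminator from Environment.NewLine.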

Ascertia's code signing certificate is cheap but...

Ascertia (https://account.ascertia.com/OnlineCA/default) sells certificates, and you can try a free certificate for 30 days.

It seemed like a messiah to me, but then I noticed an important note:

Note Ascertia Root Certificate Authority is not embedded within Windows or the common browsers but can be downloaded from here and easily added.

Ascertia Root Certificate Authority is not embedded within Windows!
Ascertia Root Certificate Authority is not embedded within Windows!
Ascertia Root Certificate Authority is not embedded within Windows!

oh no...

Microsoft Authenticode

I realized something shocking today.
I thought I'd turn off the Windows Installer warning for the Electron app I'm working on, but it looks like I need a code signing certificate for Microsoft Authenticode.

I tried to arrange one somehow, but first of all there are few places that will sell one to an individual, and it is so expensive 😭

I Contracted a PO Box

I signed a contract for a post office box at https://epost-tokyo.com/ today.

I have been preparing my side business recently, and I need a new address for the notation based on the Specified Commercial Transaction Act (特定商取引法に基づく表記 in Japanese).

The cost is 19,000 JPY including tax, which is about 1,600 JPY per month. Hmm, that's nothing to sneeze at for me.

And I got a new VoIP phone number for the same reason as the address. That costs 330 JPY per month.

In total, the new cost for my side business is about 1,900 JPY per month.

The unit price of my product is 1.49 USD, so I have to sell 13 licenses to turn a profit.

Fetch And Store Public Certificate

I needed to verify a signature in the app I was building, but wondered where to store the public key.

One idea was to embed it in the binary, but I want to be able to pick up the latest one, since an embedded key makes updating difficult.
So I came up with a way to fetch the site's TLS certificate over HTTPS and cache it in the X509Store. The certificate is only cached after it passes the normal TLS chain validation. Note that later runs trust whatever FindBySubjectName returns, and that is a substring match on the subject, so tighten the lookup (for example by thumbprint) before relying on the cached key for signature checks.

The implementation is as follows.

using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

namespace ConsoleApp3
{
    class Program
    {
        static async Task Main(string[] args)
        {
            var cert = await new Program().GetPublicCertAsync("blog.iwate.me");
            if (cert == null)
                throw new InvalidOperationException("Could not obtain a valid certificate.");

            // RSA public key used to verify the app's signatures (null if the certificate is not RSA).
            using var rsa = cert.GetRSAPublicKey();
        }

        public async Task<X509Certificate2> GetPublicCertAsync(string domain)
        {
            // The current user's personal store is used as a cache; dispose it when done.
            using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadWrite);

            // validOnly: true skips cached entries that are expired or no longer chain to a trusted root.
            var collection = store.Certificates.Find(X509FindType.FindBySubjectName, domain, validOnly: true);

            if (collection.Count > 0)
                return collection[0];

            X509Certificate2 certificate = null;
            using var client = new HttpClient(new HttpClientHandler
            {
                ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
                {
                    // Accept and cache only a certificate that passed standard TLS validation.
                    if (errors != SslPolicyErrors.None || !cert.Verify())
                        return false;

                    // Copy it: the instance handed to the callback belongs to the connection.
                    certificate = new X509Certificate2(cert);
                    store.Add(certificate);
                    return true;
                }
            });

            // A HEAD request is enough to complete the TLS handshake and receive the server certificate.
            using var response = await client.SendAsync(new HttpRequestMessage(HttpMethod.Head, $"https://{domain}/"));

            return certificate;
        }
    }
}

Azure WebApps with File Shares

I need static website hosting.
But Azure Storage's static website hosting feature is not appropriate,
because it cannot use any authentication.

Therefore I use WebApps.
However, I do not want to use SFTP or git deploy.

I remembered that Azure Functions uses a storage file share for its content,
and that this is enabled through a WebApps app setting.

I added the following two app settings and restarted the web app, and it works nicely.

WEBSITE_CONTENTAZUREFILECONNECTIONSTRING = <connection string>
WEBSITE_CONTENTSHARE = <file share name>

The connection string contains the storage account key, so treat that app setting as a secret (a Key Vault reference works for it as well).

Azure Pricing

I'm making hobby services and considering Azure for hosting them.
However, I don't have much money.
I want to run them as cheaply as possible.

Therefore I researched the pricing and considered the cheapest architecture.

WebApps(Windows)
Shared: ¥1,250.928/month (limit 240 CPU min / day) 😢
Basic1: ¥7,235.760/month 🤑

WebApps(Linux)
Basic1: ¥1,553.44/month 😗

Static website on Storage with Functions
Storage: ~¥100/month 😊
CDN : ~¥1,200/month 🙄
Function: ~¥0/month (within free plan) 😊

Container Instance
Instance: ~¥4000/month 🤑
Registry: ¥540/month 🤔

I think WebApps for Linux or a static website with Functions are the better options.

Hello, World!

This is my first blog.