So in my last post I mentioned random numbers, and talked about needing to trade off between security, speed, and the randomness of the source of random numbers. I stand by the considerations that need to be made, but it was brought to my attention that I was looking at math/rand in go where they also have crypto/rand which makes using /dev/urandom much simpler. The trade offs are the same in practice, but the work was much easier to implement that way, so thank you Liam
I'd try crypto/rand. There seems to be a debate about having to create the seed for math/rand but apparently that's not something they are planning on fixing as it's not meant for true randomness.— liam sorsby (@liamsorsby) September 2, 2019
I have nothing to show on the location app I’ve been building, but I’ve hit a hurdle that I felt warrants some discussion. I want to use two random strings that are unrelated to each other in order to make the app more secure. An ID for each location shared, and a key to prevent someone simply trying to enumerate all the ID’s. Because the key is a security device it is important that it is not derived from the ID, or from the same deterministic source as the ID. With this in mind I have been reading about the random number generator available in Go.
So I have been making improvements to the location app I blogged about recently. The first cut of the app wasn’t really all that much of an achievement as I could have done the same with a file and a webserver, without needing an app written in go. Now in my last blog post I stated that I would build an API, and I have done so. I have also moved the default page, and created a new one. If you choose to look at the code you will notice a function for checking an id and key (which are both currently hard coded to “test”) this is to allow multiple locations to be shared (via a randomly generated ID) and also make it harder to enumerate the location ID’s that the system knows about by pairing that with a randomly generated key. The creation of these ID’s and keys is going to be what I work on next, as well as some optimisations to the code.
I have a basic app, as per my last blog post. Now I need to host it somewhere. I have changed the app to only listen on local host, I have iptables on my servers to hopefully prevent me exposing ports I don’t want to expose, but better to not push my luck. I’m using a server running apache and using systemd as the init system. So for SSL termination we’ll use apache as the revers proxy. For this we need a vhost with mod_proxy enabled and the following config in a vhost
ProxyPass / http://localhost:8080/ ProxyPassReverse / http://localhost:8080/
We then need to create a user to run the app, we want an unprivileged user
sudo adduser --system\ --shell /bin/false\ --gecos 'Location Finder App'\ --group\ --disabled-password\ --home /opt/location location
With that we need to create a systemd system file (I’ve added an example systemd file to the app repo) and to move a built copy of the binary onto the system, along with the HTML template file. And that is what I have done.
So in my previous blog post I said I was going to try and build a web app to find someone’s location using their smartphone’s location services. The first step in this is choosing a language and/or framework to build it in. I’ve decided to use Go, which a former collegue of mine tells me makes me a hipster.
So I have been hearing lately about What3Words and how the emergency services in the UK are using it to locate people. This, and other information I have read about recently has got me thinking. What3Words is a proprietary service, that the emergency services will be paying to use. Now a number of mountain rescue teams in the UK use a service developed by one of their volunteers called SARLOC which appears to have a similar set of requirements, but from what I have read appears much more useful for the mountain rescue teams that use it. Now what I have been thinking, these services both rely on the person that needs to be located to have a smartphone, with location services, and an internet connection. They both require the person to receive a link, and allow the opened web page to see their location. So with these assumptions, how hard is it to build a service that allows an operator to send a personalised link to someone, have that use the smartphone’s location services to get a current location for the user, and share that automatically with the operator?