Punycodes Explained

January 18, 2023 by Matthew Carlson 18 Comments

When you’re restricted to ASCII, how can you represent more complex things like emojis or non-Latin characters? One answer is Punycode, which is a way to represent Unicode characters in ASCII. However, while you could technically encode the raw bits of Unicode into characters, like Base64, there’s a snag. The Domain Name System (DNS) generally requires that hostnames are case-insensitive, so whether you type in HACKADAY.com, HackADay.com, or just hackaday.com, it all goes to the same place.

[A. Costello] at the University of California, Berkley proposed the idea of Punycode in RFC 3492 in March 2003. It outlines a simple algorithm where all regular ASCII characters are pulled out and stuck on one side with a separator in between, in this case, a hyphen. Then the Unicode characters are encoded and stuck on the end of the string.

First, the numeric codepoint and position in the string are multiplied together. Then the number is encoded as a Base-36 (a-z and 0-9) variable-length integer. For example, a greeting and the Greek for thanks, “Hey, ευχαριστώ” becomes “Hey, -mxahn5algcq2″. Similarly, the beautiful city of München becomes mnchen-3ya. Continue reading “Punycodes Explained” →

Turning GitHub Into A URL Shortening Service

November 18, 2020 by Sven Gregori 11 Comments

URL shortening services like TinyURL or Bitly have long become an essential part of the modern web, and are popular enough that even Google killed off their own already. Creating your own shortener is also a fun exercise, and in its core doesn’t require much more than a nifty domain name, some form of database to map the URLs, and a bit of web technology to glue it all together. [Nelsontky] figured you don’t even have to build most of it yourself, but you could just (ab)use GitHub for it.

Using GitHub Pages to host the URL shortening website itself, [nelsontky] actually repurposes GitHub’s issue tracking system to map the shortened identifier to the original URL. Each redirection is simply a new issue, with the issue number serving as the shortening identifier, and the issue’s title text storing the original URL. To map the request, a bit of JavaScript extracts the issue number from the request, looks it up via GitHub API, and if a valid one was found (and API rate limits weren’t exceeded), redirects the caller accordingly. What’s especially clever about this is that GitHub Pages usually just serves static files stored in a repository, so the entire redirection logic is actually placed in the 404 error handling page, allowing requests to any arbitrary paths.

While this may not be as neat as placing your entire website content straight into the URL itself, it could be nicely combined with this rotary phone to simply dial the issue number and access your bookmarks — perfect in case you always wanted your own website phone book. And if you don’t like the thought of interacting with the GitHub UI every time you want to add a new URL, give the command line tools a try.

A New Way To Remote Terminal

August 9, 2019 by Bryan Cockfield 14 Comments

Thanks to the wonders of the internet, collaborating with others across great distances has become pretty simple. It’s easy now to share computer desktops over a network connection, and even take control of another person’s computer if the need arises. But these graphical tools are often overkill, especially if all we really need is to share a terminal session with someone else over a network.

A new project from [Elis] allows just that: to share an active terminal session over a web browser for anyone else to view. The browser accesses a “secret” URL which grants access to the terminal via a tunnel which is able to live stream the entire session. The server end takes care of all of the work of generating this URL, and it is encrypted with TLS and HTTPS. It also allows for remote control as well as viewing, so it is exceptionally well-featured for being simple and easy to run.

To run this software only a binary is needed, but [Elis] has also made the source code available. Currently he finds it a much more convenient way of administering his Raspberry Pi, but we can see a lot of use for this beyond the occasional headless server. Certainly this makes remote administration easy, but could be used collaboratively among a large group of people as well.

Control Your Web Browser Like It’s 1969

July 23, 2019 by Dan Maloney 14 Comments

Imagine for a moment that you’ve been tasked with developing a device for interfacing with a global network of interconnected devices. Would you purposely design a spring-loaded dial that can do nothing but switch a single set of contacts on and off from 1 to 10 times? What kind of crazy world would we have to live in where something like that was the pinnacle of technology?

Obviously, such a world once existed, and now that we’ve rolled the calendar ahead a half-century or so, both our networks and our interfaces have gotten more complex, if arguably better. But [Jan Derogee] thinks a step backward is on order, and so he built this rotary phone web browser. The idea is simple: pick up the handset and dial the IP address of the server you want to connect to. DNS? Bah, who needs it?

Of course there is the teensy issue that most websites can’t be directly accessed via IP address anymore, but fear not – [Jan] has an incredibly obfuscated solution to that. It relies on the fact that many numbers sound like common phrases when sounded out in Chinese, so there end up being a lot of websites that have number-based URLs. He provides an example using the number 517, which sounds a bit like “I want to eat,” to access the Chinese website of McDonald’s. How the number seven sounding like both “eat” and “wife” is resolved is left as an exercise to the reader.

And here we thought [Jan]’s rotary number pad was of questionable value. Still, we appreciate this build, and putting old phones back into service in any capacity is always appreciated.

Continue reading “Control Your Web Browser Like It’s 1969” →

Tiny Websites Have No Server

July 7, 2018 by Al Williams 49 Comments

A big trend in web services right now is the so-called serverless computing, such as Amazon’s Lambda service. The idea is you don’t have a dedicated server waiting for requests for a specific purpose. Instead, you have one server (such as Amazon’s) listening for lots of requests and on demand, you spin up an environment to process that request. Conceptually, it lets you run a bit of Javascript or some other language “in the cloud” with no dedicated server. https://itty.bitty.site takes this one step farther. The site creates self-contained websites where the content is encoded in the URL itself.

Probably the best example is to simply go to the site and click on “About itty bitty.” That page is itself encoded in its own URL. If you then click on the App link, you’ll see a calculator, showing that this isn’t just for snippets of text. While this does depend on the itty.bitty.site web host to provide the decoding framework, the decoding is done totally in your browser and the code is open source. What that means is you could host it on your own server, if you wanted to.

At first, this seems like a novelty until you start thinking about it. A small computer with an Internet connection could easily formulate these URLs to create web pages. A bigger computer could even host the itty.bitty server. Then there’s the privacy issue. At first, we were thinking that a page like this would be hard to censor since there is no centralized server with the content. But you still need the decoding framework. However, that wouldn’t stop a sophisticated user from “redirecting” to another — maybe private — decoding website and reading the page regardless of anyone’s disapproval of the content.

Continue reading “Tiny Websites Have No Server” →

Sslstrip, Hijacking SSL In Network

February 23, 2009 by Eliot 21 Comments

Last week at Black Hat DC, [Moxie Marlinspike] presented a novel way to hijack SSL. You can read about it in this Forbes article, but we highly recommend you watch the video. sslstrip can rewrite all https links as http, but it goes far beyond that. Using unicode characters that look similar to / and ? it can construct URLs with a valid certificate and then redirect the user to the original site after stealing their credentials. The attack can be very difficult for even above average users to notice. This attack requires access to the client’s network, but [Moxie] successfully ran it on a Tor exit node.