news aggregator

Optimizing for Bandwidth on Apache and Nginx

Google Webmaster Central Blog - Thu, 2014-09-04 11:27

Webmaster level: advanced

Everyone wants to use less bandwidth: hosts want lower bills, mobile users want to stay under their limits, and no one wants to wait for unnecessary bytes. The web is full of opportunities to save bandwidth: pages served without gzip, stylesheets and JavaScript served unminified, and unoptimized images, just to name a few.

So why isn't the web already optimized for bandwidth? If these savings are good for everyone then why haven't they been fixed yet? Mostly it's just been too much hassle. Web designers are encouraged to "save for web" when exporting their artwork, but they don't always remember.  JavaScript programmers don't like working with minified code because it makes debugging harder. You can set up a custom pipeline that makes sure each of these optimizations is applied to your site every time as part of your development or deployment process, but that's a lot of work.

An easy solution for web users is to use an optimizing proxy, like Chrome's. When users opt into this service their HTTP traffic goes via Google's proxy, which optimizes their page loads and cuts bandwidth usage by 50%.  While this is great for these users, it's limited to people using Chrome who turn the feature on and it can't optimize HTTPS traffic.

With Optimize for Bandwidth, the PageSpeed team is bringing this same technology to webmasters so that everyone can benefit: users of other browsers, secure sites, desktop users, and site owners who want to bring down their outbound traffic bills. Just install the PageSpeed module on your Apache or Nginx server [1], turn on Optimize for Bandwidth in your configuration, and PageSpeed will do the rest.

If you later decide you're interested in PageSpeed's more advanced optimizations, from cache extension and inlining to the more aggressive image lazyloading and defer JavaScript, it's just a matter of enabling them in your PageSpeed configuration.

Learn more about installing PageSpeed or enabling Optimize for Bandwidth.


Posted by Jeff Kaufman, Make the Web Fast


[1] If you're using a different web server, consider running PageSpeed on an Apache or Nginx proxy.  And it's all open source, with porting efforts underway for IIS, ATS, and others.
Categories: sysadmin

[Honeypot Alert] Active Probes for WordPress revslider_show_image Plugin Local File Inclusion Flaw

Web Security Blog - Wed, 2014-09-03 16:22

A local file inclusion vulnerability in the WordPress Slider Revolution Plugin has been released:

Apparently this vulnerability has been discussed on some underground forums for a couple of months, but it wasn't until these more mainstream websites published data that we saw attackers start scanning for vulnerable sites. Our web honeypots picked up increased scanning activity today. Here is an example full audit log dump of the HTTP request from our ModSecurity WAF:

In this attack example, the attacker is trying to access the WordPress config file in the hopes of obtaining sensitive data such as database credentials.
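One way to look for these probes in your own web server access logs, as an added example that is not part of the original post. The log lines are constructed, and the parameter name `param` is a placeholder: the check inspects every query parameter on requests that carry the `revslider_show_image` action named in the alert title.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (combined log format, documentation IP ranges).
# "param" is a placeholder parameter name, not taken from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Sep/2014:16:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&param=../wp-config.php HTTP/1.1" 200 3012 "-" "-"
203.0.113.7 - - [03/Sep/2014:16:01:13 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&param=..%2Fwp-config.php HTTP/1.1" 403 212 "-" "-"
198.51.100.4 - - [03/Sep/2014:16:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&param=uploads/slide1.jpg HTTP/1.1" 200 48211 "-" "-"
198.51.100.9 - - [03/Sep/2014:16:03:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')  # a ".." path segment
CONFIG_RE = re.compile(r'wp-config\.php', re.IGNORECASE)


def find_probes(log_text):
    """Return one finding per request that targets the plugin action with a
    traversal sequence or a reference to the WordPress config file."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        # parse_qsl percent-decodes names and values once, so "..%2F" is seen as "../".
        params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        if ("action", "revslider_show_image") not in params:
            continue
        reasons = set()
        for _name, value in params:
            if TRAVERSAL_RE.search(value):
                reasons.add("traversal")
            if CONFIG_RE.search(value):
                reasons.add("config-file")
        if reasons:
            findings.append({
                "ip": ip,
                "status": int(status),
                "reasons": sorted(reasons),
                # A 200 means the request was not blocked: review that host first.
                "needs_review": status == "200",
            })
    return findings


if __name__ == "__main__":
    for finding in find_probes(SAMPLE_LOG):
        print(finding)
```

Parameters sent in a POST body do not appear in access logs, so a WAF audit log like the one referenced above remains the fuller record.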

Recommendations

Update your WordPress Slider Revolution Plugin

Sucuri Security is seeing similar activity and is also reporting that the developer of this Plugin chose to silently patch this vulnerability. This did a disservice to the Plugin's user base, who needed to be made aware of the problem and prompted to update. A couple of notes:

  • Updating this plugin may need to be done manually if your WP manager does not provide an interface for it.
  • Beware that "disabling" the Plugin may end up being superseded by the Theme, and the Plugin may be re-enabled. You may need to remove it altogether if you cannot update it.

Use WAF Protections

WAFs can be used to help prevent exploitation until you can get your systems updated.  Trustwave's WebDefend WAF would block this attack either through a generic "Directory Traversal Attack" signature or through an anomaly of the learned resource profile.  For ModSecurity WAF, we have added a new signature to our commercial rules feed:

Categories: web server

PHP 5.6.0 released

php.net - Thu, 2014-08-28 00:00
The PHP Development Team announces the immediate availability of PHP 5.6.0. This new version comes with new features, some backward incompatible changes and many improvements.

The main features of PHP 5.6.0 include:

  • Constant scalar expressions.
  • Variadic functions and argument unpacking using the ... operator.
  • Exponentiation using the ** operator.
  • Function and constant importing with the use keyword.
  • phpdbg as an interactive integrated debugger SAPI.
  • php://input is now reusable, and $HTTP_RAW_POST_DATA is deprecated.
  • GMP objects now support operator overloading.
  • File uploads larger than 2 gigabytes in size are now accepted.

For a full list of new features, you may read the new features chapter of the migration guide.

PHP 5.6.0 also introduces changes that affect compatibility:

  • Array keys won't be overwritten when defining an array as a property of a class via an array literal.
  • json_decode() is more strict in JSON syntax parsing.
  • Stream wrappers now verify peer certificates and host names by default when using SSL/TLS.
  • GMP resources are now objects.
  • Mcrypt functions now require valid keys and IVs.

For users upgrading from PHP 5.5, a full migration guide is available, detailing the changes between 5.5 and 5.6.0. For source downloads of PHP 5.6.0, please visit our downloads page. Windows binaries can be found on windows.php.net/download/. The full list of changes is available in the ChangeLog.
Categories: news, PHP
