Thursday, 24 March 2016

Burp Suite, Firefox, SSL, HSTS, and sec_error_unknown_issuer

If you are using the Burp Suite Pro intercepting proxy you will know you have the following chain:

|Browser| <=> |Burp| <=> |Target Website|

In an SSL environment Burp will send its own self-signed cert to your browser while behaving as the client to the target.

But if the target website uses HSTS (HTTP Strict Transport Security) and you use Firefox as the client, you will have problems. What you will see is a sec_error_unknown_issuer error and no ability to add an exception:

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

OK, so we know the site is normal; in our case it's an internal staging environment. We could use another browser, but there is a way to work around this.

Originally I tried downloading the Burp self-signed certificate and importing it into the Windoze certificate manager by double-clicking the .crt file. However, this did not result in any change; I still had the sec_error_unknown_issuer problem.

The solution here is to manually import the Burp certificate into Firefox:
  1. Firefox -> Hamburger Menu at Top Right -> Options -> Advanced -> Certificates -> View Certificates
  2. This will display the Certificate Manager dialog. Select Import and then select the Burp certificate.
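The reason Firefox refuses the exception is the HSTS policy it has cached for the host, so the fix is to make the proxy CA trusted rather than to bypass the check. The following is an added example of my own (not code from the original post or from PortSwigger) that models that cache: it parses Strict-Transport-Security header values as RFC 6797 specifies and decides whether a hostname is covered, including superdomain policies carrying includeSubDomains. The hostnames and header values used with it are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class HstsPolicy:
    expires: float            # epoch seconds at which the policy lapses
    include_subdomains: bool  # the includeSubDomains directive was present

def parse_hsts(header: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns None for an invalid header (e.g. no max-age), which clients ignore;
    max-age=0 yields an already-expired policy, i.e. "forget this host"."""
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # directive values may be quoted
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None  # duplicate or malformed max-age invalidates the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:  # unknown directives were skipped, as the RFC requires
        return None
    return HstsPolicy(expires=now + max_age, include_subdomains=include_subdomains)

class HstsCache:  # minimal model of a browser's HSTS store, constructed here
    def __init__(self) -> None:
        self._policies: Dict[str, HstsPolicy] = {}

    def observe(self, host: str, header: str, now: float) -> None:
        # Record the policy carried by a response received from `host` over TLS.
        policy = parse_hsts(header, now)
        if policy is not None:
            self._policies[host.lower()] = policy

    def is_protected(self, host: str, now: float) -> bool:
        """True if `host`, or a superdomain with includeSubDomains, has a live
        policy; while True, Firefox refuses a certificate exception, so the
        proxy CA must be trusted in the browser instead."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False
```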

Saturday, 12 March 2016

The Attitude Failure of an R&D Shop

So sometimes you overhear things. Sometimes you don't have to try to overhear things. And even sometimes these things are presented to you on a silver platter with a marching band.

This is one of those times as shared by a friend who works somewhere.

So an R&D group is managed from out of town, so there are regular visitors from out of town to see what is happening in that outpost of R&D. These visitors attend meetings and (fanfare) ask questions.

When one of those visitors leaves the room, a local senior/lead developer states (or rather it falls out of their mouth), for the benefit of the remaining local people in the room:

I don't like these visitors showing up, attending meetings, and asking questions when they don't know what's going on.

So there are a few points I would like to address regarding this kind of statement:
  1. You do not own the product that you are working on. They do. Get used to questions from them. Or leave.
  2. These people sign your paycheque. Get used to answering questions from them. Or leave.
  3. You work for R&D. It's not the other way around. Get used to it. Or leave.
  4. Perhaps, since they lead R&D, they need to ask questions so they know what is going on. Get used to it. Or leave.
  5. The reason they are asking questions is because you are not communicating with them. So perhaps you need to communicate so they do know "what is going on"? Suck it up, buttercup.
  6. Perhaps you are so confused and scattered that you yourself do not know what is going on.

Fundamentally this shows an R&D team with a very poor attitude. The question is not who I would fire first but when I would stop.

Friday, 11 March 2016

When You Realize that your development Geniuses are really Asses

So you have a development team. Yes. They are smart. But perhaps not as smart as you think. Regardless, they swagger and talk, controlling your projects and plotting a path of doom.

But what are the signs that they have gone too far?

Could it be when:

  1. They complain of out-of-town managers (you know, the ones from head office) arriving, appearing at meetings and asking questions when they don't know anything about how you're destroying the projects?
  2. They claim they can rely only on unit tests?
  3. Perhaps it's when they think they can stovepipe code straight to production without a system-level test in a staging environment?

If it's any of these, it is probably already too late for you. Controlling their incompetent urges now that the arrogance is out of the bag will just mean they leave to go destroy another project.

Or perhaps that would not be so bad after all.

Has Your Company Made this Traditional Mistake Managing a Team?

What traditional mistake is this? Search through your history, you know it's there.... just lurking below the surface. Ah. There it is.

The Myth of the Genius Software Developer.

Sometimes it goes beyond myth, to adulation, subservience, and worship. Managers, the incompetent ones, prostrate themselves to the genius software developer thus leading them and their project down the path of doom.

Managers become lackeys, sorting the technical laundry, too scared that all those eggs they put in that one basket will fall. Scared that they would lose their genius.

Losers.

All of them.