Author Archives: Vidyut

Google Mic Drop

Google’s prank on Gmail users that wasn’t a prank, but juvenile nuisance at best

Google decided to prank Gmail users this year by offering a button that would attach a “mic drop” gif to the email and move the conversation to the archives. Going by the general understanding that the prank is on me, and looking forward to seeing what Google have come up with, I clicked the button.

Except, there was no prank. The button did exactly what it said, and I watched horrified, as the mic down gif was sent along with a simple note thanking a condolence message I had received on the demise of my father two days ago.

To put it extremely mildly, this wasn’t funny in the least.

I fail to understand Google’s idea of a prank with this, that does absolutely nothing unexpected to the person supposedly being pranked, while doing some fairly irreversible actions to people they correspond with instead.

We ignore most emails we get, replying largely to those that hold some value for us. How many of us engage in conversation where we’d want to have the last word and shut people out, that a button on the editor had any reasonable expectation of not being grossly inappropriate? Also, WHERE IS THE PRANK? The button did exactly what it said. Sent a rude image and removed the conversation from the inbox altogether!

I understand that mine is a rather extreme example and most people haven’t lost a near and dear one that they aren’t replying to, but seriously, outside my spam folder, I was not able to find a single email in the last full week that this “prank” would be appropriate for. Even the emails other than condolences had value. Friends connecting, work, clients, readers, relatives, conversation regarding my son’s recent surgery…. That prank, even if we were to consider it one, was absolutely out of context for anyone not in the habit of replying to spam.

This is pretty awful,Google, not appreciated at all. I also consider it a pretty serious issue of sending emails without consent. A consent for a prank is most certainly not consent for a single curious click leading to an action of this gravity.

The only consolation is that I was able to retrieve the conversation from the archives and return it to my inbox and that Google being so famous, I’m sure it has pissed off a lot of people, and my apparent rudeness would be correctly understood as curiosity for something on my screen that turned out to be a malicious prank that sent an email of this nature without any confirmation whatsoever and not a crass message I deliberately sent them.

Epic fail.


http/2 adoption in India is currently very poor

Nginx with http/2 and usability problems

So Nginx released the mainline version 1.9.5 and then 1.9.6 with an experimental http/2 module. For those using spdy, the upgrade in itself should be simple, by simply replacing “spdy” with “http2” in the listen directive in the server configuration. The server will not start till this change is made.

Sadly, what should have been an occasion of great excitement and eager adoption after almost a year of anticipation has turned horribly wrong. Nginx 1.9.5 onwards, http/2 replaces spdy, which means, your server will serve http/2 only and not spdy. Non http/2 enabled users will get plain ssl. Considering that Opera Mini, Blackberry browser, Android browser and Internet Explorer (other than IE11 on Windows 10) don’t implement http/2 and increasing traffic is now mobile, I fail to see how serving the slowest version of your site to mobile browsers and a majority of users was a useful move for a webserver aiming to transform performance. Even Safari browser has http/2 support only in its latest version. That’s quite a chunk of the internet incapable of using the site at the speeds http/2 should be adopted for. Keeping spdy as a fallback would have allowed existing user experience to continue for many visitors. And that too for an experimental module. Server push – that would have added a serious speed boost for many is not implemented yet.

What is more, benchmarks currently show Nginx with spdy3.1 to be faster than Nginx with http/2. Talk of an upgrade that is a serious usability downgrade.

Not only does this effectively prevent me from touching http/2 on Nginx, it actually has me actively hunting for a frontend that will offer http/2 and spdy before offering plain ssl. Most likely nghttpx.

Oh the irony of needing a frontend proxy for a Nginx server because the server has upgraded to http/2. But sadly, given that only little over a third (38.2%) of the traffic in India is http/2 enabled, it is difficult to see how spdy support can be stopped by a webmaster with sites for Indians in the near future. I anticipate needing to support spdy for another year at least. Yes, I know Google will stop supporting spdy from Feb 2016, but those who don’t upgrade and other browsers and apps that aren’t http/2 capable will still need a way to be faster than raw ssl.

Talk of anticipation followed by a damn squib. I even found myself wondering whether Apache2 is worth checking out once more…. but more likely, I’m going to figure out nghttpx unless there is some indication that future upgrades will support spdy as well as http2 for a while.

your ip has been flagged for security reasons – Jetpack

So I was troubleshooting the configuration on my server and removed all non-essential code. This meant that the proxy was not forwarding the IP address of visitors to the backend.

Imagine my surprise to try to login to post to the blog when I found access to admin blocked with “your ip has been flagged for security reasons find out more“. It had popped up in the login popup wordpress shows when your login has expired and clicking “find out more” does nothing beyond showing a rotating gif indicating loading.

Login blocked - Jetpack trolls bloggers

Luckily, I was logged into another blog on the same server which had Jetpack installed as well. Clicking another link on it gave me the same warning on the page instead of a popup and i was able to follow through to the Jetpack site for the explanation.

Login Blocked by Jetpack - The notice

Apparently to fix this, you have to add


to wp-config.php in the root of your wordpress blog. In my case, this was LOCALHOST!

Here’s my irritation with Jetpack.

  1. I have access to the server. What if any other user on the blog had tried to make a post?
  2. I don’t recall activating security. I have another plugin I use for security. I was not even aware that Jetpack offers security. How appropriate is it to activate something that can block access for potential users onto someone’s blog without consent?
  3. What sort of non-consensual inflicted code blocks access to localhost? Surely the forward facing IP and localhost at least ought to be whitelisted by default? Not according to Jetpack, it seems.

This is yet another straw piled onto my back about the ever bloating Jetpack plugin. One of these days, I’m going to take some time to configure alternatives and ditch them.

How to fix mixed content warning if page loads insecure content in spite of #WordPressHTTPS? #W3TC

So I had been confounded. I used to have a sweet green securely loaded blog for ages and I didn’t know what I had changed to make it start throwing up mixed content warnings. I didn’t recall changing ANYTHING on the blog at all. Yet, when pages were accessed over https, they loaded assets over http – in spite of WordPress HTTPS being active.

The problem turned out to be W3TC Disk Enhanced page caching. It does not seem to distinguish between http and https versions of the page, resulting in the https version of the page serving the http page – of course, with assets loaded over http.

I used to redirect the non ssl version of the blog to the ssl version, but for some reason, I decided to only use an HSTS header. Since the blog automatically loaded over https, I did not anticipate problems. However, the site being available over http apparently caused enough traffic (that ignored HSTS or was not capable?) to create cached pages that became a nuisance.

Mixed content warnings on assets loaded by wordpress

Two ways to fix this. I chose the easy one first. Redirected my non-ssl site to ssl. Done.

All content loaded securely by WordPress

If this results in any noticeable drop of traffic or complaints from anyone who needs to use it without ssl for any believable reason, I will choose method two: relying on HSTS alone again and using either the disk basic or opcode cache for page caching instead of “page enhanced” – this ought to work.

You can check your website on to identify the exact assets loaded that are giving mixed content errors.

Salora Arya – an excellent phone for an unbeatable price

The Salora Arya is an incredible phone for an unbeatable price. It appears that they have saved the money from advertising to keep the price low, because I had never heard of the phone till I started comparing tech specs when I needed to buy one in a hurry.

It arrived in a neat box with efficient packaging that will take up minimal space to store (and thus I don’t have to throw it away – this wins points).

I will write a longer review later, but at a price of Rs.4,999/- here are the highlights.

  • Quad-core processor – it is FAST.
  • 5 MP main camera (8MP with software)
  • 2MP front camera (5MP with software – I really liked the photos from this)
  • Plenty of space to load apps (5GB or so free)
  • Touch screen that works like a dream (This matters to me – it is a long story for another time)

It does not LOOK cheap.

User reviews indicate that it may have a less than satisfactory battery backup, but I have not encountered that yet and not traveling much, I am rarely in a position to not be able to charge my phone, so even if true, this isn’t a deal breaker for me, at least.

If you are looking for a great phone at low cost, this is it: Arya A1 Plus (Black-Silver)

The links in this post are affiliate links. However, I am not in the business of recommending products I don’t believe in. This is what I purchased. It is the lowest price available.

Disable SSLv3 on Nginx to prevent #POODLE vulnerability

In the wake of POODLE vulnerability discovered in SSLv3, surprising number of people are not sure how to disable SSLv3. So here is how to do it.

In your Nginx SSL configuration, find the line that shows the protocols. It will be something like this:

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

Remove the SSLv3 from it and make it

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

That is all.

This is not relevant if you aren’t using SSL, of course.

Google’s guessing games #privacy #humor

Imagine my surprise today when a google search result showed my location below the search results (nil).

Virar West, Virar, Maharashtra – From your Internet address – Use precise location
 – Learn more

I live in Virar East, so the guess was off by a few kilometers. Curious to see how accurate it gets, I allowed it to use “precise location”.


Friends Colony, Hallow Pul, Kurla West, Mumbai, Maharashtra – Reported by this computer – Update location
 – Learn more

That would be a few dozen kilometers away with an entire Lok Sabha Constituency lying in between mine and the stated target area’s :p

Moral of the story? If you live in an area barely covered by Google Maps, you’d probably do better activating snooping stuff to obfuscate your location :p

Note: this was funny and an obvious backfiring of “precision” if it added an error that put the location in another district altogether. Your mileage may vary. This is not a serious privacy tip :p


Reset the net – Don’t ask for privacy, Take it back

A long overdue backlash against state spying (and NSA in particular) has some of the biggest websites on the internet joining forces with internet rights activists to unleash an unambiguous message. Don’t ask for privacy, take it back.


Internet website and application owners are encouraged to adopt strong encryption based security measures to prevent spying and spread awareness to more people. Here is are resources for various security measures against spying. It doesn’t get easier than this. Do it. The 5th of June will see splash screens raising awareness on sites participating in the campaign.

While the protest is against NSA and US policies, the internet is a world without boundaries, and I do believe that Indians cannot afford to remain disinterested. As power concentrates in fewer and fewer hands, greater resources are spent protecting it from all threats, real and imagined with scant regard for individual and privacy rights.

So I have decided to support the campaign even if it doesn’t protest Indian government (yet). As some of you may have noticed, all my blogs are now ssl enabled. This will continue. I will be using more security features, and perhaps share how you can get them too (since my ideas are n00b and wallet friendly, I imagine they may help some).

Edward Snowden, whose leaks on government spying became a massive last straw for many, has endorsed the campaign in a must read letter.

“One year ago, we learned that the internet is under surveillance, and our activities are being monitored to create permanent records of our private lives — no matter how innocent or ordinary those lives might be.

Today, we can begin the work of effectively shutting down the collection of our online communications, even if the US Congress fails to do the same. That’s why I’m asking you to join me on June 5th for Reset the Net, when people and companies all over the world will come together to implement the technological solutions that can put an end to the mass surveillance programs of any government. This is the beginning of a moment where we the people begin to protect our universal human rights with the laws of nature rather than the laws of nations.

We have the technology, and adopting encryption is the first effective step that everyone can take to end mass surveillance. That’s why I am excited for Reset the Net — it will mark the moment when we turn political expression into practical action, and protect ourselves on a large scale.

Join us on June 5th, and don’t ask for your privacy. Take it back.”

-Edward Snowden

In other news, Google has released the code for its upcoming “End to End” Chrome plugin offering end to end encryption to prevent email spying. It is also intended to be an easy way to get secure communication for people at risk and thus will carry a burden of having to aim for usability as well as flawless security. The Chrome plugin is currently in the alpha state and Google has released it with an Apache 2.0 licence inviting hackers to find security flaws under its bug bounty programme.

Together with statistics released about the use of encryption in sent and received email via Gmail, Google’s message for today is powerful and straight.

Use encryption to communicate by email.

Other organizations supporting Reset the Net include Reddit, WordPress

WordPress All In One SEO Pack plugin users should upgrade NOW #vulnerability

The Scuri blog has posted that the All in One SEO plugin had two vulnerabilities they had pointed out earlier, and the just released update fixes both. AISEO users are advised to upgrade as soon as possible.

While auditing their code, we found two security flaws that allows an attacker to conduct privilege escalation and cross site scripting (XSS) attacks.

In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author of subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.

While it does not necessarily look that bad at first (yes, SERP rank loss is no good, but no one’s hurt at this point, right?), we also discovered this bug can be used with another vulnerability to execute malicious Javascript code on an administrator’s control panel. Now, this means that an attacker could potentially inject any javascript code and do things like changing the admin’s account password to leaving some backdoor in your website’s files in order to conduct even more “evil” activities later.

Read more: Vulnerability found in the All In One SEO Pack WordPress plugin

Also, commenter Orun Bhuiyan brings up an important security point when he points out that the AISEO plugin echoes a generator tag with the version number, thus exposing both plugin and version number and making it easy for malicious entities to target vulnerabilities when such situations arise. This has been pointed out on several forums including several plugins containing settings to mute generator tags, but it continues to be a problematic default that is a major security risk leaving wide swathes of content vulnerable before updates can be applied.

Varnish config for wordpress with ngx_pagespeed and wp-touch

This is the Varnish config I am using currently. It is working with wp-touch, pagespeed and wordpress and (bonus) deals with the pagespeed not allowing pages to cache. No time for pretty comments and explanations, here’s the code. I will answer questions, or come back and explain the code in comments – but it is pretty self explanatory.

backend default {
.host = "";
.port = "80";
.first_byte_timeout = 300s;

sub generate_user_agent_based_key {
set req.http.default_ps_capability_list_for_large_screens = "LargeScreen.SkipUADependentOptimizations:";
set req.http.default_ps_capability_list_for_small_screens = "TinyScreen.SkipUADependentOptimizations:";

set req.http.PS-CapabilityList = req.http.default_ps_capability_list_for_large_screens;

# Lazyload
if (req.http.User-Agent ~ “(?i)Chrome/|Firefox/|MSIE |Safari”) {
set req.http.PS-CapabilityList = “ll,ii,dj:”;
# lazyload_images (ll), inline_images (ii), defer_javascript (dj), webp (jw) and lossless_webp (ws).
if (req.http.User-Agent ~
“(?i)Chrome/[2][3-9]+\.|Chrome/[[3-9][0-9]+\.|Chrome/[0-9]{3,}\.”) {
set req.http.PS-CapabilityList = “ll,ii,dj,jw,ws:”;
# odd ones
if (req.http.User-Agent ~ “(?i)Firefox/[1-2]\.|MSIE [5-8]\.|bot|Yahoo!|Ruby|RPT-HTTPClient|(Google \(\+https\:\/\/developers\.google\.com\/\+\/web\/snippet\/\))|Android|iPad|TouchPad|Silk-Accelerated|Kindle Fire”) {
set req.http.PS-CapabilityList = req.http.default_ps_capability_list_for_large_screens;
# mobile
if (req.http.User-Agent ~ “(?i)Mozilla.*Android.*Mobile*|iPhone|BlackBerry|Opera Mobi|Opera Mini|SymbianOS|UP.Browser|J-PHONE|Profile/MIDP|portalmmm|DoCoMo|Obigo|Galaxy Nexus|GT-I9300|GT-N7100|HTC One|Nexus [4|7|S]|Xoom|XT907”) {
set req.http.PS-CapabilityList = req.http.default_ps_capability_list_for_small_screens;
# Remove placeholder header values.
remove req.http.default_ps_capability_list_for_large_screens;
remove req.http.default_ps_capability_list_for_large_screens;

sub vcl_hash {
# Block 3: Use the PS-CapabilityList value for computing the hash.
# Block 3a: Define ACL for purge requests
acl purge {
# Purge requests are only allowed from localhost.
#Add your server IP to this list
# Block 3b: Issue purge when there is a cache hit for the purge request.
sub vcl_hit {
if (req.request == “PURGE”) {
error 200 “Purged.”;

# Block 3c: Issue a no-op purge when there is a cache miss for the purge
# request.
sub vcl_miss {
if (req.request == “PURGE”) {
error 200 “Purged.”;

sub vcl_recv {
call generate_user_agent_based_key;

set req.http.X-Forwarded-For = client.ip;
set req.http.Host = regsub(req.http.Host, “:[0-9]+”, “”);

# Block 3d: Verify the ACL for an incoming purge request and handle it.
if (req.request == “PURGE”) {
if (!client.ip ~ purge) {
error 405 “Not allowed.”;
return (lookup);
# Blocks which decide whether cache should be bypassed or not go here.

# Did not cache the admin and login pages
if (req.url ~ “/wp-(login|admin)”) {
return (pass);
// server1 must handle file uploads
if (req.url ~ “media-upload.php” || req.url ~ “file.php” || req.url ~ “async-upload.php”) {

// do not cache xmlrpc.php
if (req.url ~ “xmlrpc.php”) {

// strip cookies from xmlrpc
if (req.request == “GET” && req.url ~ “xmlrpc.php”){
remove req.http.cookie;return(pass);

# Remove the “has_js” cookie
set req.http.Cookie = regsuball(req.http.Cookie, “has_js=[^;]+(; )?”, “”);

# Remove any Google Analytics based cookies
set req.http.Cookie = regsuball(req.http.Cookie, “__utm.=[^;]+(; )?”, “”);

# Remove the Quant Capital cookies (added by some plugin, all __qca)
set req.http.Cookie = regsuball(req.http.Cookie, “__qc.=[^;]+(; )?”, “”);

# Remove the wp-settings-1 cookie
set req.http.Cookie = regsuball(req.http.Cookie, “wp-settings-1=[^;]+(; )?”, “”);

# Remove the wp-settings-time-1 cookie
set req.http.Cookie = regsuball(req.http.Cookie, “wp-settings-time-1=[^;]+(; )?”, “”);

# Remove the wp test cookie
set req.http.Cookie = regsuball(req.http.Cookie, “wordpress_test_cookie=[^;]+(; )?”, “”);

# Are there cookies left with only spaces or that are empty?
if (req.http.cookie ~ “^ *$”) {
unset req.http.cookie;

if (req.http.Accept-Encoding) {
# Do no compress compressed files…
if (req.url ~ “\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$”) {
remove req.http.Accept-Encoding;
} elsif (req.http.Accept-Encoding ~ “gzip”) {
set req.http.Accept-Encoding = “gzip”;
} elsif (req.http.Accept-Encoding ~ “deflate”) {
set req.http.Accept-Encoding = “deflate”;
} else {
remove req.http.Accept-Encoding;

# Cache the following files extensions
if (req.url ~ “\.(css|js|png|gif|jp(e)?g)”) {
unset req.http.cookie;

# Check the cookies for wordpress-specific items
if (req.http.Cookie ~ “wordpress_” || req.http.Cookie ~ “comment_”) {
return (pass);
if (!req.http.cookie) {
unset req.http.cookie;

# — End of WordPress specific configuration

# Did not cache HTTP authentication and HTTP Cookie
if (req.http.Authorization || req.http.Cookie) {
# Not cacheable by default
return (pass);

# Cache all others requests
return (lookup);


# Block 5b: Only cache responses to clients that support gzip. Most clients
# do, and the cache holds much more if it stores gzipped responses.
if (req.http.Accept-Encoding !~ “gzip”) {
return (pass);

# Block 6: Mark HTML uncacheable by caches beyond our control.
sub vcl_fetch {
# For static content related to the theme, strip all backend cookies
if (req.url ~ “\.(css|js|png|gif|jp(e?)g)”) {
unset beresp.http.cookie;

# A TTL of 30 minutes
set beresp.ttl = 1800s;

return (deliver);
# Block 7: Add a header for identifying cache hits/misses.
sub vcl_deliver {
if (obj.hits > 0) {
set resp.http.X-Cache = “HIT”;
} else {
set resp.http.X-Cache = “MISS”;