HTTP/2 CONTINUATION Flood: Technical Details
https://nowotarski.info/http2-continuation-flood-technical-details/ [nowotarski.info]
2024-04-04 23:35
tags:
networking
security
standard
web
Deep technical analysis of the CONTINUATION Flood: a class of vulnerabilities within numerous HTTP/2 protocol implementations. In many cases, it poses a more severe threat compared to the Rapid Reset: a single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation. Remarkably, requests that constitute an attack are not visible in HTTP access logs.
source: HN
Preventing Cross-Service UDP Loops in QUIC
https://bughunters.google.com/blog/5960150648750080/preventing-cross-service-udp-loops-in-quic [bughunters.google.com]
2024-03-26 19:09
tags:
networking
security
standard
turtles
Infinite loops between servers are something that must be carefully avoided to prevent performance degradation or network overload.
In light of the heightened awareness of this attack vector, now is a good time to discuss looping behavior which impacted our implementation of QUIC and review the postmortem action items that followed each event. Our experience diagnosing and mitigating attacks, as well as deploying fixes, may assist others attempting to address similar threats.
UML: My Part in its Downfall
https://tratt.net/laurie/blog/2022/uml_my_part_in_its_downfall.html [tratt.net]
2024-03-15 23:15
tags:
development
standard
swtools
With the benefit of hindsight, I think UML had quite possibly reached not only its actual, but also its potential, peak in 2000: as a medium for software sketching, people only ever needed the basics from it. However, the standardisation community developed an ambitious vision for UML that far exceeded sketching. Whether or not that vision could ever be realised can be seen as a matter of genuine debate: what seems unarguable to me is that such a vision was deeply unsuited to any standardisation process.
A Blog Post With Every HTML Element
https://www.patrickweaver.net/blog/a-blog-post-with-every-html-element/ [www.patrickweaver.net]
2023-08-04 00:16
tags:
docs
essay
html
standard
text
ux
web
I could, element by element, continue to add support (mostly by making CSS updates for each element to fit in with the rest of my style choices) as I came across specific needs for them, but not one to shy away from an exhaustive exploration, I decided to write this post and attempt to use every element.
A goal of the post was to avoid delaying other future posts with CSS updates on a previously unused element, but in reality it took a year and a half to make all the updates for just this post! I am using the MDN Web Docs list of HTML elements as a reference, which has more than 100 tags divided into a few categories, which I will also use in this post.
source: L
NIST Selects ‘Lightweight Cryptography’ Algorithms to Protect Small Devices
https://www.nist.gov/news-events/news/2023/02/nist-selects-lightweight-cryptography-algorithms-protect-small-devices [www.nist.gov]
2023-02-08 23:56
tags:
crypto
ioshit
standard
The winner, a group of cryptographic algorithms called Ascon, will be published as NIST’s lightweight cryptography standard later in 2023. The chosen algorithms are designed to protect information created and transmitted by the Internet of Things (IoT), including its myriad tiny sensors and actuators. They are also designed for other miniature technologies such as implanted medical devices, stress detectors inside roads and bridges, and keyless entry fobs for vehicles. Devices like these need “lightweight cryptography” — protection that uses the limited amount of electronic resources they possess.
source: HN
A Tale Of A Trailing Dot
https://daniel.haxx.se/blog/2022/05/12/a-tale-of-a-trailing-dot/ [daniel.haxx.se]
2022-05-14 00:41
tags:
networking
security
standard
text
turtles
web
Trailing dots on host names in URLs are the gift that keeps on giving. Let me take you through a dwindling story of how the dot is handled differently in different places through the stack of an Internet client. The evil trailing dot.
source: L
U+237c ⍼ Right Angle With Downwards Zigzag Arrow
https://ionathan.ch/2022/04/09/angzarr.html [ionathan.ch]
2022-04-13 20:03
tags:
retro
standard
text
Known as right angle with downwards zigzag arrow, angle with down zig-zag arrow, \rangledownzigzagarrow, and ⍼, no one knows what ⍼ is meant to represent or where it originated from. Section 22.7 Technical Symbols from the Unicode Standard on the Miscellaneous Technical block doesn’t say anything about it.
source: L
An Exploration of JSON Interoperability Vulnerabilities
https://labs.bishopfox.com/tech-blog/an-exploration-of-json-interoperability-vulnerabilities [labs.bishopfox.com]
2021-02-26 22:29
tags:
format
javascript
security
standard
text
turtles
The same JSON document can be parsed with different values across microservices, leading to a variety of potential security risks. If you prefer a hands-on approach, try the labs and when they scare you, come back and read on.
https://github.com/BishopFox/json-interop-vuln-labs/
source: HN
A handy diff argument handling feature that's actually very old
https://utcc.utoronto.ca/~cks/space/blog/unix/DiffOldArgumentsFeature [utcc.utoronto.ca]
2020-10-07 21:42
tags:
retro
standard
swtools
unix
If only one of file1 and file2 is a directory, diff shall be applied to the non-directory file and the file contained in the directory file with a filename that is the same as the last component of the non-directory file.
How CDNs Generate Certificates
https://fly.io/blog/how-cdns-generate-certificates/ [fly.io]
2020-07-01 01:06
tags:
admin
networking
security
standard
web
Obviously, to do stuff like this, you need to generate certificates. The reasonable way to do that in 2020 is with LetsEncrypt. We do that for our users automatically, but “it just works” makes for a pretty boring writeup, so let’s see how complicated and meandering I can make this.
It’s time to talk about certificate infrastructure.
source: L
Path Building vs Path Verifying: Implementation Showdown
https://medium.com/@sleevi_/path-building-vs-path-verifying-implementation-showdown-39a9272b2820 [medium.com]
2020-06-24 19:04
tags:
library
networking
security
standard
turtles
In my previous post, I talked about what the issue with Sectigo’s expired root was, from the perspective of the PKI graph, and talked a bit about what makes a good certificate verifier implementation. Unfortunately, despite browsers and commercial OSes mostly handling this issue, the sheer variety of open-source implementations means that there’s a number of not-so-good verifiers out there.
In this post, I’ll dig in a little deeper, looking at specific implementations, and talking about how their strategies either lead to this issue, or avoided this issue but will lead to other issues.
It’s pretty much all terrible, except the parts that are extremely terrible.
The Original Cookie specification from 1997 was GDPR compliant
https://baekdal.com/thoughts/the-original-cookie-specification-from-1997-was-gdpr-compliant/ [baekdal.com]
2020-05-09 03:51
tags:
browser
development
html
standard
web
We were never supposed to be able to do what most publishers and tech companies do today. In fact, what if I were to tell you that the original specification for how cookies should be implemented in browsers pretty much defined what GDPR is today?
Imagine back to a time when people thought user agents would be agents for the user.
source: L
Move, simply
https://herbsutter.com/2020/02/17/move-simply/ [herbsutter.com]
2020-02-18 05:32
tags:
cxx
programming
standard
C++ “move” semantics are simple, but they are still widely misunderstood. This post is an attempt to shed light on that situation.
I like that the appendix is 3 times the article’s length.
source: HN
Trap representations and padding bits
https://trust-in-soft.com/trap-representations-and-padding-bits/ [trust-in-soft.com]
2019-11-03 23:36
tags:
c
programming
standard
The C programming language does not hide from you how the values you manipulate are represented. One consequence is that when padding happens, its presence may have observable effects in carelessly crafted programs. Padding is well-known to appear between members of a struct, and also possibly after the last member of a struct. The remaining space in a union when the active member is not the widest one is also considered padding. A C programmer that only cares for usual x86 platforms might be excused for thinking that, for them, this is it. As for trap representations, these may be believed to be reserved for weird hardware that uses one’s complement or explicit parity bits.
The example at the end regarding _Bool is nice.
String Length
https://hsivonen.fi/string-length/ [hsivonen.fi]
2019-09-08 17:22
tags:
article
language
programming
standard
text
It’s Not Wrong that “🤦🏼♂️”.length == 7 But It’s Better that “🤦🏼♂️”.len() == 17 and Rather Useless that len(“🤦🏼♂️“) == 5
The string that contains one graphical unit consists of 5 Unicode scalar values. First, there’s a base character that means a person face palming. By default, the person would have a cartoonish yellow color. The next character is an emoji skintone modifier that changes the color of the person’s skin (and, in practice, also the color of the person’s hair). By default, the gender of the person is undefined, and e.g. Apple defaults to what they consider a male appearance and e.g. Google defaults to what they consider a female appearance. The next two scalar values pick a male-typical appearance specifically regardless of font and vendor. Instead of being an emoji-specific modifier like the skin tone, the gender specification uses an emoji-predating gender symbol (MALE SIGN) explicitly ligated using the ZERO WIDTH JOINER with the (skin-toned) face-palming person. (Whether it is a good or a bad idea that the skin tone and gender specifications use different mechanisms is out of the scope of this post.) Finally, VARIATION SELECTOR-16 makes it explicit that we want a multicolor emoji rendering instead of a monochrome dingbat rendering.
And then we move on from there, in quite some depth.
source: L
Public Suffix List Problems
https://github.com/sleevi/psl-problems/blob/master/README.md [github.com]
2019-09-06 20:32
tags:
browser
cloud
networking
security
standard
web
This is a collection of thoughts from a maintainer of the Public Suffix List (PSL) about the importance of avoiding new Web Platform features, security, or privacy boundaries assuming the PSL is a good starting point.
Equally terrifying, however, is how many providers only discovered the existence of the PSL once LE was using it to rate limit - meaning that their users were able to influence cookies and other storage without restriction, until an incidental change (wanting to get more certs) caused the server operator to realize.
source: HN
Some obscure C features
https://multun.net/obscure-c-features.html [multun.net]
2019-08-22 22:47
tags:
c
programming
standard
The current most used version of the language, c99, gained some new features over the years, many of which are completely unknown to most C programmers (Older specifications obviously also have some dark corners).
Would not recommend.
source: HN
KNOB Attack
https://knobattack.com/ [knobattack.com]
2019-08-16 05:00
tags:
crypto
exploit
security
standard
tech
wifi
Paper: https://www.usenix.org/conference/usenixsecurity19/presentation/antonioli
We present an attack on the encryption key negotiation protocol of Bluetooth BR/EDR. The attack allows a third party, without knowledge of any secret material (such as link and encryption keys), to make two (or more) victims agree on an encryption key with only 1 byte (8 bits) of entropy. Such low entropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid encrypted messages (in real-time). The attack is stealthy because the encryption key negotiation is transparent to the Bluetooth users. The attack is standard-compliant because all Bluetooth BR/EDR versions require support for encryption keys with entropy between 1 and 16 bytes and do not secure the key negotiation protocol. As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected. We call our attack Key Negotiation Of Bluetooth (KNOB) attack.
source: green
HTTP/2 Denial of Service Advisory
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md [github.com]
2019-08-13 20:26
tags:
networking
security
standard
turtles
web
Netflix has discovered several resource exhaustion vectors affecting a variety of third-party HTTP/2 implementations. These attack vectors can be used to launch DoS attacks against servers that support HTTP/2 communication.
Son of Slowloris returns!
While this added complexity enables some exciting new features, it also raises implementation questions.
Here comes trouble...
The Security Considerations section of RFC 7540 (see Section 10.5) addresses some of this in a general way. However, unlike the expected “normal” behavior—which is well-documented and which implementations seem to follow very closely—the algorithms and mechanisms for detecting and mitigating “abnormal” behavior are significantly more vague and left as an exercise for the implementer. From a review of various software packages, it appears that this has led to a variety of implementations with a variety of good ideas, but also some weaknesses.
source: HN
ASCII table and history
https://bestasciitable.com/ [bestasciitable.com]
2019-08-12 00:11
tags:
retro
standard
text
tty
To understand why Control+i inserts a Tab in your terminal you need to understand ASCII, and to understand ASCII you need to know a bit about its history and the world it was developed in. Please bear with me (or just go to the table).
Most teleprinters communicated using the ITA2 protocol. For the most part this would just encode the alphabet, but there are a few control codes: WRU (“Who R U”) would cause the receiving teleprinter to send back its identification, BEL would ring a bell, and it had the familiar CR (Carriage Return) and LF (Line Feed).
source: Dfly