Information Leaks via Safari's Intelligent Tracking Prevention
> Intelligent Tracking Prevention (ITP) is a privacy mechanism implemented by Apple’s Safari browser, released in October 2017. ITP aims to reduce the cross-site tracking of web users by limiting the capabilities of cookies and other website data. As part of a routine security review, the Information Security Engineering team at Google has identified multiple security and privacy issues in Safari’s ITP design. These issues have a number of unexpected consequences, including the disclosure of the user’s web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks (including cross-site search). This report is a modestly expanded version of our original vulnerability submission to Apple (WebKit bug #201319), providing additional context and edited for clarity. A number of the issues discussed here have been addressed in Safari 13.0.4 and iOS 13.3, released in December 2019.
Real-Time Ray-Tracing in WebGPU
> Note that RTX is not available officially for WebGPU (yet?) and is only available for the Node bindings for WebGPU. Recently I began adapting an unofficial Ray-Tracing extension for Dawn, which is the WebGPU implementation for Chromium. The Ray-Tracing extension is only implemented into the Vulkan backend so far, but a D3D12 implementation is on the Roadmap. You can find my Dawn Fork with Ray-Tracing capabilities here.
> Now let me introduce you to the ideas and concepts of the Ray-Tracing extension.
Add a little Canada to your website
> hockey player checks out lumberjack while woman in Canadian tuxedo looks on in disbelief
Hacking GitHub with Unicode's dotless 'i'.
> GitHub’s forgot password feature could be compromised because the system lowercased the provided email address and compared it to the email address stored in the user database. If there was a match, GitHub would send the reset password link to the email address provided by the attacker- which was technically speaking, not the same email address.
This is beautiful.
Coping with flexbox
> I wanted to form a better mental model of all the basic functionality that flexbox provides for all those common-denominator daily-purpose needs. This is a post about that I’ve been intending to write for while now. It’s hard to beat the succinctness and completeness that CSSTricks manages around this, so I won’t try. Flexbox is powerful, so trying to “simplify” it means we’d have to have assumptions
Three ways to reduce the costs of your HTTP(S) API on AWS
> Since we would send this five billion times per day, every byte we could shave off would save five gigabytes of outgoing data, for a saving of 25 cents per day per byte removed.
It all adds up.
It was 20 years ago today
> It’s amzing to think I’ve been doing this whole blog thing for a whole twenty years.
> But despite all the code changes, the actual storage format has not changed one bit in all twenty years.
Defense in depth against SSRF vulnerabilities with the EC2 Instance Metadata Service
> Today, AWS is making v2 of the EC2 Instance Metadata Service (IMDSv2) available. The existing instance metadata service (IMDSv1) is fully secure, and AWS will continue to support it. But IMDSv2 adds new “belt and suspenders” protections for four types of vulnerabilities that could be used to try to access the IMDS. These new protections go well beyond other types of mitigations, while working seamlessly with existing mitigations such as restricting IAM roles and using local firewall rules to restrict access to the IMDS. AWS is also making new versions of the AWS SDKs and CLIs available that support IMDSv2.
Eh, seems this could have been better from the start, but oh well.
The Google Squeeze
> OTAs have always been a special case when it comes to Aggregation Theory; like Aggregators, they serve customers on a zero marginal cost basis, and they have power over supply (hotels, primarily) by virtue of delivering them demand. The hangup for me is how they acquire that demand: first and foremost from Google.
> This arrangement between OTAs and Google has long been beneficial to both sides. Google drives traffic to the OTAs, which can monetize that traffic via commissions extracted from suppliers.2 Google, meanwhile, not only receives relevant results it could serve to customers, but also makes billions of dollars from OTAs buying search ads.
Bypassing GitHub's OAuth flow
> What happens if we send an authenticated HEAD request to https://github.com/login/oauth/authorize? We’ve concluded that the router will treat it like a GET request, so it will get sent to the controller. But once it’s there, the controller will realize that it’s not a GET request, and so the request will be handled by the controller as if it was an authenticated POST request. As a result, GitHub will find the OAuth app specified in the request, and grant it access to the authenticated user’s data.
Help me, framework!
Wonders of the Internet
> There wasn’t any indication of what it had been part of, or what it was for, but it did have the marking PART 2198768 on the back, so I handed that to The Goog.
> And the result was instantaneous and unequivocal: it belongs to my refrigerator. Specifically, it goes in the back of the freezer compartment to keep food from falling down into the back and blocking the drainage path.
At the Times, a Hesitance to Hyperlink
> There’s a joke in the journalism industry: It’s not news until the New York Times says it is. This is because the Times often reports stories that other outlets already have without any acknowledgment that they’re doing so.
Relearn CSS layout
> If you find yourself wrestling with CSS layout, it’s likely you’re making decisions for browsers they should be making themselves. Through a series of simple, composable layouts, Every Layout will teach you how to better harness the built-in algorithms that power browsers and CSS.
Some free, some pay.
A free guide to HTML5 <head> elements
HTML: the good parts
Migrating From Cloudflare
> Okay so here’s the thing: Cloudflare isn’t just the CDN provider for the instance, it is also the domain’s nameserver. That means that it holds all the DNS records that point mastodon.technology to the various IP addresses used for HTTP requests, email, and even public DKIM keys for mail server verification. These DNS settings are really, really important. If they get messed up, everything about the instance can break.
> So I split up the migration from Cloudflare to BunnyCDN into two phases: first migrate the CDN provider, and then migrate the DNS provider. Getting this right is really important, and I mostly did okay, but hopefully you can learn from my experiences.
Looking back at the Snowden revelations
> It’s no coincidence that this is a cryptography blog, which means that I’m not concerned with the same things as the general public. That is, I’m not terribly interested in debating the value of whistleblower laws (for some of that, see this excellent Twitter thread by Jake Williams). Instead, when it comes to Snowden’s leaks, I think the question we should be asking ourselves is very different. Namely:
> What did the Snowden leaks tell us about modern surveillance capabilities? And what did we learn about our ability to defend against them?
And it was Uphill Both Ways
> In fact, shortly after I made my own personal home page, full of <marquee> tags, creative abuse of the <font> tag, and a color scheme which was hot pink and neon green, I showed it to a friend, who condescendingly said, “What, you didn’t even use frames?” He made me mad enough that I almost deleted my Geocities account.
Nice look back at how we used to do things.
> In this era, we’d call stuff like this “DHTML” (the D is for “dynamic”), and we traversed the DOM as a chain of properties, doing things like document.forms.inputs to access fields on the form.
HTTP Mock – Intercept, debug and mock HTTP
> HTTP Mock is the latest tool in HTTP Toolkit, a suite of beautiful & open-source tools for debugging, testing and building with HTTP(S), on Windows, Linux & Mac.
This does look useful.
Interesting implementation note: https://news.ycombinator.com/item?id=21072087
> The trick is that it starts the application to be intercepted for you, so it can control it a little. It then does some magic to get that specific instance of the application to trust the certificate. There’s a lot going on there, but as an example: Chrome has a --ignore-certificate-errors-spki-list to inject the hashes of extra CAs that can be trusted in this specific Chrome instance. When HTTP Toolkit starts a Chrome process, it adds that command line option, with the hash of your locally generated CA.
Ik spreek geen Nederlands
> As you can see, the text was (for reasons unknown to me) helpfully translated into the language of the country we happen to be in. Unfortunately I don’t speak either Dutch or Portuguese so I can only interpret this behaviour as a punishment encountered by people rude enough to dare travel abroad without learning the language spoken in the country they happen to be in, thereby breaking the worldview held by the particular programmer who happened to be responsible for creating the translation module for this amazing example of good web development practices.