How CDNs Generate Certificates
> Obviously, to do stuff like this, you need to generate certificates. The reasonable way to do that in 2020 is with LetsEncrypt. We do that for our users automatically, but “it just works” makes for a pretty boring writeup, so let’s see how complicated and meandering I can make this.
> It’s time to talk about certificate infrastructure.
Is WebP really better than JPEG?
> I think Google’s result of 25-34% smaller files is mostly caused by the fact that they compared their WebP encoder to the JPEG reference implementation, Independent JPEG Group’s cjpeg, not Mozilla’s improved MozJPEG encoder. I decided to run some tests to see how cjpeg, MozJPEG and WebP compare. I also tested the new AVIF format, based on the open AV1 video codec. AVIF support is already in Firefox behind a flag and should be coming soon to Chrome if this ticket is to be believed.
Improving Chromium's browser compatibility in 2020
> It is clear that it is still painful to develop a website or web app that works reliably across browsers.
Fixing the Breakage from the AddTrust External CA Root Expiration
> A lot of stuff on the Internet is currently broken on account of a Sectigo root certificate expiring at 10:48:38 UTC today. Generally speaking, this is affecting older, non-browser clients (notably OpenSSL 1.0.x) which talk to TLS servers which serve a Sectigo certificate chain ending in the expired certificate. See also this Twitter thread by Ryan Sleevi.
Zero-day in Sign in with Apple
> In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.
CVE-2020-8816 – Pi-hole Remote Code Execution
> Pi-hole is affected by a Remote Code Execution vulnerability. An authenticated user of the Web portal can execute arbitrary commands on the underlying server with the privileges of the local user executing the service. Exploitation of this vulnerability can be automated.
Neat trick to get around input restrictions:
> Luckily for us, the PATH contains the strings “pihole” and “usr” which in turn contains the “p”, “h” and “r” lower-case characters. Those are the only letters we need to write “php -r”.
Why is This Website Port Scanning me?
> Recently, I was tipped off about certain sites performing localhost port scans against visitors, presumably as part of a user fingerprinting and tracking or bot detection. This didn’t sit well with me, so I went about investigating the practice, and it seems many sites are port scanning visitors for dubious reasons.
Experiences with email-based login
> The way it originally worked is that you would sign up with your email, and to log in a “magic link” with a secret token would be emailed to you, which will set the cookie and log you in. I did it like this after a suggestion/discussion at Lobste.rs last year, and I thought it would be easier to implement (it’s not) and easier for users (it’s not).
Google Erases Thousands of Links, Tricked by Phony Complaints
> Dubious copyright claims citing 1998 law led the search giant to make unfavorable articles vanish
> Google removed search links to the Vietnamese-language article after someone identifying as Long Hoang filed a complaint claiming the piece violated the copyright on an identical blog post about the tourists dated October 20, 2019, more than four months before the unnamed Britons visited. The blog consists of only eight posts, all cited in copyright complaints filed with Google.
Augmented Reality Is Now Mainstream on Instagram
> I am alone in my apartment, as always, and I’ve just replaced my left eyeball with an orange springing out of its peel. A mile away, a friend, also home alone, is taking her seat—every seat, actually—at the table in The Last Supper, yelling as the camera pans down the row of disciples and her face replaces that of one man after another. Another friend is watching a mouse dressed as the Pope dance across her kitchen floor. A third is smiling while a strange man wraps his arms around his throat.
An Interactive Cross-Site Request Forgery (CSRF) Demo
> A hands-on beginner’s guide to what CSRF attacks are and how to prevent them.
The Original Cookie specification from 1997 was GDPR compliant
> We were never supposed to be able to do what most publishers and tech companies do today. In fact, what if I were to tell you that the original specification for how cookies should be implemented in browsers pretty much defined what GDPR is today?
Think back to a time when people thought user agents would be agents for the user.
A Warm Welcome to ASN.1 and DER
> This document provides a gentle introduction to the data structures and formats that define the certificates used in HTTPS. It should be accessible to anyone with a little bit of computer science experience and a bit of familiarity with certificates.
Porting to TypeScript Solved Our API Woes
> With the Ruby backend, we sometimes forgot that a particular API property held an array of strings, not a single string. Sometimes we changed a piece of the API that was referenced in multiple places but forgot to update one of those places. These are normal dynamic language problems in any system whose tests don’t have 100% test coverage. (And it will still happen even with 100% coverage; it’s just less likely.)
The story of how I gained unauthorized Camera access on iOS and macOS
> We are beginning to form the attack plan - if we can somehow trick Safari into thinking our evil website is in the “secure context” of a trusted website, we can leverage Safari’s camera permission to access the webcam via the mediaDevices API.
Touch And Go
> Pondering the disastrous fate of the HP TouchPad, an early tablet based on WebOS that’s best known for being the subject of a well-remembered fire sale.
Big Tech Is Testing You
> Large-scale social experiments are now ubiquitous, and conducted without public scrutiny. Has this new era of experimentation remembered the lessons of the old?
> Physics, chemistry, and medicine have had their revolution. But now, driven by experimentation, a further transformation is in the air. That’s the argument of “The Power of Experiments” (M.I.T.), by Michael Luca and Max H. Bazerman, both professors at the Harvard Business School. When it comes to driving our decisions in a world of data, they say, “the age of experiments is only beginning.”
Monitoring And Debunking COVID-19 Panic: The “Haarlem Aldi” Hoax
> Knowing how relatively calm the situation has been here in the Netherlands (especially in Haarlem, where there is one reported case), we at Bellingcat felt that the video was likely fake — and set out to prove it.
My infrastructure as of 2019
> The goal for my infrastructure is to run the services I need. While a lot of people in the homelab community experiment and play with software for its own sake, I actively use the stuff I host. When I stop, I kill the service (though I’m not as proficient at this as Google). These are my production systems, and when one of them is down, I do miss it.
Hashtag of note
> You will probably notice immediately that it contains a full-width dash, in other words a Unicode (probably Chinese-origin?) character. For some reason, this is all over Twitter in posts from Anglophone people I am almost completely sure have no input method installed that can actually produce it.
> It’s not a real dash at all but a “Katakana-Hiragana prolonged sound mark”: