HackerTrans
TopNewTrendsCommentsPastAskShowJobs

agwa

no profile record

Submissions

FastCGI: 30 years old and still the better protocol for reverse proxies

agwa.name
424 points·by agwa·2 tháng trước·101 comments

Why IP Address Certificates Are Dangerous and Usually Unnecessary

agwa.name
3 points·by agwa·5 tháng trước·0 comments

Google suspended my company's Google cloud account for the third time

agwa.name
416 points·by agwa·8 tháng trước·192 comments

A Retrospective Survey of 2024/2025 Open Source Supply Chain Compromises

words.filippo.io
13 points·by agwa·9 tháng trước·2 comments

comments

agwa
·24 ngày trước·discuss
What's particularly crazy about this interchange is that there is going to be a second, elevated peanut roundabout that's rotated 90 degrees, for buses to use: https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg...
agwa
·25 ngày trước·discuss
You would think so, but even an authentication company screwed it up:

https://cybercx.co.nz/blog/json-web-token-validation-bypass-...
agwa
·25 ngày trước·discuss
The cost is the vigilance required to use them safely. It's not just compute/storage costs.
agwa
·25 ngày trước·discuss
Fair enough, but those optimizations are basically free. People think stateless tokens are free but they really are not.
agwa
·25 ngày trước·discuss
As someone who operates a PostgreSQL database containing 27 billion SSL certificates, each 1-2kb each, with a bunch of secondary indexes that get inserted in random order, I find it pretty incredible that people see the need to optimize their session database. At what scale does the size of the session database actually matter?

Those stateless tokens may be "unforgeable", but they are replayable, and if you're not mindful of that you can have security vulnerabilities.
agwa
·tháng trước·discuss
Aw, thanks :-)
agwa
·tháng trước·discuss
The blog post provides a certificate chain that validates in OpenSSL but not in Go.

The reason it doesn't validate in Go is that the Subject field in the CA certificate uses a different string encoding than the Issuer field in the leaf certificate, so the fields are not byte-for-byte equal.

Go requires the Issuer and Subject to be byte-for-byte equal. This was permitted by older specs, but RFC 5280 changed the rules to require the use of RFC 4518 (LDAP stringprep) for comparing strings. This turned a simple memcmp into a complicated algorithm that requires implementing Unicode normalization, for virtually zero benefit. That's the last thing you want in your security-critical certificate verifier, so Go quite sensibly chose to follow the older specs in this regard. The CA/Browser Forum's Baseline Requirements also mandate byte-for-byte equality, so Go's behavior won't cause publicly-trusted certificates to be incorrectly rejected.

Note that LDAP stringprep is so complicated that OpenSSL doesn't even try to implement it properly and uses an approximation instead. So you would also be able to "fool" OpenSSL into rejecting certificate chains that RFC 5280 says are valid.

The blog post says that this is an "ongoing debate" in the Go project but I don't think that's accurate. I'd be shocked if they ever changed this behavior, given that crypto/x509 targets publicly-trusted certificates and the current behavior is so much simpler.
agwa
·tháng trước·discuss
The following go flags let you build statically-linked cgo binaries, provided that all the C libraries that you're using support static linking and don't call the NSS functions in glibc:

-tags netgo,osusergo -linkmode external -extldflags -static

I regularly compile (cross-compile, even) static Go binaries that use the cgo sqlite package. But it's certainly a lot simpler if you can avoid cgo.
agwa
·tháng trước·discuss
I think that on Unixes without overcommit, people allocate massive amounts of swap so that fork never fails.
agwa
·tháng trước·discuss
Yeah, I agree. No criticism of Go's behavior is intended; just pointing out that the RFC is technically dead.
agwa
·tháng trước·discuss
That RFC is obsoleted by https://datatracker.ietf.org/doc/html/rfc9844 which removes all guidance around URIs:

> This document completely obsoletes [RFC6874], which implementors of web browsers have determined is impracticable to support [LINK-LOCAL-URI], and replaces it with a generic UI requirement. Note that obsoleting [RFC6874] reverts the change that it made to the URI syntax defined by [RFC3986], so [RFC3986] is no longer updated by [RFC6874]. As far as is known, this change will have no significant impact on non-browser deployments of URIs.
agwa
·tháng trước·discuss
The downside is that to get the size optimization, TLS servers will get moderately more complicated (they'll need to have multiple MTC certificates configured and select the right one depending on the client's state), and TLS clients will get considerably more complicated (they'll need to continuously download landmarks for each CA out-of-band from a trusted source).

I expect many non-browser TLS clients won't support the small landmark-relative certificates, because there isn't a clear party to operate the landmark distribution service (Chrome has Google, and Firefox has Mozilla, but who does curl have?). I'm also worried that support will be lacking in open source TLS servers, though that's a more tractable problem. Consequentially, I expect the large standalone certificates to be quite common outside of connections between browsers and CDNs.
agwa
·tháng trước·discuss
You'll be able to immediately use use a "standalone certificate" while waiting for the batch to be created. The tradeoff is that the standalone certificate will have multiple huge ML-DSA signatures.
agwa
·tháng trước·discuss
Right, I read all that and I didn't see anything to indicate that AI is being used to write code - just one person's unsubstantiated claim.
agwa
·tháng trước·discuss
Where do you see that about Postfix? I followed the links and the only thing I see is that AI is being used to find bugs, not write code.
agwa
·2 tháng trước·discuss
Those changes were passed during the first Trump administration by a Republican congress, though they didn't go into effect until Biden was in office.

https://kpmg.com/kpmg-us/content/dam/kpmg/pdf/2023/tcja-chan...
agwa
·2 tháng trước·discuss
If you want your dev environment to be as similar to prod as possible, and you use a proxy in prod, then you should use a proxy in dev also. I was presenting a solution to someone who doesn't want to do that.
agwa
·2 tháng trước·discuss
Do be aware that CGI, unlike FastCGI, has a pretty big footgun due to the use of environment variables to convey HTTP headers: https://httpoxy.org/

Go's CGI server implementation doesn't set $HTTP_PROXY so you're safe from that, but I still don't love how CGI uses environment variables.
agwa
·2 tháng trước·discuss
Please see the section about untrusted headers - this is not fixed by HTTP/2.

You're right that being able to point your browser right at the app is very convenient. With Go, you can have a command line flag that switches between http.Serve (for development) and fcgi.Serve (for production).
agwa
·2 tháng trước·discuss
Putting security-critical logic in proxies is a violation of the End-to-End Principle, not an example of it. That doesn't mean it's a bad thing; as ragall notes, the End-to-End Principle doesn't make sense here.

You're correct that if the proxy removes all unknown headers, you're safe (with HTTP/2). But that sounds extremely inconvenient - before your application can use a new header, you have to talk to the team who runs the proxy. And popular reverse proxy software doesn't do that by default so it remains a huge footgun for the unwary. All completely avoided with FastCGI.