Readit News logoReadit News
johnp_ commented on Handling cookies is a minefield   grayduck.mn/2024/11/21/ha... · Posted by u/todsacerdoti
deathanatos · a year ago
That is a bit of a minefield, I agree…

The way around this, as a developer, is URL-safe-base64 encode the value. Then you have a bytes primitive & you can use whatever inner representation your heart desires. But the article does also note that you're not 100% in control, either. (Nor should you be, it is a user agent, after all.)

I do wish more UAs opted for "obey the standard" over "bytes and an prayer on the wire". Those 400 responses in the screenshots … they're a conforming response. This would have been better if headers had been either UTF-8 from the start (but there are causality problems with that) or ASCII and then permitted to be UTF-8 later (but that could still cause issues since you're making values that were illegal, legal).

johnp_ · a year ago
> URL-safe-base64

And make sure to specify what exactly you mean by that. base64url-encoding is incompatible with base64+urlencoding in ~3% of cases, which is easily missed during development, but will surely happen in production.

johnp_ commented on QUIC is not quick enough over fast internet   dl.acm.org/doi/10.1145/35... · Posted by u/Shank
Veserv · 2 years ago
The system call to send multiple UDP packets in a single call has existed since Linux 3.0 over a decade ago[1]: sendmmsg().

[1] https://man7.org/linux/man-pages/man2/sendmmsg.2.html

johnp_ · 2 years ago
Looks like Mozilla is currently working on implementing `sendmmsg` and `recvmmsg` use in neqo (Mozilla's QUIC implementation) [1].

[1] https://github.com/mozilla/neqo/issues/1693

johnp_ commented on How to waste bandwidth, battery power, and annoy sysadmins   rachelbythebay.com/w/2024... · Posted by u/zoidb
johnp_ · 2 years ago
Here's the code, for those interested in finding the bug: https://github.com/mozilla-mobile/firefox-ios/tree/main/Brow...
johnp_ commented on New seafloor map only 25% done, with 6 years to go   eos.org/articles/new-seaf... · Posted by u/Brajeshwar
TypicalHog · 2 years ago
Don't know the resolution they're working with, but they should defo prioritize the MH370 potential crash area.
johnp_ · 2 years ago
It says in the article

> Seabed 2030 is a long-term mapping project attempting to fully chart the seafloor and reveal all features 100 meters or larger by 2030.

There is an area of interest, "Area 3: Indian Ocean: Ninetyeast Ridge" around 30S 87E, which specifically mentions MH370:

https://seabed2030.org/wp-content/uploads/2023/06/AtlanticIn...

Though that is quite a bit (~830 km / ~1250 km from the center of the square around 30S 87E) off to the (north)west of the most recent search proposal from mh370search.com:

https://www.mh370search.com/2024/03/16/mh370-a-new-hope/

edit: Got the distance wrong. Corrected.

johnp_ commented on TCP connection timeout mystery   devnonsense.com/posts/tcp... · Posted by u/dmarto
gregw2 · 2 years ago
Ran into this myself about 10 days ago.

If a TLS handshake is aborted partway through, Wireshark will label it “TLSv1”. It actually retroactively labels the 1.0 TLS packets as 1.3 after a successful TLS 1.3 handshake finishes.

This makes sense because a TLSv1.3 handshake actually starts as 1.0 and then upgrades to 1.3 only with IIRC the Server Hello response to the ClientHello.

The following links document this behavior, in case you or your organization’s security team is nervous TLSv1 is actually being used:

https://superuser.com/a/1618420

https://ask.wireshark.org/question/24276/how-does-wireshark-...

https://gitlab.com/wireshark/wireshark/-/issues/16114

johnp_ · 2 years ago
Oh, indeed, that's quite surprising. A TLSv1.3 Client Hello always contains the supported_versions extension, which should allow wireshark to label it correctly, regardless of whether or not the handshake actually finishes. Though, tbf, it does say TLSv1 and not TLSv1.0. I wonder how it would look had TLSv1.3 been named TLSv2.0 after all...

edit: Ah, that GitLab link lead me to https://gitlab.com/wireshark/wireshark/-/issues/19515 which is a recent discussion around this topic and https://gitlab.com/wireshark/wireshark/-/merge_requests/1377... already dealt with it :)

johnp_ commented on TCP connection timeout mystery   devnonsense.com/posts/tcp... · Posted by u/dmarto
gjf · 2 years ago
First off, the HTTP HTTP 301s to the HTTPS site, so HTTPS is still the likely trigger.

Second, I see that whatever client he's using is specifying a very old TLS 1.0. If its not MTU (which others have mentioned), then my guess would be a firewall with a policy specifying a minimum TLS version, and dropping this connection on the floor.

johnp_ · 2 years ago
Certainly weird that wireshark shows TLSv1 while curl shows TLSv1.3. That shouldn't happen unless something interfered with the Client Hello. (or the wireshark version is outdated)

Deleted Comment

johnp_ commented on Zenbleed   lock.cmpxchg8b.com/zenble... · Posted by u/loeg
blinkingled · 3 years ago
On my Zen2 / Renoir based system the PoC exploit continues to work albeit slowly even after updating the microcode (linked from TFA) that has the fix for this issue. The wrmsr stops it fully in its track.

Edit: just realized it must have been that the initramfs image is not updated with the manually updated firmware in /lib/firmware.

Edit2: Updated the initramfs and even if the benchmark.sh fails, ./zenbleed -v2 still picks out and prints strings which doesn't happen with the wrmsr solution.

johnp_ · 3 years ago
linux-firmware does not carry any microcode update for Renoir (yet). Or what do you mean by "TFA"?

The fixed Renoir microcode should have revision >= 0x0860010b as per the kernel: https://github.com/torvalds/linux/commit/522b1d69219d8f08317...

Deleted Comment

Deleted Comment

j

u/johnp_

KarmaCake day217April 19, 2016View Original