TLS1.3, AES512, Expect-CT, Headers, WhatsApp, eIDAS, Mmap, Mindfullness

  • TLS 1.3 is coming. That's awesome. Interesting stuff is in section 1.3. Major Differences from TLS 1.2. Authenticated Encryption with Associated Data (AEAD), 0-RTT, Forward Secrecy (FS), All messages are Encrypted, Extract-and-Expand Key Derivation Function (HKDF), ed22519 and ed448, DSA removed, PSK based session resumption only. It's interesting to see when the first implementation hit main stream. Yes, I'm aware about 0-RTT related replay attack risks. All actions which are required to be unique should always contain unique identifier anyway. This is nothing new, this is already required just because client and server connection can get severed at any time for multiple reasons. If the client retries the action, it might run multiple times on the server, if there's no unique identifier included. So this is nothing new in that sense. Unfortunately many implementations are broken, I've written a few. But the reason why the implementation is broken, is due the specification which doesn't allow usage of unique "transaction" identifiers. Too bad. I've often also requested this feature to be added, but in most of cases nobody cares enough. Even if it's about money, so that's pretty grim. But goes according the generic lines of security approach take by most of projects and organizations. In some cases SSL 3.0 still needs to be supported with RC4 or 3DES for really old systems, which is quite horrible truth. It would be important to get rid of such an old systems. I also enabled TLS 1.3 on Firefox, just to see if it causes any problems. As well as disabled all non cipher suites which do not support Forward Secrecy.
  • One database provider is advertising AES 512 bit encryption. I had to ask them, could they please provide more details. I'm just curious. Quote: "AES encryption from 128 bit to 512 bit meets market demand for cybersecurity support"
  • Studied new HTTP header Expect-CT. Which is designed to help with Certificate Transparency.
  • Also reminded my self about securityheaders.io web page security headers scanner service.
  • Just laughed about WhatsApp web and bad code. It seems that their image handling code totally sucks with large images. I've now got 8K screen, and if I try to paste a screenshot into WhatsApp web, it just hangs. Great work!
  • Finland is progressing with official national implementation of eIDAS. European Electronic Identification and Trust Services.
  • Mmap and Memory Mapped Files. Yet I haven't ever had projects which would have actually required (or greatly benefited) from using mmap. Played with it fo a while, and sure it works well. If and when required. Why now? Well, one process one server is memory mapping so much files that the system gets seriously memory deprived. I'm usually doing pretty small amounts and sequential is, that's why I don't need memory map. But if I would be doing lots of high performance random I/O then I would use mmap. Also reminded my self about StringIO or BytesIO and TemporaryFile. In most of cases the data sets I'm working with are quite sequential. So I can read data, process it and discard most of it, and put small amounts of data in dictionary or list waiting for final write out. In most of cases, the memory consumption is so low, that it doesn't make sense to write temporary file. I just one day thought that I'm using basic lists really lot. After all those perform well with Python and are ok to use. And I can finalize the list of strings with final join before writing data out, or using writelines, if writing at once. Only in projects where there's lot of output data, I'll try to write out in sanely sized chunks and not spool it all in ram. This "problem" can be greatly heightened by inefficient formats like XML.
  • Reminded my self about mindfulness. Yet sometimes mind-dullness sounds much better. If you don't think or care at all, you've got nothing to worry about. Ignorance is a bliss? Blissful ignorance effect.

2019-08-04