CF, SSH, TLS, 6 Hats, Artic Connect, FIDO2, VPN0, ECC, SCRAM
Cloudflare Keyless Everywhere - Isolating private keys better from evil Internet. Improvements over Keyless SSL. Article also got nice story about development and production issues while deploying the solution. Troubleshooting fun! In the afterthought the changes they did seem of course so obvious. Everyday system engineering. kw: memcached, Go, BoringSSL, TLS, ECC, Cryptography, Encryption, Security, Internet, Rust
Illustrated TLS 1.3 connection - every byte explained and reproduced. This is great! TLS @ Wikipedia
Six Thinking Hats. Initial Ideas, Choosing between alternatives, Identifying Solutions, Quick Feedback, Strategic Planning, Process Improvement, Solving Problems, Performance Review
While verifying my domain on Keybase (DNS + HTTPS). I noticed that Keybase (@ Keybase.io) often asks users to paste complex commands into shell. Am I only one who's kind of worried about this approach? Yet, it probably isn't any worse than having the keybase software installed. Sure, competent users would spot that pretty quickly if something is off and as Keybase I naturally wouldn't take such a risk. But in general it's bad to tell users just to paste and execute something.
Cinia's Arctic Connect fiber optic cable. It remains to be seen when and if this cable gets deployed. I think the idea is already decades old. Latest news is that they're getting more partners to fund the project.
Hail Microsoft Outlook FIDO2 Passwordless WebAuthn login is broken: "Message: AADSTS135021: Invalid UserHandle prefix." | "X-Auth-Error System.ArgumentNullException" - Keep up the good work guys. And then it also prevents logging out. F...reaking awesome user experience guys. As extra bonus: Firefox doesn't allow deleting site specific data / cookies anymore (except using SQLite3). Standard user is totally and permanently stuck with this situation. Unable to login / logout. - Or does this just mean you've hell banned me from your services? - Why tell users about ban, just let's give them random hard to debug error messages and ROFL. When they post something like this. We've just got confirmation that it worked. Here's the confirmation that now I'm officially annoyed. Have a party guys, if that's what you're looking for. I've also confirmed that Outlook login is also broken with another default configuration Windows 10 computer using Edge browser. So it's not just me messing up with too many security settings in Firefox.
Outlook error message confirmed what I expected: "X-FEServer HE1PR0501CA0015" "X-BEServer AM7PR08MB5318". Front end in Helsinki and back end in Amsterdam.
I also found found another FIDO2 / Windows Hello / Microsoft accounts related problem. If I'm using Windows computer with Microsoft Account, I can't use passwordless login to login to any other account than the account I'm logged into Windows with. Kind of annoying. When I start FIDO2 passwordless login with USB Authenticator, it asks to authenticate the logged in Windows user. And doesn't allow totally valid authentication for other user. And I'm NOT logged into Outlook. So, basically if you're having multiple parallel accounts or guest needs to login to webmail, it's impossible. Sometimes SSO got also great drawbacks. I personally seriously dislike this kind of approach. If you use Local / Domain account then this kind of restrictions do not apply. It's always interesting to find this kind of UX traps.
Really nice article about Elliptic Curve Crytpography (ECC). Loved it.
Salted Challenge Response Authentication Mechanism (SCRAM). Mutual authentication is always a good thing. It's so common that this essential step is skipped with older authentication systems. Which authenticate the client, but not the server (nor it's certificate!). Ref: RFC 7677. Very nice indeed and even quite simple to implement, even if there wouldn't suitable preexisting library. Will be used if and when and if required. I personally like this a lot more than the "blind trust" in TLS Certs which are "trusted". Yet, FIDO2 provides similar kind of security, by authenticating the server as well.