jm + https   35

Unbundling Pokémon Go
tl;dr: on Android, it's a Unity app, talking HTTPS to the backend, using protobuf over HTTP. Interesting notes about the use of certificate pinning and how they should be doing that
https  http  protobuf  pokemon-go  pokemon  apps  android  reversing 
july 2016 by jm
3 Reasons AWS Lambda Is Not Ready for Prime Time
This totally matches my own preconceptions ;)
When we at Datawire tried to actually use Lambda for a real-world HTTP-based microservice [...], we found some uncool things that make Lambda not yet ready for the world we live in:

Lambda is a building block, not a tool;
Lambda is not well documented;
Lambda is terrible at error handling

Lung skips these uncool things, which makes sense because they’d make the tutorial collapse under its own weight, but you can’t skip them if you want to work in the real world. (Note that if you’re using Lambda for event handling within the AWS world, your life will be easier. But the really interesting case in the microservice world is Lambda and HTTP.)
aws  lambda  microservices  datawire  http  api-gateway  apis  https  python  ops 
may 2016 by jm
Google Cloud Platform HTTP/HTTPS Load Balancing
GCE's LB product is pretty nice -- HTTP/2 support, and a built-in URL mapping feature (presumably based on how Google approach that problem internally, I understand they take that approach). I'm hoping AWS are taking notes for the next generation of ELB, if that ever happens
elb  gce  google  load-balancing  http  https  spdy  http2  urls  request-routing  ops  architecture  cloud 
october 2015 by jm
fabio
fast, modern, zero-conf load balancing HTTP(S) router managed by consul; serves 15k reqs/sec, in Go, from eBay
load-balancing  consul  http  https  routing  ebay  go  open-source  fabio 
october 2015 by jm
rwasa
our full-featured, high performance, scalable web server designed to compete with the likes of nginx. It has been built from the ground-up with no external library dependencies entirely in x86_64 assembly language, and is the result of many years' experience with high volume web environments. In addition to all of the common things you'd expect a modern web server to do, we also include assembly language function hooks ready-made to facilitate Rapid Web Application Server (in Assembler) development.
assembly  http  performance  https  ssl  x86_64  web  ops  rwasa  tls 
august 2015 by jm
Patrick Shuff - Building A Billion User Load Balancer - SCALE 13x - YouTube
'Want to learn how Facebook scales their load balancing infrastructure to support more than 1.3 billion users? We will be revealing the technologies and methods we use to route and balance Facebook's traffic. The Traffic team at Facebook has built several systems for managing and balancing our site traffic, including both a DNS load balancer and a software load balancer capable of handling several protocols. This talk will focus on these technologies and how they have helped improve user performance, manage capacity, and increase reliability.'

Can't find the standalone slides, unfortunately.
facebook  video  talks  lbs  load-balancing  http  https  scalability  scale  linux 
june 2015 by jm
How Plex is doing HTTPS for all its users
large-scale automated TLS certificate deployment. very impressive and not easy to reproduce, good work Plex!

(via Nelson)
via:nelson  https  ssl  tls  certificates  pki  digicert  security  plex 
june 2015 by jm
ssls.com
"Cheap SSL certs from $4.99/yr" -- apparently recommended for cheap, low-end SSL certs
ssl  certs  security  https  ops 
february 2015 by jm
Introducing Proxygen, Facebook's C++ HTTP framework
Facebook's take on libevent, I guess:
We are excited to announce the release of Proxygen, a collection of C++ HTTP libraries, including an easy-to-use HTTP server. In addition to HTTP/1.1, Proxygen (rhymes with "oxygen") supports SPDY/3 and SPDY/3.1. We are also iterating and developing support for HTTP/2.

Proxygen is not designed to replace Apache or nginx — those projects focus on building extremely flexible HTTP servers written in C that offer good performance but almost overwhelming amounts of configurability. Instead, we focused on building a high performance C++ HTTP framework with sensible defaults that includes both server and client code and that's easy to integrate into existing applications. We want to help more people build and deploy high performance C++ HTTP services, and we believe that Proxygen is a great framework to do so.
c++  facebook  http  servers  libevent  https  spdy  proxygen  libraries 
november 2014 by jm
ImperialViolet - No, don't enable revocation checking
...because it doesn't stop attacks. Turning it on does nothing but slow things down. You can tell when something is security theater because you need some absurdly specific situation in order for it to be useful.
cryptography  crypto  heartbleed  ssl  security  tls  https  internet  revocation  crls 
april 2014 by jm
Why no SSL ? — Varnish version 4.0.0 documentation
Poul-Henning Kemp details why Varnish doesn't do SSL -- basically due to the quality and complexity of open-source SSL implementations:
There is no other way we can guarantee that secret krypto-bits do not leak anywhere they should not, than by fencing in the code that deals with them in a child process, so the bulk of varnish never gets anywhere near the certificates, not even during a core-dump.


Now looking pretty smart, post-Heartbleed.
ssl  tls  varnish  open-source  poul-henning-kemp  https  http  proxies  security  coding 
april 2014 by jm
Does the heartbleed vulnerability affect clients as severely?
'Yes, clients are vulnerable to attack. A malicious server can use the Heartbleed vulnerability to compromise an affected client.'

Ouch.
openssl  ssl  security  heartbleed  exploits  tls  https 
april 2014 by jm
Mark McLoughlin on Heartbleed
An excellent list of aspects of the Heartbleed OpenSSL bug which need to be thought about/talked about/considered
heartbleed  openssl  bugs  exploits  security  ssl  tls  web  https 
april 2014 by jm
Daring Fireball: Rethinking What We Mean by 'Mobile Web'
We shouldn’t think of “the web” as only what renders in web browsers. We should think of the web as anything transmitted using HTTP and HTTPS. Apps and websites are peers, not competitors. They’re all just clients to the same services.

+1. Finally, a Daring Fireball post I agree with.
daring-fireball  apps  web  http  https  mobile  apple  android  browsers 
april 2014 by jm
High Performance Browser Networking
slides from Ilya Grigorik's tutorial on the topic at O'Reilly's Velocity conference. lots of good data and tips for internet protocol optimization
slides  presentations  ilya-grigorik  performance  http  https  tcp  tutorials  networking  internet 
november 2013 by jm
Ivan Ristić: Defending against the BREACH attack
One interesting response to this HTTPS compression-based MITM attack:
The award for least-intrusive and entirely painless mitigation proposal goes to Paul Querna who, on the httpd-dev mailing list, proposed to use the HTTP chunked encoding to randomize response length. Chunked encoding is a HTTP feature that is typically used when the size of the response body is not known in advance; only the size of the next chunk is known. Because chunks carry some additional information, they affect the size of the response, but not the content. By forcing more chunks than necessary, for example, you can increase the length of the response. To the attacker, who can see only the size of the response body, but not anything else, the chunks are invisible. (Assuming they're not sent in individual TCP packets or TLS records, of course.) This mitigation technique is very easy to implement at the web server level, which makes it the least expensive option. There is only a question about its effectiveness. No one has done the maths yet, but most seem to agree that response length randomization slows down the attacker, but does not prevent the attack entirely. But, if the attack can be slowed down significantly, perhaps it will be as good as prevented.
mitm  attacks  hacking  security  compression  http  https  protocols  tls  ssl  tcp  chunked-encoding  apache 
august 2013 by jm
How to secure your webapp
Locking down a webapp with current strict HTTPS policies.
It’s impossible to get to 100% security but there are steps you can take to secure your webapp for your users, to help mitigate against different types of attacks both against you, your webapp and your customers themselves. These are all things we’ve implemented with Server Density v2 to help harden the product as much as possible. These tips are in addition to security best practices such as protecting against SQL injection, filtering, session handling, and XSRF protection. Check out the OWASP cheat sheets and top 10 lists to ensure you’re covered for the basics before implementing the suggestions below.
https  ssl  security  web  webdev  tls 
july 2013 by jm
Improved HTTPS Performance with Early SSL Termination
This is a neat hack. Since SSL/TLS connection establishment requires lots of consecutive round trips before the connection is ready, by performing that closer to the user and reusing an existing region-to-region connection behind the scenes, the overall latency is greatly improved. Works for HTTP as well
http  https  ssl  architecture  aws  ec2  performance  latency  internet  round-trip  nginx  tls 
july 2013 by jm
Lessons in website security anti-patterns by Tesco
Troy Hunt, an Aussie software architect working on a .Net security product called ASafaWeb, does a great job extensively deconstructing Tesco's appalling website security on their shopping site. In the process, he gets this wonderful tweet from their customer-care account:

"@troyhunt Let me assure you that all customer passwords are stored securely & in line with industry standards across online retailers."

As he says, this is a clear demonstration that Tesco is in the first stage of the four stages of competence -- "unconscious incompetence": "The individual does not understand or know how to do something and does not necessarily recognise the deficit." ( http://en.wikipedia.org/wiki/Four_stages_of_competence )
tesco  security  passwords  web  http  https  ssl  funny  dot-net  shopping  uk  customer-care 
july 2012 by jm
High performance network programming on the JVM, OSCON 2012
by Erik Onnen of Urban Airship. very good presentation on the current state of the art in large-scale low-latency service operation using the JVM on Linux. Lots of good details on async vs sync, HTTPS/TLS/TCP tuning, etc.
http  https  scaling  jvm  async  sync  oscon  presentations  tcp 
july 2012 by jm
Convergence
'Convergence is a secure replacement for the Certificate Authority System. Rather than employing a traditionally hard-coded list of immutable CAs, Convergence allows you to configure a dynamic set of Notaries which use network perspective to validate your communication.
Convergence allows you to choose who you want to trust, rather than having someone else's decision forced on you. You can revise your trust decisions at any time, so that you're not locked in to trusting anyone for longer than you want.'
ssl  tls  trust  security  https  web  via:filippo  firefox  plugins  pki 
september 2011 by jm
Chrome to get HTTPS public key pinning
'Starting with Chrome 13, we'll have HTTPS pins for most Google properties. This means that certificate chains for, say, https://www.google.com, must include a whitelisted public key. It's a fatal error otherwise.' good anti-MITM protection
https  ssl  http  web  security  mitm  sniffing  chrome 
may 2011 by jm
Pound
'a reverse proxy, load balancer and HTTPS front-end for Web server(s). Pound was developed to enable distributing the load among several Web-servers and to allow for a convenient SSL wrapper for those Web servers that do not offer it natively. Pound is distributed under the GPL'
https  ssl  http  proxy  web  pound  reverse-proxy 
april 2011 by jm
ImperialViolet - Revocation doesn't work
OCSP doesn't work -- the browser vendors have failed to implement it safely
security  ssl  https  tls  ocsp  revocation  crl  via:fanf  from delicious
march 2011 by jm
Tunisian government harvesting usernames and passwords
injects JS onto Google, Facebook, Yahoo! non-encrypted login pages to submit the typed username and password against nonexistent http URLs, e.g. 'http://www.google.com/wo0dh3ad', presumably so that DPI logging can collect them. apparently the HTTPS login pages are blocked to force use of HTTP
tunisia  via:pjakma  security  snooping  surveillance  https  javascript  from delicious
january 2011 by jm
Life without a CA | The Tor Blog
do you trust the default set of root CAs in modern web browsers? sounds like we probably shouldn't
ca  certificates  https  encryption  firefox  ssl  trust  privacy  web  root-cas  from delicious
august 2010 by jm
Overclocking SSL
techie details from Adam Langley on how Google's been improving TLS/SSL, with lots of good tips. they switched in January to HTTPS for all Gmail users by default, without any additional machines or hardware
certificates  encryption  google  https  latency  speed  ssl  tcp  tls  web  performance  from delicious
july 2010 by jm
DDOS mystery involving Linux and mod_ssl
connections to brutus.apache.org, "GET / HTTP/1.1", massive HTTPS DDOS. no idea what's going on
apache  asf  ddos  https  httpd  mod_ssl  from delicious
october 2009 by jm
Public SSL Server Database
'an online service that enables you to look up the configuration of any public SSL web server. The configuration of known public SSL web servers will be periodically inspected and the results recorded. This service relies on the SSL Server Rating guide for the assessment'
ssl  grades  security  tls  https  servers  sysadmin  ssl-labs 
july 2009 by jm

related tags

android  apache  api  api-gateway  apis  apple  apps  architecture  asf  assembly  async  attacks  aws  browsers  bugs  c++  ca  certificates  certs  chrome  chunked-encoding  cloud  coding  compression  consul  crl  crls  crypto  cryptography  customer-care  daring-fireball  datawire  ddos  digicert  dot-net  ebay  ec2  elb  encryption  expiry  exploits  fabio  facebook  firefox  funny  gce  go  google  grades  hacking  haproxy  heartbleed  http  http2  httpd  https  ilya-grigorik  instagram  internet  javascript  jvm  lambda  latency  lbs  libevent  libraries  lifecycle  linux  load-balancing  microservices  mitm  mobile  mod_ssl  networking  nginx  ocsp  open-source  openssl  ops  oscon  outages  packets  passwords  perfect-forward-secrecy  performance  pki  plex  plugins  pokemon  pokemon-go  poul-henning-kemp  pound  presentations  privacy  protobuf  protocols  proxies  proxy  proxygen  proxying  python  renewal  request-routing  reverse-proxy  reversing  revocation  root-cas  round-trip  routing  rwasa  scalability  scale  scaling  security  servers  shopping  slides  sniffing  snooping  spdy  speed  ssl  ssl-labs  surveillance  sync  sysadmin  talks  tcp  tesco  tls  trust  tunisia  tutorials  uk  urls  varnish  via:fanf  via:filippo  via:nelson  via:pjakma  video  web  webdev  webhooks  x86_64 

Copy this bookmark:



description:


tags: