Errors, WebAuthn, Protocols, Zenbleed, Transactions
About error handling: it happens so often that errors are reported even when there is no error. This is a ridiculously common theme throughout the ages. As an example, one friend complained that he was getting 416 errors while resuming transfers. - Doh? You already got the whole file, there's nothing to resume. So you can't resume downloading from the last byte of the file. - The same kind of issues happen over and over again, with badly implemented protocols and logic. - So many integration and banking protocols, and other s**t, fail with a similar pattern. - One integration I'm right now preparing for production would also have failed similarly, unless I had pressed the people designing the API and status handling about not designing s**t and causing totally predictable problems.
A too-long discussion about Forward Secrecy (FS): many people don't seem to understand that re-keying constantly isn't really that useful. It's a totally natural trade-off not to re-key after every message or so.
Security Keys (FIDO2, WebAuthn, CTAP2) - Still broken with Google & Firefox, so annoying. I'm wondering how many years it will take before they manage to fix this one. Most interestingly, it works perfectly with Outlook (Microsoft), WebAuthn.io and basically all sites other than Google. Have they intentionally started to sabotage features, forcing people to use their own Passkeys? Or maybe it just doesn't work because I'm not using Google Chrome. Classic. We support open standards, but you'll need to. You know.
SimpleX Chat v5.2 released (@ simplex.chat) - Absolutely excellent post! Covered all the issues and topics I've been questioning and wondering about. Also it didn't contain any lies, which usually upset me.
A too-long discussion about email security, encryption, audits, weaknesses of different services, protocols, clients. Oh well, yeah. It's a mess. Yet it shouldn't surprise anyone.
SimpleX v5.3 released, with desktop client(s), nice! Also, when rooms v2 come out, if the design isn't changed, it interestingly solves the redundancy problem too, because then you have parallel channels to use in case one goes down, i.e. the multi-host model.
A long discussion about very bad protocol and application design. As an example, how setting too-short timeouts can make services unusable in large parts of the world. Assuming that networking is always fast and low-latency just doesn't always work out.
Based on some analysis my friend made, it seems that emails sent from Thunderbird with OpenPGP encryption are mangled by Outlook mail servers. Quite annoying, a clear attempt to sabotage the usability of encrypted emails which Microsoft can't read. What's technically happening? Microsoft Outlook is modifying the message content, breaking encrypted messages.
Military Grade Encryption, they say. The TETRA:BURST vulnerability, which allows trivial decryption of encrypted traffic in minutes, in encrypted police and military radio category devices. Schneier wrote: "Looks like the encryption algorithm was intentionally weakened by intelligence agencies to facilitate easy eavesdropping."
AMD Zenbleed (@ TomsHardware) - I guess this is the reason why some instances completely forbid using the public cloud: you don't know what's gonna leak and when. Information about this flaw was also released to the public way before patches were available in the microcode. - Duh!
Excellent talk from Andy Jones about the Maersk cyber attack (@ YouTube) - A highly recommended talk. Layered security, the principle of least privilege and network segmentation.
Lots of frustrating work debugging transactional (atomicity) issues with some database transactions (T-SQL) in an old code base. Sometimes transactions get partially committed, sometimes content is lost, results are wrong, etc. It seems that whoever wrote this code didn't know how to do it correctly.
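The partial-commit failure mode described above, as an added T-SQL example that is not code from the post or from the code base it talks about; the dbo.Account table, its CHECK constraint and the dbo.Transfer procedure are constructed here. Without SET XACT_ABORT ON and TRY/CATCH, a constraint violation only terminates the statement that caused it, the rest of the batch keeps running and COMMIT persists half the work; the fixed version makes the whole transaction succeed or fail together and re-raises the error to the caller.

```sql
-- Constructed demo schema (not from the post); the CHECK constraint is what makes the first UPDATE fail.
CREATE TABLE dbo.Account (
    Id      int            NOT NULL PRIMARY KEY,
    Balance decimal(18, 2) NOT NULL CHECK (Balance >= 0)
);
INSERT INTO dbo.Account (Id, Balance) VALUES (1, 10.00), (2, 0.00);
GO

-- Broken pattern: no XACT_ABORT, no TRY/CATCH. The CHECK violation (error 547) on the first
-- UPDATE is a statement-terminating error only: the transaction stays open, the batch keeps
-- running, the second UPDATE succeeds and COMMIT persists it. Account 2 is credited with
-- money that was never debited from account 1: a partial commit.
BEGIN TRANSACTION;
UPDATE dbo.Account SET Balance = Balance - 50.00 WHERE Id = 1;  -- fails, 10 - 50 < 0
UPDATE dbo.Account SET Balance = Balance + 50.00 WHERE Id = 2;  -- still executes
COMMIT TRANSACTION;                                             -- commits half the work
GO

-- Fixed pattern: XACT_ABORT makes any run-time error doom the transaction, TRY/CATCH rolls
-- it back explicitly and re-raises, so the caller cannot mistake failure for success.
CREATE PROCEDURE dbo.Transfer
    @From int, @To int, @Amount decimal(18, 2)
AS
BEGIN
    SET NOCOUNT ON;
    SET XACT_ABORT ON;
    BEGIN TRY
        BEGIN TRANSACTION;
        UPDATE dbo.Account SET Balance = Balance - @Amount WHERE Id = @From;
        IF @@ROWCOUNT <> 1 THROW 50001, 'Source account not found.', 1;
        UPDATE dbo.Account SET Balance = Balance + @Amount WHERE Id = @To;
        IF @@ROWCOUNT <> 1 THROW 50002, 'Destination account not found.', 1;
        COMMIT TRANSACTION;
    END TRY
    BEGIN CATCH
        -- XACT_STATE() is -1 (uncommittable) or 1 (still open) after an error;
        -- 0 means there is no open transaction and nothing to roll back.
        IF XACT_STATE() <> 0 ROLLBACK TRANSACTION;
        THROW;  -- re-raise the original error number, message and state
    END CATCH
END;
GO

-- Reset the constructed data, then run the same transfer through the fixed procedure:
-- error 547 is raised to the caller and neither account changes.
UPDATE dbo.Account SET Balance = 10.00 WHERE Id = 1;
UPDATE dbo.Account SET Balance = 0.00 WHERE Id = 2;
EXEC dbo.Transfer @From = 1, @To = 2, @Amount = 50.00;
```

Checking @@TRANCOUNT before and after each call from the application side is a cheap way to catch the older pattern in a legacy code base: a non-zero count after a call means someone left a transaction open.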
Something not so different? Nobody cares about your blog (@ alexmolas.com) - Very nice post indeed, thanks.
2024-06-09