HTTP3, cURL, RCE, Duplicati

  • HTTP/3 blog post @ Cloudflare - Nice, Cloudflare, Mozilla Firefox and Google Chrome support is coming. After that I guess most popular web-servers will be adding it also quite quickly like Apache & Nginx. Also cURL @ Wikipedia supports HTTP/3 @ Wikipedia. I keep thinking if building it over UDP is necessary (OSI layer 4), why not make it on top of network level (OSI layer 3) protocol? I personally see QUIC more like Layer 4 protocol than layer 5 protocol. Are ports required for this transport (?). There's also UDP-Lite which allows partial checksums. Are packet level checksums required with modern networking? Well, I guess they've tough it out. That's just what I've thought, when I haven't read the detailed discussions about this decision. At least HTTP/3 contains lot of features which seem to belong to layer 4 and 5. It's quite protocol mashup anyway. We've seen so many issues with TCP @ Wikipedia and TLS @ Wikipedia, I wonder what kind of new security / Denial of Service problems QUIC @ Wikipedia will introduce. Nice features: Connection migration, Zero Round Trip Time Resumption (0-RTT) and Early Data. - I wrote the text above day before, Cloudflare actually allowed me to enable the HTTP/3 for my domains. That was quick and a very nice timing. And now it's there when making requests using older protocols: "alt-svc: h3-23=":443"; ma=86400" - Thank you Cloudflare. A comparison between SCTP and QUIC - where they're thinking about the network protocol layer. Spin Bit made me smile, goods stuff, except the packet re-ordering issue. I personally would have liked bit more about absolute priority than proportional priority. Where more important packets are sent first, instead of mixing those proportionally with less important packets. Also see: HTTP/3 explained @ Haxx.se kw: HTTPv3, HTTP/3, HTTP3, HTTP v3, QUIC, SPDY, UDP, TCP, TLS 1.3, TLSv1.3, h3, QPACK
  • Yet another integration where they recommend using cURL as the primary way of making API calls. That's kind interesting to see. But it just tells that there are very different developers out there. But sure, in some cases it's just easier to call external program to make HTTPS API call, that start actually dealing with it, if you're clueless how to make it. - Just as I've blogged so many times. Sometimes doing something "right" isn't just worth of it. Making it so that it works, even if it's horrible kludge is good enough. - Also one thing which tells them about "old fashioned thinking" is that they're always talking about JSON files. What is a file? Well, it's bunch of octets. You could as well call it blob, bytes, or string (I know), set of integers etc ... One big pro of cURL approach is that upgrading the client when required is quite simple and easy task. As example, if you need support for new TLS version or HTTP/3 support or something like that.
  • This also made me wondering, that how many Remote Code Execution (RCE) there are out there. I'm 100% sure, that there are implementations which just blindly call cURL using the JSON data in quotes on the command-line. Which also makes think about the fact, that all of the implementations probably do not properly escape the JSON data. I'm also quite sure that there are lazy admins out there, whom run the integration with administrator privileges. Which means that placing right string in the JSON data, allows you to do RCE. Sounds good. Haha. Again reminds me about XKCD little bobby tables. Except you can also try CMD / BASH etc commands, not SQL only. Or the Shellshock.
  • Duplicati finally the restore and repair functions start looking better. I made some tests and the restore worked. With earlier versions the backup restore would have most probably failed completely in this situation. Still a few things to fix, but finally things are getting lot better. Because the data corruption was one of the absolutely worst issues. The corruption was only revealed when restoring data, even testing backups didn't reveal the problem. It still seems that the recovery, repair, verify, can't bring the system to consistent state. Ouch. I personally find this to be a design failure. But more about that in the longer post in Duplicati Forum, including all the dirty details.

2020-09-27