Igeometry Podcast

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 189:59:06

Information:

Synopsis

Free-style software engineering talk.

Episodes

  • How HTTP Compression Leaks Sessions and JWT - CRIME Explained and how HPACK in HTTP/2 fixes this

    19/03/2021 Duration: 21min

    In this video we will explore one of the most popular side-channel attacks, CRIME (Compression Ratio Info-leak Made Easy), and the different ways to mitigate it.

    Chapters:
      * Intro 0:00
      * HTTP/1.1 SPDY header compression 4:00
      * TLS compression
      * Response body attackers can't inject 13:00
      * Mitigations 14:10
        * HPACK/QPACK
        * TLS Padding

    --- Support this podcast: https://anchor.fm/hnasr/support

  • The Second Microsoft Global Outage in less than 6 months

    16/03/2021 Duration: 12min

    On March 15, 2021, users couldn't sign in to Microsoft services; the majority of the impact was with Teams, but other services were affected. A similar outage happened back in Sep 2020 (I covered it here: https://www.youtube.com/watch?v=0ozri9APCv0&t=68s).

    Microsoft 365 Service health status: https://twitter.com/MSFT365Status/status/1371546946263916545

  • Is there a Limit to Number of Connections a Backend can handle?

    16/03/2021 Duration: 19min

    In today's show, I'll answer the question: do backend connections max out? There are many aspects to this question and I want to try to tackle all of them.

    I'll also mention the efforts that @Cloudflare and team are doing to improve CONNECT with the MASQUE protocol.

    Tune in to the Backend Engineering Show with Hussein Nasser on your fav podcast player.

  • Fire Destroys Datacenter in France, Let us discuss the OVHcloud Fire

    11/03/2021 Duration: 13min

    OVHcloud is Europe's largest cloud provider, with facilities across the region. They were hit with a big fire that completely destroyed an entire datacenter.

    Chapters:
      * What happened? 0:00
      * What is the effect? 3:00
      * What is OVH going to do? 6:00

    Resources:
      * https://www.ovh.ie/news/press/cpl1786.fire-our-strasbourg-site
      * http://travaux.ovh.net/?do=details&id=49484
      * https://twitter.com/olesovhcom/status/1369504527544705025

  • Firefox State Partitioning for Cookies Might End Evil Tracking forever

    10/03/2021 Duration: 08min

    Firefox is implementing a feature that might end website tracking; let's get into how it works.

    Resources:
      * https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
      * https://hacks.mozilla.org/2021/02/introducing-state-partitioning/

  • Did you get logged out of GitHub? - Backend Race condition Bug discussion

    10/03/2021 Duration: 15min

    On the evening of March 8, GitHub invalidated all authenticated sessions on GitHub.com created prior to 12:03 UTC on March 8, out of an abundance of caution, to protect users from an extremely rare, but potentially serious, security vulnerability affecting a very small number of GitHub.com sessions.

    Let us discuss: https://github.blog/2021-03-08-github-security-update-a-bug-related-to-handling-of-authenticated-sessions/

  • Chrome 90 will start communicating in HTTPS (port 443) by Default - Let us discuss

    04/03/2021 Duration: 12min

    For the longest time, all browsers have always used HTTP in schemeless URLs (when HTTP or HTTPS is not specified). Chrome is flipping this with version 90.

    Chapters:
      * HTTPS by Default 0:00
      * What happens today 1:00
      * What will happen in Chrome 90 4:00
      * HSTS? 6:20
      * Is HTTPS Everywhere dead? 7:10
      * How to enable 8:20

    Video: https://youtu.be/XrlfX0duLKQ
    https://latesthackingnews.com/2021/03/01/google-will-launch-https-first-approach-with-urls-from-chrome-90

  • S3-compliant MinIO Suffers a Server Side Request Forgery Vulnerability, Let's Discuss

    01/03/2021 Duration: 10min

    MinIO, an S3-compliant object store, suffered from a Server Side Request Forgery vulnerability in early Feb 2021, which was quickly fixed and addressed. In this video we go through the bug and what we can learn from it.

  • Which DBMS will Implement QUIC First? Can the QUIC Protocol improve Database Performance in Web Applications?

    25/02/2021 Duration: 13min

    In this video, I discuss why QUIC will make a great communication protocol for databases and how it solves a critical problem with stateless web applications. Web applications use database connection pooling to establish database connections on the backend, but that creates other sorts of problems.

  • 3 New Ways to Crash your NodeJS Server, Update Node JS today! (Feb 2021 Security Update)

    24/02/2021 Duration: 10min

    Node.js updates are now available for the v10.x, v12.x, v14.x and v15.x Node.js release lines for the following issues.

    Chapters:
      * 0:00 Intro
      * 1:50 HTTP/2 Unknown Protocol
      * 4:24 Localhost6 DNS Rebinding
      * 6:55 Integer overflow in OpenSSL

    Resources: https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

  • cURL creator Daniel Stenberg threatened - The entitlement towards OSS needs to STOP!

    19/02/2021 Duration: 05min

    This is unacceptable and the entitlement towards open-source maintainers needs to STOP!

    Daniel's blog: https://daniel.haxx.se/blog/2021/02/19/i-will-slaughter-you/

    Support curl by becoming a backer: https://opencollective.com/curl#backer

    --- Send in a voice message: https://anchor.fm/hnasr/message

  • SRE changes a single HAProxy config, Breaks the Backend and he troubleshoots it like a champ

    19/02/2021 Duration: 07min

    Let us go through an absolutely fantastic article and journey of how a single change in an HAProxy config drove this SRE into a frenzy to find out what went wrong. A fantastic read.

    https://about.gitlab.com/blog/2021/01/14/this-sre-attempted-to-roll-out-an-haproxy-change/?utm_medium=social&utm_source=linkedin&utm_campaign=blog

  • A Bug in Stripe Caused by AWS Lambda Serverless Design (Container re-use)

    17/02/2021 Duration: 15min

    From time to time I like to loiter on people's GitHub repos, look through the issues submitted and see if there are interesting hidden gems and bugs that would make a good lesson or learning experience, and boy did I find one for you. This bug occurs in stripe-node code in the AWS Lambda serverless environment, where requests are failing intermittently. We discuss how AWS serverless container re-use can cause this and how Stripe solved it.

    Resources:
      * https://github.com/stripe/stripe-node/issues/1040 (Intermittent Error: write EPIPE when running stripe client in AWS Lambda · Issue #1040 · stripe/stripe-node · GitHub)
      * https://aws.amazon.com/blogs/compute/container-reuse-in-lambda/

  • XMPP - Extensible Messaging and Presence Protocol (with Node JS and eJabberd)

    15/02/2021 Duration: 19min

    XMPP, or the Extensible Messaging and Presence Protocol (originally named Jabber), is an open communication protocol designed for instant messaging (IM), presence information, and contact list maintenance. It is used by almost all large messaging systems such as WhatsApp, Facebook, Google Talk and others. In this video we will go through the XMPP architecture, explain how it works and then finally show how to spin up an XMPP chat server and connect to it from Node.js.

  • How timeouts can make or break your Backend load balancers

    15/02/2021 Duration: 21min

    In this video I go over the critical timeouts on a proxy system such as a reverse proxy or load balancer and how you can configure each one to protect against attacks or outages. Nginx and HAProxy are just a few of the proxies that you can configure to be load balancers.

  • He Hacked Into Apple and Microsoft with this genius trick

    11/02/2021 Duration: 16min

    Guys, this is absolutely genius and nuts! I have never seen anything like this before. This guy got access to a PayPal JSON file and saw some private packages, created public ones with a similar name and then made them do bad things. Then, because firewalls will shut those down, he used DNS; DNS requests are practically safe, so firewalls allow them.

    11:05 Chrome root

    https://youtu.be/qpC1YH0FhuY
    https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

  • CQRS is probably the cause of the Microservices madness

    07/02/2021 Duration: 07min

    Reads and writes don't have to live in the same database, data model or even the same service. Let us discuss CQRS.

      * No separation: one service that does read/write
      * Partial separation: you can keep one service, but the backend has multiple connections with different users to the same database
      * Full separation: read services / write services, two databases, OLAP / OLTP

    Pros: scalability, security
    Cons: complex and very hard to follow, what we see with microservices..

    Resources:
      * https://martinfowler.com/bliki/CQRS.html
      * http://codebetter.com/gregyoung/2010/02/16/cqrs-task-based-uis-event-sourcing-agh/

  • Can China Block the New Encrypted Client Hello TLS Extension? Let us Discuss

    07/02/2021 Duration: 29min

    In this video, I will discuss the new TLS extension Encrypted Client Hello, which is a new mechanism to encrypt the entire client hello; very interesting and elegantly designed, but I have a few reservations and criticisms. Let us discuss.

    Chapters:
      * Intro 0:00
      * Classic TLS with SNI 7:00
      * ESNI 9:30
      * ECH 12:30
      * Limitations and Problems 21:00

    Let's say the backend server hosts example.com with the cert of example.com, and let us call this the "real" SNI. To support ECH, the same server should also host a client-facing cert; let's call it server-ech.com, with the corresponding server-ech.com cert. So your server IP address is hosting two domains: example.com and server-ech.com (just to support ECH). So when you perform an oDoH/DoH query looking for example.com, you will get back the IP address of example.com (which is the same IP address as server-ech.com); you will also get the ephemeral public key of example.com from the HTTPSSVC DNS record. This will be used to encrypt the inner client hello, and finally, you will get a record of the

  • UUIDs are Bad for Performance in MySQL - Does Postgres Win? Let us Discuss

    04/02/2021 Duration: 21min

    MySQL is clustered by default on the primary key, which means inserts have to be ordered. Let us discuss why UUID (random in nature) has bad performance in MySQL and whether Postgres wins here. We will also explain why sequential writes are faster than random in MySQL and

    https://www.percona.com/blog/2019/11/22/uuids-are-popular-but-bad-for-performance-lets-discuss/

  • They Freed up 70GB of Unused Indexes Space on Postgres, How did they Do it?

    02/02/2021 Duration: 18min

    This is a very interesting article that I encourage you to read, as it has lots of useful lessons in Postgres. Using partial indexes, full vacuum, dropping unused indexes and much more helped this company save 70GB worth of disk space.

    https://hakibenita.com/postgresql-unused-index-size
