2018 September Assorted Links

Little late... I've been dragging my feet as on writing as I've become irritated (maybe for the final time) in the direction Ghost is headed. I've been mucking about with Hugo and am trying to decide on exactly how I want things to look before transitioning.

Culture

Technology

  • There seems to be rising skepticism towards using Google Chrome due to release 69 effectively bundling the concept of logging into a google service and using the browser. There is a well written article here about the phenomena. This apparently also impacts Chromium. For those who are willing to try it, Firefox has been making some big leaps lately.
  • Monitor has been announced by firefox, similar to (or maybe drawing from) haveibeenpwned, it seems like a nice service to have looking out for you. The best part is the landing page that offers six pretty fundamental forms of advice for hygenic computing (the sixth is a self referencing plug, however its a good idea to have some sort of alerting mechanism for your online identities).
  • TLS1.3 is in the wild now with many distros moving the OpenSSL packages to 1.1.1. If you're coming to this site with a modern browser you likely will be using TLS1.3, however I've left TLS1.2 enabled for the time being due to the Mozilla project not having updated it's recommendations (Might be being tracked through this ticket). Dropping TLS1.2 in favor of the simpler TLS1.3 is a goal, and it's likely that browsers are already prepared for this, but I'm betting that there are going to be some wonky problems with mobile libraries on phones that applications rely on (e.g. this riot-android issue).
  • As a side note I've seen that Observatory is ranking Subresource Integrity now with a -50 rating... which is pretty aggressive compared to all of their other rankins (This site is now a D as it's transntioned to TLS1.3. It appears that I'd have to transntion from Ghost to something else if this was of a concern of mine.
  • SNI is likely not long for this world, cloudflare has recently announced ESNI as a solution for people want traversal through their ecosystem. It's something that will be causing a lot of headaches for network operators who wanted to see where people were headed with their encrypted traffic, but it's for the best as it's one of the last major gaps in online privacy (DNS being another one). Likely this is going to add some complexity for my own web facing deployments, either pushing me towards snarfing up more addresses at a cost, or instead doing SAN certificates. I'll be looking to dig into this when browser support for ESNI hits in Firefox.
  • Mullvad who I've recommended in this article has been publicising an audit of their client application, which is primarily focused on protocls that are not as interesting as wireguard... but it is nice to see they are prioritizing external oversight on their implementations.
  • Was a post this week on a comprimising vector for iDRAC called iDRACULA. There was a good post on what BMC is in practice. One thing I'd never been aware of was the OpenBMC project. For someone who just needs SSH and SOL it looks like it would be an awesome alternative to trusting OEMs.
  • This is funny
  • A good map of Linux performance tools
  • An interesting post on using haproxy to handle both SSL/TLS and SSH on the same port. Would be a nice form of obscurity. This post might be a simpler form of implementing the same thing if you don't have the need for VPN as well. This post seems even better.
  • Encoding media is incredibly interesting (watch those videos, seriously watch them right now). AV1 is a super interesting next generation approach. Recently spotted the Dav1d project with "The goal of this project is to provide a decoder for most platforms, and achieve the highest speed possible to overcome the lack of AV1 hardware decoder".
  • The first UEFI rootkits are seen in the wild, Hn discussion about it here.
  • A well written article on the upcoming security approaches for Zephyr and Fuschsia.
  • purism announced a partnership with nitrokey called librem key, Hn discussed here which led me to this talk on heads.

Analysis