Igeometry Podcast

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 193:51:58

Synopsis

Free style Software engineering talk.

Episodes

  • What happens when your Web Server Private Key is Leaked?

    28/03/2021 Duration: 24min

    We have been told to take care of our private key that we use on backend servers without clear instructions as to what could happen when that key is leaked. In today’s backend engineering show I discuss exactly what could go wrong when your backend server private key is leaked. Let us discuss. Intro 0:00 What is a Certificate? 1:10 Where is the Private Key used? 4:10 TLS 1.2 with RSA 4:20 Why RSA no longer used 9:00 TLS 1.3 & TLS 1.2 Digital Signature 12:00 How often should you recycle Private Keys 19:00 Resources: https://blog.cloudflare.com/advanced-certificate-manager/ https://heartbleed.com/ https://cabforum.org/ https://en.wikipedia.org/wiki/DigiNotar https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.sec.doc/q009960_.html --- Support this podcast: https://anchor.fm/hnasr/support

  • Researcher bypasses Azure, and Cloudflare Reverse Proxy Security - HTTP/2 Smuggling (h2c)

    26/03/2021 Duration: 14min

    6 months ago, Jake Miller released a blog article and Python tool describing H2C smuggling, or HTTP/2 over cleartext smuggling. By using an obscure feature of HTTP/2, an attacker could bypass authorization controls on reverse proxies. Sean managed to leverage Jake’s original research to bypass reverse proxy rules, let's discuss. My original video on Jake’s h2c smuggling: https://youtu.be/B2VEQ3jFq6Q This article: https://blog.assetnote.io/2021/03/18/h2c-smuggling/

  • High severity flaw can crash your WebServer when using OpenSSL - Let us discuss

    26/03/2021 Duration: 17min

    On Thursday, OpenSSL maintainers released a fix for two high severity vulnerabilities, let us discuss the impact. OpenSSL two major vulnerabilities 0:00 Why OpenSSL 1:00 Bug 1 - Renegotiating TLS 1.2 (CVE-2021-3449) 3:50 Bug 2 - Cert verification bypass (CVE-2021-3450) 8:42 Update to OpenSSL 1.1.1k 12:30 Resources: https://www.openssl.org/news/vulnerabilities.html https://arstechnica.com/gadgets/2021/03/openssl-fixes-high-severity-flaw-that-allows-hackers-to-crash-servers/

  • When is NodeJS Single Threaded and when is it multi-Threaded?

    24/03/2021 Duration: 09min

    Node JS is a single-threaded, asynchronous, non-blocking JavaScript runtime, but it's not always single-threaded; there are occasions where nodejs uses multi-threading. So the questions we will try to answer in this video: when is nodejs single-threaded, when does it use multi-threading, and how will that affect my app? Event Loop single thread, that really just loops for callbacks 0:00 Threading in Node JS (libuv) 4:00 used for IO/intensive DNS queries file system reads CPU intensive crypto compression process.env.UV_THREADPOOL_SIZE=1 Examples 8:00 Cluster Nodejs 16:00 Example 1 HTTP server return 1 HTTP server while 1 HTTP server with file system read async HTTP server with file system read sync HTTP server with fetch call to server (dns) Support my work on PayPal https://bit.ly/33ENps4 Become a Member on YouTube https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join

  • Slack's Migrating Millions of Websockets from HAProxy to Envoy, let's discuss

    21/03/2021 Duration: 35min

    Slack started migrating from HAProxy to Envoy for their backend architecture. In this video, I’ll discuss their recent article when they moved the WebSockets portions, why they moved from HAProxy to Envoy and their production plans. Resources: Article https://slack.engineering/migrating-millions-of-concurrent-websockets-to-envoy/ RFC8441 https://tools.ietf.org/html/rfc8441 3:15 Websockets Crash Course https://youtu.be/XgFzHXOk8IQ 9:50 HAProxy Runtime API https://youtu.be/JjXUH0VORnE 20:00 Slack Jan 4th outage https://www.youtube.com/watch?v=dhZ5--R42AM 23:00 RFC8441 Bootstrapping Websockets HTTP/2 https://youtu.be/wLdxC9gesBs

  • Why WebSockets over HTTP/2 (RFC8441) is Critical for Effective Load Balancing and Backend Scaling

    21/03/2021 Duration: 16min

    In this video, I'll discuss RFC8441 bootstrapping WebSockets with HTTP/2, which I believe is a critical protocol to allow WebSockets tunneling to scale on the backend. We will also discuss the current state of the art of Proxy and Backend Support for this tech. Let us have a discussion. 0:00 Intro 3:00 WebSockets over HTTP/2 7:40 Proxy Supports 13:15 Browsers Supports 14:00 Summary RFC 8441 Resources: RFC8441 https://tools.ietf.org/html/rfc8441#section-4 nginx support https://trac.nginx.org/nginx/ticket/1992 haproxy support https://github.com/haproxy/haproxy/issues/162 Chrome support https://www.chromestatus.com/feature/6251293127475200 Firefox support https://bugzilla.mozilla.org/show_bug.cgi?id=1434137 envoy support https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/upgrades

  • How HTTP Compression Leaks Sessions and JWT - CRIME Explained and how HPACK in HTTP/2 fixes this

    19/03/2021 Duration: 21min

    In this video we will explore one of the most popular side attacks, CRIME (Compression Ratio Info-leak Made Easy), and the different ways to mitigate this. Intro 0:00 * HTTP/1.1 SPDY header compression 4:00 * TLS compression * Response body attackers can’t inject 13:00 * Mitigations 14:10 * HPACK/QPACK * TLS Padding

  • The Second Microsoft Global Outage in less than 6 months

    16/03/2021 Duration: 12min

    On March 15, 2021, users couldn’t sign in to Microsoft services; the majority of the impact was with Teams, but other services were affected. A similar outage happened back in Sep 2020 (I covered it here https://www.youtube.com/watch?v=0ozri9APCv0&t=68s). Microsoft 365 Service health status: https://twitter.com/MSFT365Status/status/1371546946263916545

  • Is there a Limit to Number of Connections a Backend can handle?

    16/03/2021 Duration: 19min

    In today's show, I'll answer the question: do backend connections max out? There are many aspects to this question and I want to try to tackle all of them. I'll also mention the efforts that the @Cloudflare and team are doing to improve the CONNECT with MASQUE protocol. Tune in to the Backend engineering Show with Hussein Nasser on your fav podcast player.

  • Fire Destroys Datacenter in France, Let us discuss the OVHcloud Fire

    11/03/2021 Duration: 13min

    OVHcloud is Europe's largest cloud provider, with facilities across the region. They were hit with a big fire that completely destroyed an entire datacenter. What happened? 0:00 What is the effect? 3:00 What OVH is going to do? 6:00 Resources: https://www.ovh.ie/news/press/cpl1786.fire-our-strasbourg-site http://travaux.ovh.net/?do=details&id=49484 https://twitter.com/olesovhcom/status/1369504527544705025

  • Firefox State Partitioning for Cookies Might End Evil Tracking forever

    10/03/2021 Duration: 08min

    Firefox is implementing a feature that might end website tracking, let's get into how it works. https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ https://hacks.mozilla.org/2021/02/introducing-state-partitioning/

  • Did you get logged out of GitHub? - Backend Race condition Bug discussion

    10/03/2021 Duration: 15min

    On the evening of March 8, GitHub invalidated all authenticated sessions on GitHub.com created prior to 12:03 UTC on March 8 out of an abundance of caution to protect users from an extremely rare, but potentially serious, security vulnerability affecting a very small number of GitHub.com sessions. Let us discuss. https://github.blog/2021-03-08-github-security-update-a-bug-related-to-handling-of-authenticated-sessions/

  • Chrome 90 will start communicating in HTTPS (port 443) by Default - Let us discuss

    04/03/2021 Duration: 12min

    For the longest time, all browsers have always used HTTP for schemeless URLs (when HTTP or HTTPS is not specified). Chrome is flipping this with version 90. Chapters * HTTPS by Default 0:00 * What happens Today 1:00 * What will happen in Chrome 90 4:00 * HSTS? 6:20 * Is HTTPS everywhere dead? 7:10 * How to Enable 8:20 Video https://youtu.be/XrlfX0duLKQ https://latesthackingnews.com/2021/03/01/google-will-launch-https-first-approach-with-urls-from-chrome-90

  • S3 compliant MinIO Suffers a Server Side Request Forgery vulnerability, let's discuss

    01/03/2021 Duration: 10min

    MinIO, an S3 compliant object store, suffered from a Server Side Request Forgery vulnerability in early Feb 2021, which has been fixed quickly and addressed. In this video we go through the bug and what we can learn from it.

  • Which DBMS will Implement QUIC First? Can the QUIC Protocol improve Database Performance in Web Applications?

    25/02/2021 Duration: 13min

    In this video, I discuss why QUIC will make a great communication protocol for databases and how it solves a critical problem with stateless web applications. Web applications use database connection pooling to establish database connections on the backend. But that creates other sorts of problems.

  • 3 New Ways to Crash your NodeJS Server, Update Node JS today! (Feb 2021 Security Update)

    24/02/2021 Duration: 10min

    Node.js updates are now available for the v10.x, v12.x, v14.x and v15.x Node.js release lines for the following issues. 0:00 Intro 1:50 HTTP/2 Unknown Protocol 4:24 Localhost6 DNS Rebinding 6:55 Integer overflow OpenSSL Resources: https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

  • cURL creator Daniel Stenberg threatened - The entitlement towards OSS needs to STOP!

    19/02/2021 Duration: 05min

    This is unacceptable and the entitlement towards open-source maintainers needs to STOP! Daniel’s blog https://daniel.haxx.se/blog/2021/02/19/i-will-slaughter-you/ Support curl by becoming a backer https://opencollective.com/curl#backer --- Send in a voice message: https://anchor.fm/hnasr/message

  • SRE changes a single HAProxy config, Breaks the Backend and he troubleshoots it like a champ

    19/02/2021 Duration: 07min

    Let us go through an absolutely fantastic article and journey of how a single change in HAProxy config drove this SRE into a frenzy to find out what went wrong. A fantastic read. https://about.gitlab.com/blog/2021/01/14/this-sre-attempted-to-roll-out-an-haproxy-change/?utm_medium=social&utm_source=linkedin&utm_campaign=blog

  • A Bug in Stripe Caused by AWS Lambda Serverless Design (Container re-use)

    17/02/2021 Duration: 15min

    From time to time I like to loiter on people’s GitHub repos, look through issues submitted and see if there are interesting hidden gems and bugs that would make a good lesson or learning experience, and boy did I find one for you. This bug is caused in stripe-node code in AWS Lambda serverless environment where requests are failing intermittently. We discuss how AWS serverless container re-use can cause this and how Stripe solved it. Resources: https://github.com/stripe/stripe-node/issues/1040 Intermittent Error: write EPIPE when running stripe client in AWS Lambda · Issue #1040 · stripe/stripe-node · GitHub https://aws.amazon.com/blogs/compute/container-reuse-in-lambda/

  • XMPP - Extensible Messaging and Presence Protocol (with Node JS and eJabberd)

    15/02/2021 Duration: 19min

    XMPP, or the Extensible Messaging and Presence Protocol (originally named Jabber), is an open communication protocol designed for instant messaging (IM), presence information, and contact list maintenance. It is used by almost all large messaging systems such as WhatsApp, Facebook, Google Talk and others. In this video we will go through XMPP architecture, explain how it works and then finally show how to spin up an XMPP chat server and connect to it from Node JS.
