Ric Johnson opendomain

RSA APIs in .NET - a crypto-trek rant

The stardate is 2017-06. In your .NET Enterprise mission to seek out biweekly paychecks you find yourself in need of RSA encryption. You check MSDN and do:

var rsa = RSA.Create();

Problem: the default RSA key size is 1024 (insecure).

You know about it because you've learned long ago that the only way to use .NET crypto APIs correctly is by reading implementation internals - you've seen 1024 hardcoded in the ctor. Defaults are forever, since "the needs of many outweigh the needs of the few" and all that. Fine, you'll set the key size explicitly. You double check MSDN again just to make sure that rsa.KeySize should do the job:

AssymmetricAlgorithm.KeySize: Gets or sets the size, in bits, of the key modulus used by the asymmetric algorithm.

FWIW: I (@rondy) am not the creator of the content shared here, which is an excerpt from Edmond Lau's book. I simply copied and pasted it from another location and saved it as a personal note, before it gained popularity on news.ycombinator.com. Unfortunately, I cannot recall the exact origin of the original source, nor was I able to find the author's name, so I am can't provide the appropriate credits.

Effective Engineer - Notes

By Edmond Lau
Highly Recommended 👍
http://www.theeffectiveengineer.com/

What's an Effective Engineer?

prologue

Why another tutorial? Because there are other tutorials which write a server - client or maybe a client client where they have only two clients, maybe by hardcoding ips.

<rant>
  What annoys me more is, that there are 100's of same tutroials on the internet, 
 that just works for a given scenario, but guess what, I don't fucking care what works

Stuff I wish I'd known sooner about service workers

I recently had several days of extremely frustrating experiences with service workers. Here are a few things I've since learned which would have made my life much easier but which isn't particularly obvious from most of the blog posts and videos I've seen.

I'll add to this list over time – suggested additions welcome in the comments or via twitter.com/rich_harris.

Use Canary for development instead of Chrome stable

~~Chrome 51 has some pretty wild behaviour related to console.log in service workers. Canary doesn't, and it has a load of really good service worker related stuff in devtools.~~

Calling `alert` from WebAssembly (WASM)

This very simple and minimal tutorial documents in a few easy steps how to play with WebAssembly (WASM) and get first results within minutes.

While the code below is mostly useless, it will show, how to call the alert function from within a WASM file and thus demonstrate how to import and export DOM objects.

Of course, this exercise has no real use. It is just meant to show, that getting started with WASM isn't hard. And there is no need for a complex build-chain, tons of tools or a dedicated VMs. Just use a browser, one online tool and that's it.

And Now?

Vespucci

Vespucci is a proposed protocol that uses the Bitcoin blockchain for decentralized application discovery.

Although there have been other proposals on this topic, Vespucci is to my knowledge the first one that does not require the entire blockchain to be downloaded. This results in a massive performance improvement.

The Problem

In order for an application to join a P2P network, the application must somehow find the IP address of one or more peers to connect to. This is called bootstrapping, and it can be difficult. BitTorrent and Bitcoin clients typically include hard-coded addresses of bootstrapping nodes, long-lived server nodes. This works well for established P2P networks with multiple bootstrap nodes like Bitcoin and BitTorrent. It doesn't work well for new and/or small P2P networks, because a small network might only have a single bootstrap node, creating a single point of failure.

This blog post series has moved here.

You might also be interested in the 2016 version.

	#include "mbedtls/md.h"
	#include "mbedtls/base64.h"

	#include <UrlEncode.h>

	String createNonce() {
	String n;

	n.reserve(32);

	#! /bin/bash
	set -euo pipefail

	# This script will remove automatic association for all networks not listed in the whitelist
	# passed as the first argument. Passwords will NOT be removed from the Keychain.
	#
	# Alternatively, you can untick "Remember networks" in Network Preferences > Wi-Fi > Advanced,
	# but then you won't be able to auto-join networks even temporarily, and you might already
	# have a long list to go through.
	#

	From the root directory of your Chrome extension:

	grep -r " chrome\." . \| sed s/.chrome\./\"/g \| sed s/\(./#Browser_compatibility/ \| sed s/[.]/\\//g \| sed s/./https:\\/\\/developer\.mozilla\.org\\/Add-ons\\/WebExtensions\\/API\\// \| sort \| uniq

	Hopefully you'll get something like this:

	https://developer.mozilla.org/Add-ons/WebExtensions/API/i18n/getMessage#Browser_compatibility
	https://developer.mozilla.org/Add-ons/WebExtensions/API/runtime/sendMessage#Browser_compatibility
	https://developer.mozilla.org/Add-ons/WebExtensions/API/storage/local/get#Browser_compatibility
	https://developer.mozilla.org/Add-ons/WebExtensions/API/storage/local/set#Browser_compatibility