Various secure coding things. 🔼

This is likely to be just a list of links to secure coding stuff.


https://forums.theregister.com/forum/all/2021/01/29/severelibgcryptbug/

Interesting point about not having input buffers before function pointers in structs.


reported=2021-01-30 04:46:50

reporter=onefang

priority=urgent

category=General

severity=major

resolution=open


2021-04-26 17:24:56 onefang: Opt out of Googles FLOC thing.

Apparently I can tell the browser "don't do that".  Wether or not Google will comply, but at least I can try.  https://spreadprivacy.com/block-floc-with-duckduckgo/

https://www.w3.org/TR/permissions-policy-1/#introduction


2021-10-29 10:30:19 onefang: BoringSSL might be useful to replace OpenSSL?

"LibTLS is basically a very thin wrapper which constrains how you hold an

SSL library, essentially making it very hard to hold it in the wrong way.

As a nice benefit it's become a common API for abstracting away an SSL

implementation (LibreSSL, OpenSSL, BearSSL, etc)

The OpenSSL implementation here is using all of the defaults, in other

words you are assuming OpenSSL is using sane defaults which has,

historically, not been the case. But for more recent versions of OpenSSL

(1.1.1b and higher) is reasonably safe. This is also using the BIO

abstraction which is the simplest "modern" way to hold OpenSSL correctly

that I know of."

Or libressl?

"The libressl team, in the wake of heartbleed which spawned the project, eliminated tens of thousands of lines of code in the first few weeks of the project existing. That code was never going to come back."


2021-12-21 08:13:51 onefang: https://www.theregister.com/2021/03/08/postspectreprogramming/


2022-11-22 06:48:25 onefang: Maybe -fsantiize=address,undefined

And it might have friends.


2022-11-22 07:28:49 onefang: Spin might be useful, it's in the Devuan repos.


2023-03-16 05:13:16 onefang: Instead of sending a URL to click on for email validation, send a code they have to copy to their account.

Or send both, and have the link tell them off for clicking email links.  Muahahaha!


2023-07-29 06:43:19 onefang: Double check I'm doing this right https://www.theregister.com/2023/07/29/cisansaidor_australia/


2024-02-17 00:03:29 onefang: I've seen someone fishing for what I think is a wordpress login page.  So double check I'm dealing with shit like

/opt/opensim_SC/../../../../../../etc/passwd