by dbdbPosted on Posted in all 2 Comments ↓

So I spent a bit of time debugging something this am, and I thought I would share. Its super detailed, so feel free to gloss over.

There is a class of browser-security issues addressed by CORS. They are meant to prevent inadvertent (or malicious) cross-origin resource sharing. E.g. some javascript in your current web page posts a password.

I am using Istio. It magically takes the CORS origin and rewrites it. So if you do a:

GET /
Origin: foo

then it will respond:

200 OK
Access-Control-Allow-Origin: *

*if* its configured for '*' policy.

Now, the problem is, I have two clients that are using OpenID Connect. They are fetching the keys for jwks validation. They run in the same browser. One of them does:

GET /keys
Origin: app-1

the other does

GET /keys
Origin: app-2

Unfortunately, the browser *caches* the 2nd response, returning the response app-1 got (with the wrong Access-Control-Allow-Origin) in it.

Why? Well, let's dive into some specs. Here we find the answer.

If CORS protocol requirements are more complicated than setting `Access-Control-Allow-Origin` to * or a static origin, `Vary` is to be used. [HTML] [HTTP] [HTTP-SEMANTICS] [HTTP-COND] [HTTP-CACHING] [HTTP-AUTH]

Huh. I'm supposed to add a 'Vary' header to these. But, sadly, I am not in control of these applications. What is one to do? RTFC for envoy?

To work around Vary Origin header in apps needing CORS, I should:

View Results

Loading ... Loading ...

by dbdbPosted on Posted in all 1 Comment ↓

Apply early, apply often, tell all your friends, particularly if they want to get down and dirty with the inner workings of the big fluffy cloud called computing.

https://www.workintech.ca/job-details/10757/cloud-security-hacker/

And while I'm begging, feel free to follow us in Linkedin. Or Twitter. or why not both!

 

by dbdbPosted on Posted in all 2 Comments ↓

So last year I installed a whole lot of LED bulbs. Power dropped off, great.

 

One area that got new bulbs was the porchlight. This was 2 sconces, outdoors but covered (both covered by the overhang and covered by the sconce). So not a 'wet' environment per se. Into this were installed a pair of 'corn-cob' lights.

Fast forward a year and they have both failed. So, lets have a quick look.

First, we discover that the 'open' nature of these bulbs (let the heat out) allows a variety of small inects in. Nice. Crusty.

Now lets look inside.

Um, yes that is the high-voltage power supply just flapping around. The tape is just to lightly insulate it from the metalised plastic sides. No structural support. Great. It was more or less supported by those two wires that were tacked to the bottom to a could of pads. Hmm.

Now, i'm not sure what output voltage that supply is meant to give (e.g. the parallel/series arrangement of the LED's). My bench supply only goes to 30V and that was not enough to light (so either we have burnt-out LED in series, or >30V). If we count the LED, we se there are 15 per row, my guess would be all in series.

Let's have a closer look at this supply. Its not a capacitive dropped, and it is isolated galvanically by the transformer (but not really by the tape, and there are no cutouts on the PCB). The soldering looks kinda crusty, so the board was not likely cleaned. Of course, it has been somewhat out side, so that could be garden variety rust too... No conformal coat here.

the writing on the IC is a bit hard to make out, 'TROWER'(?) TP8533A maybe? its below if you want to have a shot at CSI-enhance. (update: datasheet attached).

the meter suggests maybe this is 5S3P arrangement, so ~10-12V output?

O well, bought another two. These are not that cheap (in $). Hmm.

by dbdbPosted on Posted in all No Comments ↓

Stack Overflow has just released their survey. Turns out I am the 1.0%. If you are in the 20.5% and looking to trade, I'm game.

by dbdbPosted on Posted in all No Comments ↓

Last year I wrote about the mysterious feeding setup at the 101/Millbrae Ave overpass. It looks very lush and tropical and isolated in the below picture: its not. This is a very industrial location beside an airport and major highway.

After many days of walking over this bridge and peering down at the feeding setup (its large, ~10 feeders, a few boxes, etc), today I spotted a customer. That little blob of white fur.

I'm not sure who's trekking across all the traffic and 'reclaimed water ponds' to get there, but, well, it seems you have at least one happy customer.