Leaks, SHA-1 Collision, And Brotli – Smashing Magazine





Phew, what a week! Due to an HTML-parsing bug, Cloudflare experienced a major data leak, and the first practical collision for SHA-1 was revealed as well. We should take these events as an occasion to reconsider whether a centralized front-end load balancer that modifies your traffic is a good idea after all. And it’s definitely time to upgrade your TLS certificate if you still serve SHA-1, too. Here’s what else happened this week.

Further Reading on SmashingMag:

News

General

Tools & Workflows

  • Joseph Zimmerman introduces us to Webpack [10]. What I really like about this article is that it’s not another article sharing pre-built sets of configurations, but that it explains every detail step by step.
  • Oh shit, git! [11] Don’t be afraid of git anymore thanks to this emergency guide that helps you solve the most common problems with the version control system.
Oh shit, git! [12]
Something went wrong in Git, but you don’t know how to get yourself out of the mess? “Oh shit, git! [13]” has got your back.

Security

  • Mitigating Cross-Site Request Forgery attacks has never been easy. Luckily, it seems that we now have a proper solution for it: Same-Site Cookies [14]. The only thing you need to do to make it work is to add the SameSite attribute to your existing Set-Cookie header. Of course, you should know how same-site cookies differ from “normal” cookies, but for most sites this should be easy to implement.
  • A joint venture of five journalists researched how the private security industry works and what price we as citizens pay for our security [15].

Privacy

  • It’s not your computer that is the most vulnerable device, it’s your smartphone. In fact, for a small amount of money, anyone can easily buy spyware [16] that works on most Android phones. For iOS, things look a bit better unless the device is jailbroken. But this doesn’t necessarily mean that spyware doesn’t exist for that system as well.

Web Performance

Brotli support [18]
With support in Chrome, Firefox, Opera and the Android browser, Brotli does a better job at compressing resources [19] than its predecessor Gzip.

JavaScript

Going Beyond…

AirInk [23]
Turn something ugly into something beautiful: A team at the MIT Media Lab developed artist’s ink made from air pollution. (Image credit [24])

And with that, I’ll close for this week. If you like what I write each week, please support me with a donation [25] or share this resource with other people. You can learn more about the costs of the project here [26]. It’s available via email, RSS and online.

— Anselm

  1. https://www.smashingmagazine.com/2016/10/next-generation-server-compression-with-brotli/
  2. https://www.smashingmagazine.com/2015/12/making-accessibility-simpler/
  3. https://www.smashingmagazine.com/2014/05/team-collaboration-closing-efficiency-gaps-responsive-design/
  4. https://www.smashingmagazine.com/2015/07/development-to-deployment-workflow/
  5. https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
  6. https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
  7. https://webkit.org/blog/7423/release-notes-for-safari-technology-preview-24/
  8. https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/
  9. https://ana-balica.github.io/2017/02/21/code-review-checklist/
  10. https://www.smashingmagazine.com/2017/02/a-detailed-introduction-to-webpack/
  11. http://ohshitgit.com/
  12. http://ohshitgit.com/
  13. http://ohshitgit.com/
  14. https://scotthelme.co.uk/csrf-is-dead/
  15. https://thecorrespondent.com/10221/security-for-sale-the-price-we-pay-to-protect-europeans
  16. https://motherboard.vice.com/en_us/article/i-tracked-myself-with-dollar170-smartphone-spyware-that-anyone-can-buy
  17. https://www.voorhoede.nl/en/blog/static-site-implosion-with-brotli-and-gzip/
  18. https://www.voorhoede.nl/en/blog/static-site-implosion-with-brotli-and-gzip/
  19. https://www.voorhoede.nl/en/blog/static-site-implosion-with-brotli-and-gzip/
  20. https://medium.com/@matuzo/writing-javascript-with-accessibility-in-mind-a1f6a5f467b9
  21. https://www.kickstarter.com/projects/1295587226/air-ink-the-worlds-first-ink-made-out-of-air-pollu
  22. http://transit.iee.ucsb.edu/research/computing/projects
  23. https://www.kickstarter.com/projects/1295587226/air-ink-the-worlds-first-ink-made-out-of-air-pollu
  24. https://www.kickstarter.com/projects/1295587226/air-ink-the-worlds-first-ink-made-out-of-air-pollu
  25. https://wdrl.info/donate
  26. https://wdrl.info/costs/


Anselm Hannemann is a freelance front-end developer and architect and cares about sustainable front-end experiences and ethical choices in life. He curates the WDRL, a weekly handcrafted web development newsletter that thousands of developers love and subscribe to.
