> If I can get the site to distribute malicious JS, why couldn’t I also get it to distribute the correct hash for my JS?

Yeah, I mentioned that "the server hosting the hash" could be compromised too – but it's worth emphasizing that it needs to be a *different* server than the primary one, or the whole exercise is pointless.

Assuming a separate server, though, it should be easy to secure if it only needs to serve static text.


> Hashes require things to be exactly identical. Bit for bit.

Yeah, of course 😁

> as soon as you introduce load balancers, CDNs, reverse proxies and the other ephemera that come with scaling up, getting a bit for bit identical fetch is trickier

Hmm, I'm unconvinced.

I mean, sure, scaling up would (like always) make it harder. But we're just hashing the HTML, not the headers – and CDNs/etc. mostly don't mess with the content. Indeed, many use ETags, so they already depend on a content hash.

Publishing a content hash would mean that the site couldn't roll out changes to their login page daily (contra the current CI/CD mantra). But a high security application really ought to version its releases, even for a web app (and, indeed, Bitwarden does: bitwarden.com/help/releasenote)

So each release would be a time when users/extensions would update their known-good hash.

All of ^^^^ seems workable. But it also seems obvious enough that I wonder if I'm missing a big flaw. Any thoughts?


If the hash of the main HTML document matches, that would mean that it requests all the same javascript files. A malicious server could mess with the content of those JS files. But JS already has the <script> "integrity" tag to check each script's contents against a known-good hash, developer.mozilla.org/en-US/do

So, any change in any requested script (or CSS) would flunk the integrity check unless the HTML's hash gets updated – but changing *that* would make the HTML's hash flunk.



> couldn't a site mitigate [the amount of trust in the server that client-side WebAuthn requires] by publishing a hash of the document HTML – basically like SSH's known_hosts?

To flesh that out, I'm imagining a site (eg, bitwarden) posting the hash of the HTML for their login page so that users can check the login page's actual hash against it (manually or maybe with an extension?)

Of course, the server hosting the hash could be compromised too, but it's a static page – a low surface area!



The biggest flaw I've heard with WebAuthn/other attempts to do security critical or zero-trust tasks in client-side JS: even if you're *theoretically* not trusting the server with your secrets, you're *still* trusting them not to be so thoroughly compromised/malicious that they send malicious JS (which of course gets re-downloaded on each visit). See e.g., github.com//bitwarden/web/issu

But couldn't a site mitigate that by publishing a hash of the document HTML – basically like SSH's known_hosts?


Did some by-hand curation of my proposed word list that 1Password should adopt


Should I tweet it at them?


> Did some by-hand curation of my proposed word list that 1Password should adopt

> github.com/sts10/generated-wor

Very cool!

What was your methodology for this list? (Sorry if you already said/I missed it)

I recently learned that most pass-phrases use only the ~32,000 most common words (static.sched.com/hosted_files/) and, since then, I've wanted to create a word list with some less common (but still familiar/spell-able) words

(eg, "crouton" is apparently #102,925: wordfrequency.info/samples/wor )

Post sorting algorithm: Hot Take 


> > Why do you view focusing on content instead source as a good thing?

> Because of prejudices.

That's a fair point. In my experience, focusing on content ends up with people using "that sounds about right" as a heuristic, which is also subject to prejudice.

(Of course "this source has been credible and valuable in the past" is technically a form of prejudice (ie, pre judgment) but it's one that has better consequences)


> Guix turns ten! We celebrate... by highlighting ten great things about Guix!

This briefly made me feel *very* old, thinking that it couldn't possibly have been 10 years already. Then I realized that I was counting from Guix 1.0.0 (2019) and not the first Guix commit (2002). And, despite the way it sometimes feels, 2019 was *not* a decade ago!

(Congrats to on the milestone, by the way!)


Episode 44: Celebrating a Decade of Guix fossandcrafts.org/episodes/44-

Guix turns ten! We celebrate... by highlighting ten great things about Guix!
Hear all about functional package management, time-traveling operating systems, and why "Composable DSLs" are great!

Post sorting algorithm: Hot Take 


> Algorithms that promote posts which gather attention are good things. Reading posts served by these algorithms makes you focus more on content instead of source.

I disagree with the first sentence precisely because I agree with the second. Why do you view focusing on content instead source as a good thing?

Personally, I prefer a focus on the source because it encourages people/sources to build up their credibility and reputation over the long term


> Thinking and talking about this, I am coming more and more to the conclusion that billionaires are, almost by definition, mentally ill

Nearly all billionaires are people who had hundreds of millions of dollars and then decided to *keep striving to earn more*. I'm not sure I'd go as far as "mentally ill", but I don't think that's the psychologically *typical* response to that situation – and it shows.


> [chart comparing programming to demon summoning]

I'm more-than-slightly troubled by the programmer column having a checkbox in the "sometimes you have to execute a child" box. Is there some context I'm missing there?

(Or maybe I've just been programming wrong all this time!)


> [it's better to] mak[e] an account because you want to post, and maybe *connect* with *people.*

Blogs have comment sections and Mastodon has replies – and both allow for a little bit of connection. But only a little.

If someone really wants to connect with me as a person, they should send an email or say hi on IRC/Matrix/Mattermost/etc – Mastodon is mostly where I read/post dumb jokes ^W^W interesting tidbits that are too short for blog posts



> One of the worst things that could happen to the fediverse is for it to be seen as a place to join to have an audience. That it isn't is its key differential advantage as a social media platform

I mildly disagree (at least for the Mastodon-adjacent corner of the fediverse)

Imo, Mastodon etc are *microblogging* platforms – that is, a broadcast medium for sharing words/pictures with readers. And I post here for the same reasons I blog: because I have something to say


Here's a post-mortem of what we saw on over Monday and Tuesday with the influx of new members from Twitter.

Thought you fine folks would be interested in something like this.



> Just got an email with a free offer to celebrate 18 years on livejournal. Which got me thinking:

Personal blog

I'm too young to have had the first one and too old (?) for the last two. Which I guess is as good a statement of what generation I'm in as any other.

I completely derailed a scrum meeting today by adding mood music on my synth whenever anyone gave a status update.

"I wrapped up blah."

me: fanfare

"I’m running into some unanticipated complexity."

me: ominous music swells


> Reinstalling Kubuntu. Lol.

Sometimes it's hard to beat that fresh-install-clean feeling :D


Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.