Home » Posts tagged "mode"

V8 version 6.5 (Chrome 65) 的改變

V8 version 6.5 將會有不少改變:「V8 release v6.5」。

其中因為 Spectre 的關係,新的 V8 設計了 Untrusted code mode,拿來跑不信任的程式,裡面會設計反制措施。而且這在新版的 Chrome 將會預設開啟:

In response to the latest speculative side-channel attack called Spectre, V8 introduced an untrusted code mode. If you embed V8, consider leveraging this mode in case your application processes user-generated, not-trustworthy code. Please note that the mode is enabled by default, including in Chrome.

另外是針對 WebAssembly 提供邊下載邊 compile 的能力,這讓速度大幅提昇。在原文是拿一個比較大包的 WebAssembly 來測試:

For the graph below we measure the time it takes to download and compile a WebAssembly module with 67 MB and about 190,000 functions. We do the measurements with 25 Mbit/sec, 50 Mbit/sec, and 100 Mbit/sec download speed.

可以看到網路不夠快的使用者就會直接被 compile 速度跟上,讓瀏覽器在下載時就做一些事情。

另外在某些情況下對 Array 的操作會有大幅改善:

這些新功能與改善都會在 Chrome 65 推出。依照「Chrome Platform Status」這邊的資料,stable 版預定在三月初,beta 版應該是要出了... (雖然上面寫著 2/1,但目前好像還沒更新)

Amazon Aurora (MySQL) 的 Stored Procedure 可以跑 AWS Lambda...

查了資料才發現去年十月 Amazon Aurora (MySQL-Compatible Edition) 就支援用 AWS Lambda 當 stored procedure 了,只是當時只支援 async mode,能做的事情比較有限:「Amazon Aurora New Features: AWS Lambda Integration and Data Load from Amazon S3 to Aurora Tables」。

Now you can invoke Lambda functions directly from within an Aurora database via stored procedures or user-defined functions. Lambda integration allows you to extend the capabilities of the database and invoke external applications to act upon data changes. For example, you can create a Lambda function that sends emails to customers whenever their address in the database is updated.

前幾天發表的則是支援 sync mode,可以等到:「Amazon Aurora with MySQL Compatibility Natively Supports Synchronous Invocation of AWS Lambda Functions」。

Starting with version 1.16, we are extending this feature to be able to able to synchronously invoke Lambda functions.

Use the native function lambda_sync when you must know the result of the execution before moving on to another action.

這解掉了 MySQL 的 stored procedure 一直很殘的問題...

這次 PKCS #1 1.5 的 ROBOT 攻擊,Cisco 沒打算修...

1998 年就發現的 security issue 因為 workaround 也很複雜,所以不是每一家都修對方法,於是 19 年後又被爆破了。這次叫做 ROBOT:「1998 attack that messes with sites’ secret crypto keys is back in a big way」。

可以看到中獎的表:

這次的攻擊在 client 端無法修正,只能在 server 端修正:

Do I need to update my browser?
No. This is an implementation bug in servers, there is nothing clients can do to prevent it.

如果 server 端無法盡快修正的話,想辦法避開 RSA encryption 可以躲開這個問題,而且因為現代瀏覽器都有非 RSA 的替代方案,這樣做應該都還有退路,可以維持連線的可能性:

Disable RSA encryption!
ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures. We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy.

但使用 Cisco ACE 就哭了,因為 Cisco ACE 只支援 RSA encryption,而 Cisco 官方以產品線已經關閉,不再提供維護而沒有提供更新的計畫,所以就進入一個死胡同...

不過 Cisco 自己也還在用 Cisco ACE 就是了,不在意就不會痛的感覺 XD

I have a Cisco ACE device.
Cisco informed us that the ACE product line was discontinued several years ago and that they won't provide an update. Still, we found plenty of vulnerable hosts that use these devices.

These devices don't support any other cipher suites, therefore disabling RSA is not an option. To our knowledge it is not possible to use these devices for TLS connections in a secure way.

However, if you use these products you're in good company: As far as we can tell Cisco is using them to serve the cisco.com domain.

AWS 推出 Cloud Native Networking,在每個 Container 內都有自己獨立的網路卡

AWSAmazon ECS 變得更好用了:「Introducing Cloud Native Networking for Amazon ECS Containers」。

Today, AWS announced task networking for Amazon ECS. This feature brings Amazon EC2 networking capabilities to tasks using elastic network interfaces.

awsvpc 模式下會給每個 container 一個獨立的網路卡 (Elastic Network Interface,ENI):

這樣有兩個好處。第一個是 port 就不需要拆開,所有 container 如果都是跑 nginx,都可以跑在同一個 port (80 或是 443),這對於前端應用程式會簡單一些。第二個整合了 AWS 的 security group,這對在 AWS 上本來就會使用 security group 的大多數人來說就可以輕鬆整合了。

Firefox 的 Headless 模式

Google Chrome 推出 Headless 模式後,Firefox 也推出了:「Headless mode」。

目前正式版是 55 版,只有 Linux 版本有支援,下一個版本 56 版就會包括 Windows 與 Mac 了:

Headless Firefox works on Fx55+ on Linux, and 56+ on Windows/Mac.

然後大家也都是以 Selenium 為重心,所以使用上應該不會是大問題...

Vim 的 Easy Mode

Twitter 上看到 Vim 的 Easy Mode 是無法直接用 :q! 直接離開的,對於用 Vim 用很久的人反而不知道怎麼辦 XDDD:

因為知道是 -y,所以查了 manual 後發現是 easy mode。有了關鍵字後解法就很好找了,是「How to quit vim's easy mode (vim -y)」這篇,先用 Ctrl-L 回到 Normal Mode 再用 :q! 離開...

OpenSSL 1.1.1 將支援 TLS 1.3

OpenSSL 的文章「Using TLS1.3 With OpenSSL」提到了:

The forthcoming OpenSSL 1.1.1 release will include support for TLSv1.3.

另外也提到了 TLS 1.3 的標準是 blocker,在 TLS 1.3 沒出來前不會出 OpenSSL 1.1.1:

OpenSSL 1.1.1 will not be released until (at least) TLSv1.3 is finalised.

OpenSSL 實做的 TLS 1.3 支援了這些 cipher:

  • TLS13-AES-256-GCM-SHA384
  • TLS13-CHACHA20-POLY1305-SHA256
  • TLS13-AES-128-GCM-SHA256
  • TLS13-AES-128-CCM-8-SHA256
  • TLS13-AES-128-CCM-SHA256

GCM 的部份不算意外,比較特別的是包括了 ChaCha20Poly1305 (喊很久了),另外包括了 CCM mode 的實做...

Google Chrome 的 Headless 模式與 PhantomJS 的歷史

瀏覽器的 headless 模式讓開發者可以透過 command line 或是 API 界面操作,對於自動化開發測試很有用。而 Google Chrome 將在 59 版 (目前 57 版) 引入 headless 模式:「Headless mode」。

Headless mode allows running Chromium in a headless/server environment. Expected use cases include loading web pages, extracting metadata (e.g., the DOM) and generating bitmaps from page contents -- using all the modern web platform features provided by Chromium and Blink.

To use headless, start Chrome with a command line flag:

$ chrome --headless --remote-debugging-port=9222 https://chromium.org

PhantomJS 則是因為 Google Chrome 決定要支援 headless 模式,主要的貢獻者 Vitaly Slobodin (參考 Contributors to ariya/phantomjs 這邊) 決定退出維護:「[Announcement] Stepping down as maintainer」。

是個功成身退的感覺...

Mac 上的 Cleartext

看到 Mac 上的「Cleartext」這個軟體:

A text editor that only allows the 1,000 most common words in English

限制你使用比較簡單的英文,這樣可以讓讀的人比較容易了解 (尤其是非母語的人)。

有種跟 Simple English Wikipedia 的想法很像的感覺:

The project uses around 2,000 common English words, and is based on Basic English, an 850-word auxiliary international language created by Charles Kay Ogden in the 1920s.

另外還有提供 Trump mode XDDD:

Trained with a few of Trump's best known speeches, the app is now ready to help you write like a billionaire.

這好壞 XDDD

Archives