
tdp_org

@tdp_org@mastodon.social

Lead Architect @ BBC. Snowboarder, skateboarder. Oxfordshire, UK. Opinions mine. He/Him.
Interested in #serverless #nodejs #googlecloud #terraform #bigquery #analytics #web #cdn #http #tls #http2 #http3 #security #infosec #privacy #webperformance #webperf etc.

tdp_org, to webdev

If you run a publicly available website/service, keep an eye on https://www.cve.org/CVERecord?id=CVE-2023-44487.

It'll be announced at midday UTC today (10th Oct 2023).

If there isn't an update you can deploy quickly for your affected services immediately (there should be for the better known software, they've had advance notice) then you should consider disabling the affected element until there is.

Can't share more right now but it's important so don't forget (& tell your friends!).

tdp_org, to infosec

Very interesting info on modern password cracking using PassGAN (https://arxiv.org/abs/1709.00440).
I can't vouch for this but also have no reason to doubt it.

https://www.homesecurityheroes.com/ai-password-cracking/

tdp_org, to webdev

I enabled Brotli compression on the CDN which serves the main BBC websites (www.bbc.co.uk, www.bbc.com etc.) outside the UK this morning.
Over ~4 hours, we're seeing a mean of ~20% better compression (smaller responses) via Brotli & ~95% of responses being Brotli now.
I've not had time to look in detail at performance but there doesn't look to be a significant change (LMK if you see different!).
(the spikes are breaking news events linking to large "live" pages)

tdp_org, to random

It would be super cool if the chat from a zoom call was still available to read after the call ends...for when you forgot to copy/paste stuff out...

tdp_org, to webdev

Lazy post:
Are there common web clients which do not support TLS SNI but do support TLS1.2+?

tdp_org, to wordpress

After update to 6.4 website is broken, err:

Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /site/wp-content/db.php:124
Stack trace:
#0 /site/wp-includes/class-wpdb.php(752): WP_SecureDBConnection_DB->db_connect()
#1 /site/wp-content/db.php(182): wpdb->__construct()
#2 /site/wp-includes/load.php(671): require_once('...')
#3 /site/wp-settings.php(124): require_wp_db()

wp CLI connects to the DB fine. Disabling plugins/themes doesn't help.
Any ideas?

tdp_org, to random

/usr/bin/java -jar apps/TLS-Server-Scanner.jar -connect www.bbc.co.uk:443

Exception in thread "main" java.lang.UnsupportedClassVersionError: de/rub/nds/tlsscanner/serverscanner/Main has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0

Great. But what do I need to do to fix it?

tdp_org, to BBC

Friday treat for your delectation...
BBC's 1997 UK Election Website - yeah it's partly broken but check out the source HTML!
The whole page, including all assets is just under 210KB.
I miss websites that were this simple.
https://www.bbc.co.uk/news/special/politics97/

If you love your HTML simple and small, you'll love this screenshot of the source HTML for BBC Politics 97. It's got a and everything!

tdp_org, to random

Now that's a proper close call
https://www.bbc.co.uk/news/world-europe-65926381

tdp_org, to wordpress

Don't suppose anyone knows how to fix this WordPress problem?
In the JS console: window.wp is undefined
So the Media Library is totally broken (appears empty but the files are on disk & work on the front-end).
Searching suggests a JS optimiser but I'm not running any of those, plugins are as per the screenshot.
Tried everything I can think of for the past 4 hours 😭.

Screenshot of the WordPress plugins list

tdp_org, to random

Yesterday I added a graph to track TLS ciphersuite usage over time & immediately spotted an anomaly.
In mid-Feb, on our commercial CDN, CHACHA usage dropped from ~10-12% to ~0.5% & stayed there. The same did not happen on our own CDN so it seemed unlikely to be client behaviour.
Raised it with the CDN vendor & they tied it to a release which accidentally changed the behaviour to pref CHACHA for clients for whom CHACHA is top pref.
Having good data is 💯
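The kind of check that spots the drop described above, as an added example (not the BBC's tooling): it computes the daily share of one cipher family from handshake logs and flags a day whose share collapses against the preceding days. The one-line-per-handshake log format, the constructed sample lines and the alert threshold are assumptions.

```python
"""Flag a sudden drop in the share of a TLS ciphersuite family per day."""
from collections import defaultdict

# Constructed sample log: "<date> <negotiated ciphersuite>", one line per handshake.
# ~10-12% CHACHA for three days, then ~0.5% and staying there.
_PLAN = [("2023-02-10", 20), ("2023-02-11", 24), ("2023-02-12", 22),
         ("2023-02-13", 1), ("2023-02-14", 1)]          # CHACHA handshakes out of 200
SAMPLE_LOG = []
for _day, _n in _PLAN:
    SAMPLE_LOG += [f"{_day} TLS_CHACHA20_POLY1305_SHA256"] * _n
    SAMPLE_LOG += [f"{_day} TLS_AES_128_GCM_SHA256"] * (200 - _n)


def daily_share(lines, family="CHACHA"):
    """Fraction of handshakes per day whose ciphersuite name contains `family`."""
    totals, hits = defaultdict(int), defaultdict(int)
    for line in lines:
        day, cipher = line.split(maxsplit=1)
        totals[day] += 1
        if family in cipher.upper():
            hits[day] += 1
    return {day: hits[day] / totals[day] for day in sorted(totals)}


def find_drops(shares, factor=0.25, window=3):
    """Return (day, share, baseline) where share < factor * mean of the prior `window` days.

    A drop that persists keeps alerting until the good days age out of the window.
    """
    days = list(shares)
    alerts = []
    for i in range(1, len(days)):
        prior = [shares[d] for d in days[max(0, i - window):i]]
        baseline = sum(prior) / len(prior)
        if baseline > 0 and shares[days[i]] < factor * baseline:
            alerts.append((days[i], shares[days[i]], baseline))
    return alerts


if __name__ == "__main__":
    for day, share, base in find_drops(daily_share(SAMPLE_LOG)):
        print(f"{day}: CHACHA share {share:.1%} vs baseline {base:.1%}")
```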

tdp_org, to webdev

My pals in BBC World Service have been doing some awesome work on "lite" versions of their news articles (other page types to follow).
They essentially skip the Server-Side React hydration which means you end up with a simpler HTML+CSS page, no JS.
Page sizes drop significantly:

Screenshot of a BBC World Service Mundo "lite" page with Dev Tools open showing bytes transferred and total as stated

tdp_org, to devops

Hands up if you caused a global outage today...
Just me?
Sorry!

I was making a change to our "outside the UK" CDN config today for www.bbc.co.uk & www.bbc.com & the change included 2 bugs which pre-testing didn't spot:

  • A regex typo which caused 404s on www.bbc.co.uk
  • An incorrect TLS cert on the CDN origin which caused 503s on www.bbc.com

These caused ~7 minutes of significant global outage.

I spent most of the afternoon writing tests to catch this for next time.

Cache status graph for www.bbc.com which shows a significant spike of "error" for ~7 minutes
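Two pre-deploy checks of the sort the post says were written afterwards, as an added example that is not the BBC's test suite: one asserts that a set of must-serve URLs still matches some route regex (catches the typo that 404s), the other that the origin certificate's SAN list covers the origin hostname (catches the wrong-cert 503s). The route tables, SAN lists and the `origin.bbc.com` hostname are constructed stand-ins.

```python
"""Pre-deploy checks for a CDN config change: route regexes and origin cert coverage."""
import re
from urllib.parse import urlparse

# Constructed route tables: host -> list of path regexes that must route somewhere.
GOOD_ROUTES = {"www.bbc.co.uk": [r"^/(news|sport)(/|$)", r"^/$"]}
BAD_ROUTES = {"www.bbc.co.uk": [r"^/(news|sport)/$", r"^/$"]}   # typo: only "/news/" itself routes

# Constructed canary URLs that must always be routable.
MUST_ROUTE = ["https://www.bbc.co.uk/", "https://www.bbc.co.uk/news",
              "https://www.bbc.co.uk/news/uk-example"]


def unrouted(routes, urls):
    """URLs whose path matches none of the regexes configured for their host."""
    missing = []
    for url in urls:
        u = urlparse(url)
        if not any(re.search(p, u.path) for p in routes.get(u.hostname, [])):
            missing.append(url)
    return missing


def cert_covers(hostname, sans):
    """True if a SAN dNSName entry matches hostname (wildcard = exactly one leftmost label)."""
    host = hostname.lower().rstrip(".")
    for san in (s.lower() for s in sans):
        if san.startswith("*."):
            if host.count(".") == san.count(".") and host.endswith(san[1:]):
                return True
        elif san == host:
            return True
    return False


def preflight(routes, urls, origin_host, origin_sans):
    """Collect every problem; an empty list means the change may go live."""
    problems = [f"no route for {u}" for u in unrouted(routes, urls)]
    if not cert_covers(origin_host, origin_sans):
        problems.append(f"origin cert SANs {origin_sans} do not cover {origin_host}")
    return problems


if __name__ == "__main__":
    print(preflight(BAD_ROUTES, MUST_ROUTE, "origin.bbc.com", ["*.bbc.co.uk"]))
```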

tdp_org, to random

Does this story imply that the UK can decrypt Russian military comms? Surely they don't broadcast unencrypted?
Wondering whether the timing (~1 year from the incident) suggests it takes time to decrypt or whether the timing is related to rules rather than tech.
Anyone know?
https://www.bbc.co.uk/news/uk-66798508

tdp_org, to AWS

Prob a bit unfair but mostly true IME

tdp_org, to random

Who's using Apache Traffic Server as an HTTP reverse proxy in a large-ish scale way?
Interested to hear any opinions and/or loves/frustrations with it...Eyeing it up as a potential successor (one day, would be a chunk of work) to our NGINX-based in-house CDN. So that'd mean it'd go into 3+ datacentres, each configured as clustered machines, serving 10s of thousands to millions of RPS across 10s of domains as a reverse proxy.
https://trafficserver.apache.org/

tdp_org, to random

On Friday, I spotted that TLS1.3 was not available on our main web assets domain, static.files.bbci.co.uk (fronted by Akamai).

It took a bit of digging but we were using Akamai's 2016 TLS ciphersuite list which is deprecated & lacks TLS1.3 ciphers.

I've just switched pre-live environments to the 2017 cipher list as the changes were minimal (-3DES, +TLS1.3 ciphers). I'll roll this to live tomorrow morning.

This opens the door to enabling QUIC/HTTP/3 (requires TLS1.3) for our static assets.

tdp_org, to webdev

Does anyone know of a commonly used Chrome/ium extension which would set expect-ct on web pages?
We're getting several million deprecation reports on our web pages for expect-ct but we don't set it ourselves.
Weird.

tdp_org, to random

Wow, braverman has somehow found a way to be even more of a piece of shit.
https://www.bbc.co.uk/news/uk-67321319

tdp_org, to webdev

Still bends the mind a bit that we serve nearly 14M web pages every day to Search Engine indexers & bots (and those are just the bigger orgs indexers/bots). That's 4% of our traffic.

Also super strange how skewed towards Google this is, they're making 75% (over 10M) of those requests.

Might be interesting to plot the decline of Twitter actually...

Then there's "monitoring" which is everyone's "is the internet working" - nearly 32M of those every day.

tdp_org, to random

tl;dr: multicast media streaming trial/PoC from BT (in the UK).

Some of my colleagues have been helping to test and evaluate MAUD. Possibly worth mentioning the (IMO) major missing point in the article - you have to be running a BT router for it to work as that becomes a local distribution endpoint. Maybe that was just too much technical detail for a broad audience piece which is fair enough, without knowing that it won't make sense to techies though.

https://newsroom.bt.com/bt-group-announces-live-tv-technology-breakthrough-to-meet-growing-customer-demand/

tdp_org, to random

So here's a new one.
I was crossing the street in front of our local petrol station/shop and a car was pulling out of the same, opposite me.
The driver wasn't indicating and was taking ages so I started walking over the road. The driver then pretty much drove into me so I gestured to him to indicate.
He got out of the car, super aggressive & pushed me. I told him, "if you can't be arsed to indicate, I can't be arsed to wait for you".
He backed down & drove off.
Don't be this guy, people.

tdp_org, to random

After many years of work (e2e time), on Monday, I'm turning off m.bbc.co.uk & m.bbc.com.
They did their job when they were needed but that time has passed. Here's been our process for decomm:

  1. 301 m. to www. (> 1 year)
  2. 410 m. with custom "please use www" message (~6 months)
  3. Delete all monitoring/graphing
  4. Delete DNS for m.
  5. Delete CDN/server configs
  6. Remove m. from cert renewals
  7. Remove m. from docs & processes
  8. Remove m. from IP allocations
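A probe check for the two user-visible phases of that decommission plan (the 301 and the 410 stages), as an added example rather than the BBC's own tooling: it verifies that a redirect swaps m. for www. while preserving path and query, and that the later phase answers 410. The `m.example.org` host and the response tuples are constructed; feed it the status and headers from a real probe.

```python
"""Verify a decommissioned m. hostname behaves as the current phase expects."""
from urllib.parse import urlsplit, urlunsplit


def expected_www(url):
    """https://m.example.org/news?x=1 -> https://www.example.org/news?x=1"""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host.startswith("m."):
        raise ValueError(f"not an m. host: {host}")
    return urlunsplit(("https", "www." + host[2:], parts.path, parts.query, ""))


def check(phase, url, status, headers):
    """Return deviations from the plan for one probed URL; [] means on plan.

    phase 1: 301 to the www. equivalent, path and query preserved.
    phase 2: 410 (the custom "please use www" page).
    Later phases are DNS/config removals with nothing to probe over HTTP.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    problems = []
    if phase == 1:
        if status != 301:
            problems.append(f"expected 301, got {status}")
        want = expected_www(url)
        if hdrs.get("location") != want:
            problems.append(f"Location {hdrs.get('location')!r}, expected {want!r}")
    elif phase == 2:
        if status != 410:
            problems.append(f"expected 410, got {status}")
    else:
        raise ValueError("only phases 1 and 2 are observable over HTTP")
    return problems


if __name__ == "__main__":
    # Constructed probe result: the redirect drops the path, a classic decomm mistake.
    print(check(1, "https://m.example.org/news?x=1", 301, {"Location": "https://www.example.org/"}))
```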

tdp_org, to random

🚨 **UK TV Licensing scam!** 🚨

I just received this scam email purporting to be a TV Licensing renewal reminder. It's reasonably well done except for:

  1. The sender email address
  2. The trademark symbol - AFAIK that's never used by TVL

I believe they're using the data from the People's Energy data breach as the email address they sent this to used the unique plus alias I used on my account with PE.

The "sign in" link goes to an AWS S3 hosted file BTW.

https://www.bbc.co.uk/news/technology-55350995

tdp_org, to random

If you could launch any 3 people to Mars and never see or hear from them again, who would it be?
