
The Backend Engineering Show with Hussein Nasser

535 episodes - English - Latest episode: about 2 months ago - ★★★★★ - 5 ratings

Welcome to the Backend Engineering Show podcast with your host Hussein Nasser. If you like software engineering you’ve come to the right place. I discuss all sorts of software engineering technologies and news with specific focus on the backend. All opinions are my own.

Most of my content in the podcast is an audio version of videos I post on my YouTube channel here: http://www.youtube.com/c/HusseinNasser-software-engineering

Buy me a coffee
https://www.buymeacoffee.com/hnasr

🧑‍🏫 Courses I Teach
https://husseinnasser.com/courses

Technology

Episodes

My thoughts on the CAP theorem

June 12, 2021 02:00 - 18 minutes - 12.6 MB

CAP stands for Consistency, Availability, and Partition tolerance. Understanding the CAP theorem can help engineers make better design choices when building distributed systems. In this show, I will explain the CAP theorem and how you can use it to make tradeoffs in your backend design. You are probably already using the CAP theorem without even knowing it. Resources https://www.infoq.com/articles/cap-twelve-years-later-how-the-rules-have-changed/#:~:text=The%20CAP%20theorem%20states%20that,to...

Fastly's Outage Took Down Amazon, Reddit, Stack Overflow and many other websites (Early reports)

June 08, 2021 16:02 - 14 minutes - 8.55 MB

Fastly, a very popular CDN, went down and took many services down with it; let's talk about what could have caused this. Resources https://status.fastly.com/incidents/vpk0ssybt3bj https://twitter.com/fastly/status/1402221348659814411?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1402221348659814411%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Ftwitter.com%2F https://apple.news/ASVV6TIepT8GPIEDjFbyNRg Support my work on PayPal https://bit.ly/33ENps4  Become a Member on YouTube https://w...

The Backend of this Fintech Exposed Users' Personal Information - The Klarna Leak (Full Report)

June 08, 2021 07:00 - 35 minutes - 20.5 MB

On May 27, 2021, Klarna, a popular fintech company, suffered a serious exposure of personal data which led to a planned outage. Resources https://twitter.com/KezStew/status/1397845638956605440 https://www.klarna.com/us/blog/detailed-incident-report-incorrect-cache-configuration-leading-to-klarna-app-exposing-personal-information/ https://en.wikipedia.org/wiki/Klarna#cite_note-22 Support my work on PayPal https://bit.ly/33ENps4 Become a Member on YouTube https://www.youtube.com/cha...

13 TB of Dominos Pizza India customers’ data leaked and put on the Dark Web

June 04, 2021 00:49 - 14 minutes - 8.32 MB

Domino's Pizza India was hacked and 13 TB of customers' data is now on the dark web. https://www.indiatoday.in/technology/news/story/leaked-data-of-dominos-india-users-now-available-on-search-engine-created-by-hacker-1805595-2021-05-22 Support my work on PayPal https://bit.ly/33ENps4 Become a Member on YouTube https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join

QUIC is FINALLY a Standard. RIP TCP?

June 03, 2021 04:00 - 15 minutes - 8.91 MB

QUIC is officially an IETF standard after a very long time. Is this going to replace the TCP protocol? https://www.theregister.com/2021/05/31/quic_becomes_standard/ https://datatracker.ietf.org/doc/html/rfc9000 Support my work on PayPal https://bit.ly/33ENps4 Become a Member on YouTube https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join 🧑‍🏫 Courses I Teach https://husseinnasser.com/courses

why it is very hard to cancel an HTTP request

June 02, 2021 03:00 - 22 minutes - 12.6 MB

In this episode of the backend engineering show, I go through the lifetime of an HTTP request and why it is extremely difficult to cancel an HTTP request in a real production environment. Support my work on PayPal https://bit.ly/33ENps4 Become a Member on YouTube https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join 🧑‍🏫 Courses I Teach https://husseinnasser.com/courses

The Flavors of Database Replication - The Backend Engineering Show with Hussein Nasser

May 31, 2021 06:19 - 19 minutes - 11.3 MB

In this episode, I will discuss the different types of database replication and the pros and cons of each: streaming, binary, logical, synchronous, asynchronous, one-way and two-way replication. Stay tuned if you like databases, and check out my database engineering course; head to husseinnasser.com/courses for a discount code. Support my work on PayPal https://bit.ly/33ENps4 Become a Member on YouTube https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join 🧑‍🏫 Courses I Teach https://hus...

Tor’s Connection Establishment - The Backend Engineering Show with Hussein Nasser

May 29, 2021 01:29 - 34 minutes - 19.9 MB

In this episode, I will discuss Tor's circuit establishment, which is the core of the Tor protocol. https://svn-archive.torproject.org/svn/projects/design-paper/tor-design.pdf https://youtu.be/gIkzx7-s2RU Support my work on PayPal https://bit.ly/33ENps4 Become a Member on YouTube https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join 🧑‍🏫 Courses I Teach https://husseinnasser.com/courses

I almost Burnt out creating software engineering content on YouTube, here is what I learned

May 27, 2021 15:57 - 15 minutes - 7.06 MB

This is an honest video about burnout and what a content creator can do to avoid it while creating content on YouTube. Support my work on PayPal https://bit.ly/33ENps4

Long Polling and how it differs from Push, Poll and SSE - The Backend Engineering Show

May 26, 2021 03:00 - 26 minutes - 15.2 MB

In this episode of the backend engineering show, I'll discuss the long polling technique for backend communication. I will also touch upon polling and pushing, and the pros and cons of each. * Intro 0:00 * Polling 2:45 * Pushing 6:30 * Long Polling 18:00 * SSE 23:00 Support my work on PayPal https://bit.ly/33ENps4 Become a Member on YouTube https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join 🧑‍🏫 Courses I Teach https://husseinnasser.com/courses

Long Polling - The Backend Engineering Show with Hussein Nasser

May 26, 2021 03:00 - 26 minutes - 24.6 MB

In this episode of the backend engineering show, I'll discuss the long polling technique for backend communication. I will also touch upon polling and pushing, and the pros and cons of each. * Intro 0:00 * Polling 2:45 * Pushing 6:30 * Long Polling 18:00 * SSE 23:00 Support my work on PayPal https://bit.ly/33ENps4 Become a Member on YouTube https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join 🧑‍🏫 Courses I Teach https://husseinnasser.com/courses --- Send in a voice messa...

The New Postgres 14 Looks Promising - The Backend Engineering Show with Hussein Nasser

May 23, 2021 03:54 - 39 minutes - 22.7 MB

In this episode of the Backend Engineering Show, we will go through the new features in Postgres 14. Here is a rundown of the improvements made to the database platform, with timestamps. 0:00 Intro 2:20 Performance 18:50 Data Types and SQL 23:00 Administration 32:30 Replication and Recovery 35:47 Security Postgres 14 Beta 1 https://www.postgresql.org/about/news/postgresql-14-beta-1-released-2213/ Support my work on PayPal https://bit.ly/33ENps4 Become a Member on YouTube   🧑‍🏫 Courses ...

The OSI Model by Example - The Backend Engineering Show with Hussein Nasser

May 20, 2021 20:04 - 32 minutes - 18.3 MB

In this episode of the Backend Engineering Show, I'll explain the OSI Model with an example. I start with the physical layer, which is often ignored, then move up to the application layer, presentation layer, session layer, transport layer, IP layer, and data link layer. I believe every software engineer should understand the OSI Model, as it helps cement a fundamental understanding of networked applications. Intro 0:00 Layer 1 Physical 4:00 Layer 7 Application 9:45 Layer 6 Presentation 11:3...

Optimizing Communication and Networking in Database Systems

May 18, 2021 23:11 - 41 minutes - 19 MB

In today's show, I discuss the nature of communication in database systems and how the pattern completely changed with 3-tier web architecture. I also discuss whether multiplexing protocols such as HTTP/2 and QUIC can help alleviate some of the inefficiencies introduced. * Intro 0:00 * Communication Protocols 2:00 * 3-Tier Web Architecture 8:00 * Connection Pooling 14:50 * Database Connection Multiplexing 23:40 * Will Databases handle high concurrency 32:00 Support my work on PayPal ht...

If you are using Let’s Encrypt Watch out for this

May 17, 2021 17:12 - 14 minutes - 8.42 MB

DST Root CA X3 expires in September 2021. It is a root certificate that signs Let's Encrypt's certificate authority, a very popular CA. In this video, I will discuss the ramifications of this change. Support my work on PayPal https://bit.ly/33ENps4 Become a Member on YouTube https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join 🧑‍🏫 Courses I Teach https://husseinnasser.com/courses 🏭 Backend Engineering Videos in Order https://backend.husseinnasser.com

This is why Salesforce services went down on May 11 2021

May 13, 2021 16:18 - 13 minutes - 7.76 MB

Salesforce services went down as a result of a DNS update; let us discuss how a tiny DNS unavailability can cause a severe 5-hour outage. From Salesforce: "On May 11, 2021, at approximately 21:08 Universal Coordinated Time (UTC), the Salesforce Technology team became aware of a service disruption across Salesforce production instances. The disruption impacted the ability for users to log into their Salesforce environments within the core Salesforce services, Marketing Cloud, Commerce Cloud...

How HAProxy forwards 2 Million Requests Per Second? - The Backend Engineering Show

May 10, 2021 19:27 - 47 minutes - 27.3 MB

In this show, I go into detail on how HAProxy achieved 2 million HTTP requests per second. This is a very well-written article that discusses how the HAProxy team benchmarked the product on a 64-core ARM machine, reaching over 2 million requests per second. There are many components and low-level points that I try to elaborate on; timestamps below.  0:00 Intro  2:40 Summary of the Article  11:55 Latency and Throughput in HAProxy 2.3 vs 2.4  21:00 How TCP Connections Affect Performance ...

The Tale of OLTP, OLAP, and HTAP in Data Warehousing - The Backend Engineering Show with Hussein Nasser

May 09, 2021 05:01 - 42 minutes - 24.5 MB

In this show, I discuss why we have 3 data models in database systems, OLTP (Online Transactional Processing) OLAP (Online Analytical Processing), and HTAP (Hybrid Transactional Analytical Processing). I’ll also explain the difference between them, the use of ETL tools (extract transform load) to load data from transactional to analytical databases, and what is the future of HTAP. Support my work on PayPal https://bit.ly/33ENps4 Become a Member on YouTube https://www.youtube.com/channel/...

This Python And NodeJS IP Address Validation Vulnerability is Severe, Watch out

May 04, 2021 13:00 - 16 minutes - 9.23 MB

Watch this if you are using IP address validation in either NodeJS or Python: these two libraries strip leading zeros, which can lead to server-side request forgery (SSRF). Let us discuss. Resources https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/ https://www.bleepingcomputer.com/news/security/python-also-impacted-by-critical-ip-address-validation-vulnerability/ Support my work on PayPal https://bit.ly/33ENps4 Become a Member on Yo...
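The leading-zero problem behind the episode above, as an added Python example (constructed here; it is not the podcast's code and not the netmask or ipaddress implementation). Three parsers read the same dotted-quad string: parse_lenient mimics the pre-fix behaviour of the vulnerable validators (every octet read as decimal, so "0177" becomes 177), parse_inet_aton_style mimics how the C library that eventually opens the socket reads it (a leading 0 means octal, so "0177" becomes 127), and parse_strict rejects the ambiguous form, which is what current CPython's ipaddress module does. The deny-list, the hypothetical is_allowed guard and the sample addresses are assumptions made for the example.

```python
import ipaddress

# Constructed deny-list for an SSRF guard: loopback, RFC 1918 and link-local.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
)]


def _split(text):
    parts = text.split(".")
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"not a dotted quad: {text!r}")
    return parts


def parse_lenient(text):
    """Pre-fix behaviour of the vulnerable validators: every octet is read as
    decimal, so a leading zero is silently dropped ("0177" -> 177)."""
    octets = []
    for part in _split(text):
        if not part.isdigit():
            raise ValueError(f"bad octet {part!r}")
        value = int(part, 10)
        if value > 255:
            raise ValueError(f"octet out of range {part!r}")
        octets.append(value)
    return ".".join(map(str, octets))


def parse_inet_aton_style(text):
    """How the C library that finally opens the socket reads the same string:
    a leading 0 means octal and 0x means hex ("0177" -> 127, "0x7f" -> 127)."""
    octets = []
    for part in _split(text):
        lower = part.lower()
        if lower.startswith("0x"):
            value = int(lower[2:], 16)
        elif len(part) > 1 and part.startswith("0"):
            value = int(part, 8)
        else:
            value = int(part, 10)
        if value > 255:
            raise ValueError(f"octet out of range {part!r}")
        octets.append(value)
    return ".".join(map(str, octets))


def parse_strict(text):
    """Fixed behaviour (what current CPython's ipaddress does): an octet with a
    leading zero is ambiguous between decimal and octal, so it is rejected."""
    parts = _split(text)
    for part in parts:
        if not part.isdigit() or (len(part) > 1 and part.startswith("0")) or int(part) > 255:
            raise ValueError(f"ambiguous or invalid octet {part!r}")
    return ".".join(str(int(p)) for p in parts)


def is_allowed(text, parser):
    """Hypothetical SSRF guard: True only if the parsed address lies outside every
    blocked range. Anything the parser rejects is treated as blocked."""
    try:
        addr = ipaddress.ip_address(parser(text))
    except ValueError:
        return False
    return not any(addr in net for net in BLOCKED_NETS)


if __name__ == "__main__":
    for candidate in ("0177.0.0.1", "0x7f.0.0.1", "93.184.216.34"):
        print(candidate,
              "lenient:", is_allowed(candidate, parse_lenient),
              "socket:", is_allowed(candidate, parse_inet_aton_style),
              "strict:", is_allowed(candidate, parse_strict))
```

The guard and the socket disagree on "0177.0.0.1": the lenient parser sees 177.0.0.1 and lets the request through, while the connect() call goes to 127.0.0.1. Rejecting the ambiguous spelling, as the patched libraries do, closes the gap; resolving the address once and connecting to the resolved address rather than re-parsing the original string is the other half of a sound guard.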

These Hackers Snuck their Trojan through PING

May 04, 2021 01:00 - 19 minutes - 11.1 MB

In this video, I'll discuss the Pingback attack, a new clever attack that uses both DLL files through the Oracle Call Interface (OCI.dll) and the ICMP protocol to deliver commands between the victim machines and the command center.  Resources  https://thehackernews.com/2021/05/new-pingback-malware-using-icmp.html  https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol  https://en.wikipedia.org/wiki/Oracle_Call_Interface Support my work on PayPal https://bit.ly/33ENps4 Become a M...

CLEVER! These Hackers Snuck their Trojan through PING

May 04, 2021 01:00 - 19 minutes - 18 MB

In this video, I'll discuss the Pingback attack, a new clever attack that uses both DLL files through the Oracle Call Interface (OCI.dll) and the ICMP protocol to deliver commands between the victim machines and the command center. Resources https://thehackernews.com/2021/05/new-pingback-malware-using-icmp.html https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol https://en.wikipedia.org/wiki/Oracle_Call_Interface --- Send in a voice message: https://anchor.fm/hnasr/message

Publish-Subscribe Pattern vs Message Queues vs Request Response (Detailed Discussions with Examples)

May 02, 2021 03:07 - 44 minutes - 30.6 MB

In this podcast I'll explain message queues, the request-response pattern and the publish-subscribe pattern. I will also illustrate the main differences between them and when to use one over another. 0:00 Intro 0:30 Message Queues in 60 Seconds 1:24 When to Use Message Queues? 14:33 Request Response Pattern 20:00 Request Response Pros & Cons 24:11 Publish Subscribe Pattern in 60 Seconds 25:13 Publish Subscribe Pattern 31:49 Publish Subscribe Pattern Pros and Cons Support my work on ...

HTTP Code 502 Bad Gateway Explained (All its Possible Causes on the Backend)

April 30, 2021 05:00 - 17 minutes - 9.91 MB

502 Bad Gateway is one of the most infamous errors on the backend. It usually means "hey, something is wrong with your backend server", but it doesn't really give enough information.  In this video, I'll go through the details of why proxies and gateways like NGINX and HAProxy should consider returning more fine-grained HTTP error codes.   502 Bad Gateway: the server was acting as a gateway or proxy and received an invalid response from the upstream server.   0:00 intro   3:45 What Causes a 502 B...

Technical Discussion on VPNs - How VPNs Work, their benefits, and What happens when VPNs are Hacked

April 26, 2021 17:09 - 26 minutes - 15.3 MB

In this episode I'll talk about how VPNs work, networking, and IPSec, and will also discuss the benefits of VPNs and what happens when a VPN is hacked.   * Intro 0:00   * How Networking Works 2:20   * How VPNs Work 10:00   * VPN Benefits 17:50  * What happens when a VPN is hacked 20:20 Support my work on PayPal https://bit.ly/33ENps4 Become a Member on YouTube https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join 🧑‍🏫 Courses I Teach https://husseinnasser.com/courses

Let us discuss the Linux Kernel community and University of Minnesota situation

April 22, 2021 18:28 - 15 minutes - 8.88 MB

There is an ongoing situation with the Linux kernel community and the University of Minnesota Department of Computer Science & Engineering. We discuss this in this episode and I give my opinion.

Auth0 Outage (Early report)

April 20, 2021 21:34 - 11 minutes - 6.33 MB

Auth0 went down on April 20, 2021 and this is the early report. Let us discuss. This incident affects: Auth0 US (PROD) (User Authentication, Machine to Machine Authentication, Multi-factor Authentication, Management API), Auth0 US (PREVIEW) (User Authentication, Machine to Machine Authentication, Multi-factor Authentication, Management API), and Management Dashboard (manage.auth0.com). 0:00 Update on Auth0 outage 6:00 Speculation on the outage https://auth0.com/blog/how-we-store-data-in-the-cl...

North Korean Hackers Hide Malicious Code within BMP image, Goes Undetected by AntiVirus software

April 20, 2021 16:43 - 14 minutes - 8.5 MB

Let us discuss the complexity behind this trojan hack; the multi-layer approach to hiding the RAT (remote access trojan) is absolutely genius. https://en.wikipedia.org/wiki/HTML_Application https://en.wikipedia.org/wiki/Portable_Network_Graphics https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/

These New WhatsApp Vulnerabilities Can Leak Images, Voice Notes, and Chat by Opening an HTML message

April 18, 2021 16:59 - 21 minutes - 12.4 MB

A few vulnerabilities in WhatsApp for Android were discovered that give an attacker who sends an HTML file attachment full access to the user's media, voice notes, pictures, and eventually chat messages (through TLS session resumption keys). In this video, we will discuss the scope of this attack. The vulnerabilities have been patched by Facebook. Full article from CENSUS labs discussing in detail how to carry out the PoC attack:  https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE...

A Look into Modern Leaky Abstractions - Postgres, MySQL, HTTP/2, TCP, ORMs GraphQL, N+1, Axios, git

April 17, 2021 06:00 - 37 minutes - 21.6 MB

Leaky abstractions occur when the consumer of an abstraction starts asking questions about certain behavior, which ends up requiring an understanding of the details behind the abstraction. Joel Spolsky coined this term, and in this video I'd like to discuss the concept and provide a few examples of leaky abstractions from my own experience. Let us get on with the show. 6:00 Postgres Dead Tuples 7:25 MySQL Clustering 9:23 Axios HTTP Library 11:30 ORMs (N+1) 13:30 Beyond Abstractions 15:...

Here is what caused the Hack to PHP Source Code git Server

April 15, 2021 19:20 - 13 minutes - 7.72 MB

Two weeks ago the PHP source code git server was hacked and two malicious commits were made to the source code. Since then the PHP maintainers have identified the source of the hack; let us discuss.

Which career would I choose if I wasn't a developer - Q&A April 2021

April 12, 2021 22:10 - 11 minutes - 11.1 MB

A light episode today; let's have some fun with a Q&A. I collected some questions from Twitter and the YouTube community and I'm going to attempt to answer them here. --- Send in a voice message: https://anchor.fm/hnasr/message

If I wasn’t a Backend Engineer, I would pick this as my career - Q&A April 2021

April 12, 2021 22:10 - 11 minutes - 6.86 MB

A light episode today; let's have some fun with a Q&A. I collected some questions from Twitter and the YouTube community and I'm going to attempt to answer them here. Support my work on PayPal https://bit.ly/33ENps4 Become a Member on YouTube https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join 🧑‍🏫 Courses I Teach https://husseinnasser.com/courses

Can NULLs Improve your Database Queries Performance? - The Backend Engineering Show

April 11, 2021 19:10 - 22 minutes - 13 MB

In this episode, we will discuss NULLs in database systems. I'll go through the following: What is NULL? NULL persistence: whether you store a 0 or a 2 billion value in a 32-bit integer field it costs 32 bits; when you store a NULL in a 32-bit integer field we save 32 bits but add overheads. When NULLs are naughty: semantics and inconsistent results. SELECT COUNT(*) includes NULLs; COUNT(column) ignores NULLs; T IS NULL returns the NULL rows; T IS NOT NULL returns the not-null rows; T IN (NU...

10 Vulnerabilities to watch for When building secure backend application (OWASP recommendations)

April 07, 2021 17:00 - 28 minutes - 16.4 MB

The Open Web Application Security Project (OWASP) is a recognized entity that helps developers identify critical security vulnerabilities so they can build secure web applications. In this video I will go through the 10 vulnerabilities, explain each one, and give examples and anecdotes from real life. 0:00 Building Secure Backends 2:30 Injection 4:50 Broken Authentication 6:43 Sensitive Data Exposure 11:00 XML External Entities (XXE) 13:45 Broken Access Control 17:00 Security Misconfigurati...

Browser Caching best practices, when to use no-cache vs max-age without breaking your site

April 07, 2021 05:00 - 18 minutes - 10.9 MB

Caching is the hardest problem in building software, and browser caching is no different. In this video, I'll discuss Jake Archibald's article https://jakearchibald.com/2016/caching-best-practices/ 0:00 Intro 2:00 Pattern 1: Immutable content + long max-age 5:40 Pattern 2: Mutable content, always server-revalidated 8:00 max-age on mutable content is often the wrong choice 12:20 CDN and Caching Article https://jakearchibald.com/2016/caching-best-practices/ https://twitt...
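The two caching patterns in the episode above, and the failure mode from the Klarna episode earlier on this page (a per-user response stored in a shared cache and served to the next user), as one added Python example. It is constructed here and is not the podcast's, Klarna's or Jake Archibald's code. A toy shared cache honours public, private, no-store, no-cache, max-age and Vary the way a CDN would; an origin returns a per-user profile for /api/me and a content-addressed script for /static/app.3f9a.js. The URLs, the bearer tokens, the profile strings and the SharedCache class itself are assumptions made for the example.

```python
import time

# Constructed per-user data keyed by the Authorization header the app sends.
PROFILES = {"token-alice": "Alice, card ending 4242", "token-bob": "Bob, card ending 9876"}


class SharedCache:
    """Toy shared (CDN-style) cache: one store for every user, keyed by URL plus
    whatever request headers the response's Vary names."""

    def __init__(self):
        self.store = {}      # url -> list of cached entries
        self.origin_hits = 0

    @staticmethod
    def _directives(headers):
        out = {}
        for item in headers.get("Cache-Control", "").split(","):
            item = item.strip().lower()
            if item:
                name, _, value = item.partition("=")
                out[name] = value
        return out

    def fetch(self, url, req_headers, origin, now=None):
        now = time.time() if now is None else now
        for entry in self.store.get(url, []):
            # Vary: only reuse an entry stored for the same values of those headers.
            if entry["varies_on"] != {h: req_headers.get(h) for h in entry["vary"]}:
                continue
            d = self._directives(entry["headers"])
            if "no-cache" not in d and now - entry["stored_at"] < int(d.get("max-age") or 0):
                return entry["status"], entry["body"], "HIT"
        self.origin_hits += 1
        status, headers, body = origin(url, req_headers)
        d = self._directives(headers)
        # A shared cache must never store private or no-store responses.
        if "no-store" not in d and "private" not in d and int(d.get("max-age") or 0) > 0:
            vary = [v.strip() for v in headers.get("Vary", "").split(",") if v.strip()]
            self.store.setdefault(url, []).append({
                "stored_at": now, "status": status, "headers": headers, "body": body,
                "vary": vary, "varies_on": {h: req_headers.get(h) for h in vary},
            })
        return status, body, "MISS"


def make_origin(profile_cache_control, vary=None):
    """Origin server whose /api/me Cache-Control header is the thing under test."""
    def origin(url, req_headers):
        if url.startswith("/static/"):
            # Pattern 1: content-addressed asset, safe to cache for a year.
            return 200, {"Cache-Control": "public, max-age=31536000, immutable"}, "console.log('app 3f9a')"
        headers = {"Cache-Control": profile_cache_control}
        if vary:
            headers["Vary"] = vary
        return 200, headers, PROFILES.get(req_headers.get("Authorization", ""), "anonymous")
    return origin


def profile_seen_by_bob(profile_cache_control, vary=None):
    """Alice loads /api/me through the shared cache first, then Bob; returns
    what Bob's app renders."""
    cache = SharedCache()
    origin = make_origin(profile_cache_control, vary)
    cache.fetch("/api/me", {"Authorization": "token-alice"}, origin, now=1000)
    _, body, _ = cache.fetch("/api/me", {"Authorization": "token-bob"}, origin, now=1001)
    return body


def static_asset_origin_hits(requests=3):
    """Pattern 1 in action: repeated fetches of an immutable asset hit the origin once."""
    cache = SharedCache()
    origin = make_origin("private, no-store")
    for i in range(requests):
        cache.fetch("/static/app.3f9a.js", {}, origin, now=1000 + i)
    return cache.origin_hits


if __name__ == "__main__":
    print("public, max-age=60 ->", profile_seen_by_bob("public, max-age=60"))
    print("private, no-store  ->", profile_seen_by_bob("private, no-store"))
    print("public + Vary      ->", profile_seen_by_bob("public, max-age=60", vary="Authorization"))
    print("static origin hits ->", static_asset_origin_hits())
```

With "public, max-age=60" on the profile endpoint Bob is shown Alice's profile: the cache has no idea the body depends on who asked. "private, no-store" (or "private, no-cache" if the browser may keep a revalidated copy) keeps the response out of every shared cache; Vary: Authorization also works but leaves a copy of each user's data sitting in the CDN, so private is the safer default for anything personal.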

Write Amplification Explained in Backend Apps, Database Systems and SSDs

April 05, 2021 00:16 - 22 minutes - 15.4 MB

Write amplification is a phenomenon where the writes that physically happen are a multiple of the writes actually requested. In this episode, I'll discuss 3 types of write amplification and their effects on the performance and lifetime of storage media. 0:00 intro 2:00 Application write amplification 4:30 Database write amplification 9:30 SSD Disk write amplification 16:00 SSD hates BTrees 20:00 summary Resources https://en.wikipedia.org/wiki/Write_amplification https://www.cyberte...

DNS issue impacting multiple Microsoft services on April’s fool day (with Bonus content)

April 04, 2021 01:07 - 26 minutes - 15.3 MB

Microsoft had an outage on April 1st that was caused by a DNS surge; let us discuss this. As a bonus, I'll also discuss the outage that happened on March 18th (CPU 100% utilization). RCA - DNS issue impacting multiple Microsoft services (Tracking ID GVY5-TZZ) Summary of Impact: Between 21:21 UTC and 22:00 UTC on 1 Apr 2021, Azure DNS experienced a service availability issue. This resulted in customers being unable to resolve domain names for services they use, which resulted in intermittent failures a...

My Python CRUD App hits 2 million rows, Should I Shard my Database?

April 03, 2021 04:00 - 21 minutes - 12.2 MB

Hey Hussein, I have a 2 million row table used in my CRUD Python app. I'm worried that as the table grows my inserts will slow down; should I consider sharding my database or partitioning the table? Thank you. I'm a fan of simplicity in design: if I can do it on one machine, I'll do it. Sharding/Partitioning are all great. Inserts are fast, queries are slow. 0:00 inserts can be slow 3:00 indexes/stored procedures; selects, updates, and deletes can be slow 12:00 add proper indexes....

My Python CRUD App hit 2 million rows, Should I Shard my Database?

April 03, 2021 04:00 - 21 minutes - 19.7 MB

Hey Hussein, I have a 2 million row table used in my CRUD Python app. I'm worried that as the table grows my inserts will slow down; should I consider sharding my database or partitioning the table? Thank you. I'm a fan of simplicity in design: if I can do it on one machine, I'll do it. Sharding/Partitioning are all great. Inserts are fast, queries are slow. 0:00 inserts can be slow 3:00 indexes/stored procedures; selects, updates, and deletes can be slow 12:00 add proper indexes. simplicity win...

cURL TLS 1.3 session ticket proxy host mixup Vulnerability

March 31, 2021 18:20 - 9 minutes - 5.69 MB

Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes. When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy with ones from the remote server, work as if they arrived from the remote server, and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2, when the session IDs were provided only during the TLS handshake, while in TLS ...

PHP’s Source Code hacked - Two Remote Code execution added to the Git server, let us discuss

March 31, 2021 00:58 - 8 minutes - 5.03 MB

Two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server. The commits were found and reverted two hours after they were committed. PHP is moving to GitHub as a result. Article https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/

What happens when your Backend Web Server Certificate Private Key is Leaked?

March 28, 2021 04:02 - 24 minutes - 22.7 MB

We have been told to take care of the private key we use on backend servers without clear instructions as to what could happen when that key is leaked. In today's backend engineering show I discuss exactly what could go wrong when your backend server's private key is leaked. Let us discuss. Intro 0:00 What is a Certificate? 1:10 Where is the Private Key used? 4:10 TLS 1.2 with RSA 4:20 Why RSA is no longer used 9:00 TLS 1.3 & TLS 1.2 Digital Signature 12:00 How often should you recycle...

What happens when your Web Server Private Key is Leaked?

March 28, 2021 04:02 - 24 minutes - 16.9 MB

We have been told to take care of the private key we use on backend servers without clear instructions as to what could happen when that key is leaked. In today's backend engineering show I discuss exactly what could go wrong when your backend server's private key is leaked. Let us discuss. Intro 0:00 What is a Certificate? 1:10 Where is the Private Key used? 4:10 TLS 1.2 with RSA 4:20 Why RSA is no longer used 9:00 TLS 1.3 & TLS 1.2 Digital Signature 12:00 How often...

Researcher bypasses Google, Azure, and Cloudflare Reverse Proxy Security - HTTP/2 Smuggling (h2c)

March 26, 2021 18:50 - 14 minutes - 13.1 MB

6 months ago, Jake Miller released a blog article and a Python tool describing H2C smuggling, or HTTP/2 over cleartext smuggling. By using an obscure feature of HTTP/2, an attacker could bypass authorization controls on reverse proxies.   Sean managed to leverage Jake's original research to bypass reverse proxy rules; let's discuss.  My original video on Jake's h2c smuggling https://youtu.be/B2VEQ3jFq6Q This article  https://blog.assetnote.io/2021/03/18/h2c-smuggling/ --- Send in a voice messa...

Researcher bypasses Azure, and Cloudflare Reverse Proxy Security - HTTP/2 Smuggling (h2c)

March 26, 2021 18:50 - 14 minutes - 9.72 MB

6 months ago, Jake Miller released a blog article and a Python tool describing H2C smuggling, or HTTP/2 over cleartext smuggling. By using an obscure feature of HTTP/2, an attacker could bypass authorization controls on reverse proxies.   Sean managed to leverage Jake's original research to bypass reverse proxy rules; let's discuss.  My original video on Jake's h2c smuggling https://youtu.be/B2VEQ3jFq6Q This article  https://blog.assetnote.io/2021/03/18/h2c-smuggling/
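The mechanism behind the two h2c smuggling episodes above, as an added Python example (constructed here; not the podcast's code and not Jake Miller's or Assetnote's tool). The cleartext HTTP/2 upgrade is requested with three headers: Upgrade: h2c, HTTP2-Settings, and a Connection header naming both. A proxy that forwards those headers untouched lets a backend answer 101 Switching Protocols, after which the proxy relays an opaque tunnel and its per-path rules never see the HTTP/2 streams inside it. The block parses a constructed attacker request, flags the upgrade attempt, and shows the header filtering a proxy should apply at the edge (RFC 7230 section 6.1 hop-by-hop handling, plus an explicit allow-list of upgrades the proxy actually mediates). The request bytes, the host names and the function names are assumptions; the HTTP2-Settings value is a valid base64url SETTINGS payload (MAX_CONCURRENT_STREAMS=100, INITIAL_WINDOW_SIZE=65535) constructed for the example.

```python
# Hop-by-hop headers per RFC 7230 s6.1; a proxy must not forward them as-is.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Constructed attacker request: a path the proxy allows, carrying an h2c upgrade.
ATTACK_REQUEST = (
    b"GET /public/ping HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Upgrade: h2c\r\n"
    b"HTTP2-Settings: AAMAAABkAAQAAP__\r\n"
    b"Connection: Upgrade, HTTP2-Settings\r\n\r\n"
)

# Constructed legitimate WebSocket handshake the same proxy is expected to pass.
WEBSOCKET_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, target, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, headers


def is_h2c_upgrade(headers):
    """True when the request asks for the cleartext HTTP/2 upgrade (RFC 7540 s3.2).
    Worth logging at the edge even when the proxy strips it."""
    return any(name.lower() == "upgrade" and "h2c" in value.lower()
               for name, value in headers)


def forward_headers(headers, allowed_upgrades=("websocket",)):
    """Headers a reverse proxy should pass to the backend: drop every hop-by-hop
    header and every header the client named in Connection, and pass Upgrade
    through only for protocols the proxy itself understands and mediates."""
    named_in_connection = set()
    upgrade = None
    for name, value in headers:
        lname = name.lower()
        if lname == "connection":
            named_in_connection |= {t.strip().lower() for t in value.split(",")}
        elif lname == "upgrade":
            upgrade = value.strip().lower()
    keep_upgrade = upgrade in allowed_upgrades
    out = []
    for name, value in headers:
        lname = name.lower()
        if keep_upgrade and lname == "connection":
            out.append((name, "Upgrade"))   # re-emit only the token we honour
        elif keep_upgrade and lname == "upgrade":
            out.append((name, value))
        elif lname in HOP_BY_HOP or lname in named_in_connection:
            continue                          # Upgrade, HTTP2-Settings, Connection all go
        else:
            out.append((name, value))
    return out


if __name__ == "__main__":
    for raw in (ATTACK_REQUEST, WEBSOCKET_REQUEST):
        method, target, headers = parse_request(raw)
        print(method, target, "h2c attempt:", is_h2c_upgrade(headers))
        print("  forwarded:", forward_headers(headers))
```

The vulnerable proxies in the article forwarded the upgrade because they treated Upgrade and HTTP2-Settings like any other header; dropping everything the Connection header names, and allowing Upgrade only for websocket (or whatever the proxy is configured to mediate), means the backend never sees the h2c request and cannot switch the connection into a tunnel the proxy stops inspecting. Where a backend has no reason to speak cleartext HTTP/2 at all, disabling h2c there is a second, independent layer.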

High severity flaw can crash your WebServer when using OpenSSL - Let us discuss

March 26, 2021 07:00 - 17 minutes - 12.2 MB

On Thursday, OpenSSL maintainers released a fix for two high severity vulnerabilities; let us discuss the impact. OpenSSL's two major vulnerabilities 0:00 Why OpenSSL 1:00 Bug 1 - Renegotiating TLS 1.2 (CVE-2021-3449) 3:50 Bug 2 - Cert verification bypass (CVE-2021-3450) 8:42 Update to OpenSSL 1.1.1k 12:30 Resources https://www.openssl.org/news/vulnerabilities.html https://arstechnica.com/gadgets/2021/03/openssl-fixes-high-severity-flaw-that-allows-hackers-to-crash-servers/

When is NodeJS Single Threaded and when is it multi-Threaded?

March 24, 2021 03:08 - 9 minutes - 6.25 MB

Node.js is a single-threaded, asynchronous, non-blocking JavaScript runtime, but it is not always single-threaded; there are occasions where Node.js uses multi-threading. So the questions we will try to answer in this video are: when is Node.js single-threaded, when does it use multi-threading, and how will that affect my app? Event Loop: a single thread that really just loops for callbacks 0:00 Threading in Node.js (libuv) 4:00 used for IO-intensive work: DNS queries, file system reads; CPU intensive c...

Slack's Migrating Millions of Websockets from HAProxy to Envoy, let's discuss

March 21, 2021 23:37 - 35 minutes - 24.5 MB

Slack started migrating from HAProxy to Envoy in their backend architecture. In this video, I'll discuss their recent article on moving the WebSockets portion, why they moved from HAProxy to Envoy, and their production plans. Resources Article https://slack.engineering/migrating-millions-of-concurrent-websockets-to-envoy/ RFC8441 https://tools.ietf.org/html/rfc8441 3:15 Websockets Crash Course https://youtu.be/XgFzHXOk8IQ 9:50 HAProxy Runtime API https://youtu.be/JjXUH0VORnE 20:...

Why WebSockets over HTTP/2 (RFC8441) is Critical for Effective Load Balancing and Backend Scaling

March 21, 2021 01:22 - 16 minutes - 12.9 MB

In this video, I'll discuss RFC8441, bootstrapping WebSockets with HTTP/2, which I believe is a critical protocol for allowing WebSocket tunneling to scale on the backend. We will also discuss the current state of proxy and backend support for this tech. Let us have a discussion. 0:00 Intro 3:00 WebSockets over HTTP/2 7:40 Proxy Support 13:15 Browser Support 14:00 Summary RFC 8441 Resources RFC8441 https://tools.ietf.org/html/rfc8441#section-4 nginx support https://trac.ngi...

How HTTP Compression Leaks Sessions and JWT - CRIME Explained and how HPACK in HTTP/2 fixes this

March 19, 2021 20:57 - 21 minutes - 14.5 MB

In this video we will explore one of the most popular side-channel attacks, CRIME (Compression Ratio Info-leak Made Easy), and the different ways to mitigate it.   Intro 0:00  * HTTP/1.1 SPDY header compression 4:00 * TLS compression  * Response body: attackers can't inject 13:00  * Mitigations  14:10      * HPACK/QPACK      * TLS Padding
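The compression oracle the CRIME episode describes, as an added Python example (constructed here; not the podcast's code and not the original CRIME tooling). The attacker controls part of a request (here the query string) and can make the victim's browser send it; the browser appends a cookie the attacker cannot read; if request headers are compressed with DEFLATE, a guess that matches the cookie's next byte gets folded into an LZ77 back-reference and the compressed request is shorter. The block uses zlib with Z_FIXED so the Huffman table is constant and only the back-references change the length, and sweeps eight alignments with 9-bit literals so a 7- or 8-bit saving always shows up in the byte count. The request shape, the cookie value, the alphabet and the padding trick are assumptions made for the example; the padding is modelled as bytes appended to the request, where a real attacker would vary the URL length instead.

```python
import string
import zlib

# Constructed victim cookie (not from the episode): the attacker knows the
# cookie name but not its value.
SECRET = b"7f3Kq9Zt"
KNOWN_PREFIX = b"session="
ALPHABET = (string.ascii_letters + string.digits).encode()


def build_request(attacker_query, secret, pad=b""):
    """What the victim's browser sends: attacker-chosen query, browser-added cookie
    (assumed request shape)."""
    return (b"GET /search?q=" + attacker_query + b" HTTP/1.1\r\n"
            b"Host: bank.example\r\n"
            b"Cookie: " + KNOWN_PREFIX + secret + b"\r\n\r\n" + pad)


def compressed_len(payload):
    """Bytes on the wire if the request were DEFLATE-compressed, as TLS compression
    and SPDY header compression did. Z_FIXED pins the Huffman table so only LZ77
    back-references move the length; raw deflate (wbits=-15) drops the zlib header."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15, 9, zlib.Z_FIXED)
    return len(comp.compress(payload) + comp.flush())


def oracle_cost(guess, secret):
    """Sum of compressed sizes over 8 paddings of distinct bytes >= 0x90, each a
    9-bit literal under fixed Huffman, so the stream crosses every bit alignment
    and a saving of 7 or 8 bits is visible in at least seven of the eight sums."""
    return sum(compressed_len(build_request(guess, secret, bytes(range(0xC0, 0xC0 + k))))
               for k in range(8))


def recover(secret, length):
    """Byte-at-a-time recovery: extend the known prefix with each candidate and keep
    the one that compresses best. `secret` is only passed in to model the browser
    adding it; the attacker code never inspects it."""
    recovered = b""
    for _ in range(length):
        best = min(ALPHABET, key=lambda ch: oracle_cost(KNOWN_PREFIX + recovered + bytes([ch]), secret))
        recovered += bytes([best])
    return recovered


if __name__ == "__main__":
    right = compressed_len(build_request(KNOWN_PREFIX + b"7", SECRET))
    wrong = compressed_len(build_request(KNOWN_PREFIX + b"x", SECRET))
    print("correct first byte:", right, "bytes; wrong guess:", wrong, "bytes")
    print("recovered:", recover(SECRET, len(SECRET)))
```

Why the mitigations in the episode work follows directly from the oracle: HPACK and QPACK index whole header fields and Huffman-code each value on its own, so an attacker-controlled header never shares a back-reference with the cookie, and TLS-level compression is simply gone from TLS 1.3. Padding only blunts the signal (the sweep above is the attacker's answer to naive padding); removing cross-field compression is what closes it.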

Twitter Mentions

@msft365status 2 Episodes
@hnasr 2 Episodes
@kezstew 1 Episode
@googlecloud 1 Episode
@lukasstefanko 1 Episode
@thebumblesec 1 Episode
@sleevi_ 1 Episode
@init_string 1 Episode
@lambdafu 1 Episode
@cramforce 1 Episode
@olesovhcom 1 Episode
@fastly 1 Episode
@jaffathecake 1 Episode
@xdavidhu 1 Episode
@therealrevk 1 Episode