12.xhtml 4.0 KB

<?php
/**
* <https://y.st./>
* Copyright © 2016 Alex Yst <mailto:copyright@y.st>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org./licenses/>.
**/
$xhtml = array(
'title' => 'Progress has been made by Qt, but Webkit doesn&apos;t actually understand the issue',
'body' => <<<END
<p>
I woke up this morning and found a letter in my inbox saying that the $a[SNI] bug in Qt had been labeled as important by the developers.
Mozilla reclassified my bug as being a bug in their $a[HTTP] handling, which means that they are actually taking notice.
Google was working on this bug before I told them about it.
It&apos;s been a short period of time since I submitted these reports, but those that have taken notice actually seem to care.
Both ellyjones and I thought that people would fail to realize that this is important.
There are more bugs to report to other Web browsers, as well as Wget and $a[cURL], but that will have to wait for now.
</p>
<p>
Later in the day, I received an email alerting me to a commit to Qt&apos;s code repository <a href="https://codereview.qt-project.org/#/c/152150/">fixing the bug</a>.
I&apos;m not sure if the commit is to the main repository or if this is some sort of pull request, but even if it&apos;s only a pull request, I doubt there&apos;s any reason to avoid accepting it.
The code has already been written and it fixes a known problem.
My best guess is that this is a pull request of sorts, as it shows a table listing different people that need to check the code and sign off on it.
The commit message even shows that they are properly leaving the Host header alone while fixing the $a[SNI] error.
I am so excited!
</p>
<blockquote>
<h6>Do not send the trailing dot of a hostname as part of the SNI</h6>
<p>
The SNI extension must not include the trailing dot, even though this is legitimate for the host header.
</p>
</blockquote>
<p>
Still later though, I received an email with bad news.
The Webkit people think that I&apos;m talking about in-browser certificate mismatch errors, not the malformed $a[SNI] host names that the browser is sending.
As they didn&apos;t understand what I meant, they <a href="https://bugs.webkit.org/show_bug.cgi?id=155378">don&apos;t think there&apos;s a problem</a>.
Unless I can get through to them what I really mean and convince them that there is a problem, nothing will be done about it.
</p>
<p>
I applied for four jobs today, looked into three places that turned out not to be hiring, and got a lead on a job that I will be able to look into on Monday.
</p>
<p>
I learned something very interesting from sfan5 of <a href="ircs://sbuk7aqcxkoyipwv.onion:49152/%23Minetest">#Minetest</a>.
As it turns out, the reason that some $a[Tor] exit nodes are able to access the freenode network isn&apos;t because freenode staff are too incompetent to implement the $a[Tor] $a[DNS] blacklist.
Instead, it&apos;s because these nodes are specifically whitelisted.
To be specific, $a[IP] addresses used by a $a[VPN] company called <a href="https://www.privateinternetaccess.com/">Private Internet Access</a> are allowed to access the freenode $a[IRC] network even if these $a[IP] addresses are currently used to relay traffic from the $a[Tor] network.
Furthermore, it appears that Private Internet Access is one of freenode&apos;s sponsors; the money that Private Internet Access pays freenode may very well be in part a bribe for whitelisting their $a[VPN] servers&apos; $a[IP] addresses.
</p>
END
);
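
The rule in the quoted Qt commit message (trailing dot dropped from the SNI name, kept in the Host header), as an added Python example that is not part of the original post or Qt's code. The function name `sni_and_host` is an assumption, and the IP-literal, IDN and port handling go beyond the single case the post describes.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def sni_and_host(url):
    """Return (sni_name, host_header) for a URL; sni_name is None for IP literals."""
    parts = urlsplit(url)
    host = parts.hostname  # lowercased; IPv6 brackets removed; trailing dot kept
    if not host:
        raise ValueError("URL has no host component")

    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None:
        # RFC 6066 section 3: literal IP addresses are not permitted in SNI.
        sni = None
        host_value = f"[{host}]" if ip.version == 6 else host
    else:
        # SNI carries ASCII (A-label) names, so IDNA-encode first.
        host_value = host.encode("idna").decode("ascii")
        # The one change the commit message describes: no trailing dot in SNI.
        sni = host_value[:-1] if host_value.endswith(".") else host_value

    # The Host header keeps the trailing dot and names any non-default port.
    port = parts.port
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        host_value = f"{host_value}:{port}"
    return sni, host_value


if __name__ == "__main__":
    # Constructed sample URLs.
    for url in ("https://y.st./", "https://example.com:8443/", "https://[2001:db8::1]/"):
        print(url, "->", sni_and_host(url))
```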