<?php
/**
 * <https://y.st./>
 * Copyright © 2016 Alex Yst <mailto:copyright@y.st>
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <https://www.gnu.org./licenses/>.
 **/
// Page data: the title is a single-quoted string, so its apostrophe must be escaped.
$xhtml = array(
'title' => 'Progress has been made by Qt, but Webkit doesn\'t actually understand the issue',
'body' => <<<END
<p>
I woke up this morning and found a letter in my inbox saying that the $a[SNI] bug in Qt had been labeled as important by the developers.
Mozilla reclassified my bug as being a bug in their $a[HTTP] handling, which means that they are actually taking notice.
Google was working on this bug before I told them about it.
It's been a short period of time since I submitted these reports, but those that have taken notice actually seem to care.
Both ellyjones and I thought that people would fail to realize that this is important.
There are more bugs to report to other Web browsers, as well as Wget and $a[cURL], but that will have to wait for now.
</p>
<p>
Later in the day, I received an email alerting me to a commit to Qt's code repository <a href="https://codereview.qt-project.org/#/c/152150/">fixing the bug</a>.
I'm not sure if the commit is to the main repository or if this is some sort of pull request, but even if it's only a pull request, I doubt there's any reason to avoid accepting it.
The code has already been written and it fixes a known problem.
My best guess is that this is a pull request of sorts, as it shows a table listing different people that need to check the code and sign off on it.
The commit message even shows that they are properly leaving the Host header alone while fixing the $a[SNI] error.
I am so excited!
</p>
<blockquote>
<h6>Do not send the trailing dot of a hostname as part of the SNI</h6>
<p>
The SNI extension must not include the trailing dot, even though this is legitimate for the host header.
</p>
</blockquote>
<p>
Still later though, I received an email with bad news.
The Webkit people think that I'm talking about in-browser certificate mismatch errors, not the malformed $a[SNI] host names that the browser is sending.
As they didn't understand what I meant, they <a href="https://bugs.webkit.org/show_bug.cgi?id=155378">don't think there's a problem</a>.
Unless I can get through to them what I really mean and convince them that there is a problem, nothing will be done about it.
</p>
<p>
I applied for four jobs today, looked into three places that turned out not to be hiring, and got a lead on a job that I will be able to look into on Monday.
</p>
<p>
I learned something very interesting from sfan5 of <a href="ircs://sbuk7aqcxkoyipwv.onion:49152/%23Minetest">#Minetest</a>.
As it turns out, the reason that some $a[Tor] exit nodes are able to access the freenode network isn't because freenode staff are too incompetent to implement the $a[Tor] $a[DNS] blacklist.
Instead, it's because these nodes are specifically whitelisted.
To be specific, $a[IP] addresses used by a $a[VPN] company called <a href="https://www.privateinternetaccess.com/">Private Internet Access</a> are allowed to access the freenode $a[IRC] network even if these $a[IP] addresses are currently used to relay traffic from the $a[Tor] network.
Furthermore, it appears that Private Internet Access is one of freenode's sponsors; the money that Private Internet Access pays freenode may very well be in part a bribe for whitelisting their $a[VPN] servers' $a[IP] addresses.
</p>
END
);