Web Development Reading List #171: Leaks, SHA-1 Collision, And Brotli

Phew, what a week! Due to an HTML-parsing bug, Cloudflare experienced a major data leak, and the first practical collision for SHA-1 was revealed as well. We should take these events as an occasion to reconsider if a centralized front-end load balancer that modifies your traffic is a good idea after all. And it’s definitely time to upgrade your TLS-certificate if you still serve SHA-1, too. Here’s what else happened this week.

Further Reading on SmashingMag: Link

• Next Generation Server Compression With Brotli¹
• Making Accessibility Simpler, With Ally.js²
• Team Collaboration And Closing Efficiency Gaps In Responsive Design³
• A Simple Workflow From Development To Deployment⁴

News Link

• Cloudflare experienced a memory leak caused by its document parser⁵. Here is the incident report by Cloudflare⁶.
• The fresh Safari Technology Preview 24⁷ added support for PerformanceObserver and added <link preload> as an experimental feature. Furthermore, they implemented the dynamic JavaScript import operator and suspended SVG animations on hidden pages.
• It was just a matter of time until browsers would stop accepting SHA-1 certificates. But this week, things took a sudden turn as Google researchers revealed the first practical collision for SHA-1, affirming the insecurity of the algorithm. As a result of this, starting from today, Mozilla will remote-update Firefox to not accept SHA-1 in certificates anymore⁸.

General Link

• How does your team review code? Ana Balica shares a useful checklist for reviewing your and your teammates code⁹.

Tools & Workflows Link

• Joseph Zimmerman introduces us to Webpack¹⁰. What I really like about this article is that it’s not another article sharing pre-built sets of configurations but that it explains every detail step-by-step.
• Oh shit, git!¹¹ Don’t be afraid of git anymore thanks to this emergency guide that helps you solve the most common problems with the versioning system.

¹²

Security Link

• Mitigating Cross-Site Request Forgery attacks has never been easy. Luckily, it seems that we now got a proper solution for it: Same-Site Cookies¹⁴. The only thing you need to do to make it work is adding SameSite to your existing Set-Cookie header. Of course, you should know how same-site cookies differ from “normal” cookies, but for most sites this should be easy to implement.
• A joint-venture of five journalists researched how the private security industry works and what price we as citizens pay for our security¹⁵.

Privacy Link

• It’s not your computer that is the most vulnerable device, it’s your smartphone. In fact, for a small amount of money, everyone can easily buy spyware¹⁶ that works on most Android phones. For iOS, things look a bit better unless the device is jailbroken. But this doesn’t necessarily mean that spyware doesn’t exist for that system as well.

Web Performance Link

• Thadee Trompetter shares insights into how Brotli can improve your site’s performance¹⁷ and why he relies on pre-compressing rather than doing it on the fly on the server.

¹⁸

JavaScript Link

• Manuel Matuzovic explains how to write JavaScript with accessibility in mind²⁰.

Going Beyond… Link

• A team at the MIT Media Lab invented a device that captures air pollution and turns the pollution into safe, high-quality ink for art²¹.
• The Institute For Energy Efficiency’s computing solutions group has a couple of interesting projects and data to share. For example, they try to figure out solutions to selectively shut down unnecessary components while retaining access to critical data. This is only one of their ambitious projects and shows how much potential there is when it comes to improving energy efficiency in our networks²².

²³

And with that, I’ll close for this week. If you like what I write each week, please support me with a donation²⁵ or share this resource with other people. You can learn more about the costs of the project here²⁶. It’s available via email, RSS and online.

— Anselm

Footnotes Link

1. 1 https://www.smashingmagazine.com/2016/10/next-generation-server-compression-with-brotli/
2. 2 https://www.smashingmagazine.com/2015/12/making-accessibility-simpler/
3. 3 https://www.smashingmagazine.com/2014/05/team-collaboration-closing-efficiency-gaps-responsive-design/
4. 4 https://www.smashingmagazine.com/2015/07/development-to-deployment-workflow/
5. 5 https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
6. 6 https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
7. 7 https://webkit.org/blog/7423/release-notes-for-safari-technology-preview-24/
8. 8 https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/
9. 9 https://ana-balica.github.io/2017/02/21/code-review-checklist/
10. 10 https://www.smashingmagazine.com/2017/02/a-detailed-introduction-to-webpack/
11. 11 http://ohshitgit.com/
12. 12 http://ohshitgit.com/
13. 13 http://ohshitgit.com/
14. 14 https://scotthelme.co.uk/csrf-is-dead/
15. 15 https://thecorrespondent.com/10221/security-for-sale-the-price-we-pay-to-protect-europeans
16. 16 https://motherboard.vice.com/en_us/article/i-tracked-myself-with-dollar170-smartphone-spyware-that-anyone-can-buy
17. 17 https://www.voorhoede.nl/en/blog/static-site-implosion-with-brotli-and-gzip/
18. 18 https://www.voorhoede.nl/en/blog/static-site-implosion-with-brotli-and-gzip/
19. 19 https://www.voorhoede.nl/en/blog/static-site-implosion-with-brotli-and-gzip/
20. 20 https://medium.com/@matuzo/writing-javascript-with-accessibility-in-mind-a1f6a5f467b9
21. 21 https://www.kickstarter.com/projects/1295587226/air-ink-the-worlds-first-ink-made-out-of-air-pollu
22. 22 http://transit.iee.ucsb.edu/research/computing/projects
23. 23 https://www.kickstarter.com/projects/1295587226/air-ink-the-worlds-first-ink-made-out-of-air-pollu
24. 24 https://www.kickstarter.com/projects/1295587226/air-ink-the-worlds-first-ink-made-out-of-air-pollu
25. 25 https://wdrl.info/donate
26. 26 https://wdrl.info/costs/

↑ Back to topTweet itShare on Facebook