Shared posts

25 Dec 13:28

Let’s Encrypt improves how we manage OCSP responses

Let’s Encrypt has improved how we manage Online Certificate Status Protocol (OCSP) responses by deploying Redis and generating responses on-demand rather than pre-generating them, making us more reliable than ever.

About OCSP Responses

OCSP is used to communicate the revocation status of TLS certificates. When an ACME agent signs a request to revoke a certificate, our Let’s Encrypt Certificate Authority (CA) verifies whether or not the request is authorized and if it is, we begin publishing a ‘revoked’ OCSP response for that certificate. Each time a relying party, such as a browser, visits a domain with a Let’s Encrypt certificate, they can request information about whether the certificate has been revoked and we serve a reply containing ‘good’ or ‘revoked’, signed by our CA, which we call an OCSP response.

An Enormous OCSP Response Load: 100,000 Every Second

Let’s Encrypt currently serves over 300 million domains, which means we receive an enormous number of certificate revocation status requests — fielding around 100,000 OCSP responses every second!

Normally 98-99% of our OCSP responses are handled by our Content Delivery Network (CDN). But there are times when our CDN has an issue resulting in Let’s Encrypt being required to directly accept a larger number of requests. Historically, we could effectively respond to a maximum of 6% of our OCSP response traffic on our own. Should the need arise for us to accept much higher than that, some of our systems might begin to take too long to return results, return significant numbers of errors, or even stop accepting new requests. Not an ideal situation for us, or the Internet.

Our inability to serve OCSP responses during an issue with one of our CDNs could result in a slowdown in users' browsing speed or not being able to connect to a website — or worse, Internet users unintentionally visiting domains for which a certificate has been revoked. Browsers react differently to unresponsive OCSP, but one thing was clear: our systems needed to handle these occasions much better.

Increasing our Reliability

After working on this throughout most of 2022, our engineers have dramatically improved our ability to independently serve OCSP responses. We did that by deploying Redis as an in-memory caching layer that helps protect our database by absorbing traffic spikes, whether due to CDN issues or our own actions, such as CDN cache clearing.

Pivot in Design

Our team developed a system architecture design to organize/change all of the various interconnected systems needed to make Redis trusted to serve our OCSP responses. Amidst the fervor of developing this design, our engineers identified a resource we could depend upon more heavily to simplify the overall architecture and still realize incredible reliability gains. Rather than pre-signing OCSP status responses at regular intervals, storing the results in a relational database, and asking Redis to keep copies—we could keep simple but authoritative certificate status information in our database. We could then leverage fast, concurrent signing power from our HSMs to Just-in-Time sign a fresh OCSP response, cache it in Redis, and return it to the requester. Thanks to this, the demands on the relational database became much lighter (especially total table-writes and write-contention), the speed was impressive, and Redis wasn’t holding anything that couldn’t be (very very quickly) regenerated.
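The sign-on-demand, cache-aside flow described above can be sketched as follows. This is an added example, not Let's Encrypt's code: a dict stands in for the relational status table, another dict for Redis, an HMAC for the HSM signature, and the TTL, the `purge_cache` option and the serial number are assumptions made for illustration.

```python
import hashlib
import hmac

SIGNING_KEY = b"constructed-demo-key"  # assumption: stand-in for an HSM-held CA key

class OnDemandResponder:
    """Status store is authoritative; the cache holds only regenerable responses."""

    def __init__(self, ttl_seconds, clock):
        self.status = {}      # serial -> "good" | "revoked" (stands in for the database)
        self.cache = {}       # serial -> (expires_at, response) (stands in for Redis)
        self.ttl = ttl_seconds
        self.clock = clock    # injectable clock so expiry can be exercised offline
        self.signatures = 0   # number of signing operations performed

    def _sign(self, serial, status, produced_at):
        # HMAC stands in for the CA signature; real OCSP responses are signed ASN.1.
        self.signatures += 1
        body = f"{serial}|{status}|{produced_at}".encode()
        sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
        return {"serial": serial, "status": status, "produced_at": produced_at, "sig": sig}

    def revoke(self, serial, purge_cache=False):
        self.status[serial] = "revoked"
        if purge_cache:                     # hypothetical option: drop the stale entry at once
            self.cache.pop(serial, None)

    def respond(self, serial):
        now = self.clock()
        entry = self.cache.get(serial)
        if entry and entry[0] > now:
            return entry[1]                 # cache hit: no database read, no signing
        status = self.status[serial]        # authoritative lookup; unknown serials out of scope
        response = self._sign(serial, status, now)
        self.cache[serial] = (now + self.ttl, response)
        return response

def demo():
    t = [0]
    r = OnDemandResponder(ttl_seconds=3600, clock=lambda: t[0])
    r.status["0a1b"] = "good"               # constructed serial number
    first, second = r.respond("0a1b"), r.respond("0a1b")
    r.cache.clear()                         # simulate losing the whole cache
    after_flush = r.respond("0a1b")         # regenerated from status alone
    r.revoke("0a1b")
    stale = r.respond("0a1b")               # cached "good" is served until it expires
    t[0] = 3601
    fresh = r.respond("0a1b")
    return [first["status"], second is first, after_flush["status"],
            stale["status"], fresh["status"], r.signatures]
```

In this sketch a revocation becomes visible only when the cached entry expires or is purged, so the cache lifetime bounds how long a stale 'good' answer can be served.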

Testing our Systems

The first test was to directly accept 1/16 of the requests by dropping a segment of our CDN cache. In that initial test we handled ~12,500 requests per second. Successive tests ratcheted up to 1/8th CDN cache drop, then 1/4th, then 1/2, then a 100% cache drop. With each ratcheting up of the test load we were able to monitor and glean insights as to how our deployment could handle the traffic. In the final test of 100% of requests, our systems remained responsive. This means that if we experience a spike in the number of OCSP responses we need to accept moving forward, we are equipped to handle them, dramatically reducing the risks to Internet users.

Supporting Let’s Encrypt

As a project of the Internet Security Research Group (ISRG), 100% of our funding comes from contributions from our community of users and supporters. We depend on their support in order to provide our public benefit services. If your company or organization would like to sponsor Let’s Encrypt please email us at sponsor@letsencrypt.org. If you can support us with a donation, we ask that you make an individual contribution.

19 Jul 12:45

My wife was outed to her father, and he had the most amazing response!

by /u/huff4bug

I just want to preface this post by saying that I just discovered this subreddit and I've never posted here before. I am apprehensive about this post because of the name of the group, but I have two X chromosomes, and this is my story. Sorry if this isn't an appropriate place to post this though.

I have never been a prouder wife than as of this very moment. My amazing wife, who is a trans woman, is the kind of person who can change the hearts and minds of prejudiced people just by being the kind, loving, selfless person she's always been. She was just outed to her father after hiding her gender identity from him for decades because he has always been very openly homophobic and transphobic. Of course, his acceptance is of the utmost importance to her since she has always lived her life to make him proud of her.

Just for clarification, my name is Linda. My wife's birth name is Joseph, so her dad calls her Joe since he had no idea until now that she didn't want to be known by her birth name.

This is the email he just sent to us:

"Hi Joe, I hope all is well with you & Linda. Your mom told me about the things you were into and I guess she expected me to be upset. I was not upset - I have come to respect you too much and along with the love I have always had for you, I just want you to know that I wish all the best for you and Linda. Love Always, Dad"

After this year of feeling mostly helpless as far as the bigotry and hatred in the world and even in our own family, I know this is just a small step, but it feels like we've finally started moving the mountain.

submitted by /u/huff4bug to /r/TwoXChromosomes
11 May 14:31

An Overview of Database Lifecycle Management

by Steve Jones

One of the ways in which many software development teams have tried to improve the quality of their output is by examining what has worked in other organizations and projects in the past. They look to experiment with new techniques and ideas, and to implement those items that work. This practice has allowed Agile, Scrum, OOP, XP, TDD, and other ideas to spread.

Across the decades that we have been using computers, there have been quite a few development models against which developers have measured themselves — the most well-known of which is the CMMI Model from Carnegie Mellon University.

25 Sep 21:19

ES6 Strings (and Unicode, ❤) in Depth

25 Sep 21:17

An Introduction to JavaScript Promises With Node.js

14 Mar 02:16

Replicant Hackers Find and Close Samsung Galaxy Back-door

by timothy
gnujoshua writes "Paul Kocialkowski (PaulK), a developer for the Replicant project, a fully free/libre version of Android, wrote a guest blog post for the Free Software Foundation announcing that while hacking on the Samsung Galaxy, they "discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a back-door that lets the modem perform remote file I/O operations on the file system." They then replaced the proprietary program with free software. While it may be a while before we can have a 100% free software microcode/firmware on the cellular hardware itself, isolating that hardware from the rest of your programming and data is a seemingly important step that we can take right now. At least to the FSF anyhow. What do others think: is a 100% free software mobile device important to you?"

20 Feb 15:29

Evaluating JIRA Agile: JIRA Agile is for everyone

by Dan Radigan

Transitioning to agile is a journey for all teams. Fortunately, JIRA Agile has powerful tools for scrum and kanban teams that will help them optimize their journey to agile. JIRA Agile is deeply integrated in JIRA’s powerful issue tracking platform, so when everyone in the organization uses JIRA, it’s easier to collaborate and get work done. Requirements can be broken down into manageable chunks of work and distributed across the organization, and company leadership can make informed decisions around the entire company with JIRA’s powerful reports.

Non-agile teams can be a part of evaluating JIRA Agile as well. To do this, they should structure work based on requirements and use a phase-based approach to get work done, ideally with a kanban board with swimlanes to organize work. Each team will have unique values and needs for visualizing work, and for many, JIRA Agile helps with this. Use the example here as a starting point to help you build your first board.

Optimize delivery with workflow

Workflow is a critical part of every team. Workflow defines how people work together in a repeatable fashion to deliver innovation out to the customer base. For example, many software teams have a predictable workflow to track development.  New to workflows? Check out my articles on building and using workflows.

Teams can implement their own workflow in JIRA Agile using its flexible column configuration. Each column can map to one or more states so that it’s easy to see what phase work is in and who is responsible for delivery.

JIRA Agile makes workflow come alive. When a team member is ready to hand off an issue, JIRA Agile highlights the next step for that issue.

Categorize work with swimlanes

Almost all projects have key functional areas of value they deliver to their customers organized into themes. Swimlanes aggregate issues on a kanban board so that it’s easy to see the flow of work within each area. JIRA’s powerful issue tracking platform has deep support for custom fields. Let’s add a custom field to track the theme of each issue. We can use a select list for the custom field theme.

Now that you’ve added a custom field named theme with a few options, go ahead and update a few issues with the new theme value.

Swimlanes use JQL, JIRA’s flexible query language. Let’s set up a swimlane to correspond with each theme.

You should now be able to see your agile board swimlanes aggregating issues into each theme.

Pro tip: Many teams use the top swimlane for critical and blocking issues so everyone is aware of high priority program issues. Use the JQL statement “priority in (Blocker, Critical)” for the first swimlane.

Drill down with quick filters

JIRA Agile’s quick filters provide an easy way to drill down to the next level of detail in your program. Some teams want to filter by version. Not a problem! Other teams use quick filters to see which issues were reported outside of the team. Quick filters also use JQL in the same way that swimlanes do.

Highlight risk quickly

Effective teams manage risk proactively rather than reactively. JIRA Agile supports flagging. Team members occasionally find impediments that need to be resolved by the team quickly. Flagging keeps an issue’s priority intact, but lets the team know that progress is blocked. To flag an issue, just right-click the issue and choose add flag. The issue’s background turns yellow to alert the team.

Once it’s resolved or a workaround is found, the flag can easily be removed as the issue is no longer critical.  Some teams also use card colors to highlight schedule sensitivity.  Check out how we use card colors to manage blogs.atlassian.com.

Transition to agile

As you can see, JIRA Agile helps make every team more productive. If the team decides to adopt agile practices, JIRA Agile makes the migration easier as it can leverage all of the team’s assets right inside of JIRA.

Many non-agile teams also engage in capacity planning. Check out our article on how to get more out of capacity planning in JIRA. Interested in learning more about agile? Check out Atlassian’s agile micro-site to learn more.

The post Evaluating JIRA Agile: JIRA Agile is for everyone appeared first on Atlassian Blogs.

04 Dec 07:26

Examples of Image Caption Animations with CSS3

by Ray Cheung

Here we have some examples of Image Caption Animations with CSS3 Transitions and Transforms. No JavaScript is used, so they work in modern browsers that support CSS3 animations. You can check the source code of the page to understand how the animation works.

Requirements: CSS3
Demo: http://hasinhayder.github.io/ImageCaptionHoverAnimation/
License: License Free

13 Sep 07:31

HelloRun™

by dotCore