• Goodbye StartSSL, Hello Let's Encrypt

    Mozilla is considering taking action against two Certificate Authorities, WoSign and StartCom, after an investigation into improper behavior, including failing to disclose that WoSign had bought StartCom outright.

    Read on →

  • Redirecting To An External Server May Leak Tokens In Headers

    While working on an HTTP API that serves binary files to client applications, I came upon some unexpected behavior.

    Read on →

  • The REPL: Issue 25 - August 2016


    Gary Bernhardt writes a great article on types, type systems and the differences in typing across programming languages. He clarifies some of the adjectives commonly associated with types: static, dynamic, weak, strong. It’s a very interesting read, as are some of the comments on the gist. Gary has also re-started his Destroy All Software screencast series: I haven’t watched any of the new ones, but I learned a lot from the old ones.

    CloudFlare, SSL and unhealthy security absolutism

    Troy Hunt explores the services that CloudFlare provides as a content delivery network (CDN), in particular with respect to SSL (or, more properly, TLS). As with most interesting things in life, it’s not black and white: CloudFlare is not evil – as some recent blog posts claim – and provides valuable services, but users need to be aware of what the security guarantees are, or more importantly what they are not. Security is hard and nuanced. The more you know…

    The Log: What every software engineer should know about real-time data’s unifying abstraction

    In the last few weeks I have been reading a lot on data pipelines. Many companies have been moving from a centralized database for all their data to distributed systems, which present a set of challenges. In particular: how to make the data produced in one system available to other systems in a robust and consistent manner. In this article Jay Kreps explains the Log in detail – the underlying abstraction necessary to understand database systems, replication, transactions, etc. The Log, in this context, refers to a storage abstraction: an append-only, totally ordered sequence of records, where the order is the order in which they were written. The article is long, but thorough and absolutely worth your time. Many of the concepts are similar to what is described in a post about Apache Samza, also an enlightening read.
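    To make the abstraction concrete, here is a small in-memory model of the Log. It is an added example written for this summary, not code from the post or from Jay Kreps’s article, and the class and method names (`Log`, `Consumer`, `materialize`, `demo`) are my own. It shows the three properties the article builds on: append is the only write, every record gets a monotonically increasing offset, and any derived state (a replica, a key/value table) is just the result of replaying the log from offset 0 up to some position.

```ruby
# Added example: a minimal append-only, totally ordered log with offsets.
# Not from the original post; names and sample data are constructed here.

class Log
  Record = Struct.new(:offset, :key, :value)

  def initialize
    @records = [] # index == offset; records are never reordered or mutated
  end

  # Append is the only write operation. Returns the new record's offset.
  def append(key, value)
    @records << Record.new(@records.size, key, value)
    @records.size - 1
  end

  # Read records starting at `offset`. Reading at the end returns [],
  # so a consumer can poll the same offset repeatedly and see nothing new.
  def read_from(offset, limit = 100)
    @records[offset, limit] || []
  end

  def size
    @records.size
  end
end

# A consumer's only state is its position in the log, which makes
# re-reading after a crash a matter of restarting from the saved offset.
class Consumer
  attr_reader :offset

  def initialize(log)
    @log = log
    @offset = 0
  end

  def poll
    batch = @log.read_from(@offset)
    @offset += batch.size
    batch
  end
end

# A key/value "table" is a materialized view: apply every record in order.
# Replaying up to an earlier offset rebuilds the table as it was then,
# which is how a lagging replica and a snapshot are the same thing.
def materialize(log, upto = log.size)
  log.read_from(0, upto).each_with_object({}) { |r, state| state[r.key] = r.value }
end

# Constructed sample writes and reads.
def demo
  log = Log.new
  log.append(:user1, "alice")
  log.append(:user2, "bob")
  log.append(:user1, "alice2") # later write to the same key wins in the view

  primary = materialize(log)            # current state
  replica_at_2 = materialize(log, 2)    # state of a replica that has applied 2 records

  consumer = Consumer.new(log)
  first = consumer.poll.map(&:offset)   # [0, 1, 2]
  second = consumer.poll                # nothing new yet
  log.append(:user3, "carol")
  third = consumer.poll.map(&:offset)   # [3]

  { primary: primary, replica_at_2: replica_at_2,
    first: first, second: second.size, third: third }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

    Run it with `ruby log_demo.rb`. The point to notice is that neither the consumer nor the materialized view needs anything beyond the offset to resume or rebuild: total order plus append-only is what makes replication and recovery a replay rather than a reconciliation.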

    Read on →

  • The REPL: Issue 24 - July 2016

    A Critique of the CAP Theorem

    Papers We Love San Diego is having their first meeting later this month, which unfortunately I won’t be able to attend. I was somewhat intimidated about reading Computer Science papers because of my lack of formal training, but Martin Kleppmann’s paper is very approachable. I found the paper very interesting and insightful and found that I was familiar with most of the concepts on which the paper is based. I’m looking forward to the next meeting.

    How To Explain Zero-Knowledge Protocols To Your Children

    A few hops away from a story on Hacker News, I found this whimsical introduction to Zero-Knowledge protocols, which I was ignorant of. If the topic piques your interest, read another introductory article.

    Ten Rules For Negotiating a Job Offer

    Salary negotiation can be uncomfortable. It’s a skill that we usually get to practice only once every few years. In the first part of a series, Haseeb gives out practical advice on how and why to negotiate your salary. I found the part about exploding offers particularly interesting. As it happens, last year I received an exploding job offer that was good until the end of the day! I played my cards pretty much as the author suggests: the company never relented. They would not give me any more time. I walked away without any regrets. That particular company’s high-pressure tactics, more than anything else, tell me that I would not have been a good fit.

    Read on →

  • The REPL: Issue 23 - June 2016

    Flirting with Crystal, a Rubyist Perspective

    AkitaOnRails writes on his perspective on Crystal – a new programming language that aims to be type-checked, compile to native code and have a syntax similar to Ruby. I have played with Crystal myself recently and found the discussion thoughtful and interesting. Lately, it seems that Crystal is gathering some steam, especially since Mike Perham ported Sidekiq and has been tweeting about it.

    My Candidate Description

    Erik Dietrich lays down the requirements that companies must meet for him to consider working for them. My list would certainly be different, but that is the point. There is high demand for Software Engineers. It might not hold for other industries, where people don’t have much choice but to take what is offered. Instead of taking the first option that is presented, let’s be more mindful of what we want from an employer.

    StartEncrypt considered harmful today

    Notwithstanding the cliché title, this article shows how easy it is to get security wrong. The tragic part is that the security flaws come from a Certificate Authority, StartCom. As it happens, it’s the CA used for the certificate of this very blog (at the time of writing). I’ll have to re-consider that decision soon. Also clear from the story is that Let’s Encrypt is putting some pressure on CAs – StartEncrypt was StartCom’s attempt to replicate its functionality. Some CAs are even trying to steal their brand.


    Unix tools have been around for a long time and haven’t changed much. Joey Hess took it upon himself to evaluate new simple tools that he thought were missing (and rejected some ideas in the process). I downloaded moreutils as soon as I read the descriptions. I am sure they will come in handy very soon. Kudos.

    Read on →