

The Backend Engineering Show with Hussein Nasser
Hussein Nasser
Welcome to the Backend Engineering Show podcast with your host Hussein Nasser. If you like software engineering you’ve come to the right place. I discuss all sorts of software engineering technologies and news with specific focus on the backend. All opinions are my own.
Most of my content in the podcast is an audio version of videos I post on my youtube channel here http://www.youtube.com/c/HusseinNasser-software-engineering
Buy me a coffee
https://www.buymeacoffee.com/hnasr
🧑🏫 Courses I Teach
https://husseinnasser.com/courses
Episodes

Feb 11, 2021 • 16min
He Hacked Into Apple and Microsoft with this genius trick
Guys, this is absolutely genius and nuts! I have never seen anything like this before. This guy got access to a PayPal package.json and saw some private package names, created public packages with similar names and made them do bad things, and because firewalls would shut down the usual call-home traffic, he used DNS.
DNS requests are practically safe, so firewalls allow them.
11:05 chrome root https://youtu.be/qpC1YH0FhuY
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Feb 7, 2021 • 7min
CQRS is probably the cause of the Microservices madness
Reads and writes don’t have to live in the same database, data model or even the same service. Let us discuss CQRS.
No separation
* One service that does both reads and writes
Partial separation
* You can keep one service, but the backend opens multiple connections to the same database using different users
Full separation
* Read services / write services
* Two databases, OLAP / OLTP
Pros
* Scalability
* Security
Cons
* Complex and very hard to follow, which is what we see with microservices
Resources
https://martinfowler.com/bliki/CQRS.html
http://codebetter.com/gregyoung/2010/02/16/cqrs-task-based-uis-event-sourcing-agh/

Feb 7, 2021 • 29min
Can China Block the New Encrypted Client Hello TLS Extension? Let us Discuss
In this video, I discuss the new TLS extension Encrypted Client Hello, a new mechanism to encrypt the entire client hello. It is very interesting and elegantly designed, but I have a few reservations and criticisms. Let us discuss.
Intro 0:00
Classic TLS with SNI 7:00
ESNI 9:30
ECH 12:30
Limitations and Problems 21:00
Let's say the backend server hosts example.com with the cert of example.com, and let us call this the “real” SNI. To support ECH, the same server should also host a client-facing cert; let's call it server-ech.com, with a corresponding server-ech.com cert. So your server IP address is hosting two domains: example.com and server-ech.com (the latter just to support ECH).
So when you perform an oDoH/DoH query looking for example.com, you get back the IP address of example.com (which is the same IP address as server-ech.com); you also get the ephemeral public key of example.com from the HTTPSSVC DNS record, which will be used to encrypt the inner client hello; and finally you get a record of the front-facing server domain name, which is server-ech.com.
The client prepares the TLS ECH: it builds the outer client hello with the SNI value set to server-ech.com, and the inner client hello with the real SNI (example.com) alongside ALPN and other fields.
It then uses the public key of example.com retrieved from the HTTPS DNS record to encrypt the inner client hello, and sends the ECH.
The server receives the ECH and attempts to decrypt the inner client hello with the corresponding ephemeral private key; if it succeeds, it completes the server hello and key exchange as normal.
If it fails to decrypt the inner client hello with its own private key, that means the public key used was stale, outdated, bad, etc. The server then falls back to the outer client hello and checks: do I have server-ech.com? Yes, I have a cert for that, so it finishes the key exchange and server hello with that instead, and by the way, here is my REAL public key for example.com so you can use it for future ECHs. The public key is going to be encrypted for sure (that was something not clear in the article) because it's TLS 1.3 and things are immediately encrypted from the server. The client then finishes the handshake, learns the new public key, immediately terminates the connection, and re-establishes it with a brand new encrypted inner client hello that uses the new server public key, which we know this time is going to work.
I can imagine getting into an infinite loop if the server accidentally gave a wrong public key. Also, some cons of ECH come to mind: the larger client hello, plus the additional backend management to host that client-facing server and cert. Another question: what if I’m hosting 100 domains on my single IP address, do I get a single ephemeral public key for ECH, or is it per domain? And how does my server know which private key to use to decrypt, does it just try them one by one, or is there an indication of which public key was used to encrypt the inner client hello? (I’m guessing there is.)
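The exchange described above, as an added example that is not from the podcast or from any TLS or ECH implementation: a Python simulation of the outer and inner client hello, the server's key lookup, the fallback to the client-facing cert together with a fresh config, and a bounded retry so that a server handing out wrong keys cannot loop the client forever. The toy Diffie-Hellman group, the HMAC keystream, the names server-ech.com and example.com, and the EchServer, KeyRotatingServer and connect helpers are all assumptions standing in for HPKE and a real handshake. The config id that picks the key on the server side is my reading of the ECH draft (the outer hello carries a one-byte config identifier), and one config serving every name behind the same client-facing server is how the simulation answers the last question in the notes.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (a Mersenne prime, small generator). Real ECH uses
# HPKE (e.g. X25519 + HKDF + AES-GCM); this stand-in only makes the flow runnable.
P = (1 << 127) - 1
G = 5


def keygen():
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)


def _kdf(shared, label):
    return hmac.new(shared.to_bytes(16, "big"), label, hashlib.sha256).digest()


def _stream(shared, n):
    return b"".join(_kdf(shared, b"ks" + i.to_bytes(4, "big")) for i in range(n // 32 + 1))


def seal(pk, plaintext):
    """Encrypt to a public key: ephemeral DH, HMAC keystream, HMAC tag."""
    e, epk = keygen()
    shared = pow(pk, e, P)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(shared, len(plaintext))))
    tag = hmac.new(_kdf(shared, b"mac"), ct, hashlib.sha256).digest()
    return epk, ct, tag


def open_(sk, epk, ct, tag):
    """Decrypt with a private key; None when the key does not match (stale config)."""
    shared = pow(epk, sk, P)
    expect = hmac.new(_kdf(shared, b"mac"), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(shared, len(ct))))


class EchServer:
    """Client-facing server: one public name in front of several real names (assumed model)."""

    def __init__(self, public_name, real_names):
        self.public_name = public_name
        self.real_names = set(real_names)
        self.config_id = 0
        self.keys = {}          # config_id -> private key; old ids vanish on rotation
        self.rotate()

    def rotate(self):
        self.config_id += 1
        sk, self.public_key = keygen()
        self.keys = {self.config_id: sk}

    def ech_config(self):
        """What the HTTPS DNS record would publish for every name behind this server."""
        return {"public_name": self.public_name, "config_id": self.config_id,
                "public_key": self.public_key}

    def handle(self, hello):
        ech = hello["ech"]
        sk = self.keys.get(ech["config_id"])          # config id selects the key to try
        inner = open_(sk, ech["enc"], ech["payload"], ech["tag"]) if sk else None
        if inner is not None:
            real_sni = inner.decode()
            if real_sni in self.real_names:
                return {"status": "accepted", "sni": real_sni, "cert": real_sni}
            return {"status": "rejected", "reason": "unknown inner SNI"}
        # Decryption failed: finish for the outer SNI and hand back a current config.
        if hello["outer_sni"] != self.public_name:
            return {"status": "rejected", "reason": "unknown outer SNI"}
        return {"status": "retry", "cert": self.public_name, "retry_config": self.ech_config()}


class KeyRotatingServer(EchServer):
    """Constructed failure mode: a new key on every hello, so retries never converge."""

    def handle(self, hello):
        self.rotate()
        return EchServer.handle(self, hello)


def connect(server, dns_config, real_sni, max_attempts=2):
    """Client side. Returns (final server response, attempts used)."""
    config = dns_config
    for attempt in range(1, max_attempts + 1):
        enc, payload, tag = seal(config["public_key"], real_sni.encode())  # inner hello
        hello = {"outer_sni": config["public_name"],
                 "ech": {"config_id": config["config_id"], "enc": enc,
                         "payload": payload, "tag": tag}}
        resp = server.handle(hello)
        if resp["status"] != "retry":
            return resp, attempt
        config = resp["retry_config"]   # close, reconnect with the fresh key
    return {"status": "failed", "reason": "ECH retry limit reached"}, max_attempts
```

Running connect against an EchServer whose key was rotated after the DNS record was fetched takes two attempts: the first lands on the server-ech.com cert and returns a retry config, the second decrypts. Against KeyRotatingServer the client gives up after max_attempts instead of reconnecting indefinitely, which is the guard the notes ask about.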
https://blog.cloudflare.com/encrypted-client-hello/

Feb 4, 2021 • 21min
UUIDs are Bad for Performance in MySQL - Does Postgres Win? Let us Discuss
MySQL is clustered by default on the primary key, which means inserts have to be ordered. Let us discuss why UUIDs (random in nature) have bad performance in MySQL and whether Postgres wins here. We will also explain why sequential writes are faster than random writes in MySQL and
https://www.percona.com/blog/2019/11/22/uuids-are-popular-but-bad-for-performance-lets-discuss/

Feb 2, 2021 • 19min
They Freed up 70GB of Unused Indexes Space on Postgres, How did they Do it?
This is a very interesting article that I encourage you to read, as it has lots of useful lessons in Postgres. Using partial indexes, full vacuum, dropping unused indexes and much more helped this company save 70GB worth of disk space.
https://hakibenita.com/postgresql-unused-index-size

Feb 1, 2021 • 19min
How do I learn new tech as a software engineer
In this video I discuss my approach to learning new technology and how I break it down so I understand it. Hope it helps.

Jan 31, 2021 • 25min
Overview of InterPlanetary File System - IPFS with (Examples with Command line & Brave Browser)
The InterPlanetary File System (IPFS) is a protocol and peer-to-peer network for storing and sharing data in a distributed file system. IPFS uses content-addressing to uniquely identify each file in a global namespace connecting all computing devices.
Intro 0:00
Why IPFS? 2:00
Explain the original web model and its limitations
* Content addressing instead of location addressing
* Decentralized content distributed among peers
Content 3:30
* Content is hashed into a CID
* Content is immutable; each update generates a new CID
* Content addressing
Routing 4:30
* A Distributed Hash Table (DHT) maps CIDs to peer IP addresses
* A DHT server hosts content and a copy of the DHT
Publishing Content 6:30
* New content that you want to share on IPFS
* Hash the content, creating a new CID
* Update your local DHT with CID / your IP address
* The DHT update is propagated to all peers (the DHT entry, NOT the content)
* People searching for your CID will be connected to you and only you.
Consuming Content 8:48
* An IPFS client (DHT client) wants to consume ipfs://cid/
* The IPFS client consults its local DHT table to see where this CID is located, and gets back a collection of IP addresses
* The client connects to some or all of the peers found hosting that CID
* The client downloads chunks of the content from each peer, so it speeds up
* Once the client has the content, it also updates its local DHT table to record that it now hosts that CID too (if it supports being a DHT server)
* The new updated DHT is propagated across peers
IPFS Overview (Diagrams) 11:30
Demo 13:45
More Information 18:30
Immutable Content
* If content gets updated, the URI changes; how do I inform the user?
* Hash the public key of the user instead and share that
Brand new client/server
* I know nothing about the network (Bootstrapping)
* You will be bootstrapped with a collection of IP addresses to start you up.
More
* IPFS gateway
* IPFS name server (IPNS)
* Solve content
* Deleting content (once another node hosts it, there is no way to delete it from their network)
NAT traversal
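The publishing and consuming flows from the outline above, as an added example that is not from the podcast or from the IPFS project: a Python simulation in which a CID is a plain SHA-256 hex digest (real CIDs are self-describing multihashes), a shared dict stands in for the DHT, and the Peer class, content_id helper, 8-byte chunk size and 10.0.0.x addresses are constructed for the example. It shows that an edit yields a new CID, that a consumer verifies every chunk against its hash before accepting it, that the consumer then registers itself as a provider, and that a publisher dropping its copy does not remove the content from peers that already fetched it.

```python
import hashlib

CHUNK_SIZE = 8          # constructed: tiny chunks so the example is readable


def content_id(data):
    """Simplified CID: hex SHA-256 of the bytes (real CIDs are multihashes)."""
    return hashlib.sha256(data).hexdigest()


class Peer:
    """One IPFS-like node. `dht` is a shared dict: root CID -> set of provider addresses."""

    def __init__(self, addr, dht):
        self.addr = addr
        self.dht = dht
        self.blocks = {}    # cid -> bytes, both chunks and root manifests

    def publish(self, data):
        """Chunk the content, hash every chunk, build a root node, announce the root CID."""
        chunks = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]
        links = [content_id(c) for c in chunks]
        self.blocks.update(zip(links, chunks))
        manifest = "\n".join(links).encode()       # root = ordered list of chunk CIDs
        root = content_id(manifest)
        self.blocks[root] = manifest
        self.dht.setdefault(root, set()).add(self.addr)   # DHT learns CID -> address, not content
        return root

    def serve(self, cid):
        return self.blocks.get(cid)

    def fetch(self, root, network):
        """Resolve providers via the DHT, pull chunks from them, verify, then provide it too."""
        providers = sorted(self.dht.get(root, ()))
        if not providers:
            raise KeyError("no provider for " + root)
        manifest = network[providers[0]].serve(root)
        if manifest is None or content_id(manifest) != root:
            raise ValueError("root node failed verification")
        links = manifest.decode().split("\n") if manifest else []
        data = bytearray()
        for i, link in enumerate(links):
            peer = network[providers[i % len(providers)]]   # spread chunks across providers
            chunk = peer.serve(link)
            if chunk is None or content_id(chunk) != link:
                raise ValueError("chunk failed verification: " + link)
            self.blocks[link] = chunk
            data += chunk
        self.blocks[root] = manifest
        self.dht.setdefault(root, set()).add(self.addr)   # this node now serves the CID as well
        return bytes(data)

    def unpublish(self, root):
        """Stop providing a root locally; copies that other peers already hold stay available."""
        self.blocks.pop(root, None)
        self.dht.get(root, set()).discard(self.addr)


if __name__ == "__main__":
    dht = {}
    origin, reader = Peer("10.0.0.1", dht), Peer("10.0.0.2", dht)
    network = {p.addr: p for p in (origin, reader)}
    root = origin.publish(b"hello ipfs world, content addressed")   # constructed content
    print(root, reader.fetch(root, network), sorted(dht[root]))
```

Because `fetch` hashes each chunk before storing it, a provider that serves a tampered block is caught at the consumer, which is what makes it safe to pull pieces of one file from several untrusted peers at once.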
Resources
https://datatracker.ietf.org/meeting/interim-2020-dinrg-01/materials/slides-interim-2020-dinrg-01-sessa-an-overview-of-the-interplanetary-file-system-ipfs.pdf
https://www.youtube.com/watch?v=K4Usud4g4iY&feature=youtu.be&t=1008
https://twitter.com/hnasr/status/1353548949945163776?s=21
https://docs.ipfs.io/conce
🎙️Listen to the Backend Engineering Podcast
https://husseinnasser.com/podcast
🏭 Backend Engineering Videos
https://backend.husseinnasser.com
💾 Database Engineering Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQXjD0HOzN7P2tgzu7scWpl2
🏰 Load Balancing and Proxies Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQVMeBmWI2AhxULWEeo7AaMC
🏛️ Software Architecture Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQXNP6mQchJVP3S-3oKGEuw9
📩 Messaging Systems
https://www.youtube.com/playlist?list=PLQnljOFTspQVcumYRWE2w9kVxxIXy_AMo
Become a Member
https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join
Support me on PayPal
https://bit.ly/33ENps4
Join our Thriving Backend Community on Discord
https://discord.com/invite/CsFbFce
Stay Awesome,
Hussein

Jan 29, 2021 • 9min
This Certificate Authority is being banned from Google
It looks like digital certificates, and certificate authorities, issued by the Spanish certificate authority Camerfirma will stop working in Chrome 90, in April.
https://www.zdnet.com/article/google-bans-another-misbehaving-ca-from-chrome/
https://wiki.mozilla.org/CA:Camerfirma_Issues

Jan 28, 2021 • 8min
Is SELECT * Expensive?
I explain why and when SELECT * can become expensive.

Jan 24, 2021 • 17min
This YouTube Backend API Leaks Private Videos - Research rewarded $5000
David Schütz, a security researcher, earned $5,000 from the Google VRP by finding a backend YouTube API that leaks private video thumbnails. Let us discuss how he did that.
Resources
https://bugs.xdavidhu.me/google/2021/01/11/stealing-your-private-videos-one-frame-at-a-time/
Twitter @xdavidhu https://twitter.com/xdavidhu


