> Isn’t session token theft as much of an issue as JWT token theft? Why is there a difference in security just because in one case it’s a JSON blob that says user_id:4,is_admin:false and in the other it’s an opaque string? Surely session tokens are equally vulnerable to XSS as JWT tokens?
The difference is that if your session cookie uses HttpOnly (which should _always_ be the case) then it can’t be read by JS, which makes it less vulnerable to XSS than a JWT (or worse, a refresh token) stored in a cookie by the client or localstorage and therefore accessible to JS. Basically, you have to be more careful with how you handle JWTs, which makes it more likely for an inexperienced or careless dev to do something insecure like store a JWT in localstorage.
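As an added illustration of the point in the reply above (example code, not part of the original comments): a small Node.js helper that emits a session cookie carrying HttpOnly, Secure and SameSite, plus an audit function that flags Set-Cookie headers missing any of them. The `scriptReadable` field is the XSS-relevant bit: a cookie without HttpOnly is exactly as exposed to injected script as a JWT in localStorage. The functions, cookie names and values are constructed for this example.

```javascript
// Added example (not from the original comment): build a session cookie
// header with HttpOnly so document.cookie cannot read it, and audit an
// arbitrary Set-Cookie header for the attributes a session cookie should carry.
// Plain Node.js, no dependencies. All names and values are constructed.

// Build a Set-Cookie value for an opaque session identifier.
function buildSessionCookie(name, value, { maxAge = 3600 } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("invalid cookie name");
  if (/[;,\s"]/.test(value)) throw new Error("invalid cookie value");
  return [
    `${name}=${value}`,
    "Path=/",
    `Max-Age=${maxAge}`,
    "HttpOnly",     // hidden from document.cookie, so injected script cannot read it
    "Secure",       // only sent over HTTPS
    "SameSite=Lax", // withheld on most cross-site requests
  ].join("; ");
}

// Parse a Set-Cookie value into its name, value and (lower-cased) attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((p) => p.trim()).filter(Boolean);
  if (!pair) throw new Error("empty Set-Cookie value");
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of rest) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Report which recommended attributes a Set-Cookie value is missing.
// scriptReadable is true whenever HttpOnly is absent.
function auditSessionCookie(header) {
  const { attributes } = parseSetCookie(header);
  const missing = [];
  if (!attributes.httponly) missing.push("HttpOnly");
  if (!attributes.secure) missing.push("Secure");
  if (!attributes.samesite) missing.push("SameSite");
  return { ok: missing.length === 0, missing, scriptReadable: !attributes.httponly };
}

// Constructed sample headers: one built by the helper, one as a careless app might emit it.
const GOOD_COOKIE = buildSessionCookie("sid", "c0ffee-opaque-session-id");
const BAD_COOKIE = "sid=c0ffee-opaque-session-id; Path=/";

console.log(GOOD_COOKIE);
console.log(auditSessionCookie(GOOD_COOKIE)); // { ok: true, missing: [], scriptReadable: false }
console.log(auditSessionCookie(BAD_COOKIE));  // { ok: false, missing: [ 'HttpOnly', 'Secure', 'SameSite' ], scriptReadable: true }
```

The audit is the kind of check worth running over a service's real response headers (for example in an integration test), since the attribute is easy to forget when a framework's cookie helper defaults it off.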
> How does it affect things? Does it affect request latency, or server time decoding the JSON?… Where is the latency introduced?
I think their point is that it’s faster not to hit the DB, assuming you aren’t hitting the DB for any other reason. Any performance optimisation should be justified and profiled. There aren’t many applications operating at a scale where the difference in performance between JWTs and session tokens is going to make a significant difference, and even fewer who can genuinely use JWTs without hitting the DB (eg, to ensure the JWT hasn’t been revoked).
> Part of me wonders whether the move to electric vehicles from ICE will resemble the move from CRT to LCD televisions. Less robust…
EVs are far more robust than ICEs on a mechanical level, as the number of moving parts is reduced by orders of magnitude. The problem is electronics, but this has been plaguing ICEs for over 30 years. There’s no reason for the electronics in an EV to be any less robust than an ICE, but we are going to see far fewer mechanical failures.
EV or ICE, it seems unlikely any of these cars will be running in 30 years let alone 50. Eventually the electronics fail to a point that is too difficult to diagnose or fix.
Case in point - had a friend with a mid 2000s Astra. Everything worked except for the left indicator. Eventually the car was written off as no one could fix it. The car was just over 10 years old at the time.
The other thing that worries me is how integrated modern headunits are. It used to be that when your headunit broke or became obsolete, you could just whack a new one in for a few hundred dollars, prolonging the life of your vehicle. Now even basic cars have fully integrated headunits making upgrades impossible. Even if the headunit continues to function, the technology is going to become so obsolete that they’ll be virtually useless in 20 years. I doubt the iPhone 35 will connect to a 2023 car. I guess people who buy new cars couldn’t care less about what happens to them in 20 years, which is an easy win for car manufacturers looking for ways to reduce the effective lifespan of their vehicles.
Yep, exactly. My personal vehicle is a 2000 model year Toyota. It has an incredibly good, stable, and modern CarPlay head unit from Sony, because back when the car was made we had standards like double-DIN head units and you could just plop in a new stereo. Which is exactly what I did, and now I have a "golden age" mechanically reliable, nigh-un-killable Toyota with a modern CarPlay head unit.
And as a bonus, I can adjust everything about the car (climate control, volume, overdrive, 4wd, ECT mode, etc) with real buttons and tactile feedback while going down a washboard track, without ever having to take my eyes off the road.
If anyone out there starts making EVs with the same bare-bones attitude (analog knobs and dials, no flashy infotainment system, double-DIN head unit slot, modern safety features and a simple ultra-reliable EV powertrain), sign me up. It'll probably never happen because there's not really an economic incentive right now to try to hit lower price-points in the EV market, everyone's going upmarket. But I'd still love to see somebody try.
One of my favourite things they’ve done recently is remove support for TOTP. Now, if you want 2FA, you have to download their proprietary Adobe Account Security app. This in turn requires you to provide a phone number, because unlike TOTP there’s no alternative method of backup.
I really do wonder why they removed an easy-to-use, known, secure, and trusted standard in favour of a clunky app that’s ultimately only as secure as a phone number (in reality less so as DIY security always results in holes). More vendor lock-in? Another avenue to harvest data?
Not that it really affects me as I no longer use any Adobe products.
These can be hidden using uBlock origin. I’ve got a list you can import (just use the raw link). The selector isn’t perfect in Google (sometimes leaves some unattached content) but the link is always removed. Feel free to submit a PR if you find any other SO clones - there seems to be no end to them.
I wouldn’t say I’m part of the community, but I’m certainly a fan of ZZT. A text-based game engine developed in 1991 by Tim Sweeney which still has a community going and new games being released to this day. I was able to make my way around it as a 14-year-old kid, which says a lot about its accessibility.
However, holders can’t opt themselves in; inexplicably this needs to be supported at the broker level. I’ve spoken to one of the large brokers who advised me they have no plans to support this feature.
These don’t go into the ear as far so aren’t painful. I feel the reduction in noise isn’t as good, but the frequency response is much more even. I wear these under noise cancelling headphones to watch TV and listen to music in total isolation. You do lose a bit of fidelity but it’s still very liveable.
Also, I get about 6 months to a year out of each pair which is less wasteful than foam earplugs.
And now we’ve come full-circle as 1Password 8 requires you to save your password prior to submitting the form instead of offering to save it after submission. Which is a huge regression as it results in this exact issue all over again.
Sadly, 1Password seems to just get worse and worse in terms of usability with each release. The latest incarnation has so many little annoyances that make me seriously consider switching. The one thing it's got going for it that really is kind of a killer feature for me is SSH key handling. It's super nice being able to sign your commits with Touch ID. Everything else is meh at best.
It's truly baffling how they manage to consistently make the software worse every single release. I was a huge fan of 1Password many years ago (and have been happy to pay for it throughout), but each successive release is more confusing and less reliable.
The UI isn't all that intuitive, the 'ask to save'/'ask to update' prompts don't work that well, but I don't really blame them because they are injecting into the DOM which usually changes. As someone else mentioned, it's a bit slow to sync and load sometimes. I wish it was more obvious when I have an existing session with the desktop app which can send a token to the browser extension to keep it loaded.
You can tell I'm really reaching for bad things to say about it, haha
The problem with using Apple password management on macOS is that I need vertical tabs. Only Vivaldi and Firefox provide them now and they don't use the macOS keychain.
But simpler vertical tabs are on Vivaldi, OmniWeb which had them since the mid 1990s but unfortunately has not kept up with allowing other extensions, Opera used to have them when it was not Chrome. Chrome had them at one stage but reading the issues on that the developers really showed a complete lack of understanding.
Gotcha. Thanks for clearing that up. And yes, the indentation of tabs is actually a good idea.
Although, iOS has tab groups now. I rarely use them because the menu is out of sight so I forget. But on macOS they’re convenient for when I’m researching a topic.
I love Bitwarden, but I don't understand why it takes 10 seconds to search a database with 100 entries (Android app, when searching for a saved password). It's aggravating.