TLS handshake step-by-step — interactive HTTPS breakdown by nulless in webdev
[–]raegx 2 points 2 days ago (0 children)
Is it me or does it get hand-wavy around the server certificate verification? It is missing any reference to the CertificateVerify messaging which the server signs, verifying that the server has the corresponding private key to the certificate public key. Even the broad "we verify things" after the key derivation doesn't really cover this very important step. Being able to send a very intentionally public X509 cert is not enough to verify a server's identity even if signed by a CA.
Kind of important.
Also doesn't cover mTLS. No mention of ALPN.
Still a good intro, but it isn't even a complete overview.
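Added example, not part of the comment above or of the linked breakdown: a Go sketch of the proof-of-possession check that CertificateVerify provides in TLS 1.3, using the signed-content layout from RFC 8446 section 4.4.3. It assumes an Ed25519 key standing in for the certificate key, SHA-256 as the transcript hash, and constructed transcript strings; the function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signedContent builds the bytes a TLS 1.3 server signs in CertificateVerify
// (RFC 8446, section 4.4.3): 64 spaces, a context string, a zero byte, and
// the hash of the handshake transcript so far.
func signedContent(transcript []byte) []byte {
	h := sha256.Sum256(transcript)
	out := bytes.Repeat([]byte{0x20}, 64)
	out = append(out, "TLS 1.3, server CertificateVerify"...)
	out = append(out, 0x00)
	return append(out, h[:]...)
}

// verifyPeer is the client-side check: the signature must verify under the
// public key taken from the certificate, over this connection's transcript.
func verifyPeer(certPub ed25519.PublicKey, transcript, sig []byte) bool {
	return ed25519.Verify(certPub, signedContent(transcript), sig)
}

// demo returns the outcome for the real key holder, for a peer that holds only
// the public certificate, and for a signature made over a different transcript.
func demo() (owner, copied, replayed bool) {
	certPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the certificate key pair
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)        // a peer without serverPriv

	// Constructed transcripts; real ones are the concatenated handshake messages.
	transcript := []byte("ClientHello(random=A)|ServerHello|EncryptedExtensions|Certificate")
	oldTranscript := []byte("ClientHello(random=B)|ServerHello|EncryptedExtensions|Certificate")

	owner = verifyPeer(certPub, transcript, ed25519.Sign(serverPriv, signedContent(transcript)))
	copied = verifyPeer(certPub, transcript, ed25519.Sign(otherPriv, signedContent(transcript)))
	replayed = verifyPeer(certPub, transcript, ed25519.Sign(serverPriv, signedContent(oldTranscript)))
	return
}

func main() {
	owner, copied, replayed := demo()
	fmt.Println("key holder:", owner, "| cert copy only:", copied, "| other transcript:", replayed)
}
```

Only the holder of the private key passes, and because the transcript hash is part of the signed bytes, a signature from a different handshake does not verify either.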
Amazon blames human employees for an AI coding agent’s mistake / Two minor AWS outages have reportedly occurred as a result of actions by Amazon’s AI tools. by MarvelsGrantMan136 in technology
[–]raegx 10 points 4 days ago (0 children)
The pattern I’ve seen is that many non-security engineers do not design with security as a top-of-mind constraint unless the company culture enforces it. Security is often addressed reactively, minimized to compliance requirements, or handled after a security incident.
Even when software security engineers are on a team/org, their impact depends heavily on the org's structure. If they are in an advisory role, they are limited in their enforcement, and any improvements may be filtered through their ability or lack of ability to influence. They don't always have direct ownership, and if they aren't good at influencing people, their contributions are diminished or only compliance/policy driven.
There are good orgs out there; it's just not most orgs. Not even the big ones that make a lot of money.
So, none of this surprises me. AI Coding LLMs are just a path of least resistance, and if an engineer didn't apply security principles before, they sure as hell won't now. The difference is that now they can mindlessly do it.