ralscha / blog2019

Source code for my 2019 blog posts: https://golb.hplar.ch

License: MIT License

Batchfile 0.04% HTML 8.05% TypeScript 21.75% CSS 0.05% JavaScript 12.15% Java 42.39% SCSS 15.06% Makefile 0.51%


blog2019's Issues

Const Stats is never used

At train.js line 41 const stats is set to cross validate the training data, but the variable is never used. The model.json never records model accuracy, only model parameters; is this because of the stats?

non-compliant form encoding

Just an FYI, the code here https://github.com/ralscha/blog2019/blob/master/java11httpclient/client/src/main/java/ch/rasc/httpclient/File.java#L69-L91

is not compliant with the RFC. From the RFC:

The boundary delimiter MUST occur at the beginning of a line, i.e., following a CRLF, and the initial CRLF is considered to be attached to the boundary delimiter line rather than part of the preceding part. The boundary may be followed by zero or more characters of linear whitespace.

The code adds a CRLF at the end of the file, so the 'part end' becomes compliant.

It should be adding a CRLF as part of the first boundary, otherwise the data stream looks like:

headerCRLF
header...CRLF
--boundary...

when it should be

headerCRLF
header...CRLF
CRLF--boundary...

I think most parsers will deal with this regardless, but I felt it should be noted.
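The CRLF placement described in this issue, as an added Python example that is not the repository's Java code: the encoder attaches the CRLF that ends a part to the following delimiter line, so the payload itself is never altered, and a small check flags a body in which a delimiter does not begin a line. The field names, boundary value and payloads are constructed for the example.

```python
"""multipart/form-data encoder with RFC 2046 delimiter placement (constructed example)."""

CRLF = b"\r\n"


def encode_multipart(parts, boundary):
    """Build a multipart/form-data body.

    parts: list of (name, filename_or_None, content_type_or_None, payload_bytes).
    The CRLF that terminates a part belongs to the next delimiter line, so each
    payload is written verbatim: a payload without a trailing newline stays that
    way, and one that ends in CRLF keeps it.
    """
    delim = b"--" + boundary.encode("ascii")
    out = bytearray()
    for name, filename, ctype, payload in parts:
        out += delim + CRLF                      # delimiter line (CRLF "--boundary" CRLF)
        disp = 'form-data; name="%s"' % name
        if filename is not None:
            disp += '; filename="%s"' % filename
        out += b"Content-Disposition: " + disp.encode("ascii") + CRLF
        if ctype:
            out += b"Content-Type: " + ctype.encode("ascii") + CRLF
        out += CRLF                              # blank line ends the part headers
        out += payload                           # body, exactly as given
        out += CRLF                              # belongs to the following delimiter line
    out += delim + b"--" + CRLF                  # closing delimiter
    return bytes(out)


def delimiters_start_lines(body, boundary):
    """True if every occurrence of "--boundary" is at offset 0 or directly after CRLF."""
    delim = b"--" + boundary.encode("ascii")
    pos = body.find(delim)
    while pos != -1:
        if pos != 0 and body[pos - 2:pos] != CRLF:
            return False
        pos = body.find(delim, pos + len(delim))
    return True
```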

This implementation is __INSECURE__.

Let's say I know a user account's password, or I guessed it, but I do not have their TOTP device. That is precisely the scenario TOTP is supposed to protect against.

And yet 6 hours later, I'm in their account. For sure. Guaranteed. If it's a nice server or it's hosting in a virtual park where I can trivially colocate right next to it in the network, maybe as little as half an hour. How?

I just keep guessing codes. Hey, at any given time, 5 TOTP codes are valid, and there are only a million codes, so, any time I guess, I have a 1 in 200,000 shot of getting lucky. Assuming I can make a request every 100msec (and that's being 'generous'; usually I can go much faster; TOTP checking is not intentionally speed limited the way things like bcrypt are), I can fire off about 200k requests, giving me very reasonable odds I hit the jackpot in one of those, in less than 6 hours.

The only secure way to do TOTP is to persistently remember that a given user entered an invalid TOTP code: Have a boolean flag in the database.

After a single miss, that user is now in 'TOTP additional security' mode. In this mode, the user must enter 3 consecutive codes from their device. Yes, annoying, but by triggering after even a single failed attempt, you also protect against scheduled attacks (if I know you log in in the morning and also log in after lunch, and you give the user 10 chances, resetting these shots after a successful TOTP code, then I can still try 20 codes a day without the user ever figuring it out).

3 codes give you such good assurances they really do have a device with the original secret key, that you can be quite generous: Check every code up to 13 to 24 hours ahead and behind (that's around 5000 codes; no, the odds of randomly guessing right are astronomical and not worth taking seriously. a million-million-million is a very large divider, fortunately), and tell the user if their clock is off as a service while you're at it.

This is not a denial-of-service attack: TOTP checking isn't done unless the user knows their password. A hacker that knows the user's password and is now guessing TOTP? That's not denial of service. That is an active security case. It is entirely justified to inconvenience the user. Good, even. Let them know if they don't recall messing up a TOTP scan that their password may be compromised.
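The lockout policy this issue describes, as an added Python example that is not the repository's code: six-digit HMAC-SHA1 TOTP per RFC 6238, a normal mode that accepts the five codes around the current step, a persistent flag set on the first miss, and a strict mode that only clears when three consecutive device codes line up somewhere in a wide window (which also yields the device's clock offset). The step size, drift windows and the in-memory flag standing in for the database column are assumptions.

```python
"""TOTP verification with a persistent 'additional security' flag (constructed example)."""
import hashlib
import hmac
import struct

STEP = 30              # assumed TOTP time step in seconds
DIGITS = 6
NORMAL_DRIFT = 2       # +-2 steps: the "5 valid codes" the issue mentions
STRICT_DRIFT = 2880    # +-24 hours of 30-second steps for the 3-code recovery


def totp(secret, counter):
    """RFC 6238 code for one time-step counter (HMAC-SHA1, 6 digits)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (DIGITS, value % 10 ** DIGITS)


class TotpAccount:
    """Per-user state; in a real service 'strict' is a column in the user table."""

    def __init__(self, secret):
        self.secret = secret
        self.strict = False          # set on the first miss, cleared only by a 3-code proof
        self.clock_drift_steps = 0   # measured offset of the user's device, for a "clock is off" hint

    def verify(self, codes, now):
        """codes: [code] in normal mode, [c1, c2, c3] for consecutive steps in strict mode."""
        counter = int(now) // STEP
        if not self.strict:
            ok = any(hmac.compare_digest(totp(self.secret, counter + d), codes[0])
                     for d in range(-NORMAL_DRIFT, NORMAL_DRIFT + 1))
            if not ok:
                self.strict = True   # one miss is enough: remember it persistently
            return ok
        if len(codes) != 3:
            return False             # a single code never leaves strict mode
        for d in range(-STRICT_DRIFT, STRICT_DRIFT + 1):
            if all(hmac.compare_digest(totp(self.secret, counter + d + i), codes[i]) for i in range(3)):
                self.strict = False
                self.clock_drift_steps = d
                return True
        return False
```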
