Friday, 22 May 2026

The Weird World of OCSP Revocation Checks

OCSP, or Online Certificate Status Protocol, enables real-time verification (by clients such as web browsers) of a digital certificate's validity, rather than using downloaded lists of revoked certificates, i.e. CRLs (certificate revocation lists).

It reduces validation overhead, which can be useful in real-time use cases such as transaction processing.

Statuses can be "good", "revoked" or "unknown".

Certificate Authorities (CAs) are mandated to track certificates they revoke.

whois under the hood (just basic TCP)

The whois protocol is a very basic TCP-based query-response protocol that gives information on domain names. Unfortunately, it is not installed by default in cmd.exe but is available in WSL. 

It works by opening a TCP connection (SYN, SYN+ACK), sending the query, receiving the response and closing the connection (FIN, FIN) - very basic indeed. It has no mechanism for indicating the character set used, and there has been no effort to support internationalisation in that respect. Historically the predominant encoding has been US-ASCII.

It has no security provisions. Mechanisms for access control, integrity and confidentiality are excluded.

rdap is a modern alternative to whois. RDAP stands for Registration Data Access Protocol.

Content Credentials

Want to know if something was generated by generative AI?  

Maybe try Content Credentials, a scheme supported by the Coalition for Content Provenance and Authenticity (C2PA) with support from Adobe, Microsoft, Google, OpenAI and Sony.

Adobe's Creative Cloud website details their support for it here.

Thursday, 21 May 2026

jsDelivr - Free CDN for Open Source Projects

jsDelivr is a free CDN for open source projects ("fast, reliable, automated"). It is optimised for JS and ESM delivery (ESM here meaning ECMAScript modules, not "Enterprise Service Delivery").

Monday, 18 May 2026

The HTTP 400 Error

The HTTP 400 error translates to Bad Request. It can sometimes be seen when attempting a logon to a website unsuccessfully.

In short, the server cannot process your request - potentially due to malformed URLs, corrupted cookies or outdated DNS data.

You can try flushing the DNS cache as well:

ipconfig /flushdns

which should yield the output "Successfully flushed the DNS Resolver Cache" if successful.

Friday, 8 May 2026

Debugging Web Access Issues with Microsoft Edge

Edge comes with Developer Tools (Control-Shift-I).  

These tools are surprisingly powerful. The tools appear right next to the rendered webpage in the browser.

Suppose you are trying to log in to a service called "Microsoft New Service" but it doesn't work.  The tab text says "Sign in to Microsoft New Service". Open up Dev Tools. Click on Network (the wifi-style icon). 

Now reload the webpage.  

You will see the entire flow of HTTP requests and responses. A 200 response is status code OK, a 204 means No Content. In fact, any status code between 200 and 299 is a form of success. 300-399 are redirection messages, and anything above that represents an error.

You may be surprised by the number of conditional access-related HTTP requests that are involved in an authentication attempt.

Why Pre Shared Keys are not Wifi Passwords

It is tempting to think of wifi passwords as equivalent to Pre Shared Keys (PSKs) used in authenticating wifi connections.  In fact, the wifi password is combined with the SSID (Service Set Identifier) of the wifi network to produce a 256-bit cryptographic key.
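To show what "combined with the SSID" means in practice, here is the derivation WPA2-Personal uses (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as the salt, 256-bit output), as an added Python example that is not part of the original post; the passphrase length and character checks mirror the 802.11 limits for passphrases, and the SSID "HomeNet" is a constructed sample value.

```python
import hashlib

# WPA2-Personal passphrase constraints from IEEE 802.11 (8-63 printable ASCII
# characters); the 64-hex-character form is the raw 256-bit PSK itself.
MIN_PASSPHRASE = 8
MAX_PASSPHRASE = 63
PBKDF2_ITERATIONS = 4096
PSK_LEN_BYTES = 32  # 256-bit PSK


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2 PSK from a passphrase and SSID.

    PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    Because the SSID is the salt, the same passphrase yields a different
    PSK on every differently named network.
    """
    if not MIN_PASSPHRASE <= len(passphrase) <= MAX_PASSPHRASE:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    if not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("WPA2 passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PSK_LEN_BYTES,
    )


def psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PSK (the 64-character value many configs accept directly)."""
    return derive_psk(passphrase, ssid).hex()


if __name__ == "__main__":
    # Published IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
    print(psk_hex("password", "IEEE"))
    # Same passphrase on a constructed SSID -> a completely different key.
    print(psk_hex("password", "HomeNet"))
```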

The Pre Shared Key model is not ideal for enterprise deployments, as anyone who knows the password and captures the handshake can decrypt traffic. IoT devices using Pre Shared Keys are also not secure where keys are leaked in plaintext logs. This is why there is a separate WPA2-Enterprise that abandons the PSK model.

WPA3-Personal replaced PSK with SAE (Simultaneous Authentication of Equals) to enhance security, adding forward secrecy by deriving a unique key for every session.