diff --git a/Projects/Pinata b/Projects/Pinata index fbcb922..52771d0 100644 --- a/Projects/Pinata +++ b/Projects/Pinata @@ -17,11 +17,11 @@ Piñata transmits the private key to a bitcoin wallet which is filled with ~10BT On startup, the Piñata generates its certificate authority on the fly, including certificates and private keys. This means that only the Piñata itself contains -private keys which can authenticate successfully, thus an attacker has to find +private keys which can authenticate successfully, and an attacker has to find an exploitable flaw in any software layer (OCaml runtime, virtual network -device, TCP/IP stack, TLS library, X.509 validation, or elsewhere). +device, TCP/IP stack, TLS library, X.509 validation, or elsewhere) to complete the challenge. -The Piñata is online since February 2015, and although thousands of unique IP +The Piñata is online since February 2015, and even though thousands of unique IP addresses initiated connections, the wallet still contains the 10 BTC. By using a Bitcoin wallet, the Piñata is a transparent bug bounty. Everybody diff --git a/Projects/TLStunnel b/Projects/TLStunnel index bc2d54c..305c7da 100644 --- a/Projects/TLStunnel +++ b/Projects/TLStunnel @@ -8,15 +8,15 @@ abstract: ![TLS reverse proxy](/static/img/reverse.png) The [tlstunnel](https://github.com/hannesm/tlstunnel) is a proxy unikernel which listens for TLS connections, and forwards requests to backend services, such as a -web server. The specific backend is chosen by inspecting the Server Name +web server. The backend is chosen by inspecting the Server Name Indication, a widely deployed extension of the TLS protocol, where a client requests the server name to talk with during the TLS handshake. -It is similar to other projects such as stunnel or stud, but uses our TLS +The project is similar to others, such as stunnel or stud, but uses our TLS implementation written in the memory-safe language OCaml, instead of one written -in the error-prone language C. The backend web servers don't need TLS support, -which lowers the maintainence burden. Many security issues in TLS -implementations are due to memory safety and support for outdated ciphersuites. +in C. The backend web servers don't need TLS support, +which lowers the maintainence burden. Most security problems in TLS +implementations are caused by unsafe memory handling and support for weak cryptographic primitives. This TLS reverse proxy is deployed on various websites, including [Real World OCaml](https://realworldocaml.org) since 2015. diff --git a/Technology b/Technology index ef9a33a..c057b8a 100644 --- a/Technology +++ b/Technology @@ -167,13 +167,13 @@ simcorp, lexifi) and academia. The OCaml compiler generates native code for x86, arm, etc., and has a bytecode backend, which can target microcontrollers (PIC18 family in the [OcaPIC project](http://www.algo-prog.info/ocapic/web/?id=OCAPIC:OCAPIC)). -OCaml can also be compiled to JavaScript, which allow to develop both client -and server side of a web application in a single language (more details at the [ocsigen project](http://ocsigen.org/)). +OCaml can also be compiled to JavaScript, so both client +and server side of a web application can be developed in the same language with shared interface code (more details at the [ocsigen project](http://ocsigen.org/)). In 2016, Facebook developed [reason](https://reasonml.github.io/), a dialect of OCaml which syntax is closer to JavaScript, and easier to comprehend for -beginners. Reason and OCaml code can be easily combined in a single -application, since the same compiler is used. +beginners. Reason and OCaml code can be easily combined into a single +application, since they use the same compiler. More literature on why OCaml is a good choice has been written by Yaron Minsky (Jane Street) in the article [OCaml for the masses](http://queue.acm.org/detail.cfm?id=2038036), and more recently by the crypto-ledger [tezos](https://www.tezos.com/static/papers/position_paper.pdf).