Posted on Wed 25 February 2026 in Tech • Tagged with go, security, tls, cve
CVE-2025-68121 涉及 Go crypto/tls 的两个会话恢复(session resumption)问题:Config.Clone 复制了自动生成的 session ticket keys,导致不同 tls.Config 之间意外共享会话票据;以及服务端在判断会话是否可恢复时,只检查 leaf 证书过期而忽略完整证书链,可能让过期链条下的会话继续被恢复。
Posted on Thu 12 February 2026 in Journal • Tagged with security, timing-attack, constant-time, authentication, crypto
用 == 或 strings.Compare 比较密钥、密码或 HMAC 时,比较时间会随「猜对多少」变化,攻击者可以按响应时间逐字节猜出秘密;一文说清原理与常数时间比较的用法。
Posted on Thu 12 February 2026 in Journal • Tagged with microservices, security, service-mesh, privilege-escalation, injection, SSRF
Posted on Sun 25 January 2026 in Kubernetes • Tagged with Kubernetes, EKS, AWS, IAM, IRSA, OIDC, Security, STS
Node Role 像一把“万能钥匙”。IRSA 让你把权限精确绑定到 Pod:用 Kubernetes 的 ServiceAccount token 走 OIDC 联邦,去 STS 换临时凭证。
Posted on Sun 14 September 2025 in Journal • Tagged with journal, blog, security, encryption, aes-gcm, envelope-encryption