1000 results for “im_a_GDeveloper”
-
#Development #Techniques
You’re not a CSS developer without a reset · A CSS reset can also elevate your typesetting https://ilo.im/160pq6_____
#CSS #CssReset #Scrolling #Spacing #Typesetting #Kerning #Accessibility #Browser #WebDev #Frontend -
So, I’m a developer. I am following along with and reading this thread:
https://oisaur.com/@renchap/116056634129526611
All I can think while reading this is: Well, that’s unfortunate.
So, one of the very popular features on Bluesky—also popular on Twitter—is the ability to select who can reply to a post. A major issue in the Fediverse is the inability to decide who can reply, and once you block someone, their harassing reply is still there. I honestly thought it was simply a case of them choosing not to add or address it for cultural reasons. What is clear from that thread is that they were always aware that the ActivityPub protocol and most Fediverse implementations don’t provide a universal way to control reply visibility or enforce blocks across instances. They were hedging and hiding behind cultural norms this whole time instead of working to fix it, because they were too busy waging political culture wars instead of doing their damn jobs.
That realization sank my hopes. It basically means that the social media ecosystem with the most moderation tools is Bluesky and the ATmosphere, albeit Bluesky isn’t fully using all of them and is using the moderation tools in ways that selectively moderate according to their enigmatic interests. That does not make me feel good. Honestly, that makes me feel fucking awful about the future of the Internet.
ActivityStreams/ActivityPub was formalized around 2018, and platforms like Mastodon (which implement the ActivityPub protocol) have had years to work on federation and moderation tooling. Instead, many of those years were spent debating culture and writing manifestos. The most disturbing thing about all of this is that it had so much potential. But yeah, I think the Fediverse is going to be relegated to a legacy platform like Usenet or IRC. It’s not fixable, and the folks over at the Fediverse have alienated so many developers that no one really wants to work on fixing it.
The co-authors of ActivityPub are working on other social media projects that have nothing to do with the fediverse. Meanwhile, Mastodon’s founder, Eugen Rochko, stepped down as CEO in November 2025 as part of Mastodon’s transition to a nonprofit governance structure. The restructuring was intended to formalize governance and reduce reliance on a single individual. Rochko transferred control of Mastodon’s core assets and trademark to the nonprofit organization and remains involved in a strategic and advisory capacity. Day-to-day operations are now overseen by an executive director under a board-governed structure. I believe how badly Eugen fucked Mastodon is a large reason why he stepped down, albeit they are all doing the virtue signaling thing.
For the most part, I have pretty much pulled away from microblogging platforms as a whole. I was never a heavy user of anything but forums, and I was part of the occult niche. Since that is pretty much gone, there really isn’t a reason for me to be on social media, which is why I mostly blog. It really sucks because I wanted to believe in ActivityPub and the fediverse.
It pretty much comes down to the fact that the ActivityPub protocol is flawed at the protocol level when it comes to protecting people from harassment. While Bluesky’s app view is choosing to apply its tools selectively to address this, it is more capable of protecting people. Honestly, that really sucks, because that spells the death of this protocol. ActivityPub’s decentralized design doesn’t provide built-in, enforceable protections against harassment. This makes moderation and harassment mitigation practically impossible.
Renaud Chaput so much as admits it here:
“So we need to consider if we want to switch to a “thread context”-based approval model, where the author of the root of the thread controls all the tree of replies. Which would be a big change for Mastodon (and similar implementations), but might be more aligned with what users want, and solve other issues as well (replies federation).
But that would be a huge undertaking, with lots of problems related to backward compatibility (for example).”
What I noticed was this phrase by Renaud Chaput:
“First step for us is probably staying alive and continuing having a team that is focused on building a better product, which is our focus right now. We are very well aware of this topic (as I keep repeating each time you mention me 😉 ).”
They are saying the quiet part out loud: We are having issues staying relevant.
ActivityPub is built on the ActivityStreams 2.0 vocabulary. Three core components define it: Actor, Object, and Activity. It provides a Client-to-Server (C2S) API that lets an Actor submit Activities to an outbox. It also provides a Server-to-Server (S2S) federation protocol. This protocol delivers those Activities to other servers’ inboxes.
Replies are created by setting the inReplyTo property on an Object. Servers may expose a replies Collection. However, that collection is optional and not globally authoritative. The specification describes how Activities are serialized and delivered. It does not introduce a canonical container for conversations. It does not define a required global index or binding enforcement rules for moderation. A Block Activity is defined as a type of Activity. However, remote servers are not obligated to remove or hide content beyond their own policies. Each server maintains its own inboxes, outboxes, collections, and storage model. It interprets incoming Activities according to local implementation choices.
This facilitates interoperability at the transport and vocabulary level. It does not do so at the level of governance. Servers do not have to construct identical conversation graphs from inReplyTo chains. Nothing in the protocol allows an Actor to assert authoritative control over all descendant replies. This is the main problem. Federation operates peer to peer among autonomous servers. Moderation decisions, including defederation, filtering, and suspensions, remain local. The specification does not define a global control layer.
The AT Protocol approaches the problem differently. Users are identified through Decentralized Identifiers (DIDs). They publish signed records stored in repositories. These repositories are usually hosted on a Personal Data Server (PDS). They are append-only and cryptographically verifiable. Records follow schemas defined in Lexicon. Lexicon describes types, fields, and RPC interfaces in machine-readable form. Updates propagate through relays. These relays aggregate repository changes into a network-wide event stream, often called the firehose. Higher-level services, including AppViews, subscribe to this stream. They may also query indexes derived from it. The AT Protocol defines message delivery, identity, storage, and synchronization.
Within the AT Protocol, moderation operates across the same repository data. Labeling and visibility controls are expressed as structured records. Clients or AppViews can apply them deterministically if they choose to consume them. Content exists as signed records keyed by DIDs. It is distributed through relays. Moderation services therefore work against a consistent dataset rather than isolated server copies. Identity portability follows from this structure. Users can move between hosting providers without losing their DID, repository history, or social graph.
ActivityPub standardizes how Activities move between servers and how they are described. It leaves indexing, thread authority, and enforcement to individual implementations. The AT Protocol defines repository structure, identity binding, record schemas, and synchronization across the network. ActivityPub centers on federated message exchange with local policy control. No participant has protocol-level authority over the shape or visibility of a conversation once it federates. The AT Protocol centers on a shared record system with portable identity and network-wide data propagation. Moderation and visibility decisions can attach to the same canonical records seen across the network.
In ActivityPub’s model, moderation is local. If someone replies to you in a harassing way, your server can hide it, block it, or defederate from the offending server. Other servers may still store, display, and propagate those replies according to their own policies. There is no protocol-level mechanism that lets you assert binding control over how replies to your post are indexed or rendered elsewhere. Harassment mitigation is fragmented. Harassment can persist in parallel contexts even after you act against it locally.
In the AT Protocol model, content exists as signed records in repositories keyed to portable identities. It is distributed through a shared data propagation layer. Because of this, moderation services can operate against a consistent dataset. Labels, visibility controls, or account-level actions can attach to the same canonical records that other services consume. While it does not eliminate harassment, it makes it technically possible for moderation decisions to propagate more coherently across applications that choose to honor them.
So the difference for harassment is this: in ActivityPub, protection is inherently piecemeal and server-scoped. In the AT Protocol, protection can be structurally network-aware. Identity, storage, and moderation signals live in the same shared data model.
Basically, the fediverse has no means to keep vulnerable, marginalized people safe. The AT Protocol does, albeit the Bluesky app view chooses not to use it. The point is that it has the potential. The last time I tried to explain all of this, I was harassed by a person who operates multiple servers and accounts on here:
@FediThing @FediTips @[email protected] @[email protected] @[email protected] and @[email protected]
The protocol is fundamentally flawed, and they do not know how to fix it. These people are incapable of good-faith conversations, so I am avoiding tagging them or attaching this response to the thread, because their response is basically to stall, hedge, and gaslight.
I’m not a fan of Bluesky — not at all. I really wanted to love ActivityPub, but I think Eugen pretty much killed it within the last three years. They had a very narrow, myopic culture and vision in mind, where they completely ignored all criticisms. Now, there is really no way to fix this mess, which is why they stick to gaslighting their users and literally harassing any developer who criticizes them. Social media has normalized lying to its users, so am I surprised?
Edit:
What a surprise. An anti-Black reaction that pulls the “it is okay to ignore you because you are an angry Black person” card. Yes, Black people are angry, and that you do not understand why is the problem.
I’m not going to go back and forth with a racist, nor am I going to quote them because of my stance on spreading misinformation and vitriol. A person who was implicated in the anti-Black behavior of the fediverse tried to discredit me as a Black person by claiming that I am not on Blacksky, have not worked on Blacksky, and am not happy or positive enough to be included in the Black folks who have been harmed by anti-Blackness.
Yes, they said that with a straight face. Blacksky exists because Black people were angry at being mistreated by the fediverse. Ergo, since I am not happy about being mistreated, I can’t be part of that demographic of Black folks. They are tacitly expecting trustworthy Black people to respond to abuse by being happy. What kind of Jim Crow shit is this? Therefore, it is acceptable to dismiss my experiences as a Black person because I don’t conform to the stereotype of what a Black person in America is.
In other words, they are saying I am a hostile angry black person, and we can disregard what I have to say because I am an angry Black person in Donald Trump’s America.
What kills me is that these folks have no insight into their own racism. This is all the attention they get, because I believe racists should be isolated, among other things. They truly believe they are the good guys, and that the savior complex is an imperialistic colonial archetype flies over their heads. I don’t think white racists can ever change, so I will not be addressing them. That’s all I will say about that.
Edit again:
Welp, after seeing the first edit, the hit racist dog deleted the top level of the thread about me. That is what is called a consciousness of guilt, because if they had genuine good intentions and truly believed what they said was right, they would have said it with their whole chest and would not have deleted the top thread reply. Also, the little group of Fediverse racists explicitly rushed to report me. Report me to who—myself? It’s my instance. I have not explicitly violated any rules of this person’s home instance, but they feel entitled to try and have me removed from the Fediverse because I did not respond to their triangulation, brigading, and harassment by being nice. I did not take the mistreatment with a smile and a nod. Racist white people can fuck all the way off.
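An added illustration of the architectural point the post makes (not code from the post, from Mastodon, or from Bluesky): a toy in-memory model in which ActivityPub servers each keep their own copy of a thread and apply a Block under their own policy, while AT Protocol consumers all read one record set keyed by DID and apply block records and labeler verdicts to the same canonical URIs. Every identifier (a.example, did:plc:alice, did:plc:labeler, the rkeys) is made up, the label shape is simplified, and no signatures, HTTP delivery, or JSON-LD processing are modelled; only the collection names app.bsky.feed.post and app.bsky.graph.block are real Lexicon names.

```python
"""Toy model of where moderation state lives in ActivityPub vs the AT Protocol.

Added illustration only (not code from the post, Mastodon, or Bluesky).
Assumed: in-memory dicts stand in for servers, repositories and the relay;
a.example, did:plc:alice, did:plc:labeler and the rkeys are made up;
no signatures, HTTP delivery or JSON-LD processing are modelled.
"""
from dataclasses import dataclass, field


# ---- ActivityPub: every server keeps its own copy and applies its own policy ----

@dataclass
class ApServer:
    domain: str
    objects: dict = field(default_factory=dict)  # object id -> Note (this server's copy)
    blocks: set = field(default_factory=set)     # (blocker, blocked) pairs this server knows

    def inbox(self, activity: dict) -> None:
        """Apply an incoming Activity under *local* rules; nothing here is mandated."""
        if activity["type"] == "Create":
            obj = activity["object"]
            self.objects[obj["id"]] = obj
        elif activity["type"] == "Block":
            # Recording the Block is a choice; the spec does not say "delete the replies".
            self.blocks.add((activity["actor"], activity["object"]))

    def thread(self, root_id: str, viewer: str) -> list[str]:
        """Rebuild the reply tree from inReplyTo chains as *this* server sees them."""
        return sorted(
            obj["id"] for obj in self.objects.values()
            if obj.get("inReplyTo") == root_id
            and (viewer, obj["attributedTo"]) not in self.blocks
        )


def ap_scenario() -> dict[str, list[str]]:
    """Constructed scenario: a reply federates to three servers, the Block to two."""
    a, b, c = ApServer("a.example"), ApServer("b.example"), ApServer("c.example")
    alice, troll = "https://a.example/users/alice", "https://b.example/users/troll"
    root = {"id": "https://a.example/notes/1", "attributedTo": alice}
    reply = {"id": "https://b.example/notes/9", "attributedTo": troll, "inReplyTo": root["id"]}
    for server in (a, b, c):  # Create activities fan out to every follower server
        server.inbox({"type": "Create", "actor": alice, "object": root})
        server.inbox({"type": "Create", "actor": troll, "object": reply})
    block = {"type": "Block", "actor": alice, "object": troll}
    a.inbox(block)  # alice's own server
    b.inbox(block)  # the blocked actor's server is told; c.example is never told
    return {
        "alice@a.example": a.thread(root["id"], alice),
        "bob@b.example": b.thread(root["id"], "https://b.example/users/bob"),
        "carol@c.example": c.thread(root["id"], "https://c.example/users/carol"),
    }


# ---- AT Protocol: one record set, keyed by DID, streamed to every consumer ----

@dataclass
class Relay:
    records: dict = field(default_factory=dict)  # at:// URI -> record, as streamed to all

    def commit(self, did: str, collection: str, rkey: str, record: dict) -> str:
        uri = f"at://{did}/{collection}/{rkey}"
        self.records[uri] = dict(record, did=did, collection=collection)
        return uri


def at_thread(relay: Relay, labels: list[dict], root_uri: str,
              viewer_did: str, honored_labelers: set[str]) -> list[str]:
    """An AppView's thread view: same inputs => same output, whoever runs it."""
    blocked = {r["subject"] for r in relay.records.values()
               if r["collection"] == "app.bsky.graph.block" and r["did"] == viewer_did}
    hidden = {lab["uri"] for lab in labels
              if lab["src"] in honored_labelers and lab["val"] == "hide"}
    return sorted(
        uri for uri, r in relay.records.items()
        if r["collection"] == "app.bsky.feed.post"
        and r.get("reply", {}).get("root") == root_uri
        and r["did"] not in blocked and uri not in hidden
    )


def at_scenario() -> dict[str, list[str]]:
    """Constructed scenario: the block is a record, the label is a labeler's verdict."""
    relay = Relay()
    alice, troll, labeler = "did:plc:alice", "did:plc:troll", "did:plc:labeler"
    root = relay.commit(alice, "app.bsky.feed.post", "1", {"text": "hi"})
    reply = relay.commit(troll, "app.bsky.feed.post", "9",
                         {"text": "...", "reply": {"root": root, "parent": root}})
    relay.commit(alice, "app.bsky.graph.block", "b1", {"subject": troll})
    labels = [{"src": labeler, "uri": reply, "val": "hide"}]  # simplified label shape
    honoring, ignoring = {labeler}, set()
    return {
        "alice@honoring": at_thread(relay, labels, root, alice, honoring),
        "carol@honoring": at_thread(relay, labels, root, "did:plc:carol", honoring),
        "alice@ignoring": at_thread(relay, labels, root, alice, ignoring),
        "carol@ignoring": at_thread(relay, labels, root, "did:plc:carol", ignoring),
    }


if __name__ == "__main__":
    print(ap_scenario())
    print(at_scenario())
```

In the ActivityPub half, alice's Block only changes what her own server renders to her; bob on b.example and carol on c.example still get the reply, and c.example was never even told about the Block. In the AT half, alice's block record and the labeler's verdict are both derived from the same stream, so any AppView that honors that labeler computes the identical view; the one AppView that ignores the labeler still shows carol the reply, which is the caveat the post itself makes about applications that choose not to honor moderation signals.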
In ActivityPub’s model, moderation is local. If someone replies to you in a harassing way, your server can hide it, block it, or defederate from the offending server. Other servers may still store, display, and propagate those replies according to their own policies. There is no protocol-level mechanism that lets you assert binding control over how replies to your post are indexed or rendered elsewhere. Harassment mitigation is fragmented. Harassment can persist in parallel contexts even after you act against it locally.
In the AT Protocol model, content exists as signed records in repositories keyed to portable identities. It is distributed through a shared data propagation layer. Because of this, moderation services can operate against a consistent dataset. Labels, visibility controls, or account-level actions can attach to the same canonical records that other services consume. While it does not eliminate harassment, it makes it technically possible for moderation decisions to propagate more coherently across applications that choose to honor them.
So the difference for harassment is this: in ActivityPub, protection is inherently piecemeal and server-scoped. In the AT Protocol, protection can be structurally network-aware. Identity, storage, and moderation signals live in the same shared data model.
Basically, the fediverse has no means to keep vulnerable, marginalized people safe. The AT Protocol does, albeit the Bluesky app view chooses not to use it. The point is that it has the potential. The last time I tried to explain all of this, I was harassed by a person who operates multiple servers and accounts on here:
@FediThing @FediTips @[email protected] @[email protected] @[email protected] and @[email protected]
The protocol is fundamentally flawed, and they do not know how to fix it. These people are incapable of good-faith conversations, so I am avoiding tagging them or attaching this response to the thread, because their response is basically to stall, hedge, and gaslight.
I’m not a fan of Bluesky — not at all. I really wanted to love ActivityPub, but I think Eugene pretty much killed it within the last three years. They had a very narrow, myopic culture and vision in mind, where they completely ignored all criticisms. Now, there is really no way to fix this mess, which is why they stick to gaslighting their users and literally harassing any developer who criticizes them. Social media has normalized lying to its users, so am I surprised?
Edit:
What a surprise. An anti-black reaction that pulls the “it is okay to ignore you because you are an angry black person”. Yes, black people are angry, and that you do not understand why is the problem.
I’m not going to go back and forth with a racist, nor am I going to quote them because of my stance on spreading misinformation and vitriol. A person who was implicated in the anti-Black behavior of the fediverse tried to discredit me as a Black person by claiming that I am not on Blacksky, have not worked on Blacksky, and am not happy or positive enough to be included in the Black folks who have been harmed by anti-Blackness.
Yes, they said that with a straight face. Blacksky exists because Black people were angry at being mistreated by the fediverse. Ergo, since I am not happy about being mistreated, I can’t be part of that demographic of Black folks. They are tacitly expecting trustworthy Black people to respond to abuse by being happy. What kind of Jim Crow shit is this? Therefore, it is acceptable to dismiss my experiences as a Black person because I don’t conform to the stereotype of what a Black person in America is.
In other words, they are saying I am a hostile angry black person, and we can disregard what I have to say because I am an angry Black person in Donald Trump’s America.
What kills me is that these folks have no insight into their own racism. This is all the attention they get, because I believe racists should be isolated, among other things. They truly believe they are the good guys, and that the savior complex is an imperialistic colonial archetype flies over their heads. I don’t think white racists can ever change, so I will not be addressing them. That’s all I will say about that.
Edit again:
Welp, after seeing the first edit, the hit racist dog deleted the top level of the thread about me. That is what is called a consciousness of guilt, because if they had genuine good intentions and truly believed what they said was right, they would have said it with their whole chest and would not have deleted the top thread reply. Also, the little group of Fediverse racists explicitly rushed to report me. Report me to who—myself? It’s my instance. I have not explicitly violated any rules of this person’s home instance, but they feel entitled to try and have me removed from the Fediverse because I did not respond to their triangulation, brigading, and harassment by being nice. I did not take the mistreatment with a smile and a nod. Racist white people can fuck all the way off.
-
@knees To add to the chorus of wonderful replies from all ( @tomnorthfilm @shom @tapasinthesun) …here is my method (sorry it's a bit of a book), that works best for me. I tried to approach as well as I could the workflow I was getting from #NegativeLabPro to maintain metadata, as I recently went all-in on the switch to #darktable so I can ditch #Adobe #Lightroom.
When I develop film, I write on a piece of painters tape the film type, speed, speed shot at, and dev time/temp. This gets stuck to the dev tank while developing and then on the piece of wood I hang my negs from to dry above my bath tub. This seems unnecessary if you're only developing a single roll or a single film stock/shooting speed but if you have a mix it’s a lot easier than trying to remember the next day which films were shot at which speeds, etc.
After drying I scan via digital camera and import into darktable. In the light table view, I have a set of custom xmp metadata fields that I use to record these things. If I use multiple lenses in a roll, I leave that blank, and if I am using a camera with a fixed lens, I leave it blank. 4x5 is the only photography that I record the aperture/shutter settings for every single photo, so I don't generally need to label anything like aperture and shutter speed…for me personally that's more time than I’m willing to spend while blasting through rolls of 135 or 120. 4x5 has it written on the negative sleeve if I need to refer back to it.
I've attached a screenshot of both the metadata editor in the light table view and the metadata editor preferences showing the specific fields I'm using. I can then also search and filter by these looking through photos (e.g. looking for images that were tri-X pushed two stops or images that were developed in Rodinal 1+25)
I then edited the export metadata settings to pull the data from some of these fields and concatenate them into the description field (screenshot of those settings added as well) so that for the Mastodon client I use (usually Mona) it automatically pulls in as alt text showing the film stock, developer, etc. (see final pic below). I usually try to manually add additional alt text about the image itself, but at least I'm not having to paste in the film/camera/etc.
If you do want to go down the road of recording extra data for every single image then you can probably just shift around which data fields you want to use to include things like aperture, etc. I don't remember offhand how many custom data fields there are, but you can probably also add/overwrite the standard exif/xmp fields for those values as well, but for my needs that’s avoided entirely...the settings from my digital camera will be what is in those fields, since I don't use/ingest those in any way so I haven't cared enough to clear them out.
Hope that helps you or anyone else reading and you continue to enjoy your journey.
#FilmPhotography #AnalogPhotography #BelieveInFilm #DevelopYourOwn #FOSS
-
if you're a developer interested in agentic engineering, I'm starting a newsletter called The Agent Loop.
I've been running AI agents at the core of my workflow since last summer. What works, what doesn't, and how to keep up in a landscape that's moving faster than ever.
-
Making a new #Introduction since I moved instances!
Hello, I'm Wasp (they/xe/it pronouns), I'm a nonbinary artist, furry PNGTuber, and amateur web developer/programmer! I'm also the admin/owner of the autisticats.xyz instance.
My partner is also on Mastodon at the accounts @radioactive_transfem and @NorseTeaMaiden, she's a very talented pixel artist and Twitch streamer who you should absolutely go check out!
My other semi-active Fediverse accounts are @waspsystem and @[email protected] (videos, synced up with my YouTube channel).
I'm also neurodivergent (autism/ADHD/DID), physically disabled, and proudly on the aroace spectrum.
Hashtags:
#Artist #DigitalArtist #Art #Furry #FurryFandom #Nonbinary #ActuallyAutistic #ADHD #Disability #WebDev #WebRevival #DID #DIDSystem #PNGTuber #VTuber #Transgender #TransgenderArtist #FurryArtist -
I’m a solo developer, and I made a free AAC-style app called TalkTiles.
It’s designed to help non-speaking kids build simple sentences using visual tiles.
💬 No ads
🧩 Kid-friendly interface
🔗 Free to try: https://nestables.org
I’d love thoughts or feedback from AAC users, parents, or educators — if this could be useful or how to improve it.
#AAC #Neurodivergent #CommunicationAccess #AutismSupport #TalkTiles #AssistiveTech #AmazonAppstore
-
Hey #freelancers beware 😬
Got targeted on Upwork with a malware repo. Job post says "Senior Rust Developer — convert Node.js to Rust."
It sounded great as I'm back to Upwork after a long while. But they insisted that I clone and run the repo, then I would have the job:
> Just show me with a screenshot that you were able to run the project and we can start from there
Thankfully my "bullshit radar" kicked in and I asked opencode to check the code instead
-
“Linux ‘just works’ – if you can see.
…
This isn’t a bug.
This is neglect.”
(And its ableist culture will sooner make you the villain for criticising it rather than acknowledging the failing and fixing the status quo. https://ar.al/2024/06/23/fedora-has-been-shipping-with-a-broken-screen-reader-for-nine-years-but-the-real-problem-is-me/
There’s a reason I’m back on Mac after six years on Linux. As a developer, it was impacting my ability to make what I’m building accessible. And I reject the unspoken premise that the source being open is somehow more important than the human right to universal access. Ethical technology requires more than just the “four freedoms” https://web.archive.org/web/20250418090901/https://ind.ie/ethical-design/
This is why inclusivity is a core Small Technology principle. https://small-tech.org/about/#small-technology)
#accessibility #inclusivity #universalAccess #a11y #linux #FOSS #openSource #freeSoftware #freedom
-
Earlier this year, Cendyne wrote a blog post covering the use of HKDF, building partially upon my own blog post about HKDF and the KDF security definition, but more so inspired by a cryptographic issue they identified in another company’s product (dubbed AnonCo).
At the bottom they teased:
Database cryptography is hard. The above sketch is not complete and does not address several threats! This article is quite long, so I will not be sharing the fixes.
Cendyne
If you read Cendyne’s post, you may have nodded along with that remark and not appreciated the degree to which our naga friend was putting it mildly. So I thought I’d share some of my knowledge about real-world database cryptography in an accessible and fun format in the hopes that it might serve as an introduction to the specialization.
Note: I’m also not going to fix Cendyne’s sketch of AnonCo’s software here–partly because I don’t want to get in the habit of assigning homework or required reading, but mostly because it’s kind of obvious once you’ve learned the basics.
I’m including art of my fursona in this post… as is tradition for furry blogs.
If you don’t like furries, please feel free to leave this blog and read about this topic elsewhere.
Thanks to CMYKat for the awesome stickers.
Contents
- Database Cryptography?
- Cryptography for Relational Databases
- The Perils of Built-in Encryption Functions
- Application-Layer Relational Database Cryptography
- Confused Deputies
- Canonicalization Attacks
- Multi-Tenancy
- Cryptography for NoSQL Databases
- NoSQL is Built Different
- Record Authentication
- Bonus: A Maximally Schema-Free, Upgradeable Authentication Design
- Searchable Encryption
- Order-{Preserving, Revealing} Encryption
- Deterministic Encryption
- Homomorphic Encryption
- Searchable Symmetric Encryption (SSE)
- You Can Have Little a HMAC, As a Treat
- Intermission
- Case Study: MongoDB Client-Side Encryption
- MongoCrypt: The Good
- How is Queryable Encryption Implemented?
- MongoCrypt: The Bad
- MongoCrypt: The Ugly
- MongoCrypt: The Good
- Wrapping Up
Database Cryptography?
The premise of database cryptography is deceptively simple: You have a database, of some sort, and you want to store sensitive data in said database.
The consequences of this simple premise are anything but simple. Let me explain.
Art: ScruffKerfluff
The sensitive data you want to store may need to remain confidential, or you may need to provide some sort of integrity guarantees throughout your entire system, or sometimes both. Sometimes all of your data is sensitive, sometimes only some of it is. Sometimes the confidentiality requirements of your data extends to where within a dataset the record you want actually lives. Sometimes that’s true of some data, but not others, so your cryptography has to be flexible to support multiple types of workloads.
Other times, you just want your disks encrypted at rest so if they grow legs and walk out of the data center, the data cannot be comprehended by an attacker. And you can’t be bothered to work on this problem any deeper. This is usually what compliance requirements cover. Boxes get checked, executives feel safer about their operation, and the whole time nobody has really analyzed the risks they’re facing.
But we’re not settling for mere compliance on this blog. Furries have standards, after all.
So the first thing you need to do before diving into database cryptography is threat modelling. The first step in any good threat model is taking inventory; especially of assumptions, requirements, and desired outcomes. A few good starter questions:
- What database software is being used? Is it up to date?
- What data is being stored in which database software?
- How are databases oriented in the network of the overall system?
- Is your database properly firewalled from the public Internet?
- How does data flow throughout the network, and when do these data flows intersect with the database?
- Which applications talk to the database? What languages are they written in? Which APIs do they use?
- How will cryptography secrets be managed?
- Is there one key for everyone, one key per tenant, etc.?
- How are keys rotated?
- Do you use envelope encryption with an HSM, or vend the raw materials to your end devices?
The first two questions are paramount for deciding how to write software for database cryptography, before you even get to thinking about the cryptography itself.
(This is not a comprehensive set of questions to ask, either. A formal threat model is much deeper in the weeds.)
The kind of cryptography protocol you need for, say, storing encrypted CSV files in an S3 bucket is vastly different from relational (SQL) databases, which in turn will be significantly different from schema-free (NoSQL) databases.
Furthermore, when you get to the point that you can start to think about the cryptography, you’ll often need to tackle confidentiality and integrity separately.
If that’s unclear, think of a scenario like, “I need to encrypt PII, but I also need to digitally sign the lab results so I know it wasn’t tampered with at rest.”
My point is, right off the bat, we’ve got a three-dimensional matrix of complexity to contend with:
- On one axis, we have the type of database.
- Flat-file
- Relational
- Schema-free
- On another, we have the basic confidentiality requirements of the data.
- Field encryption
- Row encryption
- Column encryption
- Unstructured record encryption
- Encrypting entire collections of records
- Finally, we have the integrity requirements of the data.
- Field authentication
- Row/column authentication
- Unstructured record authentication
- Collection authentication (based on e.g. Sparse Merkle Trees)
And then you have a fourth dimension that often falls out of operational requirements for databases: Searchability.
Why store data in a database if you have no way to index or search the data for fast retrieval?
Credit: Harubaki
If you’re starting to feel overwhelmed, you’re not alone. A lot of developers drastically underestimate the difficulty of the undertaking, until they run head-first into the complexity.
Some just phone it in with AES_Encrypt() calls in their MySQL queries. (Too bad ECB mode doesn’t provide semantic security!)
Which brings us to the meat of this blog post: The actual cryptography part.
Cryptography is the art of transforming information security problems into key management problems.
Former coworker
Note: In the interest of time, I’m skipping over flat files and focusing instead on actual database technologies.
Cryptography for Relational Databases
Encrypting data in an SQL database seems simple enough, even if you’ve managed to shake off the complexity I teased from the introduction.
You’ve got data, you’ve got a column on a table. Just encrypt the data and shove it in a cell on that column and call it a day, right?
But, alas, this is a trap. There are so many gotchas that I can’t weave a coherent, easy-to-follow narrative between them all.
So let’s start with a simple question: where and how are you performing your encryption?
The Perils of Built-in Encryption Functions
MySQL provides functions called AES_Encrypt and AES_Decrypt, which many developers have unfortunately decided to rely on in the past.
It’s unfortunate because these functions implement ECB mode. To illustrate why ECB mode is bad, I encrypted one of my art commissions with AES in ECB mode:
Art by Riley, encrypted with AES-ECB
The problems with ECB mode aren’t exactly “you can see the image through it,” because ECB-encrypting a compressed image won’t have redundancy (and thus can make you feel safer than you are).
ECB art is a good visual for the actual issue you should care about, however: A lack of semantic security.
A cryptosystem is considered semantically secure if observing the ciphertext doesn’t reveal information about the plaintext (except, perhaps, the length; which all cryptosystems leak to some extent). More information here.
ECB art isn’t to be confused with ECB poetry, which looks like this:
Oh little one, you’re growing up
You’ll soon be writing C
You’ll treat your ints as pointers
You’ll nest the ternary
You’ll cut and paste from github
And try cryptography
But even in your darkest hour
Do not use ECB

CBC’s BEASTly when padding’s abused
And CTR’s fine til a nonce is reused
Some say it’s a CRIME to compress then encrypt
Or store keys in the browser (or use javascript)
Diffie Hellman will collapse if hackers choose your g
And RSA is full of traps when e is set to 3
Whiten! Blind! In constant time! Don’t write an RNG!
But failing all, and listen well: Do not use ECB

They’ll say “It’s like a one-time-pad!
The data’s short, it’s not so bad
the keys are long–they’re iron clad
I have a PhD!”
And then you’re front page Hacker News
Your passwords cracked–Adobe Blues.
Don’t leave your penguins showing through,
Do not use ECB
— Ben Nagy, PoC||GTFO 0x04:13
Most people reading this probably know better than to use ECB mode already, and don’t need any of these reminders, but there is still a lot of code that inadvertently uses ECB mode to encrypt data in the database.
Also, SHOW processlist; leaks your encryption keys. Oops.
Credit: CMYKatt
Application-layer Relational Database Cryptography
Whether burned by ECB or just cautious about not giving your secrets to the system that stores all the ciphertext protected by said secret, a common next step for developers is to simply encrypt in their server-side application code.
And, yes, that’s part of the answer. But how you encrypt is important.
Credit: Harubaki
“I’ll encrypt with CBC mode.”
If you don’t authenticate your ciphertext, you’ll be sorry. Maybe try again?
“Okay, fine, I’ll use an authenticated mode like GCM.”
Did you remember to make the table and column name part of your AAD? What about the primary key of the record?
“What on Earth are you talking about, Soatok?”
Welcome to the first footgun of database cryptography!
Confused Deputies
Encrypting your sensitive data is necessary, but not sufficient. You need to also bind your ciphertexts to the specific context in which they are stored.
To understand why, let’s take a step back: What specific threat does encrypting your database records protect against?
We’ve already established that “your disks walk out of the datacenter” is a “full disk encryption” problem, so if you’re using application-layer cryptography to encrypt data in a relational database, your threat model probably involves unauthorized access to the database server.
What, then, stops an attacker from copying ciphertexts around?
Credit: CMYKatt
Let’s say I have a legitimate user account with an ID 12345, and I want to read your street address, but it’s encrypted in the database. But because I’m a clever hacker, I have unfettered access to your relational database server.
All I would need to do is simply…
UPDATE table SET addr_encrypted = 'your-ciphertext' WHERE id = 12345
…and then access the application through my legitimate access. Bam, data leaked. As an attacker, I can probably even copy fields from other columns and it will just decrypt. Even if you’re using an authenticated mode.
We call this a confused deputy attack, because the deputy (the component of the system that has been delegated some authority or privilege) has become confused by the attacker, and thus undermined an intended security goal.
The fix is to use the AAD parameter from the authenticated mode to bind the data to a given context. (AAD = Additional Authenticated Data.)
- $addr = aes_gcm_encrypt($addr, $key);
+ $addr = aes_gcm_encrypt($addr, $key, canonicalize([
+     $tableName,
+     $columnName,
+     $primaryKey
+ ]));
Now if I start cutting and pasting ciphertexts around, I get a decryption failure instead of silently decrypting plaintext.
This may sound like a specific vulnerability, but it’s more of a failure to understand an important general lesson with database cryptography:
Where your data lives is part of its identity, and MUST be authenticated.
Soatok’s Rule of Database Cryptography
Canonicalization Attacks
In the previous section, I introduced a pseudocode called canonicalize(). This isn’t a pasto from some reference code; it’s an important design detail that I will elaborate on now.
First, consider you didn’t do anything to canonicalize your data, and you just joined strings together and called it a day…
function dumbCanonicalize(
    string $tableName,
    string $columnName,
    string|int $primaryKey
): string {
    return $tableName . '_' . $columnName . '#' . $primaryKey;
}
Consider these two inputs to this function:
dumbCanonicalize('customers', 'last_order_uuid', 123);
dumbCanonicalize('customers_last_order', 'uuid', 123);
In this case, your AAD would be the same, and therefore, your deputy can still be confused (albeit in a narrower use case).
In Cendyne’s article, AnonCo did something more subtle: The canonicalization bug created a collision on the inputs to HKDF, which resulted in an unintentional key reuse.
Up until this point, their mistake isn’t relevant to us, because we haven’t even explored key management at all. But the same design flaw can re-emerge in multiple locations, with drastically different consequence.
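Putting the last two sections together, here is an added worked example in Go. It is my own code, not from this post, Cendyne’s post, or any library either discusses. It binds a cell’s table, column and primary key into the AES-GCM AAD, replays the cut-and-paste attack from the Confused Deputies section, and then shows the naive string join colliding where a length-prefixed encoding does not. The table and column names, the row IDs, the address and the key bytes are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// CellContext names where a ciphertext is allowed to live.
type CellContext struct {
	Table, Column, PrimaryKey string
}

// canonicalize length-prefixes every component (4-byte big-endian length, then the
// bytes), so two different component lists can never serialize to the same AAD.
func canonicalize(parts ...string) []byte {
	var buf bytes.Buffer
	for _, p := range parts {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(p)))
		buf.Write(n[:])
		buf.WriteString(p)
	}
	return buf.Bytes()
}

// dumbCanonicalize mirrors the post's naive string join, which collides.
func dumbCanonicalize(table, column, pk string) []byte {
	return []byte(table + "_" + column + "#" + pk)
}

func (c CellContext) AAD() []byte { return canonicalize(c.Table, c.Column, c.PrimaryKey) }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptCell returns nonce || ciphertext || tag, with the cell's location bound as AAD.
func EncryptCell(key []byte, ctx CellContext, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, ctx.AAD()), nil
}

// DecryptCell fails unless the blob was sealed for exactly this table/column/row.
func DecryptCell(key []byte, ctx CellContext, blob []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, ctx.AAD())
}

// DemoConfusedDeputy replays the attack: the attacker copies the victim's ciphertext
// into their own row and asks the application to decrypt it for them.
func DemoConfusedDeputy() (victimReads bool, attackerReads bool) {
	key := []byte("constructed-demo-key-32-bytes!!!") // 32 bytes (AES-256); constructed, not real material
	victim := CellContext{"customers", "addr_encrypted", "999"}
	attacker := CellContext{"customers", "addr_encrypted", "12345"}

	blob, err := EncryptCell(key, victim, []byte("221B Baker Street"))
	if err != nil {
		panic(err)
	}
	// UPDATE customers SET addr_encrypted = <victim's blob> WHERE id = 12345;
	attackerRow := append([]byte(nil), blob...)

	_, err = DecryptCell(key, victim, blob)
	victimReads = err == nil
	_, err = DecryptCell(key, attacker, attackerRow)
	attackerReads = err == nil // false: the AAD names a different row, so the tag check fails
	return
}

// DumbCanonicalizationCollides reproduces the post's collision and shows the
// length-prefixed encoding does not share it.
func DumbCanonicalizationCollides() (dumbCollides bool, safeCollides bool) {
	dumbCollides = bytes.Equal(dumbCanonicalize("customers", "last_order_uuid", "123"),
		dumbCanonicalize("customers_last_order", "uuid", "123"))
	safeCollides = bytes.Equal(canonicalize("customers", "last_order_uuid", "123"),
		canonicalize("customers_last_order", "uuid", "123"))
	return
}

func main() {
	v, a := DemoConfusedDeputy()
	fmt.Printf("victim decrypts: %v, attacker decrypts copied cell: %v\n", v, a)
	d, s := DumbCanonicalizationCollides()
	fmt.Printf("naive join collides: %v, length-prefixed collides: %v\n", d, s)
}
```

The length prefix is the whole point of canonicalize(): once every component carries its own length, “customers” + “last_order_uuid” and “customers_last_order” + “uuid” produce different bytes, so the AAD (and, later, any HKDF info string built the same way) cannot be made to collide by picking clever table or column names.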
Multi-Tenancy
Once you’ve implemented a mitigation against Confused Deputies, you may think your job is done. And it very well could be.
Often times, however, software developers are tasked with building support for Bring Your Own Key (BYOK).
This is often spawned from a specific compliance requirement (such as cryptographic shredding; i.e. if you erase the key, you can no longer recover the plaintext, so it may as well be deleted).
Other times, this is driven by a need to cut costs: Storing different users’ data in the same database server, but encrypting it such that they can only decrypt their own records.
Two things can happen when you introduce multi-tenancy into your database cryptography designs:
- Invisible Salamanders becomes a risk, due to multiple keys being possible for any given encrypted record.
- Failure to address the risk of Invisible Salamanders can undermine your protection against Confused Deputies, thereby returning you to a state before you properly used the AAD.
So now you have to revisit your designs and ensure you’re using a key-committing authenticated mode, rather than just a regular authenticated mode.
Isn’t cryptography fun?
“What Are Invisible Salamanders?”
This refers to a fun property of AEAD modes based on polynomial MACs. Basically, if you:
- Encrypt one message under a specific key and nonce.
- Encrypt another message under a separate key and nonce.
…Then you can get the same exact ciphertext and authentication tag. Performing this attack requires you to control the keys for both encryption operations.
This was first demonstrated in an attack against encrypted messaging applications, where a picture of a salamander was hidden from the abuse reporting feature because another attached file had the same authentication tag and ciphertext, and you could trick the system if you disclosed the second key instead of the first. Thus, the salamander is invisible to attackers.
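The standard fix is to commit to the key explicitly rather than trusting the GCM tag to do it. The block below is an added example, my own Go and not code from this post or from any product it discusses, of the generic derive-then-commit transform described by Albertini et al. in “How to Abuse and Fix Authenticated Encryption Without Key Commitment”: a per-nonce encryption key and a per-nonce commitment are both derived from the tenant key with HMAC-SHA256, the commitment is stored next to the ciphertext, and decryption refuses to proceed unless the commitment matches. It demonstrates the mitigation, not the salamander construction itself. Tenant keys, the AAD string and the record are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	nonceLen  = 12 // standard AES-GCM nonce
	commitLen = 32 // SHA-256 output
)

// deriveForNonce maps the tenant key and nonce to a one-shot AES-256 key and a key
// commitment, via HMAC-SHA256 under two distinct labels. Only a holder of the tenant key
// can produce either value.
func deriveForNonce(key, nonce []byte) (encKey, commitment []byte) {
	prf := func(label string) []byte {
		h := hmac.New(sha256.New, key)
		h.Write([]byte(label))
		h.Write(nonce)
		return h.Sum(nil)
	}
	return prf("enc"), prf("com")
}

func gcmFor(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCommitting returns nonce || commitment || AES-GCM ciphertext-with-tag.
func SealCommitting(key, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	encKey, com := deriveForNonce(key, nonce)
	aead, err := gcmFor(encKey)
	if err != nil {
		return nil, err
	}
	out := append(append([]byte{}, nonce...), com...)
	return aead.Seal(out, nonce, plaintext, aad), nil
}

// OpenCommitting checks the commitment before any decryption happens. A blob therefore
// decrypts under at most one tenant key, whatever the GCM tag alone would accept.
func OpenCommitting(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < nonceLen+commitLen {
		return nil, errors.New("blob too short")
	}
	nonce := blob[:nonceLen]
	stored := blob[nonceLen : nonceLen+commitLen]
	ct := blob[nonceLen+commitLen:]
	encKey, com := deriveForNonce(key, nonce)
	if !hmac.Equal(com, stored) {
		return nil, errors.New("key commitment mismatch: ciphertext was not sealed under this key")
	}
	aead, err := gcmFor(encKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// DemoMultiTenant seals a cell for tenant A and shows tenant B's key is refused at the
// commitment check, before the AEAD tag is ever consulted.
func DemoMultiTenant() (ownerOpens bool, otherTenantErr string) {
	keyA := []byte("tenant-A-constructed-demo-key-32") // constructed demo keys, not real material
	keyB := []byte("tenant-B-constructed-demo-key-32")
	aad := []byte("customers|addr_encrypted|999") // stand-in for the canonicalized cell location

	blob, err := SealCommitting(keyA, []byte("221B Baker Street"), aad)
	if err != nil {
		panic(err)
	}
	_, err = OpenCommitting(keyA, blob, aad)
	ownerOpens = err == nil
	if _, err = OpenCommitting(keyB, blob, aad); err != nil {
		otherTenantErr = err.Error()
	}
	return
}

func main() {
	ok, msg := DemoMultiTenant()
	fmt.Printf("tenant A opens: %v; tenant B: %s\n", ok, msg)
}
```

The cost is 32 bytes per ciphertext and two extra HMAC calls per operation; in exchange, an attacker who controls two tenant keys can no longer produce one blob that is valid under both, which is exactly the property the AAD-based confused-deputy defence above was silently relying on.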
Art: CMYKat
We’re not quite done with relational databases yet, but we should talk about NoSQL databases for a bit. The final topic in scope applies equally to both, after all.
Cryptography for NoSQL Databases
Most of the topics from relational databases also apply to NoSQL databases, so I shall refrain from duplicating them here. This article is already sufficiently long to read, after all, and I dislike redundancy.
NoSQL is Built Different
The main thing that NoSQL databases offer in the service of making cryptographers lose sleep at night is the schema-free nature of NoSQL designs.
What this means is that, if you’re using a client-side encryption library for a NoSQL database, the previous concerns about confused deputy attacks are amplified by the malleability of the document structure.
Additionally, the previously discussed cryptographic attacks against the encryption mode may be less expensive for an attacker to pull off.
Consider the following record structure, which stores a bunch of data stored with AES in CBC mode:
{
    "encrypted-data-key": "<blob>",
    "name": "<ciphertext>",
    "address": [
        "<ciphertext>",
        "<ciphertext>"
    ],
    "social-security": "<ciphertext>",
    "zip-code": "<ciphertext>"
}
If this record is decrypted with code that looks something like this:
$decrypted = [];
// ... snip ...
foreach ($record['address'] as $i => $addrLine) {
    try {
        $decrypted['address'][$i] = $this->decrypt($addrLine);
    } catch (Throwable $ex) {
        // You'd never deliberately do this, but it's for illustration
        $this->doSomethingAnOracleCanObserve($i);
        // This is more believable, of course:
        $this->logDecryptionError($ex, $addrLine);
        $decrypted['address'][$i] = '';
    }
}
Then you can keep appending rows to the "address" field to reduce the number of writes needed to exploit a padding oracle attack against any of the <ciphertext> fields.
Art: Harubaki
This isn’t to say that NoSQL is less secure than SQL, from the context of client-side encryption. However, the powerful feature sets that NoSQL users are accustomed to may also give attackers a more versatile toolkit to work with.
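As an added example (my own Go, not code from this post), here is the attack that the PHP loop above enables, run against a simulated server. The server decrypts every line of the "address" array with unauthenticated AES-CBC and, per index, leaks whether the padding checked out, which is what logging each failed line amounts to. The attacker then packs all 256 guesses for one plaintext byte into a single document write and reads the verdict vector back. Key, plaintext and IV are constructed; the oracle here is a direct function call, where a real one would be a write followed by reading the error log.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const bs = aes.BlockSize

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt returns iv || ciphertext: unauthenticated AES-CBC with PKCS#7 padding.
func cbcEncrypt(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // key is a constructed 16-byte value, so this cannot fail
	iv := make([]byte, bs)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	n := bs - len(pt)%bs
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...)
}

// decryptAddressLines is the server side of the PHP loop above: every "address" line is
// decrypted, and the per-index padding verdict (the logDecryptionError branch) is what
// the attacker gets to observe.
func decryptAddressLines(key []byte, lines [][]byte) []bool {
	block, _ := aes.NewCipher(key)
	ok := make([]bool, len(lines))
	for i, line := range lines {
		if len(line) < 2*bs || len(line)%bs != 0 {
			continue // malformed line counts as a failed decryption
		}
		pt := make([]byte, len(line)-bs)
		cipher.NewCBCDecrypter(block, line[:bs]).CryptBlocks(pt, line[bs:])
		_, err := pkcs7Unpad(pt)
		ok[i] = err == nil
	}
	return ok
}

// recoverBlock learns AES-decrypt(target) one byte at a time. All 256 guesses for a byte
// ride in ONE document write as separate "address" lines: that is the batching the text
// describes. With a single encrypted field the same work costs one write per guess.
func recoverBlock(oracle func([][]byte) []bool, prev, target []byte) ([]byte, int) {
	inter, writes := make([]byte, bs), 0 // inter = AES-decrypt(target)
	for pos := bs - 1; pos >= 0; pos-- {
		pad, cands := byte(bs-pos), make([][]byte, 256)
		for g := range cands {
			forged := make([]byte, bs) // stands in as target's previous block (its IV here)
			for j := pos + 1; j < bs; j++ {
				forged[j] = inter[j] ^ pad // already-known bytes are steered to decrypt to pad
			}
			forged[pos] = byte(g)
			cands[g] = append(forged, target...)
		}
		writes++
		hit := -1
		for g, valid := range oracle(cands) {
			if valid && pos == bs-1 { // rule out a lucky 0x02 0x02 (or longer) padding hit
				check := append([]byte(nil), cands[g]...)
				check[pos-1] ^= 0xff
				writes++
				valid = oracle([][]byte{check})[0]
			}
			if valid {
				hit = g
				break
			}
		}
		inter[pos] = byte(hit) ^ pad // hit == -1 cannot happen against a correct oracle
	}
	pt := make([]byte, bs)
	for i := range pt {
		pt[i] = inter[i] ^ prev[i]
	}
	return pt, writes
}

// DemoPaddingOracle encrypts a constructed address line and recovers it through the
// oracle alone, returning the plaintext and the number of document writes it took.
func DemoPaddingOracle() (string, int) {
	key := []byte("constructed-key!") // 16-byte constructed demo key
	blob := cbcEncrypt(key, []byte("221B Baker Street"))
	oracle := func(doc [][]byte) []bool { return decryptAddressLines(key, doc) }
	pt, writes := []byte(nil), 0
	for off := bs; off+bs <= len(blob); off += bs {
		block, w := recoverBlock(oracle, blob[off-bs:off], blob[off:off+bs])
		pt, writes = append(pt, block...), writes+w
	}
	plain, _ := pkcs7Unpad(pt) // the recovered bytes include the PKCS#7 tail
	return string(plain), writes
}
```

Two blocks of plaintext come back after roughly 34 document writes instead of the 8192 a one-line-per-write oracle would need, and the only thing the attacker ever needed was which array index the server’s log complained about. Authenticating the ciphertext (so the server never unpads attacker-controlled bytes) removes the oracle entirely; logging less does not.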
Record Authentication
A pedant may point out that record authentication applies to both SQL and NoSQL. However, I mostly only observe this feature in NoSQL databases and document storage systems in the wild, so I’m shoving it in here.
Encrypting fields is nice and all, but sometimes what you want to know is that your unencrypted data hasn’t been tampered with as it flows through your system.
The trivial way this is done is by using a digital signature algorithm over the whole record, and then appending the signature to the end. When you go to verify the record, all of the information you need is right there.
This works well enough for most use cases, and everyone can pack up and go home. Nothing more to see here.
Except…
When you’re working with NoSQL databases, you often want systems to be able to write to additional fields, and since you’re working with schema-free blobs of data rather than a normalized set of relatable tables, the most sensible thing to do is to append this data to the same record.
Except, oops! You can’t do that if you’re shoving a digital signature over the record. So now you need to specify which fields are to be included in the signature.
And you need to think about how to model that in a way that doesn’t prohibit schema upgrades nor allow attackers to perform downgrade attacks. (See below.)
I don’t have any specific real-world examples here that I can point to of this problem being solved well.
Furthermore, as with preventing confused deputy and/or canonicalization attacks above, you must also include the fully qualified path of each field in the data that gets signed.
As I said with encryption before, but also true here:
Where your data lives is part of its identity, and MUST be authenticated.
Soatok’s Rule of Database Cryptography
This requirement holds true whether you’re using symmetric-key authentication (i.e. HMAC) or asymmetric-key digital signatures (e.g. EdDSA).
Bonus: A Maximally Schema-Free, Upgradeable Authentication Design
Okay, how do you solve this problem so that you can perform updates and upgrades to your schema but without enabling attackers to downgrade the security? Here’s one possible design.
Let’s say you have two metadata fields on each record:
- A compressed binary string representing which fields should be authenticated. This field is, itself, not authenticated. Let’s call this meta-auth.
- A compressed binary string representing which of the authenticated fields should also be encrypted. This field is also authenticated. This is at most the same length as the first metadata field. Let’s call this meta-enc.
Furthermore, you will specify a canonical field ordering for both how data is fed into the signature algorithm as well as the field mappings in meta-auth and meta-enc.
{
  "example": {
    "credit-card": {
      "number": /* encrypted */,
      "expiration": /* encrypted */,
      "ccv": /* encrypted */
    },
    "superfluous": {
      "rewards-member": null
    }
  },
  "meta-auth": compress_bools([
    true,  /* example.credit-card.number */
    true,  /* example.credit-card.expiration */
    true,  /* example.credit-card.ccv */
    false, /* example.superfluous.rewards-member */
    true   /* meta-enc */
  ]),
  "meta-enc": compress_bools([
    true,  /* example.credit-card.number */
    true,  /* example.credit-card.expiration */
    true,  /* example.credit-card.ccv */
    false  /* example.superfluous.rewards-member */
  ]),
  "signature": /* -- snip -- */
}
When you go to append data to an existing record, you’ll need to update meta-auth to include the mapping of fields based on this canonical ordering to ensure only the intended fields get validated.
When you update your code to add an additional field that is intended to be signed, you can roll that out for new records and the record will continue to be self-describing:
- New records will have the additional field flagged as authenticated in meta-auth (and meta-enc will grow)
- Old records will not, but your code will still sign them successfully
- To prevent downgrade attacks, simply include a schema version ID as an additional plaintext field that gets authenticated. An attacker who tries to downgrade will need to be able to produce a valid signature too.
You might think meta-auth gives an attacker some advantage, but this only includes which fields are included in the security boundary of the signature or MAC, which allows unauthenticated data to be appended for whatever operational purpose without having to update signatures or expose signing keys to a wider part of the network.
{
  "example": {
    "credit-card": {
      "number": /* encrypted */,
      "expiration": /* encrypted */,
      "ccv": /* encrypted */
    },
    "superfluous": {
      "rewards-member": null
    }
  },
  "meta-auth": compress_bools([
    true,  /* example.credit-card.number */
    true,  /* example.credit-card.expiration */
    true,  /* example.credit-card.ccv */
    false, /* example.superfluous.rewards-member */
    true,  /* meta-enc */
    true   /* meta-version */
  ]),
  "meta-enc": compress_bools([
    true,  /* example.credit-card.number */
    true,  /* example.credit-card.expiration */
    true,  /* example.credit-card.ccv */
    false, /* example.superfluous.rewards-member */
    true   /* meta-version */
  ]),
  "meta-version": 0x01000000,
  "signature": /* -- snip -- */
}
If an attacker tries to use the meta-auth field to mess with a record, the best they can hope for is an Invalid Signature exception (assuming the signature algorithm is secure to begin with).
Even if they keep all of the fields the same, but play around with the structure of the record (e.g. changing the XPath or equivalent), so long as the path is authenticated with each field, breaking this is computationally infeasible.
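To make the record-authentication requirement and the meta-auth/meta-enc sketch above concrete, here is an added Python example. It is mine, not the post’s code, and it assumes HMAC-SHA256 as the authenticator (the post says the design holds for HMAC or EdDSA alike), dotted JSON paths sorted lexically as the canonical field ordering, a uint64 length prefix on every segment fed to the MAC, and a bit-packing compress_bools(). It departs from the sketch in one detail, flagged in the comments: instead of MACing the raw meta-enc blob, each authenticated field’s own meta-enc bit is bound next to its path and value, so a key-less writer can append a field that shifts the bitmap positions without invalidating the signature. meta-version always sits inside the boundary, so a downgraded version fails verification. The record, key and field values are constructed.

```python
import copy
import hashlib
import hmac
import json
import struct


def flatten(record, prefix=""):
    """Map a nested dict to {"fully.qualified.path": leaf_value}."""
    out = {}
    for key, value in record.items():
        path = f"{prefix}.{key}" if prefix else key
        out.update(flatten(value, path) if isinstance(value, dict) else {path: value})
    return out

def compress_bools(flags):
    """Pack booleans 8 per byte, MSB first (our stand-in for the post's compress_bools())."""
    out = bytearray((len(flags) + 7) // 8)
    for i, flag in enumerate(flags):
        if flag:
            out[i // 8] |= 0x80 >> (i % 8)
    return bytes(out)

def expand_bools(blob, count):
    """Inverse of compress_bools; bits beyond the end of the blob read as False."""
    return [i // 8 < len(blob) and bool(blob[i // 8] & (0x80 >> (i % 8))) for i in range(count)]

def segment(data):
    """uint64 length prefix, so concatenated segments cannot be re-split ambiguously."""
    return struct.pack(">Q", len(data)) + data

def data_paths(record):
    """Canonical ordering: the sorted fully qualified paths of the data fields only."""
    return sorted(p for p in flatten(record) if not p.startswith("meta-") and p != "signature")

def mac_input(record):
    """Per selected field: path, its meta-enc bit, value; then the schema version.
    meta-auth itself stays outside the boundary; the set of fields it selects does not."""
    flat, paths = flatten(record), data_paths(record)
    auth = expand_bools(record["meta-auth"], len(paths))
    enc = expand_bools(record["meta-enc"], len(paths))
    parts = []
    for path, is_auth, is_enc in zip(paths, auth, enc):
        if is_auth:
            value = json.dumps(flat[path], sort_keys=True).encode()
            parts += [segment(path.encode()), bytes([int(is_enc)]), segment(value)]
    parts.append(segment(struct.pack(">I", record["meta-version"])))
    return b"".join(parts)

def sign_record(key, record, auth_paths, enc_paths, version=0x01000000):
    """Return a self-describing copy: meta-auth/meta-enc bitmaps, meta-version and HMAC tag."""
    signed = copy.deepcopy(record)
    paths = data_paths(signed)
    signed["meta-auth"] = compress_bools([p in auth_paths for p in paths])
    signed["meta-enc"] = compress_bools([p in enc_paths for p in paths])
    signed["meta-version"] = version
    signed["signature"] = hmac.new(key, mac_input(signed), hashlib.sha256).digest()
    return signed

def verify_record(key, record):
    paths = data_paths(record)
    auth = expand_bools(record["meta-auth"], len(paths))
    enc = expand_bools(record["meta-enc"], len(paths))
    if any(e and not a for a, e in zip(auth, enc)):
        return False  # encrypted-but-unauthenticated is never a valid state
    expected = hmac.new(key, mac_input(record), hashlib.sha256).digest()
    return hmac.compare_digest(expected, record["signature"])

def append_unauthenticated(record, path, value):
    """Key-less writer: add a field outside the boundary, then rebuild the positional
    bitmaps so every existing flag still refers to the same path."""
    old = data_paths(record)
    auth = dict(zip(old, expand_bools(record["meta-auth"], len(old))))
    enc = dict(zip(old, expand_bools(record["meta-enc"], len(old))))
    *parents, leaf = path.split(".")
    node = record
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value
    new = data_paths(record)
    record["meta-auth"] = compress_bools([auth.get(p, False) for p in new])
    record["meta-enc"] = compress_bools([enc.get(p, False) for p in new])
    return record

def demo():
    key = b"\x42" * 32  # constructed test key
    card = ["example.credit-card." + f for f in ("number", "expiration", "ccv")]
    record = {"example": {"credit-card": {"number": "ENC(..)", "expiration": "ENC(..)", "ccv": "ENC(..)"},
                          "superfluous": {"rewards-member": None}}}
    signed = sign_record(key, record, card, card)
    cases = {"original": signed}
    cases["unauthenticated_append"] = append_unauthenticated(copy.deepcopy(signed), "example.audit.seen", "2023-03-01")
    cases["value_tampered"] = copy.deepcopy(signed)
    cases["value_tampered"]["example"]["credit-card"]["ccv"] = "ENC(other)"
    cases["meta_auth_flipped"] = copy.deepcopy(signed)
    cases["meta_auth_flipped"]["meta-auth"] = compress_bools([False, True, True, False])  # tries to drop ccv
    cases["path_moved"] = copy.deepcopy(signed)
    cases["path_moved"]["example"]["card"] = cases["path_moved"]["example"].pop("credit-card")
    cases["version_downgraded"] = copy.deepcopy(signed)
    cases["version_downgraded"]["meta-version"] = 0
    return {name: verify_record(key, rec) for name, rec in cases.items()}
```

demo() returns a case-name to verified mapping: only the untouched record and the unauthenticated append verify, while a tampered value, a meta-auth bit flipped to exclude a field, a relocated field path and a downgraded meta-version all fail, which is the "Invalid Signature is the best they can hope for" property the section describes.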
Searchable Encryption
If you’ve managed to make it through the previous sections, congratulations, you now know enough to build a secure but completely useless database.
Okay, put away the pitchforks; I will explain.
Part of the reason why we store data in a database, rather than a flat file, is because we want to do more than just read and write. Sometimes computer scientists want to compute. Almost always, you want to be able to query your database for a subset of records based on your specific business logic needs.
And so, a database which doesn’t do anything more than store ciphertext and maybe signatures is pretty useless to most people. You’d have better luck selling Monkey JPEGs to furries than convincing most businesses to part with their precious database-driven report generators.
So whenever one of your users wants to actually use their data, rather than just store it, they’re forced to decide between two mutually exclusive options:
- Encrypting the data, to protect it from unauthorized disclosure, but render it useless
- Doing anything useful with the data, but leaving it unencrypted in the database
This is especially annoying for business types that are all in on the Zero Trust buzzword.
Fortunately, the cryptographers are at it again, and boy howdy do they have a lot of solutions for this problem.
Order-{Preserving, Revealing} Encryption
On the fun side of things, you have things like Order-Preserving and Order-Revealing Encryption, which Matthew Green wrote about at length.
[D]atabase encryption has been a controversial subject in our field. I wish I could say that there’s been an actual debate, but it’s more that different researchers have fallen into different camps, and nobody has really had the data to make their position in a compelling way. There have actually been some very personal arguments made about it.
Attack of the week: searchable encryption and the ever-expanding leakage function
The problem with these designs is that they have a significant enough leakage that it no longer provides semantic security.
From Grubbs, et al. (GLMP, 2019).
To put it in other words: These designs are only marginally better than ECB mode, and probably deserve their own poems too.
Order revealing
Reveals much more than order
Softcore ECB
Order preserving
Semantic security?
Only in your dreams
Haiku for your consideration
Deterministic Encryption
Here’s a simpler, but also terrible, idea for searchable encryption: Simply give up on semantic security entirely.
If you recall the AES_{De,En}crypt() functions built into MySQL I mentioned at the start of this article, those are the most common form of deterministic encryption I’ve seen in use.
SELECT * FROM foo WHERE bar = AES_Encrypt('query', 'key');
However, there are slightly less bad variants. If you use AES-GCM-SIV with a static nonce, your ciphertexts are fully deterministic, and you can encrypt a small number of distinct records safely before you’re no longer secure.
From Page 14 of the linked paper.
That’s certainly better than nothing, but you also can’t mitigate confused deputy attacks. But we can do better than this.
Homomorphic Encryption
In a safer plane of academia, you’ll find homomorphic encryption, which researchers recently demonstrated with serving Wikipedia pages in a reasonable amount of time.
Homomorphic encryption allows computations over the ciphertext, which will be reflected in the plaintext, without ever revealing the key to the entity performing the computation.
If this sounds vaguely similar to the conditions that enable chosen-ciphertext attacks, you probably have a good intuition for how it works: RSA is homomorphic to multiplication, AES-CTR is homomorphic to XOR. Fully homomorphic encryption uses lattices, which enables multiple operations but carries a relatively enormous performance cost.
Homomorphic encryption sometimes intersects with machine learning, because the notion of training an encrypted model by feeding it encrypted data, then decrypting it after-the-fact is desirable for certain business verticals. Your data scientists never see your data, and you have some plausible deniability about the final ML model this work produces. This is like a Siren song for Venture Capitalist-backed medical technology companies. Tech journalists love writing about it.
However, a less-explored use case is the ability to encrypt your programs but still get the correct behavior and outputs. Although this sounds like a DRM technology, it’s actually something that individuals could one day use to prevent their ISPs or cloud providers from knowing what software is being executed on the customer’s leased hardware. The potential for a privacy win here is certainly worth pondering, even if you’re a tried and true Pirate Party member.
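The claim above that RSA is homomorphic to multiplication is easy to see in code. The following is an added example, not from the post: textbook RSA over tiny constructed primes (the modulus, exponent and messages are toy values chosen only so the arithmetic is visible), where a party holding two ciphertexts and the public modulus computes a valid encryption of the product without ever touching the private key.

```python
# Toy textbook RSA with tiny constructed primes: enough to show the algebra, useless as a cipher.
P, Q = 61, 53
N = P * Q                          # modulus 3233 (public)
E = 17                             # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, 2753


def rsa_encrypt(m):
    """Textbook RSA, no padding: c = m^e mod N. Requires 0 <= m < N."""
    return pow(m, E, N)


def rsa_decrypt(c):
    return pow(c, D, N)


def combine_ciphertexts(c1, c2):
    """Computable by anyone who has only ciphertexts and N: yields Enc(m1 * m2 mod N)."""
    return (c1 * c2) % N


def homomorphic_product(m1, m2):
    """Return (what the key holder decrypts from the combined ciphertext, the honest product)."""
    combined = combine_ciphertexts(rsa_encrypt(m1), rsa_encrypt(m2))
    return rsa_decrypt(combined), (m1 * m2) % N
```

The two values homomorphic_product() returns are always equal, which is the whole point: (m1^e · m2^e) mod N equals (m1 · m2)^e mod N. The same malleability is why textbook RSA is never deployed as-is; padding schemes such as OAEP exist precisely to break this structure, just as an authentication tag is what removes the XOR malleability of a CTR-mode stream.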
Just say “NO” to the copyright cartels.
Searchable Symmetric Encryption (SSE)
Forget about working at the level of fields and rows or individual records. What if we, instead, worked over collections of documents, where each document is viewed as a set of keywords from a keyword space?
That’s the basic premise of SSE: Encrypting collections of documents rather than individual records.
The actual implementation details differ greatly between designs. They also differ greatly in their leakage profiles and susceptibility to side-channel attacks.
Some schemes use a so-called trapdoor permutation, such as RSA, as one of their building blocks.
Some schemes only allow for searching a static set of records, while others can accommodate new data over time (with the trade-off between more leakage or worse performance).
If you’re curious, you can learn more about SSE here, and see some open source SSE implementations online here.
You’re probably wondering, “If SSE is this well-studied and there are open source implementations available, why isn’t it more widely used?”
Your guess is as good as mine, but I can think of a few reasons:
- The protocols can be a little complicated to implement, and aren’t shipped by default in cryptography libraries (i.e. OpenSSL’s libcrypto or libsodium).
- Every known security risk in SSE is the product of trade-offs, rather than there being a single winner for all use cases that developers can feel comfortable picking.
- Insufficient marketing and developer advocacy.
SSE schemes are mostly of interest to academics, although Seny Kamara (Brown University professor and one of the luminaries of searchable encryption) did try to develop an app called Pixek which used SSE to encrypt photos.
Maybe there’s room for a cryptography competition on searchable encryption schemes in the future.
You Can Have Little a HMAC, As a Treat
Finally, I can’t talk about searchable encryption without discussing a technique that’s older than dirt by Internet standards, that has been independently reinvented by countless software developers tasked with encrypting database records.
The oldest version I’ve been able to track down dates to 2006 by Raul Garcia at Microsoft, but I’m not confident that it didn’t exist before.
The idea I’m alluding to goes like this:
- Encrypt your data, securely, using symmetric cryptography. (Hopefully your encryption addresses the considerations outlined in the relevant sections above.)
- Separately, calculate an HMAC over the unencrypted data with a separate key used exclusively for indexing.
When you need to query your data, you can just recalculate the HMAC of your challenge and fetch the records that match it. Easy, right?
Even if you rotate your keys for encryption, you keep your indexing keys static across your entire data set. This lets you have durable indexes for encrypted data, which gives you the ability to do literal lookups for the performance hit of a hash function.
Additionally, everyone has HMAC in their toolkit, so you don’t have to move around implementations of complex cryptographic building blocks. You can live off the land. What’s not to love?
However, if you stopped here, we regret to inform you that your data is no longer indistinguishable from random, which probably undermines the security proof for your encryption scheme.
Of course, you don’t have to stop with the addition of plain HMAC to your database encryption software.
Take a page from Troy Hunt: Truncate the output to provide k-anonymity rather than a direct literal look-up.
“K-What Now?”
Imagine you have a full HMAC-SHA256 of the plaintext next to every ciphertext record with a static key, for searchability.
Each HMAC output corresponds 1:1 with a unique plaintext.
Because you’re using HMAC with a secret key, an attacker can’t just build a rainbow table like they would when attempting password cracking, but it still leaks duplicate plaintexts.
For example, an HMAC-SHA256 output might look like this:
04a74e4c0158e34a566785d1a5e1167c4e3455c42aea173104e48ca810a8b1ae
If you were to slice off most of those bytes (e.g. leaving only the last 3, which in the previous example yields a8b1ae), then with sufficient records, multiple plaintexts will now map to the same truncated HMAC tag.
Which means if you’re only revealing a truncated HMAC tag to the database server (both when storing records or retrieving them), you can now expect false positives due to collisions in your truncated HMAC tag.
These false positives give your data a discrete set of anonymity (called k-anonymity), which means an attacker with access to your database cannot:
- Distinguish between two encrypted records with the same short HMAC tag.
- Reverse engineer the short HMAC tag into a single possible plaintext value, even if they can supply candidate queries and study the tags sent to the database.
As with SSE above, this short HMAC technique exposes a trade-off to users.
- Too much k-anonymity (i.e. too many false positives), and you will have to decrypt-then-discard multiple mismatching records. This can make queries slow.
- Not enough k-anonymity (i.e. insufficient false positives), and you’re no better off than a full HMAC.
Even more troublesome, the right amount to truncate is expressed in bits (not bytes), and calculating this value depends on the number of unique plaintext values you anticipate in your dataset. (Fortunately, it grows logarithmically, so you’ll rarely if ever have to tune this.)
If you’d like to play with this idea, here’s a quick and dirty demo script.
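Here is an added worked example of the truncated-HMAC index described in this section, written by me rather than taken from the post or its demo script. It assumes HMAC-SHA256 with a static indexing key, truncation to the trailing bits of the tag as the post describes, and a constructed dataset of 2000 rows in which each of 1000 e-mail addresses appears twice. The server-side BlindIndex only ever sees short tags and record ids; the client computes the tag, fetches every candidate, decrypts (here a plaintext lookup stands in for decryption) and discards the false positives. truncation_bits() encodes the sizing rule of thumb from the last paragraph as an assumption of mine, not a formula from the post.

```python
import hashlib
import hmac
import math


def full_tag(index_key, plaintext):
    """Blind index: HMAC-SHA256 of the plaintext under a key used only for indexing."""
    return hmac.new(index_key, plaintext.encode(), hashlib.sha256).digest()


def short_tag(index_key, plaintext, bits):
    """Keep only the trailing `bits` bits of the tag (the post slices from the end)."""
    return int.from_bytes(full_tag(index_key, plaintext), "big") & ((1 << bits) - 1)


def truncation_bits(expected_unique, target_k):
    """Rule of thumb (our assumption): tags are roughly uniform, so 2**bits buckets over N
    unique plaintexts hold about N / 2**bits each; for k per bucket use floor(log2(N / k)).
    Rounding down errs toward more false positives, i.e. more anonymity, not less."""
    return max(1, math.floor(math.log2(expected_unique / target_k)))


class BlindIndex:
    """The database server's view: short tag -> record ids. It never sees plaintext or keys."""

    def __init__(self, bits):
        self.bits, self.buckets = bits, {}

    def insert(self, record_id, tag):
        self.buckets.setdefault(tag, []).append(record_id)

    def candidates(self, tag):
        return list(self.buckets.get(tag, []))


def search(index_key, index, decrypt, query):
    """Client side: send the short tag, decrypt every candidate, discard mismatches.
    Returns (matching ids, number of false positives decrypted and thrown away)."""
    hits = index.candidates(short_tag(index_key, query, index.bits))
    matches = [rid for rid in hits if decrypt(rid) == query]
    return matches, len(hits) - len(matches)


def demo(bits):
    index_key = b"\x07" * 32  # constructed indexing key; stays static across encryption-key rotation
    # Constructed dataset: 1000 distinct addresses, each stored twice (ids i and i + 1000).
    plaintexts = {rid: f"user{rid % 1000}@example.com" for rid in range(2000)}
    index = BlindIndex(bits)
    for rid, value in plaintexts.items():
        index.insert(rid, short_tag(index_key, value, bits))
    # Real rows hold ciphertext; plaintexts.__getitem__ stands in for client-side decryption.
    matches, discarded = search(index_key, index, plaintexts.__getitem__, "user17@example.com")
    return {"matches": matches, "false_positives": discarded, "bucket_count": len(index.buckets)}
```

demo(256) keeps the full tag: one bucket per distinct plaintext, no false positives, and every duplicate plaintext is visible to the server as a shared tag. demo(5) keeps five bits: at most 32 buckets for 1000 distinct values, so the query returns the same two true matches plus dozens of rows that must be decrypted and discarded, and the server can no longer tell which rows share a plaintext. That is the trade-off the two bullet points above describe.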
Intermission
If you started reading this post with any doubts about Cendyne’s statement that “Database cryptography is hard”, they’ve probably been long since put to rest by the time you’ve made it to this point.
Conversely, anyone that specializes in this topic is probably waiting for me to say anything novel or interesting; their patience wearing thin as I continue to rehash a surface-level introduction of their field without really diving deep into anything.
Thus, if you’ve read this far, I’d like to demonstrate the application of what I’ve covered thus far in a real-world case study of a database cryptography product.
Case Study: MongoDB Client-Side Encryption
MongoDB is an open source schema-free NoSQL database. Last year, MongoDB made waves when they announced Queryable Encryption in their upcoming client-side encryption release.
A statement at the bottom of their press release indicates that this isn’t clown-shoes:
Queryable Encryption was designed by MongoDB’s Advanced Cryptography Research Group, headed by Seny Kamara and Tarik Moataz, who are pioneers in the field of encrypted search. The Group conducts cutting-edge peer-reviewed research in cryptography and works with MongoDB engineering teams to transfer and deploy the latest innovations in cryptography and privacy to the MongoDB data platform.
If you recall, I mentioned Seny Kamara in the SSE section of this post. They certainly aren’t wrong about Kamara and Moataz being pioneers in this field.
So with that in mind, let’s explore the implementation in libmongocrypt and see how it stands up to scrutiny.
MongoCrypt: The Good
MongoDB’s encryption library takes key management seriously: They provide a KMS integration for cloud users by default (supporting both AWS and Azure).
MongoDB uses Encrypt-then-MAC with AES-CBC and HMAC-SHA256, which is congruent to what Signal does for message encryption.
How Is Queryable Encryption Implemented?
From the current source code, we can see that MongoCrypt generates several different types of tokens, using HMAC (calculation defined here).
According to their press release:
The feature supports equality searches, with additional query types such as range, prefix, suffix, and substring planned for future releases.
Which means that most of the juicy details probably aren’t public yet.
These HMAC-derived tokens are stored wholesale in the data structure, but most are encrypted before storage using AES-CTR.
There are more layers of encryption (using AEAD), server-side token processing, and more AES-CTR-encrypted edge tokens. All of this is finally serialized (implementation) as one blob for storage.
Since only the equality operation is currently supported (which is the same feature you’d get from HMAC), it’s difficult to speculate what the full feature set looks like.
However, since Kamara and Moataz are leading its development, it’s likely that this feature set will be excellent.
MongoCrypt: The Bad
Every call to do_encrypt() includes at most the Key ID (but typically NULL) as the AAD. This means that the concerns over Confused Deputies (and NoSQL specifically) are relevant to MongoDB.
However, even if they did support authenticating the fully qualified path to a field in the AAD for their encryption, their AEAD construction is vulnerable to the kind of canonicalization attack I wrote about previously.
First, observe this code which assembles the multi-part inputs into HMAC.
/* Construct the input to the HMAC */
uint32_t num_intermediates = 0;
_mongocrypt_buffer_t intermediates[3];
// -- snip --
if (!_mongocrypt_buffer_concat (&to_hmac, intermediates, num_intermediates)) {
   CLIENT_ERR ("failed to allocate buffer");
   goto done;
}
if (hmac == HMAC_SHA_512_256) {
   uint8_t storage[64];
   _mongocrypt_buffer_t tag = {.data = storage, .len = sizeof (storage)};
   if (!_crypto_hmac_sha_512 (crypto, Km, &to_hmac, &tag, status)) {
      goto done;
   }
   // Truncate sha512 to first 256 bits.
   memcpy (out->data, tag.data, MONGOCRYPT_HMAC_LEN);
} else {
   BSON_ASSERT (hmac == HMAC_SHA_256);
   if (!_mongocrypt_hmac_sha_256 (crypto, Km, &to_hmac, out, status)) {
      goto done;
   }
}
The implementation of _mongocrypt_buffer_concat() can be found here.
If either the implementation of that function, or the code I snipped from my excerpt, had contained code that prefixed every segment of the AAD with the length of the segment (represented as a uint64_t to make overflow infeasible), then their AEAD mode would not be vulnerable to canonicalization issues.
Using TupleHash would also have prevented this issue.
Silver lining for MongoDB developers: Because the AAD is either a key ID or NULL, this isn’t exploitable in practice.
The first cryptographic flaw sort of cancels the second out.
If the libmongocrypt developers ever want to mitigate Confused Deputy attacks, they’ll need to address this canonicalization issue too.
MongoCrypt: The Ugly
MongoCrypt supports deterministic encryption.
If you specify deterministic encryption for a field, your application passes a deterministic initialization vector to AEAD.
We already discussed why this is bad above.
Wrapping Up
This was not a comprehensive treatment of the field of database cryptography. There are many areas of this field that I did not cover, nor do I feel qualified to discuss.
However, I hope anyone who takes the time to read this finds themselves more familiar with the subject.
Additionally, I hope any developers who think “encrypting data in a database is [easy, trivial] (select appropriate)” will find this broad introduction a humbling experience.
https://soatok.blog/2023/03/01/database-cryptography-fur-the-rest-of-us/
#appliedCryptography #blockCipherModes #cryptography #databaseCryptography #databases #encryptedSearch #HMAC #MongoCrypt #MongoDB #QueryableEncryption #realWorldCryptography #security #SecurityGuidance #SQL #SSE #symmetricCryptography #symmetricSearchableEncryption
-
Earlier this year, Cendyne wrote a blog post covering the use of HKDF, building partially upon my own blog post about HKDF and the KDF security definition, but moreso inspired by a cryptographic issue they identified in another company’s product (dubbed AnonCo).
At the bottom they teased:
Database cryptography is hard. The above sketch is not complete and does not address several threats! This article is quite long, so I will not be sharing the fixes.
Cendyne
If you read Cendyne’s post, you may have nodded along with that remark and not appreciate the degree to which our naga friend was putting it mildly. So I thought I’d share some of my knowledge about real-world database cryptography in an accessible and fun format in the hopes that it might serve as an introduction to the specialization.
Note: I’m also not going to fix Cendyne’s sketch of AnonCo’s software here–partly because I don’t want to get in the habit of assigning homework or required reading, but mostly because it’s kind of obvious once you’ve learned the basics.
I’m including art of my fursona in this post… as is tradition for furry blogs.
If you don’t like furries, please feel free to leave this blog and read about this topic elsewhere.
Thanks to CMYKat for the awesome stickers.
Contents
- Database Cryptography?
- Cryptography for Relational Databases
- The Perils of Built-in Encryption Functions
- Application-Layer Relational Database Cryptography
- Confused Deputies
- Canonicalization Attacks
- Multi-Tenancy
- Cryptography for NoSQL Databases
- NoSQL is Built Different
- Record Authentication
- Bonus: A Maximally Schema-Free, Upgradeable Authentication Design
- Searchable Encryption
- Order-{Preserving, Revealing} Encryption
- Deterministic Encryption
- Homomorphic Encryption
- Searchable Symmetric Encryption (SSE)
- You Can Have Little a HMAC, As a Treat
- Intermission
- Case Study: MongoDB Client-Side Encryption
- MongoCrypt: The Good
- How is Queryable Encryption Implemented?
- MongoCrypt: The Bad
- MongoCrypt: The Ugly
- Wrapping Up
Database Cryptography?
The premise of database cryptography is deceptively simple: You have a database, of some sort, and you want to store sensitive data in said database.
The consequences of this simple premise are anything but simple. Let me explain.
The sensitive data you want to store may need to remain confidential, or you may need to provide some sort of integrity guarantees throughout your entire system, or sometimes both. Sometimes all of your data is sensitive, sometimes only some of it is. Sometimes the confidentiality requirements of your data extend to where within a dataset the record you want actually lives. Sometimes that’s true of some data, but not others, so your cryptography has to be flexible to support multiple types of workloads.
Other times, you just want your disks encrypted at rest so if they grow legs and walk out of the data center, the data cannot be comprehended by an attacker. And you can’t be bothered to work on this problem any deeper. This is usually what compliance requirements cover. Boxes get checked, executives feel safer about their operation, and the whole time nobody has really analyzed the risks they’re facing.
But we’re not settling for mere compliance on this blog. Furries have standards, after all.
So the first thing you need to do before diving into database cryptography is threat modelling. The first step in any good threat model is taking inventory; especially of assumptions, requirements, and desired outcomes. A few good starter questions:
- What database software is being used? Is it up to date?
- What data is being stored in which database software?
- How are databases oriented in the network of the overall system?
- Is your database properly firewalled from the public Internet?
- How does data flow throughout the network, and when do these data flows intersect with the database?
- Which applications talk to the database? What languages are they written in? Which APIs do they use?
- How will cryptography secrets be managed?
- Is there one key for everyone, one key per tenant, etc.?
- How are keys rotated?
- Do you use envelope encryption with an HSM, or vend the raw materials to your end devices?
The first two questions are paramount for deciding how to write software for database cryptography, before you even get to thinking about the cryptography itself.
(This is not a comprehensive set of questions to ask, either. A formal threat model is much deeper in the weeds.)
The kind of cryptography protocol you need for, say, storing encrypted CSV files in an S3 bucket is vastly different from relational (SQL) databases, which in turn will be significantly different from schema-free (NoSQL) databases.
Furthermore, when you get to the point that you can start to think about the cryptography, you’ll often need to tackle confidentiality and integrity separately.
If that’s unclear, think of a scenario like, “I need to encrypt PII, but I also need to digitally sign the lab results so I know it wasn’t tampered with at rest.”
My point is, right off the bat, we’ve got a three-dimensional matrix of complexity to contend with:
- On one axis, we have the type of database.
- Flat-file
- Relational
- Schema-free
- On another, we have the basic confidentiality requirements of the data.
- Field encryption
- Row encryption
- Column encryption
- Unstructured record encryption
- Encrypting entire collections of records
- Finally, we have the integrity requirements of the data.
- Field authentication
- Row/column authentication
- Unstructured record authentication
- Collection authentication (based on e.g. Sparse Merkle Trees)
And then you have a fourth dimension that often falls out of operational requirements for databases: Searchability.
Why store data in a database if you have no way to index or search the data for fast retrieval?
If you’re starting to feel overwhelmed, you’re not alone. A lot of developers drastically underestimate the difficulty of the undertaking, until they run head-first into the complexity.
Some just phone it in with AES_Encrypt() calls in their MySQL queries. (Too bad ECB mode doesn’t provide semantic security!)
Which brings us to the meat of this blog post: The actual cryptography part.
Cryptography is the art of transforming information security problems into key management problems.
Former coworker
Note: In the interest of time, I’m skipping over flat files and focusing instead on actual database technologies.
Cryptography for Relational Databases
Encrypting data in an SQL database seems simple enough, even if you’ve managed to shake off the complexity I teased from the introduction.
You’ve got data, you’ve got a column on a table. Just encrypt the data and shove it in a cell on that column and call it a day, right?
But, alas, this is a trap. There are so many gotchas that I can’t weave a coherent, easy-to-follow narrative between them all.
So let’s start with a simple question: where and how are you performing your encryption?
The Perils of Built-in Encryption Functions
MySQL provides functions called AES_Encrypt and AES_Decrypt, which many developers have unfortunately decided to rely on in the past.
It’s unfortunate because these functions implement ECB mode. To illustrate why ECB mode is bad, I encrypted one of my art commissions with AES in ECB mode:
Art by Riley, encrypted with AES-ECB
The problems with ECB mode aren’t exactly “you can see the image through it,” because ECB-encrypting a compressed image won’t have redundancy (and thus can make you feel safer than you are).
ECB art is a good visual for the actual issue you should care about, however: A lack of semantic security.
A cryptosystem is considered semantically secure if observing the ciphertext doesn’t reveal information about the plaintext (except, perhaps, the length; which all cryptosystems leak to some extent). More information here.
ECB art isn’t to be confused with ECB poetry, which looks like this:
Oh little one, you’re growing up
You’ll soon be writing C
You’ll treat your ints as pointers
You’ll nest the ternary
You’ll cut and paste from github
And try cryptography
But even in your darkest hour
Do not use ECB
CBC’s BEASTly when padding’s abused
And CTR’s fine til a nonce is reused
Some say it’s a CRIME to compress then encrypt
Or store keys in the browser (or use javascript)
Diffie Hellman will collapse if hackers choose your g
And RSA is full of traps when e is set to 3
Whiten! Blind! In constant time! Don’t write an RNG!
But failing all, and listen well: Do not use ECB
They’ll say “It’s like a one-time-pad!
The data’s short, it’s not so bad
the keys are long–they’re iron clad
I have a PhD!”
And then you’re front page Hacker News
Your passwords cracked–Adobe Blues.
Don’t leave your penguins showing through,
Do not use ECB
— Ben Nagy, PoC||GTFO 0x04:13
Most people reading this probably know better than to use ECB mode already, and don’t need any of these reminders, but there is still a lot of code that inadvertently uses ECB mode to encrypt data in the database.
Also, SHOW processlist; leaks your encryption keys. Oops.
Application-layer Relational Database Cryptography
Whether burned by ECB or just cautious about not giving your secrets to the system that stores all the ciphertext protected by said secret, a common next step for developers is to simply encrypt in their server-side application code.
And, yes, that’s part of the answer. But how you encrypt is important.
“I’ll encrypt with CBC mode.”
If you don’t authenticate your ciphertext, you’ll be sorry. Maybe try again?
“Okay, fine, I’ll use an authenticated mode like GCM.”
Did you remember to make the table and column name part of your AAD? What about the primary key of the record?
“What on Earth are you talking about, Soatok?”
Welcome to the first footgun of database cryptography!
Confused Deputies
Encrypting your sensitive data is necessary, but not sufficient. You need to also bind your ciphertexts to the specific context in which they are stored.
To understand why, let’s take a step back: What specific threat does encrypting your database records protect against?
We’ve already established that “your disks walk out of the datacenter” is a “full disk encryption” problem, so if you’re using application-layer cryptography to encrypt data in a relational database, your threat model probably involves unauthorized access to the database server.
What, then, stops an attacker from copying ciphertexts around?
Let’s say I have a legitimate user account with an ID 12345, and I want to read your street address, but it’s encrypted in the database. But because I’m a clever hacker, I have unfettered access to your relational database server.
All I would need to do is simply…
UPDATE table SET addr_encrypted = 'your-ciphertext' WHERE id = 12345
…and then access the application through my legitimate access. Bam, data leaked. As an attacker, I can probably even copy fields from other columns and it will just decrypt. Even if you’re using an authenticated mode.
We call this a confused deputy attack, because the deputy (the component of the system that has been delegated some authority or privilege) has become confused by the attacker, and thus undermined an intended security goal.
The fix is to use the AAD parameter from the authenticated mode to bind the data to a given context. (AAD = Additional Authenticated Data.)
- $addr = aes_gcm_encrypt($addr, $key);+ $addr = aes_gcm_encrypt($addr, $key, canonicalize([+ $tableName,+ $columnName,+ $primaryKey+ ]);
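Review bot: the replacement never closes the outer aes_gcm_encrypt( call: the final "]);" closes the array and the canonicalize( call, but nothing closes aes_gcm_encrypt(, so the last added line should read "]));" rather than "]);".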
Now if I start cutting and pasting ciphertexts around, I get a decryption failure instead of silently decrypting plaintext.
This may sound like a specific vulnerability, but it’s more of a failure to understand an important general lesson with database cryptography:
Where your data lives is part of its identity, and MUST be authenticated.
Soatok’s Rule of Database Cryptography
Canonicalization Attacks
In the previous section, I introduced a pseudocode called canonicalize(). This isn’t a pasto from some reference code; it’s an important design detail that I will elaborate on now.
First, consider you didn’t do anything to canonicalize your data, and you just joined strings together and called it a day…
function dumbCanonicalize(
    string $tableName,
    string $columnName,
    string|int $primaryKey
): string {
    return $tableName . '_' . $columnName . '#' . $primaryKey;
}
Consider these two inputs to this function:
dumbCanonicalize('customers', 'last_order_uuid', 123);
dumbCanonicalize('customers_last_order', 'uuid', 123);
In this case, your AAD would be the same, and therefore, your deputy can still be confused (albeit in a narrower use case).
In Cendyne’s article, AnonCo did something more subtle: The canonicalization bug created a collision on the inputs to HKDF, which resulted in an unintentional key reuse.
Up until this point, their mistake isn’t relevant to us, because we haven’t even explored key management at all. But the same design flaw can re-emerge in multiple locations, with drastically different consequences.
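The last two sections, Confused Deputies and Canonicalization Attacks, carried through in one runnable Go program. This is an added example, not code from the post: it uses AES-GCM from the Go standard library, binds each cell to its (table, column, primary key) via the AAD, and contrasts the delimiter-only joiner from the text with a length-prefixed encoding (8-byte big-endian lengths, an assumed choice in the spirit of TupleHash, and the same fix the MongoCrypt discussion later calls for). Table and column names and the key are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// dumbCanonicalize reproduces the flawed joiner from the text: delimiters
// only, so two different (table, column, key) triples can yield one string.
func dumbCanonicalize(table, column string, pk int64) []byte {
	return []byte(fmt.Sprintf("%s_%s#%d", table, column, pk))
}

// canonicalize prefixes every segment with its length as an 8-byte
// big-endian integer (assumed encoding), so segment boundaries are
// unambiguous and no re-splitting of the inputs can collide.
func canonicalize(table, column string, pk int64) []byte {
	var out []byte
	for _, seg := range [][]byte{[]byte(table), []byte(column), []byte(fmt.Sprint(pk))} {
		var l [8]byte
		binary.BigEndian.PutUint64(l[:], uint64(len(seg)))
		out = append(out, l[:]...)
		out = append(out, seg...)
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one cell under AES-GCM and binds it to where it lives by
// passing the canonicalized location as AAD. Output is nonce || ciphertext || tag.
func encryptField(key []byte, table, column string, pk int64, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, canonicalize(table, column, pk)), nil
}

// decryptField succeeds only when opened from the cell it was sealed for; a
// ciphertext copied into another row or column fails the tag check instead
// of silently decrypting.
func decryptField(key []byte, table, column string, pk int64, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], canonicalize(table, column, pk))
}

func main() {
	key := make([]byte, 32) // constructed demo key; in practice this comes from your KMS
	_, _ = rand.Read(key)
	blob, _ := encryptField(key, "customers", "street_address", 1, []byte("123 Fox Lane"))
	_, err := decryptField(key, "customers", "street_address", 12345, blob)
	fmt.Println("ciphertext copied into another row:", err)
	a := dumbCanonicalize("customers", "last_order_uuid", 123)
	b := dumbCanonicalize("customers_last_order", "uuid", 123)
	fmt.Println("dumbCanonicalize collides:", string(a) == string(b))
}
```

The tag check fails for the copied ciphertext because the AAD the application computes for row 12345 differs from the AAD the blob was sealed with; the two dumbCanonicalize calls produce the identical string customers_last_order_uuid#123, while the length-prefixed versions differ in their very first bytes.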
Multi-Tenancy
Once you’ve implemented a mitigation against Confused Deputies, you may think your job is done. And it very well could be.
Oftentimes, however, software developers are tasked with building support for Bring Your Own Key (BYOK).
This is often spawned from a specific compliance requirement (such as cryptographic shredding; i.e. if you erase the key, you can no longer recover the plaintext, so it may as well be deleted).
Other times, this is driven by a need to cut costs: Storing different users’ data in the same database server, but encrypting it such that they can only encrypt their own records.
Two things can happen when you introduce multi-tenancy into your database cryptography designs:
- Invisible Salamanders becomes a risk, due to multiple keys being possible for any given encrypted record.
- Failure to address the risk of Invisible Salamanders can undermine your protection against Confused Deputies, thereby returning you to a state before you properly used the AAD.
So now you have to revisit your designs and ensure you’re using a key-committing authenticated mode, rather than just a regular authenticated mode.
Isn’t cryptography fun?
“What Are Invisible Salamanders?”
This refers to a fun property of AEAD modes based on polynomial MACs. Basically, if you:
- Encrypt one message under a specific key and nonce.
- Encrypt another message under a separate key and nonce.
…Then you can get the same exact ciphertext and authentication tag. Performing this attack requires you to control the keys for both encryption operations.
This was first demonstrated in an attack against encrypted messaging applications, where a picture of a salamander was hidden from the abuse reporting feature because another attached file had the same authentication tag and ciphertext, and you could trick the system if you disclosed the second key instead of the first. Thus, the salamander is invisible to attackers.
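The key-committing wrapper the multi-tenancy section asks for, as an added Go example that is not code from the post or from any library. It follows the generic "derive a commitment alongside the encryption key" approach: the tenant key is expanded with HMAC-SHA256 under two distinct labels (the labels are an assumption of this example) into an AES-256 key and a commitment value, the commitment is stored next to the ciphertext, and decryption compares it in constant time before AES-GCM is consulted. A blob that opens under two different tenant keys would therefore require an HMAC-SHA256 collision, not merely two GCM keys that agree on one tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const commitmentLen = sha256.Size

// deriveSubkeys turns one tenant key into an AES-256 key plus a separate
// commitment value, both HMAC-SHA256 outputs of the tenant key under
// distinct labels (assumed labels).
func deriveSubkeys(key []byte) (encKey, commitment []byte) {
	prf := func(label string) []byte {
		m := hmac.New(sha256.New, key)
		m.Write([]byte(label))
		return m.Sum(nil)
	}
	return prf("example/committing-aead/enc"), prf("example/committing-aead/commit")
}

func newGCM(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCommitting returns nonce || commitment || AES-GCM(ciphertext || tag).
func sealCommitting(key, aad, plaintext []byte) ([]byte, error) {
	encKey, commitment := deriveSubkeys(key)
	aead, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(nonce)+commitmentLen+len(plaintext)+aead.Overhead())
	out = append(out, nonce...)
	out = append(out, commitment...)
	return aead.Seal(out, nonce, plaintext, aad), nil
}

// openCommitting checks the commitment in constant time before the GCM tag
// is looked at, so a blob sealed under any other tenant key is rejected
// regardless of what its polynomial MAC tag happens to be.
func openCommitting(key, aad, blob []byte) ([]byte, error) {
	encKey, commitment := deriveSubkeys(key)
	aead, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+commitmentLen {
		return nil, errors.New("ciphertext too short")
	}
	nonce, stored, ct := blob[:ns], blob[ns:ns+commitmentLen], blob[ns+commitmentLen:]
	if !hmac.Equal(stored, commitment) {
		return nil, errors.New("key commitment mismatch: not sealed under this key")
	}
	return aead.Open(nil, nonce, ct, aad)
}

func main() {
	tenantA, tenantB := make([]byte, 32), make([]byte, 32)
	_, _ = rand.Read(tenantA)
	_, _ = rand.Read(tenantB)
	aad := []byte("customers/street_address/1") // constructed context label
	blob, _ := sealCommitting(tenantA, aad, []byte("123 Fox Lane"))
	_, err := openCommitting(tenantB, aad, blob)
	fmt.Println("open under the other tenant's key:", err)
}
```

The commitment costs 32 bytes per record. Note that the AAD binding from the previous sections still applies on top of this: key commitment says which key a blob belongs to, the AAD says which cell it belongs to, and neither check replaces the other.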
Art: CMYKat
We’re not quite done with relational databases yet, but we should talk about NoSQL databases for a bit. The final topic in scope applies equally to both, after all.
Cryptography for NoSQL Databases
Most of the topics from relational databases also apply to NoSQL databases, so I shall refrain from duplicating them here. This article is already sufficiently long to read, after all, and I dislike redundancy.
NoSQL is Built Different
The main thing that NoSQL databases offer in the service of making cryptographers lose sleep at night is the schema-free nature of NoSQL designs.
What this means is that, if you’re using a client-side encryption library for a NoSQL database, the previous concerns about confused deputy attacks are amplified by the malleability of the document structure.
Additionally, the previously discussed cryptographic attacks against the encryption mode may be less expensive for an attacker to pull off.
Consider the following record structure, which stores a bunch of data stored with AES in CBC mode:
{
    "encrypted-data-key": "<blob>",
    "name": "<ciphertext>",
    "address": [
        "<ciphertext>",
        "<ciphertext>"
    ],
    "social-security": "<ciphertext>",
    "zip-code": "<ciphertext>"
}
If this record is decrypted with code that looks something like this:
$decrypted = [];
// ... snip ...
foreach ($record['address'] as $i => $addrLine) {
    try {
        $decrypted['address'][$i] = $this->decrypt($addrLine);
    } catch (Throwable $ex) {
        // You'd never deliberately do this, but it's for illustration
        $this->doSomethingAnOracleCanObserve($i);
        // This is more believable, of course:
        $this->logDecryptionError($ex, $addrLine);
        $decrypted['address'][$i] = '';
    }
}
Then you can keep appending rows to the "address" field to reduce the number of writes needed to exploit a padding oracle attack against any of the <ciphertext> fields.
Art: Harubaki
This isn’t to say that NoSQL is less secure than SQL, from the context of client-side encryption. However, the powerful feature sets that NoSQL users are accustomed to may also give attackers a more versatile toolkit to work with.
Record Authentication
A pedant may point out that record authentication applies to both SQL and NoSQL. However, I mostly only observe this feature in NoSQL databases and document storage systems in the wild, so I’m shoving it in here.
Encrypting fields is nice and all, but sometimes what you want to know is that your unencrypted data hasn’t been tampered with as it flows through your system.
The trivial way this is done is by using a digital signature algorithm over the whole record, and then appending the signature to the end. When you go to verify the record, all of the information you need is right there.
This works well enough for most use cases, and everyone can pack up and go home. Nothing more to see here.
Except…
When you’re working with NoSQL databases, you often want systems to be able to write to additional fields, and since you’re working with schema-free blobs of data rather than a normalized set of relatable tables, the most sensible thing to do is to append this data to the same record.
Except, oops! You can’t do that if you’re shoving a digital signature over the record. So now you need to specify which fields are to be included in the signature.
And you need to think about how to model that in a way that doesn’t prohibit schema upgrades nor allow attackers to perform downgrade attacks. (See below.)
I don’t have any specific real-world examples here that I can point to of this problem being solved well.
Art: CMYKat
Furthermore, as with preventing confused deputy and/or canonicalization attacks above, you must also include the fully qualified path of each field in the data that gets signed.
As I said with encryption before, but also true here:
Where your data lives is part of its identity, and MUST be authenticated.
Soatok’s Rule of Database Cryptography
This requirement holds true whether you’re using symmetric-key authentication (i.e. HMAC) or asymmetric-key digital signatures (e.g. EdDSA).
Bonus: A Maximally Schema-Free, Upgradeable Authentication Design
Art: Harubaki
Okay, how do you solve this problem so that you can perform updates and upgrades to your schema but without enabling attackers to downgrade the security? Here’s one possible design.
Let’s say you have two metadata fields on each record:
- A compressed binary string representing which fields should be authenticated. This field is, itself, not authenticated. Let’s call this meta-auth.
- A compressed binary string representing which of the authenticated fields should also be encrypted. This field, unlike the first, is authenticated. This is at most the same length as the first metadata field. Let’s call this meta-enc.
Furthermore, you will specify a canonical field ordering for both how data is fed into the signature algorithm as well as the field mappings in meta-auth and meta-enc.
{
    "example": {
        "credit-card": {
            "number": /* encrypted */,
            "expiration": /* encrypted */,
            "ccv": /* encrypted */
        },
        "superfluous": {
            "rewards-member": null
        }
    },
    "meta-auth": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false, /* example.superfluous.rewards-member */
        true   /* meta-enc */
    ]),
    "meta-enc": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false  /* example.superfluous.rewards-member */
    ]),
    "signature": /* -- snip -- */
}
When you go to append data to an existing record, you’ll need to update meta-auth to include the mapping of fields based on this canonical ordering to ensure only the intended fields get validated.
When you update your code to add an additional field that is intended to be signed, you can roll that out for new records and the record will continue to be self-describing:
- New records will have the additional field flagged as authenticated in meta-auth (and meta-enc will grow)
- Old records will not, but your code will still sign them successfully
- To prevent downgrade attacks, simply include a schema version ID as an additional plaintext field that gets authenticated. An attacker who tries to downgrade will need to be able to produce a valid signature too.
You might think meta-auth gives an attacker some advantage, but this only includes which fields are included in the security boundary of the signature or MAC, which allows unauthenticated data to be appended for whatever operational purpose without having to update signatures or expose signing keys to a wider part of the network.
{
    "example": {
        "credit-card": {
            "number": /* encrypted */,
            "expiration": /* encrypted */,
            "ccv": /* encrypted */
        },
        "superfluous": {
            "rewards-member": null
        }
    },
    "meta-auth": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false, /* example.superfluous.rewards-member */
        true,  /* meta-enc */
        true   /* meta-version */
    ]),
    "meta-enc": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false, /* example.superfluous.rewards-member */
        true   /* meta-version */
    ]),
    "meta-version": 0x01000000,
    "signature": /* -- snip -- */
}
If an attacker tries to use the meta-auth field to mess with a record, the best they can hope for is an Invalid Signature exception (assuming the signature algorithm is secure to begin with).
Even if they keep all of the fields the same, but play around with the structure of the record (e.g. changing the XPath or equivalent), so long as the path is authenticated with each field, breaking this is computationally infeasible.
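The Record Authentication requirement and the bonus design above, worked through in Go as an added example (not code from the post). It assumes a fixed canonical schema order, uses HMAC-SHA256 as the "signature" (the text notes the design holds for EdDSA equally), packs compress_bools as a bit array, and feeds each flagged field into the MAC as a length-prefixed (path, value) pair so the fully qualified path is part of what gets authenticated. meta-auth is deliberately left outside the MAC, as in the text; meta-enc and meta-version are always inside it, and verification refuses records whose meta-auth tries to unflag them. Encrypting the flagged fields is left to the field-encryption layer, so the values are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// schema is the canonical field ordering (assumed for this example). Bit i of
// meta-auth and meta-enc refers to schema[i]; the two trailing bits of
// meta-auth refer to meta-enc and meta-version themselves.
var schema = []string{
	"example.credit-card.number",
	"example.credit-card.expiration",
	"example.credit-card.ccv",
	"example.superfluous.rewards-member",
}

type Record struct {
	Fields      map[string]string // fully qualified path -> stored value
	MetaAuth    []bool            // len(schema)+2; deliberately NOT authenticated
	MetaEnc     []bool            // len(schema); authenticated
	MetaVersion uint32            // authenticated; blocks downgrades
	Signature   []byte
}

// compressBools packs flags eight to a byte, least significant bit first.
func compressBools(bits []bool) []byte {
	out := make([]byte, (len(bits)+7)/8)
	for i, b := range bits {
		if b {
			out[i/8] |= 1 << uint(i%8)
		}
	}
	return out
}

// lenPrefixed appends an 8-byte big-endian length, then the segment, so paths
// and values can never run into each other (the canonicalization lesson).
func lenPrefixed(buf, seg []byte) []byte {
	var l [8]byte
	binary.BigEndian.PutUint64(l[:], uint64(len(seg)))
	return append(append(buf, l[:]...), seg...)
}

// signingInput walks the schema in canonical order and feeds every flagged
// field as (path, value): where the data lives is part of its identity.
func signingInput(r *Record) ([]byte, error) {
	if len(r.MetaAuth) != len(schema)+2 || len(r.MetaEnc) != len(schema) {
		return nil, errors.New("metadata does not match canonical schema length")
	}
	if !r.MetaAuth[len(schema)] || !r.MetaAuth[len(schema)+1] {
		return nil, errors.New("meta-enc and meta-version must stay inside the signature")
	}
	var in []byte
	for i, path := range schema {
		if !r.MetaAuth[i] {
			continue
		}
		val, ok := r.Fields[path]
		if !ok {
			return nil, fmt.Errorf("authenticated field %q is missing", path)
		}
		in = lenPrefixed(in, []byte(path))
		in = lenPrefixed(in, []byte(val))
	}
	in = lenPrefixed(in, compressBools(r.MetaEnc))
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], r.MetaVersion)
	return lenPrefixed(in, v[:]), nil
}

func sign(key []byte, r *Record) error {
	in, err := signingInput(r)
	if err != nil {
		return err
	}
	m := hmac.New(sha256.New, key)
	m.Write(in)
	r.Signature = m.Sum(nil)
	return nil
}

func verify(key []byte, r *Record) bool {
	in, err := signingInput(r)
	if err != nil {
		return false
	}
	m := hmac.New(sha256.New, key)
	m.Write(in)
	return hmac.Equal(m.Sum(nil), r.Signature)
}

// sampleRecord is the constructed record from the text: card fields are
// authenticated (and encrypted elsewhere), rewards-member is neither.
func sampleRecord() *Record {
	return &Record{
		Fields: map[string]string{
			schema[0]: "<ciphertext:number>", schema[1]: "<ciphertext:expiration>",
			schema[2]: "<ciphertext:ccv>", schema[3]: "",
		},
		MetaAuth:    []bool{true, true, true, false, true, true},
		MetaEnc:     []bool{true, true, true, false},
		MetaVersion: 0x01000000,
	}
}

func main() {
	key := []byte("constructed-demo-signing-key")
	r := sampleRecord()
	if err := sign(key, r); err != nil {
		panic(err)
	}
	r.Fields[schema[3]] = "gold" // unauthenticated append: still verifies
	fmt.Println("after appending rewards-member:", verify(key, r))
	r.MetaAuth[2] = false // try to push ccv out of the security boundary
	fmt.Println("after unflagging ccv:", verify(key, r))
}
```

Unflagging a field fails because the MAC was computed over a different set of (path, value) pairs; swapping two values between paths fails because the path is in the input; and lowering meta-version fails because the version is always in the input. Only fields outside the boundary, like rewards-member, can be appended or changed without re-signing.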
Searchable Encryption
If you’ve managed to make it through the previous sections, congratulations, you now know enough to build a secure but completely useless database.
Art: CMYKat
Okay, put away the pitchforks; I will explain.
Part of the reason why we store data in a database, rather than a flat file, is because we want to do more than just read and write. Sometimes computer scientists want to compute. Almost always, you want to be able to query your database for a subset of records based on your specific business logic needs.
And so, a database which doesn’t do anything more than store ciphertext and maybe signatures is pretty useless to most people. You’d have better luck selling Monkey JPEGs to furries than convincing most businesses to part with their precious database-driven report generators.
Art: Sophie
So whenever one of your users wants to actually use their data, rather than just store it, they’re forced to decide between two mutually exclusive options:
- Encrypting the data, to protect it from unauthorized disclosure, but render it useless
- Doing anything useful with the data, but leaving it unencrypted in the database
This is especially annoying for business types that are all in on the Zero Trust buzzword.
Fortunately, the cryptographers are at it again, and boy howdy do they have a lot of solutions for this problem.
Order-{Preserving, Revealing} Encryption
On the fun side of things, you have things like Order-Preserving and Order-Revealing Encryption, which Matthew Green wrote about at length.
[D]atabase encryption has been a controversial subject in our field. I wish I could say that there’s been an actual debate, but it’s more that different researchers have fallen into different camps, and nobody has really had the data to make their position in a compelling way. There have actually been some very personal arguments made about it.
Attack of the week: searchable encryption and the ever-expanding leakage function
The problem with these designs is that they have a significant enough leakage that it no longer provides semantic security.
From Grubbs, et al. (GLMP, 2019.)
Colors inverted to fit my blog’s theme better.
To put it in other words: These designs are only marginally better than ECB mode, and probably deserve their own poems too.
Order revealing
Reveals much more than order
Softcore ECB

Order preserving
Semantic security?
Only in your dreams

Haiku for your consideration
Deterministic Encryption
Here’s a simpler, but also terrible, idea for searchable encryption: Simply give up on semantic security entirely.
If you recall the AES_{De,En}crypt() functions built into MySQL I mentioned at the start of this article, those are the most common form of deterministic encryption I’ve seen in use.
SELECT * FROM foo WHERE bar = AES_Encrypt('query', 'key');
However, there are slightly less bad variants. If you use AES-GCM-SIV with a static nonce, your ciphertexts are fully deterministic, and you can encrypt a small number of distinct records safely before you’re no longer secure.
From Page 14 of the linked paper.
That’s certainly better than nothing, but you also can’t mitigate confused deputy attacks. But we can do better than this.
Homomorphic Encryption
In a safer plane of academia, you’ll find homomorphic encryption, which researchers recently demonstrated with serving Wikipedia pages in a reasonable amount of time.
Homomorphic encryption allows computations over the ciphertext, which will be reflected in the plaintext, without ever revealing the key to the entity performing the computation.
If this sounds vaguely similar to the conditions that enable chosen-ciphertext attacks, you probably have a good intuition for how it works: RSA is homomorphic to multiplication, AES-CTR is homomorphic to XOR. Fully homomorphic encryption uses lattices, which enables multiple operations but carries a relatively enormous performance cost.
Art: Harubaki
Homomorphic encryption sometimes intersects with machine learning, because the notion of training an encrypted model by feeding it encrypted data, then decrypting it after-the-fact is desirable for certain business verticals. Your data scientists never see your data, and you have some plausible deniability about the final ML model this work produces. This is like a Siren song for Venture Capitalist-backed medical technology companies. Tech journalists love writing about it.
However, a less-explored use case is the ability to encrypt your programs but still get the correct behavior and outputs. Although this sounds like a DRM technology, it’s actually something that individuals could one day use to prevent their ISPs or cloud providers from knowing what software is being executed on the customer’s leased hardware. The potential for a privacy win here is certainly worth pondering, even if you’re a tried and true Pirate Party member.
Just say “NO” to the copyright cartels.
Art: CMYKat
Searchable Symmetric Encryption (SSE)
Forget about working at the level of fields and rows or individual records. What if we, instead, worked over collections of documents, where each document is viewed as a set of keywords from a keyword space?
Art: CMYKat
That’s the basic premise of SSE: Encrypting collections of documents rather than individual records.
The actual implementation details differ greatly between designs. They also differ greatly in their leakage profiles and susceptibility to side-channel attacks.
Some schemes use a so-called trapdoor permutation, such as RSA, as one of their building blocks.
Some schemes only allow for searching a static set of records, while others can accommodate new data over time (with the trade-off between more leakage or worse performance).
If you’re curious, you can learn more about SSE here, and see some open source SSE implementations online here.
You’re probably wondering, “If SSE is this well-studied and there are open source implementations available, why isn’t it more widely used?”
Your guess is as good as mine, but I can think of a few reasons:
- The protocols can be a little complicated to implement, and aren’t shipped by default in cryptography libraries (i.e. OpenSSL’s libcrypto or libsodium).
- Every known security risk in SSE is the product of a trade-off, rather than there being a single winner for all use cases that developers can feel comfortable picking.
- Insufficient marketing and developer advocacy.
SSE schemes are mostly of interest to academics, although Seny Kamara (Brown University professor and one of the luminaries of searchable encryption) did try to develop an app called Pixek which used SSE to encrypt photos.
Maybe there’s room for a cryptography competition on searchable encryption schemes in the future.
You Can Have Little a HMAC, As a Treat
Finally, I can’t talk about searchable encryption without discussing a technique that’s older than dirt by Internet standards, that has been independently reinvented by countless software developers tasked with encrypting database records.
The oldest version I’ve been able to track down dates to 2006 by Raul Garcia at Microsoft, but I’m not confident that it didn’t exist before.
The idea I’m alluding to goes like this:
- Encrypt your data, securely, using symmetric cryptography. (Hopefully your encryption addresses the considerations outlined in the relevant sections above.)
- Separately, calculate an HMAC over the unencrypted data with a separate key used exclusively for indexing.
When you need to query your data, you can just recalculate the HMAC of your challenge and fetch the records that match it. Easy, right?
Even if you rotate your keys for encryption, you keep your indexing keys static across your entire data set. This lets you have durable indexes for encrypted data, which gives you the ability to do literal lookups for the performance hit of a hash function.
Additionally, everyone has HMAC in their toolkit, so you don’t have to move around implementations of complex cryptographic building blocks. You can live off the land. What’s not to love?
Hooray!
However, if you stopped here, we regret to inform you that your data is no longer indistinguishable from random, which probably undermines the security proof for your encryption scheme.
How annoying!
Of course, you don’t have to stop with the addition of plain HMAC to your database encryption software.
Take a page from Troy Hunt: Truncate the output to provide k-anonymity rather than a direct literal look-up.
“K-What Now?”
Imagine you have a full HMAC-SHA256 of the plaintext next to every ciphertext record with a static key, for searchability.
Each HMAC output corresponds 1:1 with a unique plaintext.
Because you’re using HMAC with a secret key, an attacker can’t just build a rainbow table like they would when attempting password cracking, but it still leaks duplicate plaintexts.
For example, an HMAC-SHA256 output might look like this:
Art: CMYKat
04a74e4c0158e34a566785d1a5e1167c4e3455c42aea173104e48ca810a8b1ae
If you were to slice off most of those bytes (e.g. leaving only the last 3, which in the previous example yields a8b1ae), then with sufficient records, multiple plaintexts will now map to the same truncated HMAC tag.
Which means if you’re only revealing a truncated HMAC tag to the database server (both when storing records or retrieving them), you can now expect false positives due to collisions in your truncated HMAC tag.
These false positives give your data a discrete set of anonymity (called k-anonymity), which means an attacker with access to your database cannot:
- Distinguish between two encrypted records with the same short HMAC tag.
- Reverse engineer the short HMAC tag into a single possible plaintext value, even if they can supply candidate queries and study the tags sent to the database.
As with SSE above, this short HMAC technique exposes a trade-off to users.
- Too much k-anonymity (i.e. too many false positives), and you will have to decrypt-then-discard multiple mismatching records. This can make queries slow.
- Not enough k-anonymity (i.e. insufficient false positives), and you’re no better off than a full HMAC.
Even more troublesome, the right amount to truncate is expressed in bits (not bytes), and calculating this value depends on the number of unique plaintext values you anticipate in your dataset. (Fortunately, it grows logarithmically, so you’ll rarely if ever have to tune this.)
If you’d like to play with this idea, here’s a quick and dirty demo script.
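The truncated-HMAC index from this section, as an added Go example that is mine rather than the post’s demo script. It truncates at bit granularity (the text’s point that the right amount is measured in bits, not bytes), keeps a server-side index from short tag to record IDs, and performs the client-side decrypt-then-discard step over the candidates. The decrypt callback stands in for the record-encryption layer, the index key and the 64 sample plaintexts are constructed, and suggestedBits is a heuristic of this example (bits = floor(log2(n/k))), not a rule from the text.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
)

// shortTag keeps only the low `bits` bits of HMAC-SHA256(indexKey, plaintext).
// Truncating at bit rather than byte granularity is what makes k tunable.
func shortTag(indexKey, plaintext []byte, bits uint) uint64 {
	m := hmac.New(sha256.New, indexKey)
	m.Write(plaintext)
	sum := m.Sum(nil)
	tail := binary.BigEndian.Uint64(sum[len(sum)-8:])
	if bits >= 64 {
		return tail
	}
	return tail & (uint64(1)<<bits - 1)
}

// Index is what the database server holds: short tag -> record IDs. It never
// sees plaintexts or full-length tags.
type Index map[uint64][]int

func buildIndex(indexKey []byte, plaintexts [][]byte, bits uint) Index {
	ix := Index{}
	for id, pt := range plaintexts {
		tag := shortTag(indexKey, pt, bits)
		ix[tag] = append(ix[tag], id)
	}
	return ix
}

// lookup is the client side: fetch every candidate sharing the short tag,
// decrypt each one (decrypt stands in for the record-encryption layer), keep
// the exact matches and count the false positives that had to be discarded.
func lookup(ix Index, indexKey, query []byte, bits uint, decrypt func(id int) []byte) (matches []int, discarded int) {
	for _, id := range ix[shortTag(indexKey, query, bits)] {
		if string(decrypt(id)) == string(query) {
			matches = append(matches, id)
		} else {
			discarded++
		}
	}
	return matches, discarded
}

// suggestedBits estimates a truncation length so that roughly k of n distinct
// plaintexts share each short tag: bits = floor(log2(n / k)). Heuristic
// assumed for this example.
func suggestedBits(n, k int) uint {
	if k <= 0 || n <= k {
		return 0
	}
	return uint(math.Floor(math.Log2(float64(n) / float64(k))))
}

// samplePlaintexts constructs n distinct values to index.
func samplePlaintexts(n int) [][]byte {
	out := make([][]byte, n)
	for i := range out {
		out[i] = []byte(fmt.Sprintf("user%02d@example.com", i))
	}
	return out
}

func main() {
	indexKey := []byte("constructed-index-key; stays static across encryption-key rotations")
	pts := samplePlaintexts(64)
	bits := suggestedBits(len(pts), 8) // aim for about 8 plaintexts per short tag
	ix := buildIndex(indexKey, pts, bits)
	matches, discarded := lookup(ix, indexKey, []byte("user07@example.com"), bits,
		func(id int) []byte { return pts[id] })
	fmt.Printf("bits=%d matches=%v discarded=%d buckets=%d\n", bits, matches, discarded, len(ix))
}
```

With 64 distinct values and a 3-bit tag there are at most 8 buckets, so a query returns the real record plus a handful of decoys that the client decrypts and throws away; the server only ever learns which of the 8 buckets was asked for. Lowering bits raises k (more privacy, more wasted decryptions); raising it does the reverse, until at the full 256 bits you are back to the plain HMAC index.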
Intermission
If you started reading this post with any doubts about Cendyne’s statement that “Database cryptography is hard”, by making it to this point, they’ve probably been long since put to rest.
Art: Harubaki
Conversely, anyone that specializes in this topic is probably waiting for me to say anything novel or interesting; their patience wearing thin as I continue to rehash a surface-level introduction of their field without really diving deep into anything.
Thus, if you’ve read this far, I’d like to demonstrate the application of what I’ve covered thus far in a real-world case study of a database cryptography product.
Case Study: MongoDB Client-Side Encryption
MongoDB is an open source schema-free NoSQL database. Last year, MongoDB made waves when they announced Queryable Encryption in their upcoming client-side encryption release.
Taken from the press release, but adapted for dark themes.
A statement at the bottom of their press release indicates that this isn’t clown-shoes:
Queryable Encryption was designed by MongoDB’s Advanced Cryptography Research Group, headed by Seny Kamara and Tarik Moataz, who are pioneers in the field of encrypted search. The Group conducts cutting-edge peer-reviewed research in cryptography and works with MongoDB engineering teams to transfer and deploy the latest innovations in cryptography and privacy to the MongoDB data platform.
If you recall, I mentioned Seny Kamara in the SSE section of this post. They certainly aren’t wrong about Kamara and Moataz being pioneers in this field.
So with that in mind, let’s explore the implementation in libmongocrypt and see how it stands up to scrutiny.
MongoCrypt: The Good
MongoDB’s encryption library takes key management seriously: They provide a KMS integration for cloud users by default (supporting both AWS and Azure).
MongoDB uses Encrypt-then-MAC with AES-CBC and HMAC-SHA256, which is congruent to what Signal does for message encryption.
How Is Queryable Encryption Implemented?
From the current source code, we can see that MongoCrypt generates several different types of tokens, using HMAC (calculation defined here).
According to their press release:
The feature supports equality searches, with additional query types such as range, prefix, suffix, and substring planned for future releases.
Which means that most of the juicy details probably aren’t public yet.
These HMAC-derived tokens are stored wholesale in the data structure, but most are encrypted before storage using AES-CTR.
There are more layers of encryption (using AEAD), server-side token processing, and more AES-CTR-encrypted edge tokens. All of this is finally serialized (implementation) as one blob for storage.
Since only the equality operation is currently supported (which is the same feature you’d get from HMAC), it’s difficult to speculate what the full feature set looks like.
However, since Kamara and Moataz are leading its development, it’s likely that this feature set will be excellent.
MongoCrypt: The Bad
Every call to do_encrypt() includes at most the Key ID (but typically NULL) as the AAD. This means that the concerns over Confused Deputies (and NoSQL specifically) are relevant to MongoDB.
However, even if they did support authenticating the fully qualified path to a field in the AAD for their encryption, their AEAD construction is vulnerable to the kind of canonicalization attack I wrote about previously.
First, observe this code which assembles the multi-part inputs into HMAC.
/* Construct the input to the HMAC */
uint32_t num_intermediates = 0;
_mongocrypt_buffer_t intermediates[3];
// -- snip --
if (!_mongocrypt_buffer_concat (
       &to_hmac, intermediates, num_intermediates)) {
   CLIENT_ERR ("failed to allocate buffer");
   goto done;
}
if (hmac == HMAC_SHA_512_256) {
   uint8_t storage[64];
   _mongocrypt_buffer_t tag = {.data = storage, .len = sizeof (storage)};
   if (!_crypto_hmac_sha_512 (crypto, Km, &to_hmac, &tag, status)) {
      goto done;
   }
   // Truncate sha512 to first 256 bits.
   memcpy (out->data, tag.data, MONGOCRYPT_HMAC_LEN);
} else {
   BSON_ASSERT (hmac == HMAC_SHA_256);
   if (!_mongocrypt_hmac_sha_256 (crypto, Km, &to_hmac, out, status)) {
      goto done;
   }
}
The implementation of _mongocrypt_buffer_concat() can be found here.
If either the implementation of that function, or the code I snipped from my excerpt, had contained code that prefixed every segment of the AAD with the length of the segment (represented as a uint64_t to make overflow infeasible), then their AEAD mode would not be vulnerable to canonicalization issues.
Using TupleHash would also have prevented this issue.
Silver lining for MongoDB developers: Because the AAD is either a key ID or NULL, this isn’t exploitable in practice.
The first cryptographic flaw sort of cancels the second out.
If the libmongocrypt developers ever want to mitigate Confused Deputy attacks, they’ll need to address this canonicalization issue too.
MongoCrypt: The Ugly
MongoCrypt supports deterministic encryption.
If you specify deterministic encryption for a field, your application passes a deterministic initialization vector to AEAD.
We already discussed why this is bad above.
Wrapping Up
This was not a comprehensive treatment of the field of database cryptography. There are many areas of this field that I did not cover, nor do I feel qualified to discuss.
However, I hope anyone who takes the time to read this finds themselves more familiar with the subject.
Additionally, I hope any developers who think “encrypting data in a database is [easy, trivial] (select appropriate)” will find this broad introduction a humbling experience.
Art: CMYKat
https://soatok.blog/2023/03/01/database-cryptography-fur-the-rest-of-us/
#appliedCryptography #blockCipherModes #cryptography #databaseCryptography #databases #encryptedSearch #HMAC #MongoCrypt #MongoDB #QueryableEncryption #realWorldCryptography #security #SecurityGuidance #SQL #SSE #symmetricCryptography #symmetricSearchableEncryption
-
Earlier this year, Cendyne wrote a blog post covering the use of HKDF, building partially upon my own blog post about HKDF and the KDF security definition, but moreso inspired by a cryptographic issue they identified in another company’s product (dubbed AnonCo).
At the bottom they teased:
Database cryptography is hard. The above sketch is not complete and does not address several threats! This article is quite long, so I will not be sharing the fixes.
Cendyne
If you read Cendyne’s post, you may have nodded along with that remark and not appreciate the degree to which our naga friend was putting it mildly. So I thought I’d share some of my knowledge about real-world database cryptography in an accessible and fun format in the hopes that it might serve as an introduction to the specialization.
Note: I’m also not going to fix Cendyne’s sketch of AnonCo’s software here–partly because I don’t want to get in the habit of assigning homework or required reading, but mostly because it’s kind of obvious once you’ve learned the basics.
I’m including art of my fursona in this post… as is tradition for furry blogs.
If you don’t like furries, please feel free to leave this blog and read about this topic elsewhere.
Thanks to CMYKat for the awesome stickers.
Contents
- Database Cryptography?
- Cryptography for Relational Databases
- The Perils of Built-in Encryption Functions
- Application-Layer Relational Database Cryptography
- Confused Deputies
- Canonicalization Attacks
- Multi-Tenancy
- Cryptography for NoSQL Databases
- NoSQL is Built Different
- Record Authentication
- Bonus: A Maximally Schema-Free, Upgradeable Authentication Design
- Searchable Encryption
- Order-{Preserving, Revealing} Encryption
- Deterministic Encryption
- Homomorphic Encryption
- Searchable Symmetric Encryption (SSE)
- You Can Have Little a HMAC, As a Treat
- Intermission
- Case Study: MongoDB Client-Side Encryption
- MongoCrypt: The Good
- How is Queryable Encryption Implemented?
- MongoCrypt: The Bad
- MongoCrypt: The Ugly
- Wrapping Up
Database Cryptography?
The premise of database cryptography is deceptively simple: You have a database, of some sort, and you want to store sensitive data in said database.
The consequences of this simple premise are anything but simple. Let me explain.
Art: ScruffKerfluff
The sensitive data you want to store may need to remain confidential, or you may need to provide some sort of integrity guarantees throughout your entire system, or sometimes both. Sometimes all of your data is sensitive, sometimes only some of it is. Sometimes the confidentiality requirements of your data extend to where within a dataset the record you want actually lives. Sometimes that’s true of some data, but not others, so your cryptography has to be flexible to support multiple types of workloads.
Other times, you just want your disks encrypted at rest so if they grow legs and walk out of the data center, the data cannot be comprehended by an attacker. And you can’t be bothered to work on this problem any deeper. This is usually what compliance requirements cover. Boxes get checked, executives feel safer about their operation, and the whole time nobody has really analyzed the risks they’re facing.
But we’re not settling for mere compliance on this blog. Furries have standards, after all.
So the first thing you need to do before diving into database cryptography is threat modelling. The first step in any good threat model is taking inventory; especially of assumptions, requirements, and desired outcomes. A few good starter questions:
- What database software is being used? Is it up to date?
- What data is being stored in which database software?
- How are databases oriented in the network of the overall system?
- Is your database properly firewalled from the public Internet?
- How does data flow throughout the network, and when do these data flows intersect with the database?
- Which applications talk to the database? What languages are they written in? Which APIs do they use?
- How will cryptography secrets be managed?
- Is there one key for everyone, one key per tenant, etc.?
- How are keys rotated?
- Do you use envelope encryption with an HSM, or vend the raw materials to your end devices?
The first two questions are paramount for deciding how to write software for database cryptography, before you even get to thinking about the cryptography itself.
(This is not a comprehensive set of questions to ask, either. A formal threat model is much deeper in the weeds.)
The kind of cryptography protocol you need for, say, storing encrypted CSV files in an S3 bucket is vastly different from relational (SQL) databases, which in turn will be significantly different from schema-free (NoSQL) databases.
Furthermore, when you get to the point that you can start to think about the cryptography, you’ll often need to tackle confidentiality and integrity separately.
If that’s unclear, think of a scenario like, “I need to encrypt PII, but I also need to digitally sign the lab results so I know it wasn’t tampered with at rest.”
My point is, right off the bat, we’ve got a three-dimensional matrix of complexity to contend with:
- On one axis, we have the type of database.
  - Flat-file
  - Relational
  - Schema-free
- On another, we have the basic confidentiality requirements of the data.
  - Field encryption
  - Row encryption
  - Column encryption
  - Unstructured record encryption
  - Encrypting entire collections of records
- Finally, we have the integrity requirements of the data.
  - Field authentication
  - Row/column authentication
  - Unstructured record authentication
  - Collection authentication (based on e.g. Sparse Merkle Trees)
And then you have a fourth dimension that often falls out of operational requirements for databases: Searchability.
Why store data in a database if you have no way to index or search the data for fast retrieval?
Credit: Harubaki
If you’re starting to feel overwhelmed, you’re not alone. A lot of developers drastically underestimate the difficulty of the undertaking, until they run head-first into the complexity.
Some just phone it in with AES_Encrypt() calls in their MySQL queries. (Too bad ECB mode doesn’t provide semantic security!)
Which brings us to the meat of this blog post: The actual cryptography part.
Cryptography is the art of transforming information security problems into key management problems.
Former coworker
Note: In the interest of time, I’m skipping over flat files and focusing instead on actual database technologies.
Cryptography for Relational Databases
Encrypting data in an SQL database seems simple enough, even if you’ve managed to shake off the complexity I teased from the introduction.
You’ve got data, you’ve got a column on a table. Just encrypt the data and shove it in a cell on that column and call it a day, right?
But, alas, this is a trap. There are so many gotchas that I can’t weave a coherent, easy-to-follow narrative between them all.
So let’s start with a simple question: where and how are you performing your encryption?
The Perils of Built-in Encryption Functions
MySQL provides functions called AES_Encrypt and AES_Decrypt, which many developers have unfortunately decided to rely on in the past.
It’s unfortunate because these functions implement ECB mode. To illustrate why ECB mode is bad, I encrypted one of my art commissions with AES in ECB mode:
Art by Riley, encrypted with AES-ECB
The problems with ECB mode aren’t exactly “you can see the image through it,” because ECB-encrypting a compressed image won’t have redundancy (and thus can make you feel safer than you are).
ECB art is a good visual for the actual issue you should care about, however: A lack of semantic security.
A cryptosystem is considered semantically secure if observing the ciphertext doesn’t reveal information about the plaintext (except, perhaps, the length; which all cryptosystems leak to some extent). More information here.
ECB art isn’t to be confused with ECB poetry, which looks like this:
Oh little one, you’re growing up
You’ll soon be writing C
You’ll treat your ints as pointers
You’ll nest the ternary
You’ll cut and paste from github
And try cryptography
But even in your darkest hour
Do not use ECB

CBC’s BEASTly when padding’s abused
And CTR’s fine til a nonce is reused
Some say it’s a CRIME to compress then encrypt
Or store keys in the browser (or use javascript)
Diffie Hellman will collapse if hackers choose your g
And RSA is full of traps when e is set to 3
Whiten! Blind! In constant time! Don’t write an RNG!
But failing all, and listen well: Do not use ECB

They’ll say “It’s like a one-time-pad!
The data’s short, it’s not so bad
the keys are long–they’re iron clad
I have a PhD!”
And then you’re front page Hacker News
Your passwords cracked–Adobe Blues.
Don’t leave your penguins showing through,
Do not use ECB
— Ben Nagy, PoC||GTFO 0x04:13
Most people reading this probably know better than to use ECB mode already, and don’t need any of these reminders, but there is still a lot of code that inadvertently uses ECB mode to encrypt data in the database.
Also, SHOW processlist; leaks your encryption keys. Oops.
Credit: CMYKatt
Application-layer Relational Database Cryptography
Whether burned by ECB or just cautious about not giving your secrets to the system that stores all the ciphertext protected by said secret, a common next step for developers is to simply encrypt in their server-side application code.
And, yes, that’s part of the answer. But how you encrypt is important.
Credit: Harubaki
“I’ll encrypt with CBC mode.”
If you don’t authenticate your ciphertext, you’ll be sorry. Maybe try again?
“Okay, fine, I’ll use an authenticated mode like GCM.”
Did you remember to make the table and column name part of your AAD? What about the primary key of the record?
“What on Earth are you talking about, Soatok?”
Welcome to the first footgun of database cryptography!
Confused Deputies
Encrypting your sensitive data is necessary, but not sufficient. You need to also bind your ciphertexts to the specific context in which they are stored.
To understand why, let’s take a step back: What specific threat does encrypting your database records protect against?
We’ve already established that “your disks walk out of the datacenter” is a “full disk encryption” problem, so if you’re using application-layer cryptography to encrypt data in a relational database, your threat model probably involves unauthorized access to the database server.
What, then, stops an attacker from copying ciphertexts around?
Credit: CMYKatt
Let’s say I have a legitimate user account with an ID 12345, and I want to read your street address, but it’s encrypted in the database. But because I’m a clever hacker, I have unfettered access to your relational database server.
All I would need to do is simply…
UPDATE table SET addr_encrypted = 'your-ciphertext' WHERE id = 12345
…and then access the application through my legitimate access. Bam, data leaked. As an attacker, I can probably even copy fields from other columns and it will just decrypt. Even if you’re using an authenticated mode.
We call this a confused deputy attack, because the deputy (the component of the system that has been delegated some authority or privilege) has become confused by the attacker, and thus undermined an intended security goal.
The fix is to use the AAD parameter from the authenticated mode to bind the data to a given context. (AAD = Additional Authenticated Data.)
- $addr = aes_gcm_encrypt($addr, $key);
+ $addr = aes_gcm_encrypt($addr, $key, canonicalize([
+     $tableName,
+     $columnName,
+     $primaryKey
+ ]));
Now if I start cutting and pasting ciphertexts around, I get a decryption failure instead of silently decrypting plaintext.
This may sound like a specific vulnerability, but it’s more of a failure to understand an important general lesson with database cryptography:
Where your data lives is part of its identity, and MUST be authenticated.
Soatok’s Rule of Database Cryptography
Canonicalization Attacks
In the previous section, I introduced a pseudocode called canonicalize(). This isn’t a pasto from some reference code; it’s an important design detail that I will elaborate on now.
First, consider you didn’t do anything to canonicalize your data, and you just joined strings together and called it a day…
function dumbCanonicalize(
    string $tableName,
    string $columnName,
    string|int $primaryKey
): string {
    return $tableName . '_' . $columnName . '#' . $primaryKey;
}
Consider these two inputs to this function:
dumbCanonicalize('customers', 'last_order_uuid', 123);
dumbCanonicalize('customers_last_order', 'uuid', 123);
In this case, your AAD would be the same, and therefore, your deputy can still be confused (albeit in a narrower use case).
In Cendyne’s article, AnonCo did something more subtle: The canonicalization bug created a collision on the inputs to HKDF, which resulted in an unintentional key reuse.
Up until this point, their mistake isn’t relevant to us, because we haven’t even explored key management at all. But the same design flaw can re-emerge in multiple locations, with drastically different consequences.
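To make the Confused Deputies and Canonicalization sections above concrete, here is an added Go example. It is my code, not Soatok’s pseudocode and not from any library the post names. It reproduces the dumbCanonicalize() collision, replaces it with a length-prefixed encoding, and then binds an AES-GCM ciphertext to its (table, column, primary key) cell through the AAD, so the UPDATE trick above ends in a decryption failure instead of leaked plaintext. The function names (cellAAD, encryptCell, decryptCell), the table/column names and the key are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// dumbCanonicalize mirrors the flawed PHP function from the post: plain string
// joining, so distinct (table, column, key) triples can collide.
func dumbCanonicalize(table, column string, pk uint64) []byte {
	return []byte(fmt.Sprintf("%s_%s#%d", table, column, pk))
}

// canonicalize is an injective encoding: every segment is prefixed with its
// length as a fixed-width big-endian uint64, so no two different inputs can
// produce the same byte string.
func canonicalize(segments ...[]byte) []byte {
	var out []byte
	for _, s := range segments {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(s)))
		out = append(out, n[:]...)
		out = append(out, s...)
	}
	return out
}

// cellAAD binds a ciphertext to the cell it lives in: table, column and the
// primary key (encoded as 8 big-endian bytes). Hypothetical helper name.
func cellAAD(table, column string, pk uint64) []byte {
	var pkb [8]byte
	binary.BigEndian.PutUint64(pkb[:], pk)
	return canonicalize([]byte(table), []byte(column), pkb[:])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptCell seals plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
func encryptCell(key []byte, table, column string, pk uint64, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, cellAAD(table, column, pk)), nil
}

// decryptCell reverses encryptCell. It fails if the blob was copied to another
// table, column or row, because the recomputed AAD no longer matches.
func decryptCell(key []byte, table, column string, pk uint64, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, cellAAD(table, column, pk))
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; use a KMS in real life

	// Naive canonicalization collides on the post's two inputs.
	fmt.Println(bytes.Equal(
		dumbCanonicalize("customers", "last_order_uuid", 123),
		dumbCanonicalize("customers_last_order", "uuid", 123))) // true

	// Length-prefixed canonicalization does not.
	fmt.Println(bytes.Equal(
		canonicalize([]byte("customers"), []byte("last_order_uuid")),
		canonicalize([]byte("customers_last_order"), []byte("uuid")))) // false

	victim, _ := encryptCell(key, "users", "addr_encrypted", 999, []byte("1 Privet Drive"))
	// The attacker copies the victim's ciphertext into their own row 12345.
	_, err := decryptCell(key, "users", "addr_encrypted", 12345, victim)
	fmt.Println(err) // prints a non-nil authentication error
}
```

The primary key is encoded as fixed-width bytes rather than a decimal string so that `canonicalize()` never has to reason about what a "segment boundary" inside an integer looks like; the same rule applies to any other typed component you fold into the AAD.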
Multi-Tenancy
Once you’ve implemented a mitigation against Confused Deputies, you may think your job is done. And it very well could be.
Oftentimes, however, software developers are tasked with building support for Bring Your Own Key (BYOK).
This is often spawned from a specific compliance requirement (such as cryptographic shredding; i.e. if you erase the key, you can no longer recover the plaintext, so it may as well be deleted).
Other times, this is driven by a need to cut costs: Storing different users’ data in the same database server, but encrypting it such that they can only decrypt their own records.
Two things can happen when you introduce multi-tenancy into your database cryptography designs:
- Invisible Salamanders becomes a risk, due to multiple keys being possible for any given encrypted record.
- Failure to address the risk of Invisible Salamanders can undermine your protection against Confused Deputies, thereby returning you to a state before you properly used the AAD.
So now you have to revisit your designs and ensure you’re using a key-committing authenticated mode, rather than just a regular authenticated mode.
Isn’t cryptography fun?
“What Are Invisible Salamanders?”
This refers to a fun property of AEAD modes based on polynomial MACs. Basically, if you:
- Encrypt one message under a specific key and nonce.
- Encrypt another message under a separate key and nonce.
…Then you can get the same exact ciphertext and authentication tag. Performing this attack requires you to control the keys for both encryption operations.
This was first demonstrated in an attack against encrypted messaging applications, where a picture of a salamander was hidden from the abuse reporting feature because another attached file had the same authentication tag and ciphertext, and you could trick the system if you disclosed the second key instead of the first. Thus, the salamander is invisible to attackers.
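Here is an added example of one way to get key commitment in the multi-tenant setting the section above describes. It is my code, not from the post or any product it names. A per-message AES-256 key and a commitment value are both derived from the tenant key and the nonce with HMAC-SHA256 as a PRF; the commitment is stored next to the ciphertext and checked before AES-GCM runs, so a blob produced under one tenant's key is rejected under any other tenant's key whether or not the GCM tag happens to verify under both. This is a simplified form of the derive-and-commit transforms from the key-commitment literature, not a standardized construction; the tenant keys, the fixed nonce and the AAD string are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	nonceLen  = 12
	commitLen = sha256.Size
)

var errKeyCommitment = errors.New("key commitment mismatch")

// deriveSubkeys maps (tenant key, nonce) to a fresh AES-256 key and a
// commitment string. Because the commitment is a collision-resistant function
// of the key, two different keys cannot both match one stored commitment.
func deriveSubkeys(key, nonce []byte) (encKey, commitment []byte) {
	prf := func(label string) []byte {
		mac := hmac.New(sha256.New, key)
		mac.Write([]byte(label))
		mac.Write(nonce)
		return mac.Sum(nil)
	}
	return prf("enc\x00"), prf("commit\x00")
}

// committingSeal stores nonce || commitment || AES-GCM(encKey, nonce, pt, aad).
func committingSeal(key, nonce, plaintext, aad []byte) ([]byte, error) {
	if len(nonce) != nonceLen {
		return nil, errors.New("nonce must be 12 bytes")
	}
	encKey, commitment := deriveSubkeys(key, nonce)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	header := append(append([]byte{}, nonce...), commitment...)
	return aead.Seal(header, nonce, plaintext, aad), nil
}

// committingOpen verifies the commitment first, in constant time, and only
// then hands the ciphertext to AES-GCM.
func committingOpen(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < nonceLen+commitLen {
		return nil, errors.New("ciphertext too short")
	}
	nonce := blob[:nonceLen]
	stored := blob[nonceLen : nonceLen+commitLen]
	ct := blob[nonceLen+commitLen:]
	encKey, commitment := deriveSubkeys(key, nonce)
	if !hmac.Equal(stored, commitment) {
		return nil, errKeyCommitment
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

func main() {
	tenantA := bytes.Repeat([]byte{0xA1}, 32)     // constructed demo keys
	tenantB := bytes.Repeat([]byte{0xB2}, 32)     // constructed demo keys
	nonce := bytes.Repeat([]byte{0x01}, nonceLen) // fixed only for the demo; use a random nonce per message
	aad := []byte("customers|ssn|42")             // constructed; see the canonicalization section for a real AAD
	blob, _ := committingSeal(tenantA, nonce, []byte("123-45-6789"), aad)
	pt, err := committingOpen(tenantA, blob, aad)
	fmt.Println(string(pt), err)
	_, err = committingOpen(tenantB, blob, aad)
	fmt.Println(errors.Is(err, errKeyCommitment)) // true
}
```

Deriving the encryption key from the nonce does not relax GCM's nonce-uniqueness requirement; the derivation only ensures the stored commitment pins the ciphertext to exactly one tenant key.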
Art: CMYKat
We’re not quite done with relational databases yet, but we should talk about NoSQL databases for a bit. The final topic in scope applies equally to both, after all.
Cryptography for NoSQL Databases
Most of the topics from relational databases also apply to NoSQL databases, so I shall refrain from duplicating them here. This article is already sufficiently long to read, after all, and I dislike redundancy.
NoSQL is Built Different
The main thing that NoSQL databases offer in the service of making cryptographers lose sleep at night is the schema-free nature of NoSQL designs.
What this means is that, if you’re using a client-side encryption library for a NoSQL database, the previous concerns about confused deputy attacks are amplified by the malleability of the document structure.
Additionally, the previously discussed cryptographic attacks against the encryption mode may be less expensive for an attacker to pull off.
Consider the following record structure, which stores a bunch of data stored with AES in CBC mode:
{
    "encrypted-data-key": "<blob>",
    "name": "<ciphertext>",
    "address": [
        "<ciphertext>",
        "<ciphertext>"
    ],
    "social-security": "<ciphertext>",
    "zip-code": "<ciphertext>"
}
If this record is decrypted with code that looks something like this:
$decrypted = [];
// ... snip ...
foreach ($record['address'] as $i => $addrLine) {
    try {
        $decrypted['address'][$i] = $this->decrypt($addrLine);
    } catch (Throwable $ex) {
        // You'd never deliberately do this, but it's for illustration
        $this->doSomethingAnOracleCanObserve($i);
        // This is more believable, of course:
        $this->logDecryptionError($ex, $addrLine);
        $decrypted['address'][$i] = '';
    }
}
Then you can keep appending rows to the "address" field to reduce the number of writes needed to exploit a padding oracle attack against any of the <ciphertext> fields.
Art: Harubaki
This isn’t to say that NoSQL is less secure than SQL, from the context of client-side encryption. However, the powerful feature sets that NoSQL users are accustomed to may also give attackers a more versatile toolkit to work with.
Record Authentication
A pedant may point out that record authentication applies to both SQL and NoSQL. However, I mostly only observe this feature in NoSQL databases and document storage systems in the wild, so I’m shoving it in here.
Encrypting fields is nice and all, but sometimes what you want to know is that your unencrypted data hasn’t been tampered with as it flows through your system.
The trivial way this is done is by using a digital signature algorithm over the whole record, and then appending the signature to the end. When you go to verify the record, all of the information you need is right there.
This works well enough for most use cases, and everyone can pack up and go home. Nothing more to see here.
Except…
When you’re working with NoSQL databases, you often want systems to be able to write to additional fields, and since you’re working with schema-free blobs of data rather than a normalized set of relatable tables, the most sensible thing to do is to append this data to the same record.
Except, oops! You can’t do that if you’re shoving a digital signature over the record. So now you need to specify which fields are to be included in the signature.
And you need to think about how to model that in a way that doesn’t prohibit schema upgrades nor allow attackers to perform downgrade attacks. (See below.)
I don’t have any specific real-world examples here that I can point to of this problem being solved well.
Art: CMYKat
Furthermore, as with preventing confused deputy and/or canonicalization attacks above, you must also include the fully qualified path of each field in the data that gets signed.
As I said with encryption before, but also true here:
Where your data lives is part of its identity, and MUST be authenticated.
Soatok’s Rule of Database Cryptography
This requirement holds true whether you’re using symmetric-key authentication (i.e. HMAC) or asymmetric-key digital signatures (e.g. EdDSA).
Bonus: A Maximally Schema-Free, Upgradeable Authentication Design
Art: Harubaki
Okay, how do you solve this problem so that you can perform updates and upgrades to your schema but without enabling attackers to downgrade the security? Here’s one possible design.
Let’s say you have two metadata fields on each record:
- A compressed binary string representing which fields should be authenticated. This field is, itself, not authenticated. Let’s call this meta-auth.
- A compressed binary string representing which of the authenticated fields should also be encrypted. This field is also authenticated. This is at most the same length as the first metadata field. Let’s call this meta-enc.
Furthermore, you will specify a canonical field ordering for both how data is fed into the signature algorithm as well as the field mappings in meta-auth and meta-enc.
{
    "example": {
        "credit-card": {
            "number": /* encrypted */,
            "expiration": /* encrypted */,
            "ccv": /* encrypted */
        },
        "superfluous": {
            "rewards-member": null
        }
    },
    "meta-auth": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false, /* example.superfluous.rewards-member */
        true   /* meta-enc */
    ]),
    "meta-enc": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false  /* example.superfluous.rewards-member */
    ]),
    "signature": /* -- snip -- */
}
When you go to append data to an existing record, you’ll need to update meta-auth to include the mapping of fields based on this canonical ordering to ensure only the intended fields get validated.
When you update your code to add an additional field that is intended to be signed, you can roll that out for new records and the record will continue to be self-describing:
- New records will have the additional field flagged as authenticated in meta-auth (and meta-enc will grow)
- Old records will not, but your code will still sign them successfully
- To prevent downgrade attacks, simply include a schema version ID as an additional plaintext field that gets authenticated. An attacker who tries to downgrade will need to be able to produce a valid signature too.
You might think meta-auth gives an attacker some advantage, but this only includes which fields are included in the security boundary of the signature or MAC, which allows unauthenticated data to be appended for whatever operational purpose without having to update signatures or expose signing keys to a wider part of the network.
{
    "example": {
        "credit-card": {
            "number": /* encrypted */,
            "expiration": /* encrypted */,
            "ccv": /* encrypted */
        },
        "superfluous": {
            "rewards-member": null
        }
    },
    "meta-auth": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false, /* example.superfluous.rewards-member */
        true,  /* meta-enc */
        true   /* meta-version */
    ]),
    "meta-enc": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false, /* example.superfluous.rewards-member */
        true   /* meta-version */
    ]),
    "meta-version": 0x01000000,
    "signature": /* -- snip -- */
}
If an attacker tries to use the meta-auth field to mess with a record, the best they can hope for is an Invalid Signature exception (assuming the signature algorithm is secure to begin with).
Even if they keep all of the fields the same, but play around with the structure of the record (e.g. changing the XPath or equivalent), so long as the path is authenticated with each field, breaking this is computationally infeasible.
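As an added example (my code, not the post’s pseudocode and not any real product’s record format), here is the meta-auth / meta-enc / meta-version design above in Go with HMAC-SHA256 as the tag. The two bits are kept per field and folded into the MAC input in canonical (sorted-path) order, with every path and value length-prefixed; meta-enc is taken over the authenticated fields only, so appending an unauthenticated field never changes what the tag covers. The field paths come from the post’s JSON, the key is constructed, and value encryption is left out so the authentication logic stands alone.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// Field is one leaf of a document, addressed by its fully qualified path.
type Field struct {
	Path  string
	Value []byte // would already be ciphertext when Enc is true
	Auth  bool   // meta-auth bit: covered by the tag (the bit itself is not)
	Enc   bool   // meta-enc bit: authenticated; only meaningful when Auth is set
}

// Record keeps Fields sorted by Path; that order is the canonical ordering
// both the MAC input and the on-disk bitmaps would rely on.
type Record struct {
	Fields  []Field
	Version uint32 // meta-version: authenticated, so a downgrade breaks the tag
	Tag     []byte
}

// lp length-prefixes a byte string so concatenation stays unambiguous.
func lp(b []byte) []byte {
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(b)))
	return append(n[:], b...)
}

// Insert adds a field at its canonical position without touching the tag.
func (r *Record) Insert(f Field) {
	i := sort.Search(len(r.Fields), func(i int) bool { return r.Fields[i].Path >= f.Path })
	r.Fields = append(r.Fields, Field{})
	copy(r.Fields[i+1:], r.Fields[i:])
	r.Fields[i] = f
}

// macInput serializes exactly what the tag covers: the version, then each
// authenticated field as (path, value), then the meta-enc bitmap.
func (r *Record) macInput() []byte {
	var in, metaEnc []byte
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], r.Version)
	in = append(in, lp(v[:])...)
	for _, f := range r.Fields {
		if !f.Auth {
			continue
		}
		bit := byte(0)
		if f.Enc {
			bit = 1
		}
		metaEnc = append(metaEnc, bit)
		in = append(in, lp([]byte(f.Path))...)
		in = append(in, lp(f.Value)...)
	}
	return append(in, lp(metaEnc)...)
}

func (r *Record) Sign(key []byte) {
	mac := hmac.New(sha256.New, key)
	mac.Write(r.macInput())
	r.Tag = mac.Sum(nil)
}

func (r *Record) Verify(key []byte) bool {
	mac := hmac.New(sha256.New, key)
	mac.Write(r.macInput())
	return hmac.Equal(mac.Sum(nil), r.Tag)
}

func main() {
	key := []byte("demo-signing-key-32-bytes-long!!") // constructed
	rec := &Record{Version: 1}
	rec.Insert(Field{Path: "example.credit-card.number", Value: []byte("<ciphertext>"), Auth: true, Enc: true})
	rec.Insert(Field{Path: "example.credit-card.expiration", Value: []byte("<ciphertext>"), Auth: true, Enc: true})
	rec.Insert(Field{Path: "example.superfluous.rewards-member"})
	rec.Sign(key)
	fmt.Println(rec.Verify(key)) // true

	// Another system appends an unauthenticated field: no re-signing needed.
	rec.Insert(Field{Path: "example.superfluous.promo", Value: []byte("spring")})
	fmt.Println(rec.Verify(key)) // true

	// An attacker clears a meta-auth bit to drop a field from the boundary.
	rec.Fields[0].Auth = false
	fmt.Println(rec.Verify(key)) // false
}
```

Moving a field (changing its path), editing its value, flipping its meta-enc bit or lowering the version all change the MAC input in the same way, which is why the post insists the path is part of the data’s identity.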
Searchable Encryption
If you’ve managed to make it through the previous sections, congratulations, you now know enough to build a secure but completely useless database.
Art: CMYKat
Okay, put away the pitchforks; I will explain.
Part of the reason why we store data in a database, rather than a flat file, is because we want to do more than just read and write. Sometimes computer scientists want to compute. Almost always, you want to be able to query your database for a subset of records based on your specific business logic needs.
And so, a database which doesn’t do anything more than store ciphertext and maybe signatures is pretty useless to most people. You’d have better luck selling Monkey JPEGs to furries than convincing most businesses to part with their precious database-driven report generators.
Art: Sophie
So whenever one of your users wants to actually use their data, rather than just store it, they’re forced to decide between two mutually exclusive options:
- Encrypting the data, to protect it from unauthorized disclosure, but render it useless
- Doing anything useful with the data, but leaving it unencrypted in the database
This is especially annoying for business types that are all in on the Zero Trust buzzword.
Fortunately, the cryptographers are at it again, and boy howdy do they have a lot of solutions for this problem.
Order-{Preserving, Revealing} Encryption
On the fun side of things, you have things like Order-Preserving and Order-Revealing Encryption, which Matthew Green wrote about at length.
[D]atabase encryption has been a controversial subject in our field. I wish I could say that there’s been an actual debate, but it’s more that different researchers have fallen into different camps, and nobody has really had the data to make their position in a compelling way. There have actually been some very personal arguments made about it.
Attack of the week: searchable encryption and the ever-expanding leakage function
The problem with these designs is that they have a significant enough leakage that it no longer provides semantic security.
From Grubbs, et al. (GLMP, 2019). Colors inverted to fit my blog’s theme better.
To put it in other words: These designs are only marginally better than ECB mode, and probably deserve their own poems too.
Order revealing
Reveals much more than order
Softcore ECB

Order preserving
Semantic security?
Only in your dreams
Haiku for your consideration
Deterministic Encryption
Here’s a simpler, but also terrible, idea for searchable encryption: Simply give up on semantic security entirely.
If you recall the AES_{De,En}crypt() functions built into MySQL I mentioned at the start of this article, those are the most common form of deterministic encryption I’ve seen in use.
SELECT * FROM foo WHERE bar = AES_Encrypt('query', 'key');
However, there are slightly less bad variants. If you use AES-GCM-SIV with a static nonce, your ciphertexts are fully deterministic, and you can encrypt a small number of distinct records safely before you’re no longer secure.
From Page 14 of the linked paper.
That’s certainly better than nothing, but you also can’t mitigate confused deputy attacks. But we can do better than this.
Homomorphic Encryption
In a safer plane of academia, you’ll find homomorphic encryption, which researchers recently demonstrated with serving Wikipedia pages in a reasonable amount of time.
Homomorphic encryption allows computations over the ciphertext, which will be reflected in the plaintext, without ever revealing the key to the entity performing the computation.
If this sounds vaguely similar to the conditions that enable chosen-ciphertext attacks, you probably have a good intuition for how it works: RSA is homomorphic to multiplication, AES-CTR is homomorphic to XOR. Fully homomorphic encryption uses lattices, which enables multiple operations but carries a relatively enormous performance cost.
Art: Harubaki
Homomorphic encryption sometimes intersects with machine learning, because the notion of training an encrypted model by feeding it encrypted data, then decrypting it after-the-fact is desirable for certain business verticals. Your data scientists never see your data, and you have some plausible deniability about the final ML model this work produces. This is like a Siren song for Venture Capitalist-backed medical technology companies. Tech journalists love writing about it.
However, a less-explored use case is the ability to encrypt your programs but still get the correct behavior and outputs. Although this sounds like a DRM technology, it’s actually something that individuals could one day use to prevent their ISPs or cloud providers from knowing what software is being executed on the customer’s leased hardware. The potential for a privacy win here is certainly worth pondering, even if you’re a tried and true Pirate Party member.
Just say “NO” to the copyright cartels.
Art: CMYKat
Searchable Symmetric Encryption (SSE)
Forget about working at the level of fields and rows or individual records. What if we, instead, worked over collections of documents, where each document is viewed as a set of keywords from a keyword space?
Art: CMYKat
That’s the basic premise of SSE: Encrypting collections of documents rather than individual records.
The actual implementation details differ greatly between designs. They also differ greatly in their leakage profiles and susceptibility to side-channel attacks.
Some schemes use a so-called trapdoor permutation, such as RSA, as one of their building blocks.
Some schemes only allow for searching a static set of records, while others can accommodate new data over time (with the trade-off between more leakage or worse performance).
If you’re curious, you can learn more about SSE here, and see some open source SSE implementations online here.
You’re probably wondering, “If SSE is this well-studied and there are open source implementations available, why isn’t it more widely used?”
Your guess is as good as mine, but I can think of a few reasons:
- The protocols can be a little complicated to implement, and aren’t shipped by default in cryptography libraries (i.e. OpenSSL’s libcrypto or libsodium).
- Every known security risk in SSE is the product of a trade-off, rather than there being a single winner for all use cases that developers can feel comfortable picking.
- Insufficient marketing and developer advocacy.
SSE schemes are mostly of interest to academics, although Seny Kamara (Brown University professor and one of the luminaries of searchable encryption) did try to develop an app called Pixek which used SSE to encrypt photos.
Maybe there’s room for a cryptography competition on searchable encryption schemes in the future.
You Can Have Little a HMAC, As a Treat
Finally, I can’t talk about searchable encryption without discussing a technique that’s older than dirt by Internet standards, that has been independently reinvented by countless software developers tasked with encrypting database records.
The oldest version I’ve been able to track down dates to 2006 by Raul Garcia at Microsoft, but I’m not confident that it didn’t exist before.
The idea I’m alluding to goes like this:
- Encrypt your data, securely, using symmetric cryptography. (Hopefully your encryption addresses the considerations outlined in the relevant sections above.)
- Separately, calculate an HMAC over the unencrypted data with a separate key used exclusively for indexing.
When you need to query your data, you can just recalculate the HMAC of your challenge and fetch the records that match it. Easy, right?
Even if you rotate your keys for encryption, you keep your indexing keys static across your entire data set. This lets you have durable indexes for encrypted data, which gives you the ability to do literal lookups for the performance hit of a hash function.
Additionally, everyone has HMAC in their toolkit, so you don’t have to move around implementations of complex cryptographic building blocks. You can live off the land. What’s not to love?
Hooray!
However, if you stopped here, we regret to inform you that your data is no longer indistinguishable from random, which probably undermines the security proof for your encryption scheme.
How annoying!
Of course, you don’t have to stop with the addition of plain HMAC to your database encryption software.
Take a page from Troy Hunt: Truncate the output to provide k-anonymity rather than a direct literal look-up.
“K-What Now?”
Imagine you have a full HMAC-SHA256 of the plaintext next to every ciphertext record with a static key, for searchability.
Each HMAC output corresponds 1:1 with a unique plaintext.
Because you’re using HMAC with a secret key, an attacker can’t just build a rainbow table like they would when attempting password cracking, but it still leaks duplicate plaintexts.
For example, an HMAC-SHA256 output might look like this:
Art: CMYKat
04a74e4c0158e34a566785d1a5e1167c4e3455c42aea173104e48ca810a8b1ae
If you were to slice off most of those bytes (e.g. leaving only the last 3, which in the previous example yields a8b1ae), then with sufficient records, multiple plaintexts will now map to the same truncated HMAC tag.
Which means if you’re only revealing a truncated HMAC tag to the database server (both when storing records or retrieving them), you can now expect false positives due to collisions in your truncated HMAC tag.
These false positives give your data a discrete set of anonymity (called k-anonymity), which means an attacker with access to your database cannot:
- Distinguish between two encrypted records with the same short HMAC tag.
- Reverse engineer the short HMAC tag into a single possible plaintext value, even if they can supply candidate queries and study the tags sent to the database.
As with SSE above, this short HMAC technique exposes a trade-off to users.
- Too much k-anonymity (i.e. too many false positives), and you will have to decrypt-then-discard multiple mismatching records. This can make queries slow.
- Not enough k-anonymity (i.e. insufficient false positives), and you’re no better off than a full HMAC.
Even more troublesome, the right amount to truncate is expressed in bits (not bytes), and calculating this value depends on the number of unique plaintext values you anticipate in your dataset. (Fortunately, it grows logarithmically, so you’ll rarely if ever have to tune this.)
If you’d like to play with this idea, here’s a quick and dirty demo script.
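To show the bits-not-bytes truncation and the decrypt-then-discard loop in working code, here is an added Go example. It is mine, not taken from the post or from the demo script it links to. The index tag keeps the top bitsKept bits of HMAC-SHA256 under a static index key; each row stores that tag beside an AES-GCM ciphertext under a separate encryption key; a query scans for tag matches (what the database server can see) and then decrypts and filters client-side. bitsToKeep() turns the anticipated number of unique plaintexts and a target bucket size k into a bit count, ceil(log2(uniqueValues / k)). Keys, e-mail addresses and function names are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// row is what the database server stores: a truncated index tag it can
// compare, and a ciphertext it cannot read.
type row struct {
	id   int
	tag  uint64
	blob []byte
}

// indexTag is HMAC-SHA256(indexKey, plaintext) truncated to its bitsKept most
// significant bits. Truncation happens in bits, so 14 bits is a valid choice.
func indexTag(indexKey []byte, plaintext string, bitsKept uint) uint64 {
	if bitsKept > 64 {
		bitsKept = 64
	}
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(plaintext))
	full := binary.BigEndian.Uint64(mac.Sum(nil)[:8])
	return full >> (64 - bitsKept) // bitsKept == 0 shifts everything out: one bucket
}

// bitsToKeep returns ceil(log2(uniqueValues / k)): enough tag bits that about
// k distinct plaintexts share each truncated tag. It grows logarithmically.
func bitsToKeep(uniqueValues, k int) uint {
	if k < 1 {
		k = 1
	}
	buckets := uniqueValues / k
	if buckets <= 1 {
		return 0
	}
	return uint(bits.Len64(uint64(buckets - 1)))
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

func seal(key []byte, pt string) []byte {
	g := newGCM(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, []byte(pt), nil)
}

func open(key, blob []byte) (string, bool) {
	g := newGCM(key)
	n := g.NonceSize()
	if len(blob) < n {
		return "", false
	}
	pt, err := g.Open(nil, blob[:n], blob[n:], nil)
	return string(pt), err == nil
}

func insert(db []row, indexKey, encKey []byte, email string, bitsKept uint) []row {
	return append(db, row{id: len(db), tag: indexTag(indexKey, email, bitsKept), blob: seal(encKey, email)})
}

// query returns how many rows the server hands back (tag matches, including
// false positives) and the ids that truly match after decrypt-then-discard.
func query(db []row, indexKey, encKey []byte, email string, bitsKept uint) (candidates int, matches []int) {
	want := indexTag(indexKey, email, bitsKept)
	for _, r := range db {
		if r.tag != want {
			continue
		}
		candidates++
		if pt, ok := open(encKey, r.blob); ok && pt == email {
			matches = append(matches, r.id)
		}
	}
	return candidates, matches
}

func main() {
	indexKey := []byte("index-key-demo-32-bytes-long!!!!") // constructed; stays fixed across encryption key rotation
	encKey := []byte("encryption-key-demo-32-bytes!!!!") // constructed
	keep := bitsToKeep(1_000_000, 100)                  // 14 bits: roughly 100 plaintexts per bucket
	var db []row
	for _, e := range []string{"alice@example.com", "bob@example.com", "alice@example.com"} {
		db = insert(db, indexKey, encKey, e, keep)
	}
	cands, matches := query(db, indexKey, encKey, "alice@example.com", keep)
	fmt.Println(keep, cands, matches) // 14, at least 2 candidates, [0 2]
}
```

The candidate count is what leaks to the server; the match list never leaves the client. Picking bitsKept lower trades more decrypt-then-discard work per query for more plaintexts hiding behind each tag.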
Intermission
If you started reading this post with any doubts about Cendyne’s statement that “Database cryptography is hard”, by making it to this point, they’ve probably been long since put to rest.
Art: Harubaki
Conversely, anyone that specializes in this topic is probably waiting for me to say anything novel or interesting; their patience wearing thin as I continue to rehash a surface-level introduction of their field without really diving deep into anything.
Thus, if you’ve read this far, I’d like to demonstrate the application of what I’ve covered thus far in a real-world case study of a database cryptography product.
Case Study: MongoDB Client-Side Encryption
MongoDB is an open source schema-free NoSQL database. Last year, MongoDB made waves when they announced Queryable Encryption in their upcoming client-side encryption release.
Taken from the press release, but adapted for dark themes.
A statement at the bottom of their press release indicates that this isn’t clown-shoes:
Queryable Encryption was designed by MongoDB’s Advanced Cryptography Research Group, headed by Seny Kamara and Tarik Moataz, who are pioneers in the field of encrypted search. The Group conducts cutting-edge peer-reviewed research in cryptography and works with MongoDB engineering teams to transfer and deploy the latest innovations in cryptography and privacy to the MongoDB data platform.
If you recall, I mentioned Seny Kamara in the SSE section of this post. They certainly aren’t wrong about Kamara and Moataz being pioneers in this field.
So with that in mind, let’s explore the implementation in libmongocrypt and see how it stands up to scrutiny.
MongoCrypt: The Good
MongoDB’s encryption library takes key management seriously: They provide a KMS integration for cloud users by default (supporting both AWS and Azure).
MongoDB uses Encrypt-then-MAC with AES-CBC and HMAC-SHA256, which is congruent to what Signal does for message encryption.
How Is Queryable Encryption Implemented?
From the current source code, we can see that MongoCrypt generates several different types of tokens, using HMAC (calculation defined here).
According to their press release:
The feature supports equality searches, with additional query types such as range, prefix, suffix, and substring planned for future releases.
Which means that most of the juicy details probably aren’t public yet.
These HMAC-derived tokens are stored wholesale in the data structure, but most are encrypted before storage using AES-CTR.
There are more layers of encryption (using AEAD), server-side token processing, and more AES-CTR-encrypted edge tokens. All of this is finally serialized (implementation) as one blob for storage.
Since only the equality operation is currently supported (which is the same feature you’d get from HMAC), it’s difficult to speculate what the full feature set looks like.
However, since Kamara and Moataz are leading its development, it’s likely that this feature set will be excellent.
MongoCrypt: The Bad
Every call to do_encrypt() includes at most the Key ID (but typically NULL) as the AAD. This means that the concerns over Confused Deputies (and NoSQL specifically) are relevant to MongoDB.
However, even if they did support authenticating the fully qualified path to a field in the AAD for their encryption, their AEAD construction is vulnerable to the kind of canonicalization attack I wrote about previously.
First, observe this code which assembles the multi-part inputs into HMAC.
    /* Construct the input to the HMAC */
    uint32_t num_intermediates = 0;
    _mongocrypt_buffer_t intermediates[3];
    // -- snip --
    if (!_mongocrypt_buffer_concat (&to_hmac, intermediates, num_intermediates)) {
        CLIENT_ERR ("failed to allocate buffer");
        goto done;
    }
    if (hmac == HMAC_SHA_512_256) {
        uint8_t storage[64];
        _mongocrypt_buffer_t tag = {.data = storage, .len = sizeof (storage)};
        if (!_crypto_hmac_sha_512 (crypto, Km, &to_hmac, &tag, status)) {
            goto done;
        }
        // Truncate sha512 to first 256 bits.
        memcpy (out->data, tag.data, MONGOCRYPT_HMAC_LEN);
    } else {
        BSON_ASSERT (hmac == HMAC_SHA_256);
        if (!_mongocrypt_hmac_sha_256 (crypto, Km, &to_hmac, out, status)) {
            goto done;
        }
    }
The implementation of _mongocrypt_buffer_concat() can be found here.
If either the implementation of that function, or the code I snipped from my excerpt, had contained code that prefixed every segment of the AAD with the length of the segment (represented as a uint64_t to make overflow infeasible), then their AEAD mode would not be vulnerable to canonicalization issues.
Using TupleHash would also have prevented this issue.
Silver lining for MongoDB developers: Because the AAD is either a key ID or NULL, this isn’t exploitable in practice.
The first cryptographic flaw sort of cancels the second out.
If the libmongocrypt developers ever want to mitigate Confused Deputy attacks, they’ll need to address this canonicalization issue too.
MongoCrypt: The Ugly
MongoCrypt supports deterministic encryption.
If you specify deterministic encryption for a field, your application passes a deterministic initialization vector to AEAD.
We already discussed why this is bad above.
Wrapping Up
This was not a comprehensive treatment of the field of database cryptography. There are many areas of this field that I did not cover, nor do I feel qualified to discuss.
However, I hope anyone who takes the time to read this finds themselves more familiar with the subject.
Additionally, I hope any developers who think “encrypting data in a database is [easy, trivial] (select appropriate)” will find this broad introduction a humbling experience.
Art: CMYKat
https://soatok.blog/2023/03/01/database-cryptography-fur-the-rest-of-us/
#appliedCryptography #blockCipherModes #cryptography #databaseCryptography #databases #encryptedSearch #HMAC #MongoCrypt #MongoDB #QueryableEncryption #realWorldCryptography #security #SecurityGuidance #SQL #SSE #symmetricCryptography #symmetricSearchableEncryption
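The canonicalization problem raised in the “MongoCrypt: The Bad” section, as an added example that is not code from the post or from libmongocrypt: it feeds multi-part associated data to HMAC-SHA256 in two ways, once as a plain concatenation (what a buffer-concat does) and once with each segment framed by a 64-bit length prefix, and shows that only the framed version binds the segment boundaries. The key, the (collection, field) path used as associated data and the attacker’s alternative split are all constructed for the demonstration; nothing here is MongoDB’s actual AAD layout.

```python
import hashlib
import hmac
import struct

# Constructed demo key: any fixed secret works for comparing the two framings.
KM = bytes(range(32))


def mac_concat(key: bytes, segments: list[bytes]) -> bytes:
    """Tag the segments the way a plain buffer concatenation feeds HMAC: no framing."""
    return hmac.new(key, b"".join(segments), hashlib.sha256).digest()


def encode_length_prefixed(segments: list[bytes]) -> bytes:
    """Frame every segment with its length as a big-endian uint64, then its bytes.

    This encoding is injective: two distinct segment lists always yield
    distinct byte strings, so a MAC over it binds the segment boundaries.
    """
    return b"".join(struct.pack(">Q", len(s)) + s for s in segments)


def decode_length_prefixed(blob: bytes) -> list[bytes]:
    """Inverse of encode_length_prefixed; raises ValueError on a malformed blob."""
    segments = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 8:
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">Q", blob[pos:pos + 8])
        pos += 8
        if len(blob) - pos < n:
            raise ValueError("truncated segment")
        segments.append(blob[pos:pos + n])
        pos += n
    return segments


def mac_length_prefixed(key: bytes, segments: list[bytes]) -> bytes:
    """Tag the segments over their injective encoding."""
    return hmac.new(key, encode_length_prefixed(segments), hashlib.sha256).digest()


def canonicalization_demo() -> dict:
    """Show that un-framed concatenation lets two different AADs share one tag."""
    # Hypothetical AAD: the (collection, field) path a ciphertext is bound to.
    honest = [b"users.profile", b"ssn"]
    # Same bytes, different boundary: a writer who controls the field layout can
    # present this pair, and the concatenated MAC input is byte-for-byte identical.
    forged = [b"users.profiles", b"sn"]
    assert b"".join(honest) == b"".join(forged)
    return {
        "concat_tags_collide": mac_concat(KM, honest) == mac_concat(KM, forged),
        "prefixed_tags_collide": mac_length_prefixed(KM, honest)
        == mac_length_prefixed(KM, forged),
        "prefixed_round_trips": decode_length_prefixed(encode_length_prefixed(honest))
        == honest,
    }


if __name__ == "__main__":
    for name, value in canonicalization_demo().items():
        print(f"{name}: {value}")
```

The length prefix is what makes the encoding injective: the decoder recovers exactly the list that was encoded, so no two segment lists map to one MAC input, which is the property TupleHash provides natively. Empty segments are covered too (a leading empty segment and a trailing one encode differently). As the post notes, this is not exploitable against libmongocrypt as shipped, since its AAD is only a key ID or NULL and there is no second segment whose boundary could be shifted; the framing matters as soon as a field path is added to the AAD.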
-
In Praise of Friction and Compromise
Compromise: Kindle
The room is pitch black. The clock reads 6:15am. The sun won’t be up for another two hours and I’m lying in bed under a thick quilt, lightly touching the edge of my Kindle to flip to the next page of the novel I’m reading (Emily St. John Mandel’s Station 11, if you are curious). I’m rediscovering the pleasure of reading, of being fully immersed for an hour or more in a fictional tale, while my toddler is asleep in the next room.
I used to be an avid reader but the first year of parenthood – especially the light / broken sleep – meant I had no mental capacity or energy to read a book. Then my daughter turned 11 months old, started sleeping a solid 12-hour stretch in her own room every night, and I began picking up books again. 2022 was all about non-fiction, but for the first book of 2023 I wanted to dive back into fictional worlds again. Thus Station 11.
I think of my new reading habits as a compromise – and in a way a metaphor of how I am approaching my relationship to technology. Harnessing the power of technological progress, using modern tools, but not being used by them.
By being fully immersed in a book for an hour or more, I am retraining my brain to pay attention, to really focus. I do not feel compelled to grab my phone to check social media or fire up a website. It feels like a small act of rebellion, of reclaiming my humanity in a world – an online world – that reaps enormous profits from people’s scattered attention.
Since 2012, I have been doing most of my reading on a Kindle.
Yes, Amazon’s Kindle.
I love the ability to carry with me – in a tiny purse – all my favorite books. As I mentioned, 99% of books I read are non-fiction and as soon as I’m done with a book, I immediately export the passages I highlighted, I format them nicely and print them out… so I can have a physical copy of a book’s most memorable concepts.
Now that I’m a parent – days are busier and leisure time scarce – I try to seize any opportunity to pick up reading. If the Kindle is in the living room and I’m afraid the creaky wooden floors may wake up my daughter, well… I resume reading the book on the Kindle app of my iPhone. Something I would have never imagined doing.
I used to be an absolutist but the older I get, the more I appreciate nuance and compromise.
If you are wondering, I suppose the downside of buying and reading books on a Kindle is that technically you do not own them, but are simply “leasing” them from Amazon.
And if the company so chooses, they could deactivate your account, making you lose access to all your e-books… or simply pull a book from your device, unbeknownst to you, like they did – ironically – with an edition of Orwell’s 1984.
Amazon also knows what you are reading and your pace… if that is the sort of thing that bothers you.
I own two Kindle devices – the oldest one is offline, which gives me some peace of mind regarding the contents it is holding. And for recent e-books on my newer Kindle, like I mentioned, I typically create a physical copy of the passages that meant the most to me, so I feel at peace with physical “backups” should the unimaginable happen.
Friction: one sec
A while back, I wrote about how I “resist time thieves” through friction:
Unpopular opinion: I love friction. While tech platforms, app developers and countless companies are attempting to create a friction-less world, adding voice commands and face recognition to everyday objects to allow us to do things faster, and more effortlessly, I say: not for me. I don’t mind the extra steps. Why? My power of concentration and privacy depend on it.
I continued:
Setting aside the argument that “smart objects” are a Trojan horse for the surveillance capitalism industrial complex, I find friction to be essential in order to maintain focus and concentration.
My main advice back then was to delete all social media and distracting apps from one’s phone.
Three years later, in this post-pandemic brave new world, I understand the importance of compromise and nuance. And since writing that post, a new app came out that perfectly helps in this respect, creating friction for the apps that you wish to use less.
An app to curb app use. Again, something I had never imagined would be a thing, but here we are.
The app is called one sec. It was created by 27-year-old German developer Frederik Riedel. The free version allows you to focus on one app, while the premium version is unlimited.
Here is its elevator pitch:
one sec forces you to take a deep breath whenever you open social media apps. It’s as simple as effective: added friction makes distracting apps less appealing.
Once you have identified an app you’d like to use less or more mindfully (it can be any app, not just social media ones), you follow the instructions clearly explained by one sec and create an automation in Apple’s Shortcuts app.
The next time you attempt to open the app you wish to use less (let’s say it’s Mastodon), here is what happens:
- an animation from one sec hijacks the screen and the following message appears: “It’s time to take a big breath”
- afterwards you see in big bold letters the number corresponding to how many times you attempted to open the app within the last 24 hours… and one sec also tells you the last use of the app (for example, 20 minutes ago)
- in order to start using Mastodon, you need to click on the text prompt at the bottom of the screen “continue to Mastodon” but here is the ingenious twist: there is a big button above it that says “I don’t want to open Mastodon”. It is easier to click on it than to actually press the prompt to open the app
- in the premium version, if you select you want to continue and open the app, you have the option of selecting an intention: “bored” or “stressed” or “tired” or “procrastinate” – amongst other options… which makes you keenly aware of your state of mind and the habit loop you may have developed that drives you to open the distracting app.
I have been using this automation for Mastodon and I’m seeing dramatic changes already. Any time I unlock my phone and I am about to click on Mastodon, I have this sense of guilt mixed with annoyance because I know the screen prompt from one sec will come up… and it will tell me how many times I have attempted to open the app in the last 24 hours. So I think about it twice before doing it. My usage has definitely gone down.
one sec is a really sophisticated app, with many more additional features – I only scratched the surface with my description. one sec also features:
- Focus sessions: users are unable to open configured apps during a particular timespan.
- Good Morning Countdown: users are unable to open configured apps for 15 minutes until one hour right after waking up (data are drawn from HealthKit)
- Visualized monitoring: one sec presents app and website usage data in diagrams.
- Healthy alternatives: users can record alternatives to app or website usage, such as doing sports, pursue a hobby, reading or meditate. These are suggested by one sec every time a configured app is opened.
I have only been using one sec for a few days but I already find it indispensable. Try it out for yourselves and let me know how you found it.
Onwards and upwards,
Elena
- The Realists website: therealists.org
- my personal website: elenarossini.com
- Mastodon: https://mastodon.social/@_elena
-
More on the #openEMS Win32 porting effort: Microsoft has download links for Visual Studio 2022 at aka.ms/vs/17, but no link for Visual Studio 2026. You only get aka.ms/vs/stable, if you use this in your documentation, all links are going to break 4 years later. :woozy_baa: Someone already reported it to Microsoft, but I'm not sure how many escalations it takes before Microsoft adds a link. https://developercommunity.visualstudio.com/t/Short-links-akams-for-VS-2026-install/11008785
-
I’m currently looking for a new job. My current one is a drain on my mental health, and the anxiety that comes with it can’t go on.
I have experience in the social media, SEO/internet marketing and IT/development sectors. If anyone knows of anyone that is hiring I would appreciate the help and connection. I would be forever grateful.
PLS boost for maximum exposure to the #Fediverse.
#NewJob #JobSearch #NeedAJob #FediJobs #IT #SocialMedia #Developer
-
Oh, right, #introduction time! i’m Christopher. i’m #agender, #poz, #polyam, and #bisexual. Something something #adhd, something something can’t make decisions something something.
i’m a #frontend developer & recently suffered a massive bout of burnout and am on sabbatical while i figure out my next move in life. i live in Oakland with my spouse Chris, our partner Taz, and our two #cats, Dante & Tybalt. i frequently travel to #NewYork to spend time with my Sir, @chimeracoder.
Say hello!
-
Speaking of not writing documentation: I also prototyped a very cool idea for how to greatly simplify the developer experience of #rules_prerender *and* make it understand even more complex dependency graphs.
Still more experimenting to be done, but I'm hopeful this is a viable strategy and will be a big improvement for developers! 😁
-
#freesoftwareadvent day 13
Yes, I've skipped a day again. 🤷♂️
Today a tiny program called #gitui
It's what you imagine, a terminal UI for git. I use it more and more to review log history, list of changes in commits, what's in a stash, etc.
Even though I'm not a developer I keep a lot of things in git repos (some are code, some are config files or similar) and this is a nice add-on to the cli version of git.
-
Having a very nice time at #LibreGraphicsMeeting :) I wonder if there's a similar event for audio? I know about #AudioDeveloperConference but I'm pretty sure it's not specific to free software. Also I like the fact that LGM is focused both on the developer- and the user-facing side (to some extent), whereas ADC is explicitly targeted towards developers
-
The 3 React Upgrades SPFx Devs Are Ignoring (And Why Your Web Parts Are Leaking Performance)
1,402 words, 7 minutes read time.
Let’s cut the fluff: if your SPFx web parts feel sluggish, your state management is spaghetti, or your page crashes under moderate load, it’s because you’re not playing with React the way it’s meant to be played in 2026. The latest version of SPFx ships with React 18 support, but most devs treat it like yesterday’s framework, dragging legacy habits into modern code. I’ve seen it countless times: web parts patched with workarounds, effects firing endlessly, unoptimized re-renders eating CPU cycles, and junior devs praying that no one notices. The hard truth? If you can’t adapt to React’s new features, your code is dying on the vine, and so is your professional credibility.
This isn’t a gentle nudge. I’m here to break down the three React upgrades SPFx developers ignore at their own peril, why they matter technically, and how they mirror discipline—or the lack thereof—in your professional and personal life. First, we tackle the core of modern React: Concurrent Rendering and Automatic Batching.
Concurrent Rendering and Automatic Batching – Your Web Parts’ Backbone
When React 18 dropped concurrent rendering and automatic batching, it wasn’t a luxury—it was a lifeline. Most SPFx devs never adjust their components for this. They cling to class components with componentDidMount hacks or use hooks incorrectly, leaving effects firing multiple times, state updates queuing chaotically, and memory leaks piling up. In SPFx, where your web part is a node on the page with other parts loading simultaneously, this isn’t minor—it’s the difference between a smooth user experience and a browser meltdown.
I’ve refactored dozens of enterprise SPFx solutions. If your useEffect calls aren’t guarded, or you don’t understand how React batches state updates automatically now, you’re wasting render cycles and bleeding performance. Imagine deploying a web part that triggers three API calls per keystroke in a search box because you didn’t wrap state changes in proper batching logic. That’s a professional facepalm waiting to happen.
This is also about integrity. Your components are the kernel of your web part. If they panic, the whole page goes down. Every unguarded effect, every missed cleanup is like leaving a socket exposed: it’s dangerous, messy, and shows laziness. Learning concurrent rendering and embracing automatic batching isn’t optional; it’s the same principle you apply in life when you keep promises, manage your commitments, and clean up after yourself. Half measures don’t cut it in code or character.
From a pure technical perspective, understand that concurrent rendering allows React to interrupt long-running renders, prioritizing urgent updates and keeping the UI responsive. Automatic batching merges multiple state updates into a single render, reducing unnecessary DOM recalculations. In SPFx web parts, where you might be calling the SharePoint REST API or Microsoft Graph, this translates into fewer wasted renders, less flicker, and a page that doesn’t tank when multiple web parts fire simultaneously. It’s subtle, but anyone ignoring this is coding in yesterday’s world.
The takeaway is simple: refactor your legacy components, embrace hooks fully, and make React 18 work for you, not against you. Stop treating batching as magic and understand the lifecycle implications. Every clean render, every optimized state transition, is a reflection of the discipline you either bring or fail to bring to your work.
Suspense, Lazy Loading, and Code Splitting – Stop Shipping Monoliths
If you’re still bundling every component into a single SPFx web part, congratulations—you’re shipping a monolith nobody wants to wait for. React 18’s Suspense, combined with lazy loading, is your ticket to scalable, maintainable, and performant web parts. Yet most devs ignore it. They either don’t understand it or they fear breaking things, so they cling to the “just load everything upfront” mindset. That’s cowardice, plain and simple.
Suspense lets React pause rendering until a component or data is ready. Lazy loading defers non-critical components, shaving precious milliseconds off initial load time. In SPFx, where your web part might pull data from multiple lists, libraries, or Microsoft Graph endpoints, ignoring this is a performance crime. I’ve watched junior developers bake everything into bundle.js, resulting in 3MB downloads for a single web part. Users hate that. Management hates that. And your reputation? Tanking.
Implementing Suspense properly isn’t just technical. It forces discipline in planning component structure, dependencies, and render order. Every lazy-loaded component you ship cleanly mirrors your ability to compartmentalize and manage complexity in real life. A man who leaves tasks half-done, who tries to juggle everything without order, is coding like he lives: chaotic, inefficient, and fragile. You want clean SPFx web parts? Start thinking like a disciplined architect.
Technically, wrapping your web parts with Suspense and splitting components using React.lazy() reduces initial payload and allows React to prioritize urgent renders. Combined with proper error boundaries, you’re not just optimizing performance—you’re creating a resilient system. Lazy-loading non-critical components is like building load-bearing walls before the decorative trim: prioritize stability, then polish. Any SPFx dev ignoring this is playing checkers in a chess game.
Strict Mode, DevTools, and Type Safety – Expose Your Weak Links
React 18’s Strict Mode is more than a debug feature—it’s a truth serum for sloppy code. When enabled, it intentionally double-invokes certain functions and effects to highlight side effects, memory leaks, and unsafe lifecycles. Most SPFx developers disable it immediately because it “spams the console.” That’s the coward’s move. You’re afraid to face your mistakes.
I run Strict Mode on every SPFx project. Every memory leak caught early saves headaches later. Every unclean effect prevented saves CPU cycles and user frustration. Pair that with TypeScript’s type enforcement and React DevTools profiling, and you’re not just coding—you’re auditing, refactoring, and hardening your web parts. Anything less is negligent.
The life lesson here is brutal but simple: discipline exposes weakness. If you’re not testing, profiling, and pushing your code to reveal flaws, you’re hiding from your own incompetence. Your character is the kernel; your habits are the state. If you panic under load, everything around you suffers. Apply Strict Mode and type safety to React in SPFx, and you build a muscle: resilience, foresight, and accountability.
Technically, the combination of Strict Mode and TypeScript ensures that your SPFx web parts are robust against async pitfalls, improper effect cleanup, and improper prop usage. Every refactor becomes a proof point that you can maintain complex systems with minimal technical debt. If you ignore it, you’re shipping spaghetti and calling it gourmet.
Conclusion: No-Excuses Mastery – Ship Like a Pro or Ship Like a Junior
Here’s the brutal truth: React 18 in SPFx is a weapon. Ignore concurrent rendering, batching, Suspense, lazy loading, Strict Mode, or TypeScript, and you’re not a developer—you’re a liability. You can’t pretend old habits will carry you; they won’t. Your web parts crash, your users suffer, and your reputation bleeds like memory leaks in an unoptimized component.
Refactor. Optimize. Audit. Stop shipping half-baked web parts. Embrace concurrent rendering to stabilize your core, implement Suspense and lazy loading to manage complexity, and enforce strict checks and type safety to expose weaknesses before they hit production. Every module you clean, every effect you guard, every render you optimize reflects the man you are—or refuse to be.
No more excuses. Ship like a professional, or get left behind. Your SPFx web parts are a reflection of your discipline, attention to detail, and mastery of modern frameworks. Treat them with respect. Treat your craft with respect. And for anyone serious about leveling up, subscribe, comment, or reach out—but only if you’re ready to put in the work. Half measures are for hobbyists.
Call to Action
If this post sparked your creativity, don’t just scroll past. Join the community of makers and tinkerers—people turning ideas into reality with 3D printing. Subscribe for more 3D printing guides and projects, drop a comment sharing what you’re printing, or reach out and tell me about your latest project. Let’s build together.
D. Bryan King
Sources
- React Official Documentation
- SPFx Web Part Overview
- Concurrent UI Patterns in React
- React Suspense API
- React.lazy Documentation
- React Hooks Introduction
- SPFx Hello World Guide
- React StrictMode
- TypeScript Handbook
- Optimizing Performance in React
- SPFx Web Part Lifecycle
Disclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.
#automaticBatching #componentOptimization #concurrentRendering #effectCleanup #lazyLoading #lazyLoadedComponents #modernReact #modernWebDevelopment #React18 #React18Features #React18Hooks #React18InSPFx #ReactArchitecture #reactBestPractices #ReactCodeHygiene #ReactCoding #ReactComponentDesign #ReactConcurrency #ReactDebugging #ReactDevTools #ReactErrorBoundaries #ReactHooks #ReactLazy #ReactLearning #ReactMemoryLeaks #ReactOptimizationTechniques #ReactPerformance #ReactProfiler #ReactRefactor #ReactStateManagement #ReactStrictMode #ReactSuspenseAPI #ReactTips #ReactTraining #ReactUpdates #resilientWebParts #scalableSPFx #SharePointDevelopment #SharePointFramework #SharePointOptimization #SharePointPerformance #SharePointTips #SPFx #SPFxBestPractices #SPFxCoding #SPFxDeveloperGuide #SPFxDevelopment #SPFxLifecycle #SPFxLifecycleManagement #SPFxPerformance #SPFxTips #SPFxTutorials #SPFxWebParts #StrictMode #Suspense #TypeScript #TypeScriptSPFx #webPartArchitecture #webPartOptimization #webPartPerformance -
The 3 React Upgrades SPFx Devs Are Ignoring (And Why Your Web Parts Are Leaking Performance)
1,402 words, 7 minutes read time.
Let’s cut the fluff: if your SPFx web parts feel sluggish, your state management is spaghetti, or your page crashes under moderate load, it’s because you’re not playing with React the way it’s meant to be played in 2026. The latest version of SPFx ships with React 18 support, but most devs treat it like yesterday’s framework, dragging legacy habits into modern code. I’ve seen it countless times: web parts patched with workarounds, effects firing endlessly, unoptimized re-renders eating CPU cycles, and junior devs praying that no one notices. The hard truth? If you can’t adapt to React’s new features, your code is dying on the vine, and so is your professional credibility.
This isn’t a gentle nudge. I’m here to break down the three React upgrades SPFx developers ignore at their own peril, why they matter technically, and how they mirror discipline—or the lack thereof—in your professional and personal life. First, we tackle the core of modern React: Concurrent Rendering and Automatic Batching.
Concurrent Rendering and Automatic Batching – Your Web Parts’ Backbone
When React 18 dropped concurrent rendering and automatic batching, it wasn’t a luxury—it was a lifeline. Most SPFx devs never adjust their components for this. They cling to class components with
componentDidMounthacks or use hooks incorrectly, leaving effects firing multiple times, state updates queuing chaotically, and memory leaks piling up. In SPFx, where your web part is a node on the page with other parts loading simultaneously, this isn’t minor—it’s the difference between a smooth user experience and a browser meltdown.I’ve refactored dozens of enterprise SPFx solutions. If your
useEffectcalls aren’t guarded, or you don’t understand how React batches state updates automatically now, you’re wasting render cycles and bleeding performance. Imagine deploying a web part that triggers three API calls per keystroke in a search box because you didn’t wrap state changes in proper batching logic. That’s a professional facepalm waiting to happen.This is also about integrity. Your components are the kernel of your web part. If they panic, the whole page goes down. Every unguarded effect, every missed cleanup is like leaving a socket exposed: it’s dangerous, messy, and shows laziness. Learning concurrent rendering and embracing automatic batching isn’t optional; it’s the same principle you apply in life when you keep promises, manage your commitments, and clean up after yourself. Half measures don’t cut it in code or character.
From a pure technical perspective, understand that concurrent rendering allows React to interrupt long-running renders, prioritizing urgent updates and keeping the UI responsive. Automatic batching merges multiple state updates into a single render, reducing unnecessary DOM recalculations. In SPFx web parts, where you might be calling the SharePoint REST API or Microsoft Graph, this translates into fewer wasted renders, less flicker, and a page that doesn’t tank when multiple web parts fire simultaneously. It’s subtle, but anyone ignoring this is coding in yesterday’s world.
The takeaway is simple: refactor your legacy components, embrace hooks fully, and make React 18 work for you, not against you. Stop treating batching as magic and understand the lifecycle implications. Every clean render, every optimized state transition, is a reflection of the discipline you either bring or fail to bring to your work.
Suspense, Lazy Loading, and Code Splitting – Stop Shipping Monoliths
If you’re still bundling every component into a single SPFx web part, congratulations—you’re shipping a monolith nobody wants to wait for. React 18’s Suspense, combined with lazy loading, is your ticket to scalable, maintainable, and performant web parts. Yet most devs ignore it. They either don’t understand it or they fear breaking things, so they cling to the “just load everything upfront” mindset. That’s cowardice, plain and simple.
Suspense lets React pause rendering until a component or data is ready. Lazy loading defers non-critical components, shaving precious milliseconds off initial load time. In SPFx, where your web part might pull data from multiple lists, libraries, or Microsoft Graph endpoints, ignoring this is a performance crime. I’ve watched junior developers bake everything into
bundle.js, resulting in 3MB downloads for a single web part. Users hate that. Management hates that. And your reputation? Tanking.Implementing Suspense properly isn’t just technical. It forces discipline in planning component structure, dependencies, and render order. Every lazy-loaded component you ship cleanly mirrors your ability to compartmentalize and manage complexity in real life. A man who leaves tasks half-done, who tries to juggle everything without order, is coding like he lives: chaotic, inefficient, and fragile. You want clean SPFx web parts? Start thinking like a disciplined architect.
Technically, wrapping your web parts with
Suspenseand splitting components usingReact.lazy()reduces initial payload and allows React to prioritize urgent renders. Combined with proper error boundaries, you’re not just optimizing performance—you’re creating a resilient system. Lazy-loading non-critical components is like building load-bearing walls before the decorative trim: prioritize stability, then polish. Any SPFx dev ignoring this is playing checkers in a chess game.Strict Mode, DevTools, and Type Safety – Expose Your Weak Links
React 18’s Strict Mode is more than a debug feature—it’s a truth serum for sloppy code. When enabled, it intentionally double-invokes certain functions and effects to highlight side effects, memory leaks, and unsafe lifecycles. Most SPFx developers disable it immediately because it “spams the console.” That’s the coward’s move. You’re afraid to face your mistakes.
I run Strict Mode on every SPFx project. Every memory leak caught early saves headaches later. Every unclean effect prevented saves CPU cycles and user frustration. Pair that with TypeScript’s type enforcement and React DevTools profiling, and you’re not just coding—you’re auditing, refactoring, and hardening your web parts. Anything less is negligent.
The life lesson here is brutal but simple: discipline exposes weakness. If you’re not testing, profiling, and pushing your code to reveal flaws, you’re hiding from your own incompetence. Your character is the kernel; your habits are the state. If you panic under load, everything around you suffers. Apply Strict Mode and type safety to React in SPFx, and you build a muscle: resilience, foresight, and accountability.
Technically, the combination of Strict Mode and TypeScript ensures that your SPFx web parts are robust against async pitfalls, improper effect cleanup, and improper prop usage. Every refactor becomes a proof point that you can maintain complex systems with minimal technical debt. If you ignore it, you’re shipping spaghetti and calling it gourmet.
Conclusion: No-Excuses Mastery – Ship Like a Pro or Ship Like a Junior
Here’s the brutal truth: React 18 in SPFx is a weapon. Ignore concurrent rendering, batching, Suspense, lazy loading, Strict Mode, or TypeScript, and you’re not a developer—you’re a liability. You can’t pretend old habits will carry you; they won’t. Your web parts crash, your users suffer, and your reputation bleeds like memory leaks in an unoptimized component.
Refactor. Optimize. Audit. Stop shipping half-baked web parts. Embrace concurrent rendering to stabilize your core, implement Suspense and lazy loading to manage complexity, and enforce strict checks and type safety to expose weaknesses before they hit production. Every module you clean, every effect you guard, every render you optimize reflects the man you are—or refuse to be.
No more excuses. Ship like a professional, or get left behind. Your SPFx web parts are a reflection of your discipline, attention to detail, and mastery of modern frameworks. Treat them with respect. Treat your craft with respect. And for anyone serious about leveling up, subscribe, comment, or reach out—but only if you’re ready to put in the work. Half measures are for hobbyists.
Call to Action
If this post sparked your creativity, don’t just scroll past. Join the community of makers and tinkerers—people turning ideas into reality with 3D printing. Subscribe for more 3D printing guides and projects, drop a comment sharing what you’re printing, or reach out and tell me about your latest project. Let’s build together.D. Bryan King
Disclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.
#automaticBatching #componentOptimization #concurrentRendering #effectCleanup #lazyLoading #lazyLoadedComponents #modernReact #modernWebDevelopment #React18 #React18Features #React18Hooks #React18InSPFx #ReactArchitecture #reactBestPractices #ReactCodeHygiene #ReactCoding #ReactComponentDesign #ReactConcurrency #ReactDebugging #ReactDevTools #ReactErrorBoundaries #ReactHooks #ReactLazy #ReactLearning #ReactMemoryLeaks #ReactOptimizationTechniques #ReactPerformance #ReactProfiler #ReactRefactor #ReactStateManagement #ReactStrictMode #ReactSuspenseAPI #ReactTips #ReactTraining #ReactUpdates #resilientWebParts #scalableSPFx #SharePointDevelopment #SharePointFramework #SharePointOptimization #SharePointPerformance #SharePointTips #SPFx #SPFxBestPractices #SPFxCoding #SPFxDeveloperGuide #SPFxDevelopment #SPFxLifecycle #SPFxLifecycleManagement #SPFxPerformance #SPFxTips #SPFxTutorials #SPFxWebParts #StrictMode #Suspense #TypeScript #TypeScriptSPFx #webPartArchitecture #webPartOptimization #webPartPerformance -
🚀 OMG! Bun.js finally has a built-in router for Bun.serve()! This dropped way faster than I expected, and I’m seriously impressed. 🔥
#BunJS #WebDevelopment #JavaScript #NodeJS #BunServe #BuiltInRouter #GameChanger #RequestHandling #WebServers #CodingLife #DeveloperCommunity #TechNews #Programming #SoftwareDevelopment #Innovation #OpenSource #FrontendDevelopment #BackendDevelopment #TechTrends
-