Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenJS Foundation / OpenJS Foundation Collaborator Summit, Berlin, May 2019 / 5 Jun 2019
OpenJS Foundation / OpenJS Foundation Collaborator Summit, Berlin, May 2019 / 5 Jun 2019
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Inspector protocol in production

Description

OpenJS Foundation Collaborator Summit, Berlin, 2019

A

Is a special protocol and it just car sound mr. Berger use cases in production and we will discuss some issues. What we have right now so.

A

Issues the.

B

Most.

A

Exciting part, and in first issue that actually it my main main issue for me right now, just because I'm trying to go this debugger for no justice, no or production budget partial about production, but you use child processes is actually how to debug child process. The problem is that it's very critical export using WebSockets and inspector by yourself try to generate some port and by default it to use one port definitely doesn't work.

A

Do you have multiple processors, but it can automatically generate random port if you pass zero and after you pass zero, the main questions how to get this generated port back sectional connect and right now the approach that is super ugly. It's only works when you can control foul notice about them. You just parse the city error and gives us WebSocket you are out of here, but if chanters you to see the error or something like this, it will not work so have anyone debug child processes, okay,.

B

Okay,.

A

So the possible solutions here, it's the main problems, artificial- how to discover this port, how to report its part. It's probably can use some alternative transport to report. This part, for example, diagnostic, require little just introduced an experimental, and maybe, if you have some other ideas, how can report it and can be easily consumed by your tool? It will be nice.

C

So I know vias code allows to attach to um like note processes that don't even explicitly open dance back port. Yet oh maybe list them all. So maybe look through how to a did that yeah.

A

They actually use signals, they can send signal yeah.

C

And.

A

Then open a deathless socket actually the problems. It is not a sound out. Environment actually prohibit using signals, so they are not. At that point. I will take a look again. Maybe they introduced something better.

A

Okay, yes, problem.

A

The main problem, the man and biggest topic actually I, believe I of robots actually secures is how is it secure to his practical production from one point of view? As long as you are not leaking WebSocket URL, it should be fine, but at the same time I remember. The second part of security is not exposing too much information as possible, and now, if you leak for a second URL someone get for access to protocol, it come, someone can debug, it can execute remote code and anything like this.

A

We.

D

Even had a security.

D

Yeah.

A

The idea was, the problem was that Netflix for by default, exposed protocol using zero, zero, zero, zero interface or some predictable port, and was it was too much too easy to connect I actually.

E

Seen this in the world, like people exposed in the debugger ready.

E

Yeah.

A

It's very good point. First of all, there are some very simple layer of security right now that you need to get full WebSocket URL to come back textual, but unfortunately, by default note on the port on the inspector port. Not you'll, expose Jason end point where you can go and get its full website URL. So the first measure very straightforward. They actually have four requests to introduce a flag that.

A

Should be.

A

If you are not exposing any port- and you wonder on trust just cause, you don't use actually independent, so you verify all of them. Then yes, it works, but if you around on trusted code, then it can, for example, then, here on to knows is the same. My instance one not can connect to not.

A

An addressed to on strim I mean security problem is been around to know that your assignment compromise on NPM package and uses NPM package to brute force all ports and connecting as notices all the emotional.

C

Yes, because you can programmatically start yeah.

A

So, first firmly sexual licking, the staff secretary RL. If you can avoid licking, it will define, but I mean if it's final licked. Another problem is actually exposing too much information and one of the suggestion by Ally and China Yujin was that we need to whitelist the miles that actually available a lot.

A

It might work, I mean if you need to only profiler, or only if you only some part of protocol, possibly work, but at the same time, protocol by itself was not designed to be right in this environment, for example, you need travel time demand for a lot of inspection, and if you enable in profiler you cannot get it. If you enable and keep profiler it's much harder to get explicit objects. Is that sometimes I mean it's something that you can work on, but it's something question how to solve.

A

If you can find the idea by the laser it's the link- and there are a lot of discussion- happens there and please join and share any Europe committees.

E

Is.

A

Talking.

E

About make this.

A

Is not yet.

E

And it's not going to help having a flag to disable it because they're not gonna, know about it.

A

Yes, I agree, but at the same time, I'm in business to your cause, for example, I feel.

A

Like if you go to Chrome inspect to.

E

Find you know, process yeah, how that's how it goes. Yes,.

D

Yes, you can.

E

Find.

C

A second point there, but.

E

It'll.

C

Make it so that, if.

E

You general debugging.

C

With the signal it doesn't expose.

A

We can't do it, I mean yes, we definitely can right now they remove as much as possible its final time. Yes, but if, for example, visually I caused you a signal, they expect to have this parts. The.

D

Other thing is that still like security was brought up as wrongly issues, making the case that turning production security.

E

One.

D

Thing I think people like comfortable because of yes, people aren't comfortable tutorial. It's great for debugging, you don't clean. These are the solutions I.

A

Delight to say that protocol, if we instance next step from security protocol was designed to the way is a it is rated from production from performance point of view from I'm, mostly from performance point of view, and actually used to automate crump a lot and used by different companies and Thunder I mean the only aspect that was not to compliant time for a desired for security. I mean security was support for. Why not it?

A

It's not easy to get a part, it's what it's not easier to get for, WebSocket URL, and it's enough for our use case, but in production a is not an imagined, as we like most get more control over everything. So.

C

I.

A

Like to say that performance is solved and nothing is solved, I know all about its result. If you need something, you definitely need to pay for something like profiler there's some overhead, but if you don't need profiler in this, some Picasa form difficult or business unit. There's.

D

Not something like Netflix is already very are using not.

C

Yet.

A

It.

C

Was.

A

When you use some concept from Randleman example, if you capture heap snapshot.

D

And.

A

You'd like to get objects back, then the objects back rent, an immense lecture demise arts expose all objects. Instruction in bloom enter everything about this action, so you can get your profile but yeah. You can load it or automatically analyze it, but if you'd like to inspect it and get better picture of what is actually new he'll be intern time limited. That's how to practice. I mean I notice that most stop he'll work and you'll be able to get a lot of me on date out of it, but it was.

E

Never actually considered.

A

To predict or never was built, his idea that can be used with different amounts. Next.

D

We check also being true because I know.

D

You.

D

Like process manager, I.

A

Definitely need to take the work, I I, don't know what is, but as far as I know, they're very alert to soldiers how to get violent information out of not it some types that you can use their sound but used to have some Chow students to get profiling and I.

D

Mean to.

A

Get your file out of known process there's.

B

There's.

A

Some.

B

Days.

A

And.

B

If you really want to do it, you can I get some new books.

B

Yeah.

B

So.

A

Yeah they use finally, most like today, you suspect, but I need to check hidden and as a possible solution for the security problem is, do not use WebSocket and use alternative transport layer on vibes it just derailed, born in locally and inspected by production of work in progress by you. Drill I will help using to finish it and it'll solve some problems. For example, chrome, when exposing protocol is pipe. When requires mechanic security. Well again, it's it's two different problems. Access protocol and what further Cox falls problems are spread, is much easier to solve. I.

B

Need.

A

To double check how it's actually implemented, I know that chromic shall have implantation of pie for each platform and then you to actually map it to about the condition and assure but yeah. It's.

C

Possible solution.

A

And something not about dishes but fishy requests. Network inspection is a blow from dirty conference and people start to use inspector say very fast. Go to the point where they'd like to have some way to network and the main problem is cow and act not here and what we should search. I mean I took 12 and yeah. It's just if you'd like to talk about network inspection, if you need metal construction and if you like to help us there, please join hello from diagnostic issues, song right now, I'm a teacher pass against engineer.

A

That's it.