1. 42

  2. 12

    But most importantly, by telling people to put sensitive data (such as credentials, configuration files, etc) it’s a really dangerous lesson for our teams. We’re teaching people to blindly trust arbitrary websites that they don’t have any relationship with, nor have fully audited the source code, when posting potentially sensitive data.

    I strongly agree with this. No sensitive data should touch the network. However, for anonymized, fake, or non-PII data, I have used a JSON validator online and don’t see any issue with it!

    1. 10

      However, for anonymized, fake, or non-PII data, I have used a JSON validator online and don’t see any issue with it!

      I feel like the entire thrust of the piece is saying that you shouldn’t do that explicitly because it encourages a bad habit that could later bite you.

      1. 8

        Which is easier to enforce?

        • Carefully track whether a token grants access to real resources or contains PII.
        • Don’t do anything with any token that you wouldn’t do with one that granted access to real resources or contained PII

        The second is a simple global rule that you can apply without thinking. The first depends on carefully tracking state and requires a single accidental paste or copy of the wrong thing to be a security breach.

        1. 2

          Yeah, I wouldn’t use jwt.io, myself. Note that I was specifically talking about JSON validation.

      2. 5

        Jq can parse the jwt payload for you if you just need to look inside. No need to reach for jwt.io or anything else, in that case

        1. 3

          Yes that’s true. A few of my colleagues use that, but as mentioned in a linked post, I use python -mjson.tool as it doesn’t need jq installed

        2. 10

          What’s with this assumption of being a worldwide authority or known entity that’s so popular in blog posts or internet comments?

          My thoughts on…

          I’ve always maintained that…

          Like many people know…

          People who know me know that…

          I’m infamous for…

          Nobody knows who you are - just write your content without the preamble.

          1. 58

            I don’t think a blogger owes anyone being overly modest on their own blog. They can write however they like. I’m going to read it as long as it’s useful and/or entertaining.

            1. 28

              I thought it was perfectly fine? They have discouraged and discussed this kind of online tooling, and eventually decided to write it up as a blog post. It’s perfectly reasonable to frame this article as the author’s reasoning behind doing what they’re doing.

              In fact, I’d argue it’s more modest than something like “why online tooling is bad”. With the author’s framing as it is, they’re not pretending to have the objectively correct view; they’re upfront about how this is their opinion on the matter.

              1. 2

                That’s true as well. “JWT.io considered harmful” would be a worse post, and the personalisms clearly draw the line between “this is my opinion” and “I speak for everybody”.

                My original post probably crossed wires between “authority” vs. “familiarity”

              2. 16

                You seem like you must be a worldwide authority on how to write preambles for blogs. ;)

                1. 1

                  Why would he need to be?

                  1. 4

                    He wouldn’t, but as others have cited, being overly critical of someone’s writing because of their particular language choices and not commenting at all on the content being presented is A) Of questionable constructive value and B) Potentially not in the spirit of this very technology oriented forum.

                2. 13

                  I’m sorry that you read it like so - would you mind explaining what wording made me sound like I think I’m a worldwide authority on the matter?

                  1. 9

                    You’re all good, you have your own voice. It’s some BS that this is the feedback you’re getting unsolicited instead of talking about the actual topic.

                    1. 3

                      Given the reaction, I’m probably in the wrong here. It’s a minor nit that I magnified into a big deal.

                      Buuut, to explain my rationale, it’s specifically your first paragraph. The content was fine (and I use jwt.io often).

                      Something my colleagues know well is how little I trust online tools like jwt.io, online JSON validators or online tooling in general, but it also bleeds into comments I make online and in my blog posts, too, and I thought I’d share a little bit of a reason as to why.

                      I’m not familiar with your coworkers, your online comments, or your blog posts. And I don’t mean that offensively, like “you’re a nobody” - it’s just that in this case I would rather tailor the article for what’s probably the larger group (people who don’t know you) vs. the smaller group (people who know you).

                      My reaction was overblown, and contained more of a general rant towards every instance of this I’ve seen, not your specific violation.

                      To be frank I’m surprised that others disagree (although it’s probably more about me sounding like a dick than my opinion). I genuinely find it strange to read public content that’s written as if I’m this person’s best friend and remember the thing they said in the kitchen last Tuesday.

                    2. 5

                      On the other hand, I dislike when people speak for me on my behalf with phrases like “the python community agrees that” or “all java developers think that”.

                      I also think it’s important to separate things that are factual from opinions. It’s not that my opinion is important but that it’s just an opinion, and everyone can have one. Disagreeing does not necessarily make you wrong when it comes to opinions, but more so when it comes to facts.

                      1. 1

                        “Or, as I’ve lately taken to calling it, …”

                        It’s weird though — these phrases didn’t start out as imitation of people with actual authority, as far as I can tell. A lot of fake authority starts as imitatiion (e.g. dressing like the king/CEO/next-rung manager), but I can’t recall widely respected people like DHH (recently) or JKH (decades ago) ever using phrases like “Like many people know”. These phrases were always fake.

                      2. 2

                        One of such useful tool is CyberChef, it has all kinds of encoding/decoding tools one would Google for in need, all built in. Even validation tools for JWT, so you can keep your secrets local, not paste them to public website.

                        There’s an online version of this, but it is also downloadable (just HTML and bunch of JS). I run my offline copy as a “native app” under macOS with FluidApp.

                        1. 2

                          Web services really are quite comfortable to use though, and definitely easier than remembering how to use a shell script for rare one-off tasks.

                          So another option is to host your own version on the company intranet — at my previous company we had lots of internal tools for debugging and productivity, like an internal pastebin clone for sharing snippets, locked behind SSO.

                          1. 1

                            Typographical point: I don’t think backticks (`) should be used as quotation marks, rather the dedicated open and close quote characters ( and , these are option+] and option+shift+] on a mac keyboard) or maybe the prime sign (', next to the return button) should be used?

                            1. 2

                              That ship has sailed, thanks to the various text markup languages that are the height of current fads.

                              1. 1

                                On IRC I surround quotes with double backticks followed by double primes. This is the style used by GNU Info I believe, and is supposed to approximate the opening and closing double quotes.

                                1. 7

                                  I’ve seen that too, and it bugs me a little bit. It’s not a big deal with monospace fonts, but when you’re using proportional fonts, the kerning of the backtick is usually such that there is a lot of space around it (because it’s supposed to be the accent grave without an actual letter underneath it) unlike an apostrophe or quote mark, so it looks awkward. But it might just be personal preference, and plus the article is set in a monospaced font too. #EmbraceUnicode

                                  1. 4

                                    Yeah, in a proportional font I just use double quotes (in Markdown) and let the SmartyPants filter translate them into HTML entities.

                                  2. 4

                                    On IRC I surround quotes with double backticks followed by double primes. This is the style used by GNU Info I believe, and is supposed to approximate the opening and closing double quotes.

                                    This is inherited from TeX, which jumped through a lot of hoops to make it possible to represent complex typography in 7-bit ASCII typeable on a ‘70s US keyboard. It’s worth noting that the single and double back ticks in TeX are source code, not output. They render as open single or double quotes in the generated output and so are seen only by people editing the TeX source. As I recall (and it’s been over 15 years since I read the TeX papers, so I may be imagining it) they found smart quotes had too many false positives with the kind of read-ahead it was feasible to implement at the time and so needed an annotation to turn them off, and when a rendering pass took several minutes / hours it was more efficient to always use explicit open and close syntax than require the user to go through the typeset manuscript and check every quote mark / apostrophe was correct.

                                    1. 3

                                      I gave up doing that when more IRC clients started rendering pseudo-markdown and it people started getting code-quotes in their messages.

                                      Also, the GNU project no longer suggests that style of quoting in its standards:

                                      Although GNU programs traditionally used 0x60 (‘`’) for opening and 0x27 (‘’’) for closing quotes, nowadays quotes ‘`like this’’ are typically rendered asymmetrically, so quoting ‘“like this”’ or ‘‘like this’’ typically looks better.

                                      Aside: is it possible to write a literal backtick in a markdown inline code span?

                                      1. 3

                                        You should be allowed to use HTML <code> tags and backslash-escape the backticks. Unfortunately, lobsters silently strips code tags instead of treating them as equivalent to backtick escapes.

                                        For example <code>\`test\`</code> looks like `test`

                                        This kind of corner-case nonsense is why the Markdown format is supposed to allow HTML. Even if you use further sanitization to limit the set of available HTML tags, I still ought to be allowed to use the HTML powers that are equivalent to what Markdown already gives me.

                                        Here’s the same thing in a GitHub Gist, where it works correctly.

                                        1. 5

                                          I don’t see why lobste.rs should jump through a lot of hoops just to facilitate meta-discussion about Markdown syntax. Not allowing any extra HTML is a reasonable decision on a public forum.

                                          1. 2

                                            Funny thing, GitHub and Lobsters use the exact same Markdown parser and renderer, they just post-process it differently.

                                          2. 2

                                            I gave up doing that when more IRC clients started rendering pseudo-markdown and it people started getting code-quotes in their messages.

                                            That’s unfortunate. I use the double-backtick/double-prime quoting for “real quotes”, while I use double-quotes for commentary. I guess no-one really realizes the difference but it matter to me.

                                            I use both Windows and Macs to access IRC and I’m going to find it hard to locate the “real” quote characters - besides, I can’t be sure that they will be handled correctly by IRC clients who can’t handle Unicode! Not to mention Swedish quoting style is different from English - we don’t use opening double quotes, only closing at both ends.

                                            1. 1

                                              Is there actually a way to produce proper quote characters on Windows without using those Alt codes? I use mostly Linux these days, and I always set my keyboard layout to Macintosh to get those and composition (like using option+u U to make a Ü, or option+` a to make an à), but I’ve never figured out how to do that sensibly on Windows.