> You're supposed to concatenate all the input numbers, to create a message that has hundreds or thousands of digits; then RSA-encrypt that number.
That's not how it works...
In modern protocols, you don't encrypt at all with RSA. You use a key exchange, and if you use RSA, you only use it as a signature algorithm to initiate the key exchange.
If you happen to want to encrypt with RSA, which you usually shouldn't, you first use a padding algorithm (the modern variant of that is called RSA-OAEP) with which you prepare and then encrypt a random key. That key you then use for symmetric encryption.
Everyone, including every professional network engineer, does this regularly. I've never seen a TLS error message that actually reflected a security issue, as opposed to a configuration problem.
There's a long history of people trying to build software that detects bad software. It's known as Antivirus software. It doesn't work very well, because you're up against fundamental truths of computational theory (the halting problem).
That framing is too broad for what npm supply chain attacks actually look like.
Antivirus deals with arbitrary binaries on a general purpose OS. npm attacks are much more constrained. The code has to run during install or import, steal credentials, send them over the network, and hide inside a package that claims to do something ordinary. That narrows the space.
I am not solving “is this code malicious?” in the abstract. I am checking concrete violations of behavioral invariants. A CSS library importing child_process. A utility suddenly adding obfuscated network calls in a patch release. A package reading .ssh keys during postinstall. Those patterns are not theoretical edge cases. They are how real attacks work.
No, you cannot catch everything. But every major npm supply chain incident in 2025 used the same playbook: install script abuse, credential theft, network exfiltration. That is highly detectable. The goal is not perfection. It is raising the cost of attack in a space where most attackers are currently not even trying to evade detection.
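The invariant checks listed in the comment above, as an added example (not the commenter's own tool): install-hook presence, sensitive module imports, `.ssh` references, a crude obfuscation indicator, and new capabilities appearing in a patch release. The rule set, function names and the two constructed sample releases are assumptions of the example.

```javascript
// Added example, not part of the original comment: checks the concrete invariants named
// above against an in-memory package view. Rules, names and sample releases are constructed.
const SENSITIVE_MODULES = ['child_process', 'net', 'http', 'https', 'dns'];
const IMPORT_RE = /require\(\s*['"]([^'"]+)['"]\s*\)|from\s+['"]([^'"]+)['"]/g;

// Module specifiers pulled from require() calls and ES import clauses.
function importsOf(source) {
  const mods = new Set();
  for (const m of source.matchAll(IMPORT_RE)) mods.add((m[1] || m[2]).replace(/^node:/, ''));
  return mods;
}

// True when next is a semver patch bump of prev (same major.minor, higher patch).
function isPatchBump(prev, next) {
  const [a, b] = [prev, next].map(v => v.split('.').map(Number));
  return a[0] === b[0] && a[1] === b[1] && b[2] > a[2];
}

// pkg = { manifest: <package.json object>, files: { path: source } }; previous is the
// prior release, if available, for the "new capability in a patch release" check.
function checkPackage(pkg, previous) {
  const findings = [];
  const scripts = pkg.manifest.scripts || {};
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (scripts[hook]) findings.push(`install hook "${hook}": ${scripts[hook]}`);
  }
  const source = Object.values(pkg.files).join('\n');
  const mods = importsOf(source);
  for (const m of SENSITIVE_MODULES) if (mods.has(m)) findings.push(`imports ${m}`);
  if (/\.ssh[\/\\]/.test(source)) findings.push('references ~/.ssh');
  if (/\beval\s*\(|new Function\s*\(|[A-Za-z0-9+\/=]{200,}/.test(source)) findings.push('obfuscation indicator');
  if (previous && isPatchBump(previous.manifest.version, pkg.manifest.version)) {
    const before = importsOf(Object.values(previous.files).join('\n'));
    for (const m of SENSITIVE_MODULES) {
      if (mods.has(m) && !before.has(m)) findings.push(`patch release adds ${m}`);
    }
  }
  return findings;
}

// Constructed sample: a benign CSS helper and a patch release that breaks its invariants.
const clean = { manifest: { name: 'tiny-css-utils', version: '1.2.3' },
  files: { 'index.js': "module.exports = { minify: s => s.replace(/\\s+/g, ' ') };" } };
const suspicious = { manifest: { ...clean.manifest, version: '1.2.4', scripts: { postinstall: 'node setup.js' } },
  files: { ...clean.files, 'setup.js': [
    "const cp = require('child_process');",
    "const os = require('os'), fs = require('fs'), https = require('https');",
    "const key = fs.readFileSync(os.homedir() + '/.ssh/id_rsa', 'utf8');",
  ].join('\n') } };
```

Running `checkPackage(suspicious, clean)` flags the postinstall hook, the child_process and https imports, the `.ssh` reference, and that both modules are new in a patch release; `checkPackage(clean)` returns no findings.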
If the rest of the world wants to still have an industry once we finally decide to seriously use green technology, they should quickly catch up to China - if that's still possible.
While China is still very reliant on fossil fuels, and particularly dirty coal, they're at the same time working on dominating the post-fossil age at astonishing speed. After they already dominate solar and batteries, they're working on doing the same for a number of other future green industries. They are already dominating future technologies like Green Methanol that most people in Europe or the US have never heard of.
That can't be true, right? I mean, Google broke Adblockers in Chrome to prevent this very issue. And it had absolutely nothing to do with Google's Ad business.
So it's completely impossible that such malicious extensions still exist.
I used to create a number of simple web pages in XHTML back in the days when we believed XHTML was the future. Recently, while going through and restructuring some of my old "online stuff", I learned that XHTML really isn't in a state that I'd want to use it any more:
* XHTML 1.0 and 1.1 are officially deprecated by the W3C.
* XHTML5 exists as a variant of HTML5. However, it's very clear that it's absolutely not a priority for the HTML5 working groups, and there's a statement that future features will not necessarily be supported by the XHTML5 variant.
* XHTML5 does not have a DTD, so one of the main advantages of XHTML - that you can validate its correctness with pure XML functionality - isn't there.
* If you do a 'view source' in Firefox on a completely valid XHTML 1.0/1.1 page, it'll redline the XML declaration like it's something wrong. Not sure if this is intended or possibly even a bug, but it certainly gives me a 'browser tells me this is not supposed to be there' feeling.
It pretty much seems to me XHTML has been abandoned by the web community. My personal conclusion has been that whenever I touch any of my old online things still written in XHTML, I'll convert them to HTML5.
> If you do a 'view source' in Firefox on a completely valid XHTML 1.0/1.1 page, it'll redline the XML declaration like it's something wrong
Is the page actually being served as "application/xhtml+xml"? Most XHTML sites aren't, in which case the browser is indeed interpreting those as invalid declarations in a regular old HTML document.
Those red squiggles on view-source: pages in Gecko all have title text with diagnostics. The message (errProcessingInstruction) in recent-ish releases is given as:
> Saw “<?”. Probable cause: Attempt to use an XML processing instruction in HTML. (XML processing instructions are not supported in HTML.)
Okay, story time: back in 2018, the German government's foreign ministry was hacked.
At the time, a colleague of mine (we were both working for the German IT news magazine Golem) found a web page by a government-associated university that was offline with a message that it's been taken down due to a security issue.
Putting a few hints together, we figured out that Ilias was hosted there, and that this was how the attack on the government initially started.
We weren't able to figure out which vulnerability was used, but had some ideas about what it might've been. (Older versions had a default password for the admin account.)
One wonders: there's Open Source software that's widely used by universities, even by government-associated universities. It's been the cause of a high-profile attack on a government before. One wonders why that doesn't trigger sufficient funding for regular, high-quality security audits of that software.