SQLServer: Why is a Shared lock blocking on an IX lock when Read Committed Snapshot is enabled?

Our system has randomly started deadlocking in areas where it previously had not, and an analysis of the deadlock graph looks like it should not even be happening to begin with. Here is a screenshot of the deadlock graph.

enter image description here

For reference: The left node is a basic insert into the sync_entities table, where the right node is "update sync_entities set A=B, C=D from sync_entities e join sync_revisions r on e.id=r.entity_id where r.id in ()"

Based on my understanding of lock compatibility, an Requesting an S lock when an IX lock exists would block only if Read Committed Snapshot is off, but it is turned on for this database, and has been for a very long time. Am I missing something?

HTTP2 is enabled and working, but PHP $_SERVER[‘SERVER_PROTOCOL’] still says “HTTP/1.1”

I’ve been migrating to a new host (AWS Lightsail with a Ubuntu instance) and while everything is working just fine I’m running into a quirk that I can’t quite figure out.

I’ve enabled HTTP2 on my virtual server and confirmed that files are using that protocol (via DevTools and http2.pro):

HTTP2 working in DevTools

HTTP2 working per http2.pro

For reference, here is my server showing the Apache HTTP2 mod is enabled (and I did restart apache afterwords)

http2 mod already enabled

However, in PHP when I output $ _SERVER['SERVER_PROTOCOL'] on my server it is still showing "HTTP/1.1":

http1.1

php code

But this same exact software (WordPress theme) on other servers is showing "HTTP/2.0" correctly:

http2 detected with same exact code

I believe I have my Apache2 conf files setup correctly:

Port 443:

<VirtualHost *:443>     Protocols h2 h2c http/1.1 

and just to be thorough I did Port 80 as well:

<VirtualHost *:80>     Protocols h2 h2c http/1.1 

Unfortunately I do not have access to the conf files (or ssh) on the server that is working, so I can’t cross-reference those files.

I’ve been reading a bunch of tutorials on HTTP2 to see if there is any additional setting or configuration that I may have missed, but most are showing the same instructions that I’ve implemented.

Can anyone point me in the right direction as to why this PHP "detection" is incorrectly displaying the protocol, or if there is something I missed that is preventing PHP from using HTTP2 in this one situation?

Why are DNS prefetch requests sent in clear text with DNS over HTTPS enabled?

I am trying to understand how DNS-over-HTTPS (DoH) works in both Chrome and Firefox browsers.

To do so, I have enabled DoH on each browser and set the DNS provider to Cloudflare DNS servers (1.1.1.1 and 1.0.0.1), at both browser and operating system level (Windows 10 in my case).

However, the traffic captured by Wireshark shows that there are still multiple DNS request that are made in clear text:

clear text DNS requests

While some of those requests are probably issued by other desktop applications that do not implement DoH, there is one request pattern which seems strange to me:

DNS Prefetch request

Everytime I search some text (say foo for example) in the URL search bar and press Enter, a DNS request is made to the Cloudflare resolver with the domain name foo.lan. Unsurprisingly, the server answers with a No such name DNS response.

After doing some research, this behaviour actually appears to be linked with DNS prefetching.

To make sure of that, I disabled the DNS prefetch flags in both Firefox (network.dns.disablePrefetch) and Chrome (Use a prediction service to load pages more quickly option toggled off), but the prefetch requests are still being sent as before.

This raises three questions to me:

  • Why DNS prefetch requests still occur when the feature is disabled ?
  • Why are those requests made with the .lan suffix ?
  • Why DNS prefetch requests are sent in clear text even though DoH is enabled ?

Please note that I have also tried to change the default search engine from Google to Bing, but the results are unchanged.

Any help would be very appreciated.

How does password reset work if 2FA is enabled?

(There is a highly related question, however I believe mine is not a duplicate, since it deals with resetting a password without access to the account, not changing it while being logged in.)

Say someone has gained access to my email that I used to register some accounts with. Assume also that these accounts all have some kind of 2FA, be it a 30-second code generated by an app, a U2F key – the type doesn’t matter for my question.

In my understanding, in order for the attacker to change the password of an account, there are two ways:

  • Log into the account and change the password in the internal settings, without using the associated email. Even if we leave our computer/phone unattended with an active session of the relevant account, therefore bypassing the need for the hacker to also guess the account password, the change is still impossible. This is because, as explained in the question linked above, this would require at least 2FA verification, possibly 2FA + the original account password.

  • On the log-in screen for the account, use the ‘reset password’ option to send a reset email to the email account that we assumed the hacker had access to. I am confused as to what happens then:

    1. is the 2FA needed to send the reset email in the first place? If not,
    2. is the attacker able to reset the password, but not to actually log in, since the 2FA is still in place? This essentially means that they can’t access the account, but nor can we.
    3. is the attacker able to reset the password and log into the account, since the 2FA somehow becomes void?

Of course, scenario 1) is the most desirable from the perspective of the legitimate user, 2) is significantly worse, 3) is tragic. But which one actually happens when someone tries to reset a password for an account with 2FA enabled?

Is CSRF protection required for sensitive GET requests with CORS enabled?

Based on other questions, it seems protecting GET resources with CSRF tokens is useless. However, that quickly becomes untrue when CORS gets thrown into the mix

I have a server domain server.com and a UI app at client.com. The server.com domain handles user auth and sets a session cookie under the server.com domain. It also has a rest-like endpoint that serves GET requests at /user_data and returns sensitive user data to users with a valid session. The 3rd party UI at client.com needs access to the user_data in an AJAX call, so CORS is enabled at the /user_data endpoint for the origin domain client.com via Access-Control-Allow-Origin.

The endpoint in question has no side effects, although it serves sensitive data to a 3rd party. Do I need to implement some CSRF token protection for the endpoint? Could the user_data be read by a compromised client.com webpage (via persistent XSS)? If so, can I use a query param mechanism of CSRF token exchange? The way I understand it, it’s the only option, because the client.com cannot read csrf tokens stored in a server.com cookies. However OWASP guidelines state that:

Make sure that the token is not leaked in the server logs, or in the URL.

If that’s also a problem, how can I secure my application?

Why would my ISP have SSLv3 enabled and support insecure suites? SSLLAB rates them an F

A few days ago I tried to log in and pay my bill and their HTTPS was disabled. I questioned it and they enabled it and said they were doing upgrades. Curious, I tested the site with SSL LAB and they received an F because they also support insecure suites.

I asked them about disabling SSLv3 to mitigate POODLE and was told I needed to do that on my end.

I am confused because every other ISP and site with SSL I test receives a B or A score, why would my ISP rest at an F and no one seems to care except me.