Why your website should be under 14kB in size

Having a smaller website makes it load faster — that's not surprising.

What is surprising is that a 14kB page can load much faster than a 15kB page — maybe 612ms faster — while the difference between a 15kB and a 16kB page is trivial.

Read more https://endtimes.dev/why-your-website-should-be-under-14kb-in-size/

I noticed this paragraph:

Each TCP packet uses 40 bytes in its header — 16 bytes for IP and an additional 24 bytes for TCP

Now I am no longer sure whether to trust the other technical details in that article.

The size of an IP header can range from 20 to 60 bytes. It can never be as short as 16 bytes. The most common sizes are 20 and 40.

A TCP header can also range from 20 to 60 bytes. The most common size is 32 bytes. Though 24 bytes is possible, you are unlikely to see a TCP packet of that exact size.

@kasperd @nixCraft today I saw an article on OWASP talking about C’s printf format specifiers wrt security. They got basic information wrong and they have serious memory errors waiting to happen in the code they claim is ‘safe’. They even claimed that %x reads data off the stack. It doesn’t. You’re also right. If you want to claim something is important you should get your facts straight first.
@kasperd @nixCraft they got other things wrong too. For posterity: https://owasp.org/www-community/attacks/Format_string_attack. The authors shouldn’t be writing the respective articles.
They are not checking the return value of snprintf which you usually need to do. However since they are not using the resulting buffer, I don’t see a vulnerability in that code as is.

The same snprintf call in a larger context might be vulnerable.

Did you find any other vulnerabilities in their safe examples?

@kasperd @nixCraft yes. They didn’t even bother checking argc! And they didn’t 0 initialise the buffer and then used snprintf. These are amateur mistakes.
@kasperd @nixCraft … that can lead to UB. Also their claim that the code in particular will crash: not guaranteed. And they clearly are not in a freestanding environment and they use void for main. Also amateur mistakes.
@kasperd @nixCraft I will add more. The suggestion that printf reads data is ridiculous. It WRITES data. The description of %n is not very good either. It writes the number of bytes that have been written so far into the memory not just any int. Basically there are a lot of problems with their supposed safe code and the article is ironic and inaccurate. The point might be intended well but if you can’t get basic things right why trust them? (Had more time now.)
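The points raised in this thread (check argc, keep untrusted text out of the format string, check snprintf's return value, and what %n really does) in one short C program. This is an added example written for this thread, not code from the OWASP page or from anyone posting here; the function names and the sample inputs in self_check are my own.

```c
#include <stdio.h>
#include <string.h>
enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = 2 };

/* Copy untrusted `user` into `out`. The untrusted string is an argument to a
 * literal "%s" format, never the format itself, so it cannot carry directives.
 * snprintf's return value is checked: <0 is an error, >= outsz is truncation. */
enum fmt_status format_user_text(char *out, size_t outsz, const char *user)
{
    if (out == NULL || outsz == 0 || user == NULL)
        return FMT_ERROR;
    int n = snprintf(out, outsz, "%s", user);
    if (n < 0) {
        out[0] = '\0';                  /* leave a defined, empty string */
        return FMT_ERROR;
    }
    return ((size_t)n >= outsz) ? FMT_TRUNCATED : FMT_OK;
}

/* %n stores the number of characters written so far by this call into the
 * int it points at; it reads nothing. The format is a literal under our control. */
int chars_written_before_n(void)
{
    char buf[32];
    int count = -1;
    snprintf(buf, sizeof buf, "abc%n-tail", &count);
    return count;                       /* 3: "abc" precedes %n */
}

/* Exercises the two functions on constructed inputs; returns 1 on success. */
int self_check(void)
{
    char buf[8];
    if (format_user_text(buf, sizeof buf, "hello") != FMT_OK) return 0;
    if (strcmp(buf, "hello") != 0) return 0;
    if (format_user_text(buf, sizeof buf, "0123456789") != FMT_TRUNCATED) return 0;
    if (strcmp(buf, "0123456") != 0) return 0;  /* cut to 7 chars + NUL */
    if (format_user_text(buf, 0, "x") != FMT_ERROR) return 0;
    return chars_written_before_n() == 3;
}

/* argc is checked before argv[1] is read: argv[argc] is a null pointer. */
int main(int argc, char **argv)
{
    char buf[16];
    const char *input = (argc > 1) ? argv[1] : "(no argument)";
    enum fmt_status st = format_user_text(buf, sizeof buf, input);
    printf("status=%d buf=\"%s\" self_check=%d\n", (int)st, buf, self_check());
    return st == FMT_ERROR;
}
```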
@kasperd @nixCraft fun fact though: one of the winning #ioccc entries of 2020 used %n in a brilliant way. I don’t remember specifics: it might have actually invoked UB but that sometimes happens with the contest. @ioccc judges were so impressed that they said it could be one of the best in a future list. It won Best of Show. We (all the winners in the preview) were all also very impressed. But there are legitimate uses for %n too and a blanket ban is bad.