
I recommend Weekend Reading by Assaf Arkin to everyone; it covers several topics, from design and front-end to security, tooling and peopleware. More than just a collection of links, it includes a bit of commentary, which makes it feel much more personal.

https://labnotes.org/


Yes, self-signed certificates without a CA are MitM-prone, but that's the only thing Heroku enables. You're only given a username and password and have to make do with whatever configuration they've done, thus the problems.


Thanks, glad you liked it!


OP here. That's entirely correct, Postgres deployed correctly is secure against a MitM, but since Heroku has not issued a trust root, they are not.

Edited to add: As a user of Heroku Postgres you can't configure Postgres correctly, Heroku is supposed to do that for you.


I think the word you're looking for is key stretching.

https://en.wikipedia.org/wiki/Key_stretching



For anyone who feels they might fall under the same category (I do!), represent: https://teespring.com/human-chaos-monkey


Sadly, it doesn't. I was hoping for this as well, so I tested it, and it turns out that the user agents of the two browsers are identical.

  EME:      Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0  
  EME-free: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0


But wouldn't the server logs show that the browser loaded the page but failed to set up the video stream because it didn't support EME?


I would guess so, yes. You can never prove that something is random, merely that it behaves randomly "enough". There are lots of test suites[1][2] you can run that will test that a generator is uniform and doesn't follow any patterns or have any other statistical weaknesses, but you can never prove that something is fully random without knowing the process that generates those numbers. A statistically sound RNG might just output the digits of pi, which would be non-repeating, uniform and pass any randomness test, but if you knew which digit the RNG started from and how many it has output so far, you could easily predict the next one. Likewise, if you're given a large enough sample, you can search the digits to figure out the state of the RNG.

[1]: dieharder: http://www.phy.duke.edu/~rgb/General/dieharder.php

[2]: http://csrc.nist.gov/publications/nistpubs/800-22-rev1a/SP80...
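The "digits of pi" generator the comment above describes, as an added example that is not part of the original thread: a generator whose outputs pass a chi-square uniformity check yet are fully predictable once an observer recovers its state, which here is nothing more than a position in pi. PiRNG, chi_square_uniform, recover_state and predict_next are names made up for this illustration; the digits themselves come from Gibbons' spigot algorithm.

```python
from itertools import islice

def pi_digits():
    """Gibbons' unbounded spigot: yields the decimal digits of pi (3, 1, 4, 1, 5, ...)."""
    q, r, t, k, n, l = 1, 0, 1, 1, 3, 3
    while True:
        if 4 * q + r - t < n * t:
            yield n
            q, r, t, k, n, l = (10 * q, 10 * (r - n * t), t, k,
                                (10 * (3 * q + r)) // t - 10 * n, l)
        else:
            q, r, t, k, n, l = (q * k, (2 * q + r) * l, t * l, k + 1,
                                (q * (7 * k + 2) + r * l) // (t * l), l + 2)

# Constructed "entropy pool": the first 1200 digits of pi, computed once at import.
DIGITS = list(islice(pi_digits(), 1200))

class PiRNG:
    """Hypothetical generator whose only hidden state is a position in pi."""
    def __init__(self, start):
        self.pos = start            # the secret state
    def next_digit(self):
        d = DIGITS[self.pos]
        self.pos += 1
        return d

def chi_square_uniform(digits):
    """Chi-square statistic against 'each digit 0-9 equally likely'. With 9 degrees
    of freedom, values below 16.92 are consistent with uniformity at the 5% level,
    i.e. the sample passes this (very basic) randomness test."""
    expected = len(digits) / 10
    counts = [digits.count(d) for d in range(10)]
    return sum((c - expected) ** 2 / expected for c in counts)

def recover_state(observed):
    """Observer's view: locate a captured run of outputs in pi and return the index
    of the digit the generator will emit next (None if the run is not found)."""
    k = len(observed)
    for i in range(len(DIGITS) - k + 1):
        if DIGITS[i:i + k] == observed:
            return i + k
    return None

def predict_next(observed, how_many):
    """Predict the generator's next outputs from a captured run of its past ones."""
    pos = recover_state(observed)
    return None if pos is None else DIGITS[pos:pos + how_many]
```

Feeding a run of outputs from `PiRNG(some_secret_start)` to `predict_next` recovers the position and returns the digits the generator emits next, even though `chi_square_uniform` on the same outputs reports nothing suspicious.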


The easiest version is the most portable and easy to read in this case:

  import os
  os.urandom(20)

Saves you from having to manage files at all, and works cross-platform.


Huh, I never knew that was there; thanks!

In production code I would probably use Crypto.Random.get_random_bytes().

