
In part VIII of my series about KSeF I described the fact, proven by audit, that the WAF gateway sees the plaintext JSON data that the system's API returns. But why is this data there at all, if it can be extracted from the encrypted XML invoice? I answer that question in a way a layman can understand.
Imagine a simple registered letter. The envelope is sealed, so no one reads the writing along the way. And yet on the outside there must be a sender, an addressee, a city, a consignment number. Without these few disclosures, the letter will not get anywhere. The courier sees this data not because the state wants to reveal something to him, but because a delivery system cannot be built any other way.
With KSeF it is identical, only instead of the envelope we have the network protocol, and instead of the letter, an invoice. The content of the document itself can be encrypted, signed, and wrapped in successive layers of cryptography. However, the user's accounting program must get basic information anyway: invoice number, party identifiers, amounts, dates, document type. Without this, you can't show a list of invoices, calculate tax or book a transaction. A system without this data would be secure, but useless.
The same goes for the WAF gateway. It is not a mysterious wiretap, but a guard standing in the path between the user and the server of the Ministry of Finance. Every request and response must pass through it, just as every visitor passes through security at the entrance to an office. So if the data is needed by the program on the user's side, it necessarily passes through the checkpoint. The guard sees it not because someone decided to show it to him, but because he stands in the place through which all communication passes.
That's not a peculiar feature of KSeF. This is how the modern internet works in general. Electronic banking, shops, public administration, cloud services: everywhere, encryption ends at the protection layer, and inside the system the data becomes readable because it needs to be processed. You can't calculate tax on encrypted numbers. You can't search for a document the system can't see.
Therefore, the plaintext JSON in KSeF API 2.0 is not an exception or a hole, but a consequence of the system's purpose. The data is visible to the WAF gateway because it must be visible to the user's application. And since there is a protective layer between one and the other, that layer can see the data too. This whole architecture is not a mistake; it is smart and sensible, and it follows good practice for designing systems of this kind.
There is only one mistake in all this: the intermediary, the guard who watches over it, is not a system owned by the KSeF operator, but an external, foreign intelligence entity. It is as if Polish offices hired guards for their entrances through an intermediary who deals with intelligence, and these guards were his agents. The whole design of the entrance gate and all the infrastructure related to it is correct, good, wise. The only flaw is that foreign intelligence agents are in charge.
Grzegorz GPS Swiderski
t.me/CanalBlogeraGPS
Twitter.com/gps65
PS. Part VIII. What else does Imperva see? More metadata: x.com/gps65/status/2023001255132434749












