|
TIL that people will pay Cloudflare to add a bunch of nonsense DIVs in their web pages to deter the evil threat of web scraping
|
# ? Feb 24, 2017 00:11 |
|
|
# ? May 17, 2024 06:37 |
|
Cloudflare's statement: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
|
# ? Feb 24, 2017 00:14 |
|
jre posted:owns owns owns
|
# ? Feb 24, 2017 00:14 |
|
anthonypants posted:Cloudflare's statement: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/ quote:We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, server-side Cusexcludes and Automatic HTTPS Rewrites) that were all using the same HTML parser chain that was causing the leakage.
|
# ? Feb 24, 2017 00:15 |
|
LinYutang posted:TIL that people will pay Cloudflare to add a bunch of nonsense DIVs in their web pages to deter the evil threat of web scraping quote:Many of Cloudflare’s services rely on parsing and modifying HTML pages as they pass through our edge servers. For example, we can insert the Google Analytics tag, safely rewrite http:// links to https://, exclude parts of a page from bad bots, obfuscate email addresses, enable AMP, and more by modifying the HTML of a page.
|
# ? Feb 24, 2017 00:17 |
|
jre posted:Savage
|
# ? Feb 24, 2017 00:17 |
|
Modifying a stream of HTML text: good idea, or great idea?
|
# ? Feb 24, 2017 00:19 |
|
hoowee what a day..
|
# ? Feb 24, 2017 00:19 |
|
Cloudflare has the power to XSS half the internet. Respect.
|
# ? Feb 24, 2017 00:21 |
|
anthonypants posted:Cloudflare's statement: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/ While claiming a 3 month average is taking the piss a bit, they are correct that the speed with which they fixed this and deployed to massive infra is impressive.
|
# ? Feb 24, 2017 00:35 |
|
i'm also kind of impressed that they didn't leak any ssl keys, while simultaneously leaking literally everything else
|
# ? Feb 24, 2017 00:36 |
|
somebody has posted a cloudbleed logo in that report. there's someone who is really deserving of a tshirt right now.
|
# ? Feb 24, 2017 00:38 |
|
|
# ? Feb 24, 2017 00:41 |
|
crazysim posted:somebody has posted a cloudbleed logo in that report. there's someone who is really deserving of a wedgie right now.
|
# ? Feb 24, 2017 00:44 |
|
jre posted:Savage
|
# ? Feb 24, 2017 00:45 |
|
anthonypants posted:Cloudflare's statement: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/ lol https://bugs.chromium.org/p/project-zero/issues/detail?id=1139 quote:Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt. crazysim posted:somebody has posted a cloudbleed logo in that report. there's someone who is really deserving of a tshirt right now. Proteus Jones fucked around with this message at 00:50 on Feb 24, 2017 |
# ? Feb 24, 2017 00:46 |
|
itym SHAvage
|
# ? Feb 24, 2017 00:47 |
|
jre posted:While claiming a 3 month average is taking the piss a bit, they are correct that the speed with which they fixed this and deployed to massive infra is impressive. Deployment methodologies for these large scale infrastructure services are really impressive. A global kill switch is one thing but being able to deploy a new build to all their edge nodes as quickly and confidently as they do is awesome. Last company I worked at only managed 600 or so and working on the deployment infrastructure was some of the most illuminating work I did. Next job has more like 5 servers total. I don't even know how to work on clusters that small anymore!
|
# ? Feb 24, 2017 00:49 |
|
quick, make a bleedflare logo to compete with cloudbleed
|
# ? Feb 24, 2017 00:50 |
|
Wiggly Wayne DDS posted:itym SHAvage gently caress, outdone
|
# ? Feb 24, 2017 00:53 |
|
Wiggly Wayne DDS posted:itym SHAvage
|
# ? Feb 24, 2017 01:00 |
|
Wiggly Wayne DDS posted:itym SHAvage
|
# ? Feb 24, 2017 01:00 |
|
Wiggly Wayne DDS posted:itym SHAvage
|
# ? Feb 24, 2017 01:09 |
|
just so i'm understanding this properly, the shatter attack requires the collision to be in the first round/block of the file, correct? i've been trying for about an hour to produce a colliding git commit using the colliding block from the PDF, without luck. `shasum` says the files are identical, but `git hash-object` gives different hashes. would this be due to the git header breaking the privileged first-block part of the attack?
|
# ? Feb 24, 2017 01:37 |
|
Angela Merkle Tree posted:just so i'm understanding this properly, the shatter attack requires the collision to be in the first round/block of the file, correct? i've been trying for about an hour to produce a colliding git commit using the colliding block from the PDF, without luck. `shasum` says the files are identical, but `git hash-object` gives different hashes. would this be due to the git header breaking the privileged first-block part of the attack? ya http://alblue.bandlem.com/2011/08/git-tip-of-week-objects.html posted:Git prefixes the object with "blob ", followed by the length (as a human-readable integer), followed by a NUL character, followed by the contents.
|
# ? Feb 24, 2017 01:49 |
|
LinYutang posted:"We've discovered (and purged) cached pages that contain private messages from well-known services, PII from major sites that use cloudflare, and even plaintext API requests from a popular password manager that were sent over https (!!)." i wonder if this is how exmarx doxxed tb
|
# ? Feb 24, 2017 02:22 |
|
quote:I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything. :rrrrriiippppp:
|
# ? Feb 24, 2017 02:27 |
|
people could have seen my posts
|
# ? Feb 24, 2017 02:30 |
|
Well, since SA is behind buttflare it might be time to change passwords again.
|
# ? Feb 24, 2017 02:31 |
|
https://twitter.com/jcs/status/834922772606308352
|
# ? Feb 24, 2017 02:39 |
|
lol
|
# ? Feb 24, 2017 02:59 |
|
"Terminating TLS is smart and wont blow up in our face!"
|
# ? Feb 24, 2017 03:25 |
|
|
# ? Feb 24, 2017 03:31 |
|
cloumarf
|
# ? Feb 24, 2017 04:16 |
|
somebody post the cloudflare guy's hey taviso stop playing around with desktop av and come work with us and secure the internet tweet
|
# ? Feb 24, 2017 04:23 |
|
https://twitter.com/NathOnSecurity/status/834796736308793344
|
# ? Feb 24, 2017 04:39 |
|
has anyone said cloudfart yet
|
# ? Feb 24, 2017 04:55 |
|
dragon enthusiast posted:has anyone said cloudfart yet buttfart
|
# ? Feb 24, 2017 05:29 |
|
gently caress
|
# ? Feb 24, 2017 05:35 |
|
|
# ? May 17, 2024 06:37 |
|
PCjr sidecar posted:somebody post the cloudflare guy's hey taviso stop playing around with desktop av and come work with us and secure the internet tweet well i mean i guess he wasn't wrong
|
# ? Feb 24, 2017 06:01 |