Hacker News: bsysop

New comment by bsysop in "Mitigating a DDoS on Mastodon"

bsysop — Fri, 06 Dec 2019 15:22:05 +0000

This is huge. There are a ton of mis-configured Apache and nginx reverse proxies out there that expose the primary domain name of the site being served. You can quickly test this for yourself by running "curl -vk https://your.ip.address" and see what pops up for the CN field or Location header.

Even worse is the pattern of requesting LetsEncrypt certificates for multiple domains on one certificate. Now all of a sudden you're leaking development server hostnames, peeling off the white label of multi-tenant, and making things easier for automated scanners.

I get it that security by hostname obscurity is a poor practice on its own, but there's also something to be said for cutting down a large amount of malicious traffic with some common best practices.

New comment by bsysop in "Cname cloaking, a disguise of third-party trackers"

bsysop — Sat, 23 Nov 2019 21:04:23 +0000

Do you think ad companies will really trust reverse-proxied ad traffic? Seems like a tremendous opportunity for fraud. Right now with user agents hitting ad servers directly, there's much less opportunity for content publishers to fake impressions and clicks.

New comment by bsysop in "The Maturing of QUIC"

bsysop — Mon, 11 Nov 2019 20:58:34 +0000

What developer out there reads "The spin bit is an OPTIONAL feature of QUIC", then sees "Implementations MUST allow administrators of clients and servers to disable the spin bit either globally or on a per-connection basis" and thinks "Yes, this is definitely something I will implement and test out all the edge cases." Especially stuff like "The random selection process SHOULD be designed such that on average the spin bit is disabled for at least one eighth of network paths."

This whole thing is going to be a congestion control arms race. With TCP out the window this is going to be an epic battle of network operators trying to heuristically classify important vs. bulk traffic any way they can, content servers trying every trick in the book to get their traffic prioritized ahead of competitors, and savvy users running tweaked router firmware to jump the Fair Share queue.