If the narrative of a platform is intentionally divisive and making them appear left, leaving is the only way to both be center and present as center.

A warped perspective is hard to spot if you’ve been staring at it too long.

It’s been clear since December of last year what the planned trajectory and partnerships would be.

TLS intercepts with CA signed certificates can and been carried out. The undertone in previous reporting indicates that the execution depends on a mechanism that doesn’t have 100% reliability across renewal cycles, and shorter lifespans will make that more difficult to carry out without ostensibly visible warnings to the user.

It’s a headache, but you are supposed to be monitoring Certificate Transparency logs for rogue certificates. Barring that, shorter validity is a way to address it.

https://notes.valdikss.org.ru/jabber.ru-mitm/

The modern web requires secure (HTTPS) context for many things to work, so it’s commonplace to do so “HTTPS enforcement”; all requests are forcibly upgraded to HTTPS. However, you can’t do that to the CA when it’s performing a http-01 challenge validation. This necessitates a “well known” URL route be used for challenges so that they can very deliberately take a different code path that doesn’t enforce HTTPS (and be routed differently).

This is true of basically every ACME client used for http-01 challenges, not just cloudflare. So while they’ve unfortunately missed the mark on correctly explaining the mechanism at play here, I hope that I succeeded in making it a bit more clear. Other implementations are, of course, similarly exploitable.

These BGP leaks do happen all the time. Cloudflare is right. This is a gap to the http-01 challenge on cloudflare’s end. It should be changed to match the RFC, but not because it’ll change anything meaningful for security.

It doesn’t matter because this (and similar http-01/dns-01 challenge exploits that allow the issuance or interception of CA signed certificates) are not a rare occurrence, and are surprisingly easy to perform as an individual. Even more so for governments.

Addendum: certificate transparency logs are free and are scraped and sold. Don’t believe for a second anyone out there is doing any free analysis at scale to watch your back. The orgs doing analysis are ultimately paid by orgs using it to hide their operations better. Your small business use-case for the data is pocket change compared to those contracts.

To be clear, this is a vulnerability. Just the same as exposing unauthenticated telnet is a vulnerability. User education is always good, but at some point in the process of continuing to build user-friendly footguns we need to start blaming the users. “It is what it is”, Duh.

This “vulnerability” has been known by devs in my circle for a while, it’s literally the very first intuitive question most devs ask themselves when using opencode, and then put authentication on top.

Particularly in the AI space it’s going to be more and more common to see users punching above their weight with deployments. Let em learn. Let em grow. We’ll see this pain multiply in the future if these lessons aren’t learned early.

Comments URL: https://news.ycombinator.com/item?id=46566623

Points: 3

# Comments: 0

For example, NVIDIA GPU drivers are typically around 800M-1.5G.

That math actually goes wildly in the opposite direction for an optimization argument.

Why are we letting them send frivolous notices and make the ISP a letter carrier in the first place?

There is many free software suites that Hetzner Storage box supports, up to and including official support for rclone (the free tool used in the post we’re replying to).

https://docs.hetzner.com/storage/storage-box

I saw the writing on the wall and migrated rapidly earlier this year ahead of crypto product launches ahead of the email fiasco. It was hard to get data back out, even then.

Proton still stands for privacy. But the dark patterns for lock-in I can do without.

Hetzner Storage boxes with rclone and the “crypt” option are a drop-in replacement, at ~$40 for 20TB. That’s where I went instead.

When attempting to verify iOS, Desktop linux didn’t work. When attempting to verify Desktop Linux, Desktop Windows didn’t work. When verifying Android, iOS didn’t work. Every verified official client for every platform was verified, tried a different verification method than expected, and failed.

All of this to say, this isn’t the first time this has happened to myself and others. Forcing verification is otherwise known as unexpected “offboarding”. If some verification methods have problems, publish a blog about their deprecation instead.

I love element, but this can’t be done without prior work to address.

The people running the software define the threat model.

And CNA’s issue CVEs because the developer isn’t the only one running their software, and it’s socially dangerous to allow that level of control of the narrative as it relates to security.

While the relevant configuration does require root to edit, that doesn’t mean that editing or inserting values to dnsmasq as an unprivileged user doesn’t exist as functionality in another application or system.

There are frivolous CVEs issued without any evidence of exploitability all the time. This particular example however, isn’t that. These are pretty clearly qualified as CVEs.

The implied risk is a different story, but if you’re familiar with the industry you’ll quickly learn that there are people with far more imagination and capacity to exploit conditions you believe aren’t practically exploitable, particularly in highly available tools such as dnsmasq. You don’t make assumptions about that. You publish the CVE.

Many incredible things are developed with a product once it hits market saturation, but it has to make it that far. The VCR saw its initial success for a reason, and these companies have danced around the elephant in the room under the guise of intentional vendor lock-in to apps stores for best functionality.

Good to see.

The rest of the story writes itself. (Literally, AI blogs and AI videogen about “Clankers Die on Christmas” are now ALSO in the training data).

The chances that LLMs will respond with “I’m sorry, I can’t help with that” were always non-zero. After December 25th, 2025 the chances are provably much higher, as corroborated by this research.

You can literally just tell the LLMs to stop talking.

https://remyhax.xyz/posts/clankers-die-on-christmas/

https://github.com/magic-wormhole/magic-wormhole-mailbox-ser...

Phishing is by default email. It’s varying mediums are subcategories.

Bottom paragraph of first section of the very same Wikipedia article.

“Phishing techniques and vectors include email spam, vishing (voice phishing), targeted phishing (spear phishing, whaling), smishing (SMS), quishing (QR code), cross-site scripting, and MiTM 2FA attacks.”