One Third of the Web Will Stop Working in 4 Days: Massive-Scale CDN Compromise Starts Wednesday

Submitted ⁨⁨1⁩ ⁨day⁩ ago⁩ by ⁨BrikoX@lemmy.zip⁩ to ⁨technology@lemmy.zip⁩

https://lowendbox.com/blog/one-third-of-the-web-will-stop-working-in-4-days-massive-scale-cdn-compromise-starts-wednesday/

About 34% of the web is still powered by HTTP/1.1 and that protocol will likely come under severe attack starting on Wednesday. Get a preview of what’s in store for the latest security headache.

source

Comments

Sort:hotnew top

fullofredgoo@lemmy.world ⁨1⁩ ⁨day⁩ ago
First comment on the post:

James Kettle: Hi, I’m the author of this research. It’s great to see interest and I can promise some quality research and a strong argument to kill HTTP/1.1 but the headline of this article goes a bit too far. The specific CDN vulnerabilities have been disclosed to the vendors and patched (hence the past tense in the abstract) – I wouldn’t drop zero day on a CDN! That said I do expect to see fresh critical CDN vulnerabilities in future – hopefully found by a white hat!

source
- 9point6@lemmy.world ⁨1⁩ ⁨day⁩ ago
  Blogs and misreporting research to drive clicks
  
  Name a more iconic combo
  
  source
floofloof@lemmy.ca ⁨1⁩ ⁨day⁩ ago
If we know about these attacks, then the bad guys know too. Even if they weren’t given the details they’d be able to figure them out. Why then would they wait until Wednesday to start attacking?

Besides, the author of the research says that the vulnerabilities have been disclosed to the CDN providers and patched already. So the headline is doubly silly.

source
PleaseLetMeOut@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago
I remember people on IRC doing something similar to Cloudflare years back. Using a malformed HTTP header to get a servers’ real host IPs. It didn’t give you admin panel access or anything like this does, but you could deanonymize sites.

And to sit on this for 6 years?! I don’t even know what to say about that…

source
perishthethought@piefed.social ⁨1⁩ ⁨day⁩ ago
Y2K energy

source