One Third of the Web Will Stop Working in 4 Days: Massive-Scale CDN Compromise Starts Wednesday

About 34% of the web is still powered by HTTP/1.1 and that protocol will likely come under severe attack starting on Wednesday. Get a preview of what's in store for the latest security headache.

https://lowendbox.com/blog/one-third-of-the-web-will-stop-working-in-4-days-massive-scale-cdn-compromise-starts-wednesday/Open link View original on lemmy.zip

Comments5

fullofredgoo

lemmy.world

First comment on the post:

James Kettle: Hi, I’m the author of this research. It’s great to see interest and I can promise some quality research and a strong argument to kill HTTP/1.1 but the headline of this article goes a bit too far. The specific CDN vulnerabilities have been disclosed to the vendors and patched (hence the past tense in the abstract) – I wouldn’t drop zero day on a CDN! That said I do expect to see fresh critical CDN vulnerabilities in future – hopefully found by a white hat!

9point6 reply

lemmy.world

Blogs and misreporting research to drive clicks

Name a more iconic combo

floofloof

lemmy.ca

If we know about these attacks, then the bad guys know too. Even if they weren't yet given the details they've been told where to look and could quickly figure them out. Why then would they wait until Wednesday to start attacking? We have to assume they're already attacking, and 1/3 of the web has not gone down.

Besides, the author of the research says the vulnerabilities have been disclosed to CDN providers and patched already. So it's a significant discovery but the headline is doubly silly.

Trapped In America

lemmy.dbzer0.com

I remember people on IRC doing something similar to Cloudflare years back. Using a malformed HTTP header to get a server's real host IP. It didn't give you admin panel access or anything like this does, but you could deanonymize sites.

And to sit on this for 6 years?! I don't even know what to say about that...

perishthethought

piefed.social

Y2K energy