HackerTrans
TopNewTrendsCommentsPastAskShowJobs

David_Osipov

17 karmajoined vor 3 Jahren
$argon2id$v=19$m=64,t=512,p=2$2H5KsmnN3t/C21JEx5F2AQ$9CT+hOsEQp6MWdqFx+PIDw

[ my public key: https://keybase.io/david_osipov; my proof: https://keybase.io/david_osipov/sigs/1iYa4uIxkgZAK_fJ-jJWKQKOuvQqN6bWEHxGzA_Ig2E ]

[Global profile page https://david-osipov.vision/en/about/#person]

Submissions

CVE-2026-14440: Cloudflare Universal SSL CAA records supersede user CAA

nvd.nist.gov
2 points·by David_Osipov·vor 4 Tagen·0 comments

Cloudflare CAA augmentation enables unauthorized DV certificate issuance

notcve.org
3 points·by David_Osipov·vor 6 Monaten·0 comments

Analysis: Cloudflare's permissive CAA injection nullifies RFC 8657

david-osipov.vision
3 points·by David_Osipov·vor 6 Monaten·0 comments

The 2023 jabber.ru Attack Exposes a Critical Cloudflare Flaw in 2026

david-osipov.vision
5 points·by David_Osipov·vor 6 Monaten·1 comments

comments

David_Osipov
·vor 4 Tagen·discuss
[flagged]
David_Osipov
·vor 6 Monaten·discuss
Great job! I've tried to test their tool as well, but was totally paywalled.
David_Osipov
·vor 6 Monaten·discuss
Well be great if you've mitigated this as well: https://notcve.org/view.php?id=NotCVE-2026-0001
David_Osipov
·vor 6 Monaten·discuss
I can just tell you, that my whole website with the complex logic and systems (based on Astro), which produce more scientific metadata in html code than Nature journal, was spec-coded by me using Github Copilot. But this is my pet project, not an enterprise battle tested one with thousands of users, but it still works: https://david-osipov.vision/en/
David_Osipov
·vor 6 Monaten·discuss
Wait, they have been in hibernation for almost several years, why to publish it now?
David_Osipov
·vor 6 Monaten·discuss
There is a nuance here for Cloudflare users that makes this problematic.

While analyzing the Jabber.ru incident (which used this exact BGP->TLS vector), I discovered that Cloudflare's "Universal SSL" actively injects permissive CAA records that override user-defined restrictions.

If a user sets a strict accounturi CAA record (RFC 8657) to lock issuance to their specific account—specifically to prevent BGP hijackers from getting a cert—Cloudflare's system automatically appends a wildcard record alongside it to keep their automation working. Because CAs accept any valid record, this effectively nullifies the protection.

It creates a situation where you think you have mitigated the BGP risk via DNS, but the vendor has silently reopened the door.

I wrote up the technical analysis of this override behavior here: https://david-osipov.vision/en/blog/cybersecurity/cloudflare...
David_Osipov
·vor 6 Monaten·discuss
Spot on! We tried to somehow reduce the libcef size in our B2B app - barely could do that. We had to employ some fancy compression techniques, but still this thing is huge!
David_Osipov
·vor 6 Monaten·discuss
Hi, guys! As an experiment, I've created AI video and audio overview, based my article's info. If this helps at least some of you, pls let me know! If you have any questions or found any mistakes - pls let me know.
David_Osipov
·vor 6 Monaten·discuss
A product manager here. Thanks to AI, I was able to create my own website on Astro. I was so fascinated by web technologies, that I didn't realize when I created not just a website, but a blazing fast website with extensive amount of metadata generation (Json-LD, OG, microformats, Dublin Core, PRISM, RSL 1.0, Highwire Press, FAIR singposting, MODS generation) and so on. Thanks to this pet project, I'm now quite capable as a software architect of websites. And it is really fun!
David_Osipov
·vor 6 Monaten·discuss
But look, they occupied his time for 7 weeks full-time. He could have taken another project (opportunity cost) if not for this project. I mean, the inefficiencies of their business processes are not his point of concern - they occupied his time and they should pay for it.
David_Osipov
·vor 6 Monaten·discuss
No idea why have they created these MS Store versions. The same for MS Store Edge browser - it was (or is) just a downloader of an exe file from their webservers - useless piece of an app
David_Osipov
·vor 6 Monaten·discuss
I'm not a web developer, but a product manager, and recently I've created my own website using Astro. I do support the point, that its better to have a relatively simple static website - it's really fast and lightweight! An average Wordpress website would weight 1 MB+ in best case, in worst case - 4 MB+. I don't know how people think it's a good idea to have a compressed webpage to be 4 MB!! Let's KISS