HackerTrans
TopNewTrendsCommentsPastAskShowJobs

David_Osipov

17 karmajoined 3 tahun yang lalu
$argon2id$v=19$m=64,t=512,p=2$2H5KsmnN3t/C21JEx5F2AQ$9CT+hOsEQp6MWdqFx+PIDw

[ my public key: https://keybase.io/david_osipov; my proof: https://keybase.io/david_osipov/sigs/1iYa4uIxkgZAK_fJ-jJWKQKOuvQqN6bWEHxGzA_Ig2E ]

[Global profile page https://david-osipov.vision/en/about/#person]

Submissions

CVE-2026-14440: Cloudflare Universal SSL CAA records supersede user CAA

nvd.nist.gov
2 points·by David_Osipov·4 hari yang lalu·0 comments

Cloudflare CAA augmentation enables unauthorized DV certificate issuance

notcve.org
3 points·by David_Osipov·6 bulan yang lalu·0 comments

Analysis: Cloudflare's permissive CAA injection nullifies RFC 8657

david-osipov.vision
3 points·by David_Osipov·6 bulan yang lalu·0 comments

The 2023 jabber.ru Attack Exposes a Critical Cloudflare Flaw in 2026

david-osipov.vision
5 points·by David_Osipov·6 bulan yang lalu·1 comments

comments

David_Osipov
·4 hari yang lalu·discuss
[flagged]
David_Osipov
·6 bulan yang lalu·discuss
Great job! I've tried to test their tool as well, but was totally paywalled.
David_Osipov
·6 bulan yang lalu·discuss
Well be great if you've mitigated this as well: https://notcve.org/view.php?id=NotCVE-2026-0001
David_Osipov
·6 bulan yang lalu·discuss
I can just tell you, that my whole website with the complex logic and systems (based on Astro), which produce more scientific metadata in html code than Nature journal, was spec-coded by me using Github Copilot. But this is my pet project, not an enterprise battle tested one with thousands of users, but it still works: https://david-osipov.vision/en/
David_Osipov
·6 bulan yang lalu·discuss
Wait, they have been in hibernation for almost several years, why to publish it now?
David_Osipov
·6 bulan yang lalu·discuss
There is a nuance here for Cloudflare users that makes this problematic.

While analyzing the Jabber.ru incident (which used this exact BGP->TLS vector), I discovered that Cloudflare's "Universal SSL" actively injects permissive CAA records that override user-defined restrictions.

If a user sets a strict accounturi CAA record (RFC 8657) to lock issuance to their specific account—specifically to prevent BGP hijackers from getting a cert—Cloudflare's system automatically appends a wildcard record alongside it to keep their automation working. Because CAs accept any valid record, this effectively nullifies the protection.

It creates a situation where you think you have mitigated the BGP risk via DNS, but the vendor has silently reopened the door.

I wrote up the technical analysis of this override behavior here: https://david-osipov.vision/en/blog/cybersecurity/cloudflare...
David_Osipov
·6 bulan yang lalu·discuss
Spot on! We tried to somehow reduce the libcef size in our B2B app - barely could do that. We had to employ some fancy compression techniques, but still this thing is huge!
David_Osipov
·6 bulan yang lalu·discuss
Hi, guys! As an experiment, I've created AI video and audio overview, based my article's info. If this helps at least some of you, pls let me know! If you have any questions or found any mistakes - pls let me know.
David_Osipov
·6 bulan yang lalu·discuss
A product manager here. Thanks to AI, I was able to create my own website on Astro. I was so fascinated by web technologies, that I didn't realize when I created not just a website, but a blazing fast website with extensive amount of metadata generation (Json-LD, OG, microformats, Dublin Core, PRISM, RSL 1.0, Highwire Press, FAIR singposting, MODS generation) and so on. Thanks to this pet project, I'm now quite capable as a software architect of websites. And it is really fun!
David_Osipov
·6 bulan yang lalu·discuss
But look, they occupied his time for 7 weeks full-time. He could have taken another project (opportunity cost) if not for this project. I mean, the inefficiencies of their business processes are not his point of concern - they occupied his time and they should pay for it.
David_Osipov
·6 bulan yang lalu·discuss
No idea why have they created these MS Store versions. The same for MS Store Edge browser - it was (or is) just a downloader of an exe file from their webservers - useless piece of an app
David_Osipov
·6 bulan yang lalu·discuss
I'm not a web developer, but a product manager, and recently I've created my own website using Astro. I do support the point, that its better to have a relatively simple static website - it's really fast and lightweight! An average Wordpress website would weight 1 MB+ in best case, in worst case - 4 MB+. I don't know how people think it's a good idea to have a compressed webpage to be 4 MB!! Let's KISS