HackerTrans
TopNewTrendsCommentsPastAskShowJobs

David_Osipov

17 karmajoined 3 jaar geleden
$argon2id$v=19$m=64,t=512,p=2$2H5KsmnN3t/C21JEx5F2AQ$9CT+hOsEQp6MWdqFx+PIDw

[ my public key: https://keybase.io/david_osipov; my proof: https://keybase.io/david_osipov/sigs/1iYa4uIxkgZAK_fJ-jJWKQKOuvQqN6bWEHxGzA_Ig2E ]

[Global profile page https://david-osipov.vision/en/about/#person]

Submissions

CVE-2026-14440: Cloudflare Universal SSL CAA records supersede user CAA

nvd.nist.gov
2 points·by David_Osipov·4 dagen geleden·0 comments

Cloudflare CAA augmentation enables unauthorized DV certificate issuance

notcve.org
3 points·by David_Osipov·6 maanden geleden·0 comments

Analysis: Cloudflare's permissive CAA injection nullifies RFC 8657

david-osipov.vision
3 points·by David_Osipov·6 maanden geleden·0 comments

The 2023 jabber.ru Attack Exposes a Critical Cloudflare Flaw in 2026

david-osipov.vision
5 points·by David_Osipov·6 maanden geleden·1 comments

comments

David_Osipov
·4 dagen geleden·discuss
[flagged]
David_Osipov
·6 maanden geleden·discuss
Great job! I've tried to test their tool as well, but was totally paywalled.
David_Osipov
·6 maanden geleden·discuss
Well be great if you've mitigated this as well: https://notcve.org/view.php?id=NotCVE-2026-0001
David_Osipov
·6 maanden geleden·discuss
I can just tell you, that my whole website with the complex logic and systems (based on Astro), which produce more scientific metadata in html code than Nature journal, was spec-coded by me using Github Copilot. But this is my pet project, not an enterprise battle tested one with thousands of users, but it still works: https://david-osipov.vision/en/
David_Osipov
·6 maanden geleden·discuss
Wait, they have been in hibernation for almost several years, why to publish it now?
David_Osipov
·6 maanden geleden·discuss
There is a nuance here for Cloudflare users that makes this problematic.

While analyzing the Jabber.ru incident (which used this exact BGP->TLS vector), I discovered that Cloudflare's "Universal SSL" actively injects permissive CAA records that override user-defined restrictions.

If a user sets a strict accounturi CAA record (RFC 8657) to lock issuance to their specific account—specifically to prevent BGP hijackers from getting a cert—Cloudflare's system automatically appends a wildcard record alongside it to keep their automation working. Because CAs accept any valid record, this effectively nullifies the protection.

It creates a situation where you think you have mitigated the BGP risk via DNS, but the vendor has silently reopened the door.

I wrote up the technical analysis of this override behavior here: https://david-osipov.vision/en/blog/cybersecurity/cloudflare...
David_Osipov
·6 maanden geleden·discuss
Spot on! We tried to somehow reduce the libcef size in our B2B app - barely could do that. We had to employ some fancy compression techniques, but still this thing is huge!
David_Osipov
·6 maanden geleden·discuss
Hi, guys! As an experiment, I've created AI video and audio overview, based my article's info. If this helps at least some of you, pls let me know! If you have any questions or found any mistakes - pls let me know.
David_Osipov
·6 maanden geleden·discuss
A product manager here. Thanks to AI, I was able to create my own website on Astro. I was so fascinated by web technologies, that I didn't realize when I created not just a website, but a blazing fast website with extensive amount of metadata generation (Json-LD, OG, microformats, Dublin Core, PRISM, RSL 1.0, Highwire Press, FAIR singposting, MODS generation) and so on. Thanks to this pet project, I'm now quite capable as a software architect of websites. And it is really fun!
David_Osipov
·6 maanden geleden·discuss
But look, they occupied his time for 7 weeks full-time. He could have taken another project (opportunity cost) if not for this project. I mean, the inefficiencies of their business processes are not his point of concern - they occupied his time and they should pay for it.
David_Osipov
·6 maanden geleden·discuss
No idea why have they created these MS Store versions. The same for MS Store Edge browser - it was (or is) just a downloader of an exe file from their webservers - useless piece of an app
David_Osipov
·6 maanden geleden·discuss
I'm not a web developer, but a product manager, and recently I've created my own website using Astro. I do support the point, that its better to have a relatively simple static website - it's really fast and lightweight! An average Wordpress website would weight 1 MB+ in best case, in worst case - 4 MB+. I don't know how people think it's a good idea to have a compressed webpage to be 4 MB!! Let's KISS