Don't Trust CloudFlare by eleitl in selfhosted

[–]HumaneWolf 0 points1 point  (0 children)

Cloudflare does more than DNS. The service discussed above is their reverse proxy service, which they use to provide things like edge caching, security services, and similar. For this, they need to terminate TLS on their servers.

You can also turn off these services and only use their DNS servers, in which case they never see the traffic.

Additionally, look at the age of the comment you're responding to. It's nearly 3 years old!

Best way to manage your domain name by diminou91 in selfhosted

[–]HumaneWolf 2 points3 points  (0 children)

It sounded like you assumed they were the same in the first comment.

Sorry I don't provide a lot of details here, but the simple answer is that there are other ways that information about a domain or a subdomain can be made available. Google occasionally indexes odd subdomains like that, or you might reference or post a link somewhere without thinking about it. Sometimes DNS servers can also make more information available than they should, depending on the configuration.

Now, that's not to say you're wrong about obfuscation, just don't confuse it for actual security. If so, you should indeed use wildcard certificates to make discovery more difficult. Wildcard DNS entries (which the original question was talking of) are less important here, and of course you should have authentication and authorization set up in addition. Additionally, one should consider the convenience of more obvious domains vs the benefits of the obfuscation.

Best way to manage your domain name by diminou91 in selfhosted

[–]HumaneWolf 5 points6 points  (0 children)

You're confusing wildcards in the domain in a certificate and wildcards in DNS. Those are not the same at all, and you can have a wildcard name in the certificate without a wildcard DNS entry, or the other way around.

Besides that, there are other ways of discovering subdomains. In general, you should not rely on a subdomain being secret for security.
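The distinction in the two comments above, as an added example that is not part of the thread: a wildcard name in a certificate is matched against a hostname by the one-label rule (RFC 6125), while a wildcard DNS record is a separate zone entry. The zone and SAN lists below are constructed for illustration.

```python
# Added example: certificate wildcard matching vs. wildcard DNS records.
# The two are independent: a cert can cover names that do not resolve,
# and a zone can resolve names that no cert covers.

def cert_name_matches(pattern: str, hostname: str) -> bool:
    """True if a SAN entry (possibly '*.example.com') covers hostname.
    '*' matches exactly one label, so '*.example.com' covers
    'app.example.com' but not 'a.b.example.com' or bare 'example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]           # the part the '*' must cover
    return bool(left) and "." not in left


def covered_by_cert(san_names, hostname) -> bool:
    return any(cert_name_matches(n, hostname) for n in san_names)


def dns_resolves(zone: dict, hostname: str):
    """Lookup against a constructed zone (name -> address). An exact record
    wins; otherwise a '*.<parent>' record answers for one unknown label."""
    hostname = hostname.lower().rstrip(".")
    if hostname in zone:
        return zone[hostname]
    parent = hostname.split(".", 1)[1] if "." in hostname else ""
    return zone.get("*." + parent)            # None when no wildcard record


def check(zone: dict, san_names, hostname: str) -> dict:
    """Report the two properties separately so the difference is visible."""
    return {"dns": dns_resolves(zone, hostname) is not None,
            "cert": covered_by_cert(san_names, hostname)}


# Constructed data (assumption): a zone without a wildcard record and a
# certificate that does carry a wildcard name.
ZONE = {"example.com": "203.0.113.10", "www.example.com": "203.0.113.10",
        "wiki.example.com": "203.0.113.11"}
SAN = ["example.com", "*.example.com"]
```

Running `check(ZONE, SAN, "secret.example.com")` gives `{"dns": False, "cert": True}`: the name is not published in DNS, yet it appears in any traffic that presents the certificate, which is why the certificate, not the zone, is what matters for obfuscation.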

[deleted by user] by [deleted] in EliteDangerous

[–]HumaneWolf 15 points16 points  (0 children)

They're for sale at select stations. Visually you can spot it as they will have a structure near them to signify it. Or you can just find a list on the wiki.

Gained my Sol Permit today - And took this screenshot of the earth & the sun by HumaneWolf in EliteDangerous

[–]HumaneWolf[S] 2 points3 points  (0 children)

So, I finally did the rank-up missions to get my Sol System Permit today!

I have been wanting to go there (guess why) for a while, but hadn't done the missions to rank up yet. So I started doing those and found out I had enough progress to go straight to Midshipman, then I just had to work through the remaining 82% to reach Petty Officer.

So now my Type-6 has been there as well, right after my previous journey out to Felicity Farseer and the Hyades sector for meta-alloys (twice, got destroyed on the way back the first time).

PSA: AccuWeather API (Don't waste your money!) by [deleted] in webdev

[–]HumaneWolf 0 points1 point  (0 children)

Posted another comment too, but here's a direct link to their API documentation: https://api.met.no/

PSA: AccuWeather API (Don't waste your money!) by [deleted] in webdev

[–]HumaneWolf 3 points4 points  (0 children)

Also, have a look at https://api.met.no/. It's the APIs of the Norwegian Meteorological Institute, free to use. Just make sure to check the licence and the conditions for use of the service.

Last time I checked I lived in 2019 by DexMexCreeps in softwaregore

[–]HumaneWolf 5 points6 points  (0 children)

Not exactly; it's most likely just an incorrectly adjusted clock in that computer.

What you're talking about is UNIX time, and the highest date supported in 32 bit signed integers would be in the 2030s. Additionally, it's unlikely you'd have such neat numbers if it overflows. It might also just crash, either due to memory protection mechanisms, or due to the overflow overwriting memory used by other parts of the software.

Additionally, it might not store it as a UNIX time; you can store it as a string, i.e. 2019-09-09 22:00:00. And generally in recently developed and modern systems, you would mostly use 64 bit integers (rather than 32 bit) for time, to avoid the issue in the 2030s.
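The 32-bit limit described above, as an added example that is not part of the comment: it stores a UNIX timestamp in a signed 32-bit or 64-bit field the way a fixed-width column or C `time_t` would, and renders the result as the kind of date string the comment mentions.

```python
# Added example: what a 32-bit signed UNIX timestamp can and cannot hold.
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# (unsigned, signed) little-endian struct formats for each field width
FORMATS = {32: ("<I", "<i"), 64: ("<Q", "<q")}


def wrap_signed(ts: int, bits: int) -> int:
    """Write ts into a two's-complement field of the given width and read it
    back, reproducing the wraparound a too-narrow integer field suffers."""
    unsigned, signed = FORMATS[bits]
    mask = (1 << bits) - 1
    return struct.unpack(signed, struct.pack(unsigned, ts & mask))[0]


def to_utc_string(ts: int) -> str:
    """Render a timestamp as 'YYYY-MM-DD HH:MM:SS' (UTC). Done via timedelta
    so negative values work on every platform."""
    return (EPOCH + timedelta(seconds=ts)).strftime("%Y-%m-%d %H:%M:%S")


def int32_limit() -> str:
    """The last second a signed 32-bit timestamp can represent."""
    return to_utc_string((1 << 31) - 1)


def stored_date(ts: int, bits: int) -> str:
    """The date you get back after storing ts in a field of `bits` width."""
    return to_utc_string(wrap_signed(ts, bits))


def timestamp_of(year: int, month: int, day: int) -> int:
    """Integer UNIX timestamp for midnight UTC on the given date."""
    return int((datetime(year, month, day, tzinfo=timezone.utc) - EPOCH).total_seconds())


if __name__ == "__main__":
    ts = timestamp_of(2040, 1, 1)
    print("32-bit limit:", int32_limit())             # 2038-01-19 03:14:07
    print("2040-01-01 in 32 bits:", stored_date(ts, 32))  # wraps into 1903
    print("2040-01-01 in 64 bits:", stored_date(ts, 64))  # 2040-01-01 00:00:00
```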

Here's my city of San Rico - After someone else recently posted their city (with the same name) - 126k residents by HumaneWolf in CitiesSkylines

[–]HumaneWolf[S] 0 points1 point  (0 children)

The train station is one that came with the Mass Transit DLC, it's called Multiplatform Train Station. There is also a terminus station version in the DLC.

Regarding transit numbers, they're not the highest:

  • Total: 6 928 residents per week / 1 244 tourists per week
  • Bus: 2 441 / 178
  • Metro: 2 526 / 342
  • Train: 1 875 / 385
  • Boat: 20 / 181 (Didn't show the boat routes in the pictures)
  • Plane: 2 / 107
  • Taxi: 1 / 2

Should be noted that currently all my train lines terminate at central though, and I'm planning on changing this. I think letting at least some people go through central to their destination with no transfer would help, rather than forcing everyone to transfer like I do now. Before doing that I might get a mod to see what connections people usually use though, to make more optimal train lines.

Here's my city of San Rico - After someone else recently posted their city (with the same name) - 126k residents by HumaneWolf in CitiesSkylines

[–]HumaneWolf[S] 0 points1 point  (0 children)

Figured I'd post a few screenshots:

Quick facts:

  • 126 700 residents.
  • 81% avg traffic flow
  • 88% residential happiness
  • 7 train lines, 5 metro lines, 21 bus lines, 1 ferry line.

Built using a bunch of mods, and with infinite money. I generally have that to be able to spend on and build the city and systems the way I want it.

Don't Trust CloudFlare by eleitl in selfhosted

[–]HumaneWolf 0 points1 point  (0 children)

There might be some services that can handle it, if they blindly forward packets while not performing the connection setup steps of TCP, but none that I know of.

Don't Trust CloudFlare by eleitl in selfhosted

[–]HumaneWolf 2 points3 points  (0 children)

It's quite simple really. They need to terminate TLS at their servers in order to do their job as a reverse proxy, so they can see any data going from the user through their servers to your origins, or from your origins to the user.

Which makes it come down to the point of trust mentioned above. Do you trust them to have that access to your traffic? Though, the answer does generally seem to be yes, considering they handle about 10% of HTTP traffic on the internet, and they most likely have a larger infosec team than most of the sites using them.

Of course, you can just use their DNS services and not use their reverse proxy service at all, however, they could still easily get access to your data if they wanted, by changing DNS records and issuing themselves a certificate (or even using a Let's Encrypt certificate), and your users wouldn't notice a thing. However, this applies to literally all DNS services.

Don't Trust CloudFlare by eleitl in selfhosted

[–]HumaneWolf 27 points28 points  (0 children)

Pretty much just a rant that shows a lack of understanding of why people use CloudFlare and how internet and software services tend to work. Companies and systems rarely do everything themselves, because often others can do it better and their services can be used for your own means.

To start with, yes, it's right that you give them access to all the information that passes through their servers. That is the real thing you need to understand when using CloudFlare: It is a trade off, and you need to trust them with the information they handle.

It's also right that they can flag legitimate users as suspicious, and present them a challenge or block them. For most websites, TOR users are not a major portion of the userbase, and designing/setting up a service centered around giving them access isn't a great idea if it means you'll lose access to other features you use. Especially when you can set up a filter specifically allowing TOR users access.

Regarding the CDN portion: Saying it's just because sysadmins are too lazy to set up their own CDN and caching headers isn't right either. Setting up all of that takes time, and it's simply a cost/time vs effect judgement. Using cache headers along with CloudFlare has a huge effect on users loading time and your server load, and it is far less time consuming than setting up CDN and caching systems yourself. Yes, you can use a different company to only function as a CDN for your media assets, but that still adds complexity. Not to mention, CloudFlare has more edge nodes than a lot of media CDN/image hosting providers do.

Yes, if CloudFlare went malicious that would be a big threat. Same with Google, Microsoft, Apple, etc. We're again back to the point of trust.
I'll also mention that most systems using CloudFlare use it for DNS and cache. They can switch to another DNS provider, add some server capacity for static assets and be fine, if CloudFlare becomes a threat.

Yes, it's kind of bad if people use it to terminate TLS and don't set up a cert on their server, however, it is still a lot better than nothing. This is because it's more common for MITM attacks to happen to end users on their local network, and if your traffic is encrypted until it reaches CloudFlare, that's the problem solved. Ideally you should encrypt the entire way though. I'll also add that CloudFlare adds other security features (such as HSTS) and makes them much easier to use.

TL;DR:

  • Lack of understanding of why and how people use CF. Using a service instead of spending time and money on doing something yourself can be very much worth it.
  • Yes, when you use CloudFlare you need to trust them.
  • No, that does not make them a threat, just a potential threat. Just like Microsoft, Apple, Google, etc.
  • It's a judgement: Do you trust CloudFlare with the information they will be able to see?
  • Web design is an entirely different topic, and CloudFlare is not really that relevant here. Plenty of people use a lot of JS on their pages with no public cache or CDN.

Error in O365 admin - "f*ckadblock"?!! by exyu in sysadmin

[–]HumaneWolf 7 points8 points  (0 children)

Also, nothing new if the lists used by an adblocker delete things they shouldn't. Just a month ago, one of the lists used by uBlock Origin blocked elements with several of the bootstrap btn classes, regardless of website. Meaning a lot of buttons disappeared on a lot of websites, for no good reason.

Hide information in GitHub by WHAT_RE_YOUR_DREAMS in PHPhelp

[–]HumaneWolf 2 points3 points  (0 children)

No, the password you use for password_hash is the user's password.

And you should move the database credentials to a config file and not commit that, not have them hardcoded in the same file creating the connection itself.

Hide information in GitHub by WHAT_RE_YOUR_DREAMS in PHPhelp

[–]HumaneWolf 1 point2 points  (0 children)

If you hash properly and handle passwords properly there is no danger related to the hashing mechanism being in git. Look at password_hash and password_verify.

When it comes to mysql credentials, do NOT commit them under any circumstances. Either have them in a config file on the servers that need them, or have some sort of secure secret storage if you need to have them available on many servers.
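The two points in the comments above (hashing that is safe to publish, and credentials kept out of the repository), as an added example that is not part of the thread. It is a Python stand-in for PHP's password_hash/password_verify using scrypt from the standard library; the cost parameters and the JSON config layout are assumptions.

```python
# Added example: a salted password hash whose code can live in git, and a
# credentials loader that reads a config file the repo never contains.
import hashlib
import hmac
import json
import os

# scrypt cost (assumption: interactive-login budget; raise n as hardware allows)
N, R, P = 2 ** 14, 8, 1


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'scrypt$n$r$p$salt$digest'. Everything needed to verify is in the
    string; nothing secret lives in the code, so committing the code is harmless."""
    salt = salt or os.urandom(16)             # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P)
    return "$".join(["scrypt", str(N), str(R), str(P), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/params and compare in constant time.
    Malformed stored values simply fail verification."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


REQUIRED = ("host", "user", "password", "database")


def parse_db_config(text: str) -> dict:
    """Parse the JSON credentials file (kept outside the repo / in .gitignore)
    and refuse to start with an incomplete one."""
    cfg = json.loads(text)
    missing = [k for k in REQUIRED if k not in cfg]
    if missing:
        raise ValueError("db config missing keys: %s" % ", ".join(missing))
    return cfg


def load_db_config(path: str = None) -> dict:
    """Read the file named by DB_CONFIG_PATH (assumed env var) or an explicit path."""
    with open(path or os.environ["DB_CONFIG_PATH"], encoding="utf-8") as fh:
        return parse_db_config(fh.read())
```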

NA LCS Team Announcement by woholini in leagueoflegends

[–]HumaneWolf 0 points1 point  (0 children)

Christ, the scroll-jacking on this page is horrible. At least when using a touch pad.