Troy Hunt

JULY 20, 2018

The most unexpected outcome of those discussions was a real flat-earther chiming into the Twitter discussion after someone made the innocent mistake of using the #FlatEarth hash tag to describe people decrying HTTPS. Plus there's my post on a whole bunch of nifty Azure Function and Cloudflare Workers bits. Enjoy: References.

116

116

Troy Hunt

FEBRUARY 1, 2018

I also can't add custom headers via Cloudflare at "the edge"; I'm serving the HSTS header from there because there's first class support for that in the GUI , but not for CSP either specifically in the GUI or via custom response headers. Another reoccurring issue was the presence of onClick events on some tags.

117

117

Security Affairs

DECEMBER 10, 2021

IT giants like Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, and NetEase are running servers potentially affected by the issue. Query our API for "tags=CVE-2021-44228" for source IP addresses and other IOCs. Open-source projects like ElasticSearch, Elastic Logstash, Redis, and the NSA’s Ghidra also use the library.

Data breaches 144

Data breaches Marketing Hacking Information Security 144

Malwarebytes

JUNE 1, 2022

But here’s something to consider: According to research by Cloudflare , 20 percent of websites that serve ads receive visits almost exclusively by fraudulent click bots, and that bots comprise roughly 50 percent of all Internet traffic. Plus, that sounds a lot better than tagging another tracker on us. Hiding consent.

Advertising 106

Advertising Internet Internet Mobile 106

Kali Linux

FEBRUARY 27, 2024

For Kali Linux we use a mixed approach: it is distributed in part thanks to 50+ mirrors across the world, and in part thanks to the Cloudflare CDN that acts as a ubiquitous mirror. We are lucky to benefit from a very generous sponsorship from Cloudflare since 2019. Your browser does not support the video tag.

Software 145

Software Firmware VPN Internet 145

Troy Hunt

SEPTEMBER 26, 2018

No HTML tags. I set my desktop to manually resolve through Cloudflare's 1.1.1.1 Somewhere in the middle is a responsible approach, for example the sponsorship banner you see at the top of this blog. Companies I choose to partner with get to appear there and they get themselves 140 characters and a link. That is all. No tracking.

DNS 274

DNS Risk 274

Malwarebytes

MAY 13, 2021

The way it is injected in compromised sites is by editing the shortcut icon tags with a path to the fake PNG file. There is a lot of publicly documented material on the activities of Group 1 also known for their ‘ ant and cockroach ‘ skimmer, their decoy CloudFlare library or their abuse of favicon files.

Malware 108

Malware Hacking Software Cybercrime 108

Troy Hunt

AUGUST 21, 2023

There had to be a better way, which brings us to Cloudflare's Turnstile : With Turnstile, we adapt the actual challenge outcome to the individual visitor or browser. The final step is to validate the token and for this I'm using a Cloudflare worker. Here's how it works: Get it?

Firewall 199

Firewall Authentication Internet Internet 199

Kali Linux

DECEMBER 8, 2021

But did you know that it’s also possible to configure Kali to get its package from the Cloudflare CDN ? But what’s new is that you can now use kali-tweaks to quickly configure whether APT should use community mirrors or the Cloudflare CDN. So which one is best, community mirrors or Cloudflare CDN?

Social Engineering 52

Social Engineering VPN Architecture Engineering 52

SiteLock

DECEMBER 9, 2021

Trying to manually browse to the site also yields the same results, however it is a Cloudflare error 1020, meaning that the request to the website was blocked. This can be done using regular expressions to look for opening php tags or other strings that could alert to a malicious upload.

Malware 52

Malware Engineering Information Security Hacking 52

SC Magazine

APRIL 22, 2021

At a glance, you can see how many IP-based assets the organization has connected to CloudFlare, hosted by AWS, running on Linode or hiding on DigitalOcean (that’s where we all run our Shadow IT stuff, right?). While the labels seem accurate, there is no reason listed as to why each domain has been tagged as abandoned.

Penetration Testing 87

Penetration Testing Technology Marketing Engineering 87

Troy Hunt

JUNE 30, 2022

Four and a half years ago now, I rolled out version 2 of HIBP's Pwned Passwords that implemented a really cool k-anonymity model courtesy of the brains at Cloudflare. Later in 2018, I did the same thing with the email address search feature used by Mozilla, 1Password and a handful of other paying subscribers.

Passwords 307

Passwords Identity Theft Consumer Services Password Management 307

Troy Hunt

AUGUST 7, 2020

Many of the services that HIBP runs on are provided free by the likes of Cloudflare. For free, because he's a good bloke and Cloudflare supported him. The very second blog post on that tag was about how I used Azure Table Storage to make it so fast and so cheap.

Passwords 364

Passwords Architecture Data breaches Internet 364

Troy Hunt

JULY 23, 2018

Cloudflare makes it easy! SecureOnChrome [link] pic.twitter.com/r2HWkfRofW — Cloudflare (@Cloudflare) July 23, 2018. Continuing that growth rate would take the number to something similar to Cloudflare's above as of now. Make sure your site redirects to #HTTPS , so you don’t have the same problem.

Government 165

Government VPN Banking 165

Troy Hunt

NOVEMBER 5, 2018

Getting back to the Cloudflare error, a cursory review of the service didn't show any obvious issues. Besides, the ASafaWeb tag on my blog contains many posts that do a great job of explaining the rationale behind the scans.

Technology 193

Technology Architecture Marketing Internet 193

Troy Hunt

NOVEMBER 14, 2018

Some brief background first as I'll be sharing this post with a bunch of folks for which this may be new: A CSP is a response header or meta tag that allows you to declare a policy for your website declaring what sorts of content can be loaded from where.

Media 213

Media Accountability Technology 213

Troy Hunt

DECEMBER 3, 2023

And that's precisely what this 185th blog post tagging HIBP is - the noteworthy things of the years past, including a few things I've never discussed publicly before. And now, a 10th birthday blog post about what really sticks out a decade later. You know why it's called "Have I Been Pwned"? requests in a single day.

Data breaches 363

Data breaches Passwords Internet Internet 363

Troy Hunt

JUNE 15, 2023

We can't add a meta tag. Something else I've been working away on in the background is to better leverage Cloudflare's WAF to minimise the impact on the origin services. We don't have any of those 4 aliases on our domain. We can't upload a file. We can't touch DNS.

Accountability 231

Accountability Small Business InfoSec DNS 231

Security Boulevard

JUNE 15, 2023

Data stolen from the infected system is labeled with specific binary tags that identify the type of information when it is sent to the C2 server. After the new DNS registration by the Grand persona, the domain was initially live via authoritative DNS in regway.com on 2023-10-08, and then migrated to Cloudflare DNS on 2023-10-11.

Cryptocurrency 52

Cryptocurrency Password Management Malware DNS 52

Troy Hunt

MARCH 21, 2018

Transparency has been a huge part of that effort and I've always written and spoken candidly about my thought processes, how I handle data and very often, the mechanics of how I've built the service (have a scroll through the HIBP tag on this blog for many examples of each).

Data breaches 181

Data breaches Government Passwords Media 181

Troy Hunt

FEBRUARY 11, 2018

This tag was in the source code over at secure.donaldjtrump.com/donate-homepage yet it was pulling script directly off Igor Escobar's GitHub repository for the project. You can safely use an integrity attribute on your script tag because if ever we want to change the implementation, we'll simply rev the version. from its current state.

Government 244

Government Risk Software Technology 244