Not only does Cloudflair ruin Tor access. https://www.lowendtalk.com/discussion/106740/serious-security-issue-at-cloudflare-change-all-your-passwords-now
[00:20] <joepie91> cloudflare severely fucked up [00:20] <joepie91> .t https://bugs.chromium.org/p/project-zero/issues/detail?id=1139 [00:20] <EmmyNoether> 1139 - cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory - project-zero - Monorail [00:21] <joepie91> choice quotes: "I didn't realize how much of the internet was sitting behind a Cloudflare CDN until this incident." [00:21] <joepie91> "Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt. Needless to say, this did not convey to me that they take the program seriously." [00:21] <joepie91> "Cloudflare did finally send me a draft. It contains an excellent postmortem, but severely downplays the risk to customers. They've left it too late to negotiate on the content of the notification." [00:22] <joepie91> "The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup." Freenet: > An anonymous FMS user raised this point. > > freenet:USK@KOn1onAO97w3RNzAgcTsqSW6WAliG4EgevONnn4-qMs,k5~fkfH1PYnPABwkLAQSXUoeoX1Gh3fTXxk-pC2ujRM,AQACAAE/maybe-the-new-freenetproject.org-website/0/ > > Ian: >> Re: deployment, I think the ideal would be automatic deployment from the >> github repo on a merge to a production branch. I assume we can do that via >> an >> AWS Lambda? >> >> >> >> >> >> On Thu, Feb 23, 2017 12:40 AM, Dan Roberts [email protected] wrote: >> The website is fully static and should be fine with s3 + cloudflare. I don't >> think it makes much sense to use github for any of this hosting, we already >> threw out all of the advantages we'd get from it back in october or november >> for >> the translation support, and switching to pelican didn't change the >> situation. >> The pending question for me is how to handle deployment, I figure I'll end up >> working with Florent to develop a lambda job, it should be pretty straight >> forward. >> Thanks,Dan >> >> On Wed, Feb 22, 2017 at 1:03 PM, Ian <[email protected]> wrote: >> Dan, can you clarify the current plan for website hosting per Nextgens' >> questions below? >> Ian. >> >> >> >> >> >> On Wed, Feb 22, 2017 2:29 AM, Florent Daigniere [email protected] >> wrote: >> We need to know what we are hosting before we can make any determination >> >> here... Last I've heard, the plan was to start with github's hosting >> >> facility and to put either cloudflare or cloudfront in front (since >> >> github doesn't do SSL). If it turns out that we have a fully static >> >> website, I suggest we do s3 + cloudfront (SSL all the way instead). I >> >> have said that I would take care of it and I will, provided the new >> >> website materialises. >> >> >> >> >> There are numerous related quirks that need ironing out; Fred pins the >> >> certificate authority FPI uses to securely fetch plugins and last-resort >> >> updates... this means that changing the CA we use will take a mandatory >> >> release (which obviously involves some planning). >> >> >> >> >> By the way, we need to plan for the mailserver / mailman too (this is >> >> also reliant on having a valid certificate as currently configured). >> >> >> >> >> Florent >> >> >> >> >> On Tue, 2017-02-21 at 14:26 -0500, Steve Dougherty wrote: >> >>> Sure, I'll discuss this with nextgens. >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> -------- Original Message -------- >> >>> On Feb 21, 2017, 11:42 AM, Ian wrote: >> >>> >> >>> >> >>> >> >>> Steve, are you in a position to take ownership of this task (renewing >> >>> our cert and migrating to Let's Encrypt)? >> >>> >> >>> What about using AWS, don't they do free certs now? It seems like >> >>> Florent is keen on migrating everything to AWS (except for what's on >> >>> Github), if so it might be nice to have the cert through AWS too (and >> >>> AWS has good multi-user functionality). >> >>> >> >>> Ian. >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> On Tue, Feb 21, 2017 9:31 AM, Steve [email protected] >> >>> wrote: >> >>> >> >>> -------- Original Message -------- >> >>> >> >>> >> >>> >> >>> >> >>> Subject: Re: [freenet-dev] 5 weeks till our SSL certificate expires >> >>> >> >>> Local Time: February 21, 2017 8:07 AM >> >>> >> >>> UTC Time: February 21, 2017 1:07 PM >> >>> >> >>> From: [email protected] >> >>> >> >>> To: Discussion of development issues <[email protected]>, >> >>> Florent Daignière <[email protected]> >> >>> >> >>> >> >>> >> >>> >> >>> Did we migrate over to AWS for SSL? I'm not at all familiar with how >> >>> this is >> >>> >> >>> set up - who is? Florent? >> >>> >> >>> >> >>> >> >>> >> >>> We bought an SSL cert from Alpha SSL and use it with Apache on osprey. >> >>> My inclination would be to move to Let's Encrypt. >> >>> >> >>> _______________________________________________ >> >>> >> >>> Devl mailing list >> >>> >> >>> [email protected] >> >>> >> >>> https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl >> >>> _______________________________________________ >> >>> Devl mailing list >> >>> [email protected] >> >>> https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl >> _______________________________________________ >> Devl mailing list >> [email protected] >> https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl >> > _______________________________________________ > Devl mailing list > [email protected] > https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl > _______________________________________________ Devl mailing list [email protected] https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
