Understanding Our Cache and the Web Cache Deception Attack

About a month ago, security researcher Omer Gil published the details of an attack that he calls the Web Cache Deception attack. It works against sites that sit behind a reverse proxy (like Cloudflare) and are misconfigured in a particular way. Unfortunately, the definition of "misconfigured" for the purposes of this attack changes depending on how the cache works. In this post, we're going to explain the attack and then describe the algorithm that our cache uses to decide whether or not to cache a given piece of content so that customers can be sure that they are secure against this attack.

The Attack

First, we'll explain the basics of the Web Cache Deception attack. For those who want a more in-depth explanation, Omer's original post is a great resource.

CC BY-SA 2.0 image by shelleygibb

Imagine that you run the social media website example.com, and that each of your users has a newsfeed at example.com/newsfeed. When a user navigates to their newsfeed, the HTTP request generated by their browser might look something like this:

GET /newsfeed HTTP/1.1  
Host: example.com  
...

If you use Cloudflare, you don't want us to cache this request because if Continue reading

Dictionary: Temporal Factoring

Define Temporal Factoring

The post Dictionary: Temporal Factoring appeared first on EtherealMind.

24% off NETGEAR CM700 DOCSIS 3.0 Cable Modem 1.4Gbps Certified for XFINITY, Time Warner, Charter, and More – Deal Alert

The NETGEAR CM700 High Speed Cable Modem is certified to work with most major cable providers, and may save you $100 or more annually by eliminating modem rental fees you may currently be paying. It provides a connection to high-speed cable Internet with speeds up to 1.4 Gbps. It is CableLabs certified DOCSIS 3.0 that is 32X faster than 2.0 devices. A Gigabit Ethernet port provides faster access and downloads. Its typical list price of $129.99 has been reduced to $99. See this deal now on Amazon.To read this article in full or to leave a comment, please click here

24% off NETGEAR CM700 DOCSIS 3.0 Cable Modem 1.4Gbps Certified for XFINITY, Time Warner, Charter, and More – Deal Alert

Avaya’s post-bankruptcy plan should not impact customers, partners

On Good Friday 2017, the Easter Bunny dropped off Avaya’s Chapter 11 plan for reorganization at the U.S. Bankruptcy Court for the Southern District of N.Y. The plan is aimed at significantly cutting Avaya’s pre-filing debt, which had become an anchor around an otherwise healthy and profitable company. The reduction of debt will strengthen the company’s balance sheet, putting the company in a position to be successful in the future. A healthy financial position leads to M&A opportunities, funding of R&D, hiring of new sales people or any other number of options. + Also on Network World: Avaya files Chapter 11 reorg plan, reduces debt by $4 billion | 4 possible outcomes for Avaya + The proposed plan includes the following terms:To read this article in full or to leave a comment, please click here

Avaya’s post-bankruptcy plan should not impact customers, partners

How will future cars stay up-to-date? Make them open like a PC

The future seems bright for the automobile. A whole host of technologies -- including self-driving systems – is set to reinvent the auto industry, making cars more computerized than ever.But not everyone shares a rosy outlook. “I know what is going to happen in the future and I don’t like it,” said Bruce Perens, a leading open source advocate. “And I would like to guide it in a somewhat different direction.”His fear is that consumers who buy next-generation cars will face obstacles to modifying or repairing them -- like purchasing a smartphone, only far more expensive, with manufacturers in sole control over the tech upgrades.To read this article in full or to leave a comment, please click here

How will future cars stay up-to-date? Make them open like a PC

Avaya files Chapter 11 reorg plan, reduces debt by $4 billion

Avaya has filed a chapter 11 reorganization plan the company says will significantly reduce Avaya's pre-filing debt, strengthening its balance sheet and improve financial flexibility and position it for long-term success.+More on Network World: Avaya plan deploys network virtualization, segmentation to guard business jewels+Under the proposed plan, which must be approved by the United States Bankruptcy Court for the Southern District of New York a number of actions are proposed, including:To read this article in full or to leave a comment, please click here

Avaya files Chapter 11 reorg plan, reduces debt by $4 billion

Understand more, fear less: How the future of the Internet can be designed with a human face

Last week, the G20’s ministers responsible for the digital economy met in Düsseldorf to prepare this year´s G20 summit, scheduled for Hamburg, July 2017. Building on important strides initiated two years ago during the G20 summit in Antalya and based on the G20 Digital Economy Development and Cooperation Initiative (DEDCI), which was adopted last year under the Chinese G20 presidency, the Düsseldorf meeting adopted a “ G20 Digital Economy Ministerial Declaration” which includes also a “Roadmap for Digitalisation”.

Constance Bommelaer de Leusse

Wolfgang Kleinwächter

IoT device sales set to surge in next decade

The number of Internet of Things devices used to spark the "smart" in smart cities is projected to surge six-fold in the next decade, according to a new forecast from market research firm IHS Markit.Shipments of devices like sensors and nodes that detect pedestrians and traffic and measure water and air pollution are expected to hit 202 million devices globally this year, then grow to 1.4 billion by 2026, IHS Markit said in a report released Thursday.[ Further reading: Dead men may tell no tales, but IoT devices do ] "The smart city market continues to grow, presenting great opportunities for all players, despite its current fragmented state," said the report's author, Pablo Tomasi, a senior analyst in smart cities and IoT at IHS Markit.To read this article in full or to leave a comment, please click here

Microsoft sets May 9 as original Windows 10’s retirement date

As expected, Microsoft named May 9 as the date it will issue the final updates for the debut edition of Windows 10 that launched in 2015.Two months ago, Microsoft had extended support for Windows 10 version 1507 -- Microsoft labels feature upgrades by year and month -- from March to May, but did not specify the date in the latter month. Computerworld anticipated May 9 as the end-of-support because that is the date for the month's Patch Tuesday.[ Further reading: Support family and friends with Windows 10’s new Quick Assist app ] The May 9 retirement was quietly announced on several support documents, including the "Windows lifecycle fact sheet," which lists several kinds of deadlines for various versions of the operating system.To read this article in full or to leave a comment, please click here

Microsoft Edge gets 5 key improvements with the Creators Update

Microsoft Edge’s improvements with the Windows 10 Creators Update may finally make it a browser worth talking about. It debuted to shrugs with the original Windows 10 and saw incremental improvements with the Anniversary Update.Edge is still catching up to Google Chrome and Mozilla Firefox, but the browser now offers a few welcome new additions, as well as one significant change that can’t be beat on Windows 10, at least not yet. Here are the five key improvements you should check out.To read this article in full or to leave a comment, please click here

Is San Francisco becoming the new Silicon Valley?

SAN FRANCISCO -- Silicon Valley is having growing pains.Stanford and Palo Alto, where Bill Hewlett and David Packard formed Hewlett Packard, were long considered the birthplace of Silicon Valley. But as chip and other hardware firms grew up further south, San Jose declared itself the "Capital of Silicon Valley." The area is littered with tech giants, from Apple and HP to Intel, Cisco and eBay."In a 15-mile radius you have six of the top 10 technology companies in the world and the largest body of highly successful talent pools," said Jed Yueh, chairman and founder of Delphix, a data virtualization company based in Redwood City -- just south of Belmont, Calif.-based Oracle.To read this article in full or to leave a comment, please click here

In India, people can now use their thumbs to pay at stores

In its bid to boost digital payments, India introduced Bhim, a smartphone app that lets users make cashless payments and transfer funds.But the Android and iOS versions of Bhim, which stands for Bharat Interface for Money, ran into two roadblocks – many Indians don’t have smartphones and those who have phones cannot afford data connections.On Friday, India's Prime Minister Narendra Modi launched Bhim-Aadhaar, a merchant interface for the Bhim app that allows Indians to pay digitally at stores using their thumb imprint through a merchants’ biometric-enabled device, which could be a smartphone having a reader and running the Bhim app.To read this article in full or to leave a comment, please click here

Packet Blast: Top Tech Blogs, April 14

We collect the top expert content in the infrastructure community and fire it along the priority queue.

Programmable ASICs on Software Gone Wild

During Cisco Live Europe 2017 (where I got thanks to the Tech Field Day crew kindly inviting me) I had a nice chat with Peter Jones, principal engineer @ Cisco Systems. We started with a totally tangential discussion on why startups fail, and quickly got back to flexible hardware and why one would want to have it in a switch.