Privacy Gateway: a privacy preserving proxy built on Internet standards

Privacy Gateway: a privacy preserving proxy built on Internet standards
Privacy Gateway: a privacy preserving proxy built on Internet standards

If you’re running a privacy-oriented application or service on the Internet, your options to provably protect users’ privacy are limited. You can minimize logs and data collection but even then, at a network level, every HTTP request needs to come from somewhere. Information generated by HTTP requests, like users’ IP addresses and TLS fingerprints, can be sensitive especially when combined with application data.

Meaningful improvements to your users’ privacy require a change in how HTTP requests are sent from client devices to the server that runs your application logic. This was the motivation for Privacy Gateway: a service that relays encrypted HTTP requests and responses between a client and application server. With Privacy Gateway, Cloudflare knows where the request is coming from, but not what it contains, and applications can see what the request contains, but not where it comes from. Neither Cloudflare nor the application server has the full picture, improving end-user privacy.

We recently deployed Privacy Gateway for Flo Health Inc., a leading female health app, for the launch of their Anonymous Mode. With Privacy Gateway in place, all request data for Anonymous Mode users is encrypted between the app user and Flo, which prevents Flo Continue reading

Stronger than a promise: proving Oblivious HTTP privacy properties

Stronger than a promise: proving Oblivious HTTP privacy properties
Stronger than a promise: proving Oblivious HTTP privacy properties

We recently announced Privacy Gateway, a fully managed, scalable, and performant Oblivious HTTP (OHTTP) relay. Conceptually, OHTTP is a simple protocol: end-to-end encrypted requests and responses are forwarded between client and server through a relay, decoupling who from what was sent. This is a common pattern, as evidenced by deployed technologies like Oblivious DoH and Apple Private Relay. Nevertheless, OHTTP is still new, and as a new protocol it’s imperative that we analyze the protocol carefully.

To that end, we conducted a formal, computer-aided security analysis to complement the ongoing standardization process and deployment of this protocol. In this post, we describe this analysis in more depth, digging deeper into the cryptographic details of the protocol and the model we developed to analyze it. If you’re already familiar with the OHTTP protocol, feel free to skip ahead to the analysis to dive right in. Otherwise, let’s first review what OHTTP sets out to achieve and how the protocol is designed to meet those goals.

Decoupling who from what was sent

OHTTP is a protocol that combines public key encryption with a proxy to separate the contents of an HTTP request (and response) from the sender of an HTTP request. Continue reading

Leave BGP Next Hops Unchanged on Reflected Routes

Here’s the last question I’ll answer from that long list Daniel Dib posted weeks ago (answer to Q1, answer to Q2).

I am trying to understand what made the BGP designers decide that RR should not change the BGP Next Hop for IBGP-learned routes.

If anyone wants to have the answer to the very last question in Daniel’s list, they’re free to search for “BGP Next Hops” on my blog and start exploring. Studying OSPF Forwarding Address might provide additional clues.
Read more …

Leave BGP Next Hops Unchanged on Reflected Routes

Here’s the last question I’ll answer from that long list Daniel Dib posted weeks ago (answer to Q1, answer to Q2).

I am trying to understand what made the BGP designers decide that RR should not change the BGP Next Hop for IBGP-learned routes.

If anyone wants to have the answer to the very last question in Daniel’s list, they’re free to search for “BGP Next Hops” on my blog and start exploring. Studying OSPF Forwarding Address might provide additional clues.
Read more …

Broadcom CEO: What the VMware merger will look like

There has been much teeth-gnashing, mixed with a little obfuscation and concern, about what the merged VMware and Broadcom might look like and what it will mean to customers.   Broadcom President and CEO Hock Tan has taken to his blog to offer some details about what he expects the deal will mean to Broadcom and try to ease some customer concerns.One worry: cost of products going forward. “Following the purchases of CA and Symantec, Broadcom raised prices, decreased support, and stopped investing in innovation,” Tracy Woo, senior analyst for Forrester told Network World in a recent article. “VMware customers would be wise to have an exit plan,” she cautioned.To read this article in full, please click here

Broadcom CEO: What the VMware merger will look like

There has been much teeth-gnashing, mixed with a little obfuscation and concern, about what the merged VMware and Broadcom might look like and what it will mean to customers.   Broadcom President and CEO Hock Tan has taken to his blog to offer some details about what he expects the deal will mean to Broadcom and try to ease some customer concerns.One worry: cost of products going forward. “Following the purchases of CA and Symantec, Broadcom raised prices, decreased support, and stopped investing in innovation,” Tracy Woo, senior analyst for Forrester told Network World in a recent article. “VMware customers would be wise to have an exit plan,” she cautioned.To read this article in full, please click here

Broadcom CEO outlines what combined Broadcom and VMware might look like

There has been much teeth-gnashing, mixed with a little obfuscation and concern, about what the merged VMware and Broadcom might look like and what it will mean to customers.   On Thursday, Broadcom President and CEO Hock Tan took to his blog to offer some details about what he expects the VMware buy will mean to Broadcom and try to ease some of the concerns customers are having.One of the apprehensions for all customers is cost of products going forward. “Following the purchases of CA and Symantec, Broadcom raised prices, decreased support, and stopped investing in innovation,” Tracy Woo, senior analyst for Forrester told Network World in a recent article. “VMware customers would be wise to have an exit plan,” she cautioned.To read this article in full, please click here

Broadcom CEO outlines what combined Broadcom and VMware might look like

There has been much teeth-gnashing, mixed with a little obfuscation and concern, about what the merged VMware and Broadcom might look like and what it will mean to customers.   On Thursday, Broadcom President and CEO Hock Tan took to his blog to offer some details about what he expects the VMware buy will mean to Broadcom and try to ease some of the concerns customers are having.One of the apprehensions for all customers is cost of products going forward. “Following the purchases of CA and Symantec, Broadcom raised prices, decreased support, and stopped investing in innovation,” Tracy Woo, senior analyst for Forrester told Network World in a recent article. “VMware customers would be wise to have an exit plan,” she cautioned.To read this article in full, please click here

Network Automation with CUE – Introduction

In the past few years, network automation has made its way from a new and fancy way of configuring devices to a well-recognized industry practice. What started as a series of “hello world” examples has evolved into an entire discipline with books, professional certifications and dedicated career paths. It’s safe to say that today, most large-scale networks (>100 devices) are at least deployed (day 0) and sometimes managed (day 1+) using an automated workflow. However, at the heart of these workflows are the same exact principles and tools that were used in the early days. Of course, these tools have evolved and matured but they still have the same scope and limitations. Very often, these limitations are only becoming obvious once we hit a certain scale or complexity, which makes it even more difficult to replace them. The easiest option is to accept and work around them, forcing the square peg down the round hole. In this post, I’d like to propose an alternative approach to what I’d consider “traditional” network automation practices by shifting the focus from “driving the CLI” to the management of data. I believe that this adjustment will enable us to build automation workflows that are Continue reading

No way to parse integers in C

There are a few ways to attempt to parse a string into a number in the C standard library. They are ALL broken.

Leaving aside the wide character versions, and staying with long (skipping int, long long or intmax_t, these variants all having the same problem) there are three ways I can think of:

  1. atol()
  2. strtol() / strtoul()
  3. sscanf()

They are all broken.

What is the correct behavior, anyway?

I’ll start by claiming a common sense “I know it when I see it”. The number that I see in the string with my eyeballs must be the numerical value stored in the appropriate data type. “123” must be turned into the number 123.

Another criteria is that the WHOLE number must be parsed. It is not OK to stop at the first sign of trouble, and return whatever maybe is right. “123timmy” is not a number, nor is the empty string.

Failing to provide the above must be an error. Or at least as the user of the parser I must have the option to know if it happened.

First up: atol()

Input Output
123timmy 123
99999999999999999999999999999999 LONG_MAX
timmy 0
empty string 0
" " 0

No. All Continue reading

Counting individual characters on Linux

Determining how many characters are in a file is easy on the Linux command line: use the ls -l command.On the other hand, if you want to get a count of how many times each character appears in your file, you’re going to need a considerably more complicated command or a script. This post covers several different options.Counting how many times each character appears in a file To count how many of each character are included in a file, you need to string together a series of commands that will consider each character and use a sort command before it counts how many of each character are included.To do that, you can use a command like this one:To read this article in full, please click here

Counting individual characters on Linux

Determining how many characters are in a file is easy on the Linux command line: use the ls -l command.On the other hand, if you want to get a count of how many times each character appears in your file, you’re going to need a considerably more complicated command or a script. This post covers several different options.Counting how many times each character appears in a file To count how many of each character are included in a file, you need to string together a series of commands that will consider each character and use a sort command before it counts how many of each character are included.To do that, you can use a command like this one:To read this article in full, please click here

Day Two Cloud 169: Splitting Up Mono-Repositories In Infrastructure As Code

Today on the Day Two Cloud podcast we're going to talk with someone who was part of a DevOps teams deploying Infrastructure as Code (IaC) and applications in the public cloud. This project ran into challenges around scaling, the environments they needed to support, how to store certain artifacts, working with pipeline, and breaking up a monolithic repo into smaller repos and the repercussions of that decision.

Day Two Cloud 169: Splitting Up Mono-Repositories In Infrastructure As Code

Today on the Day Two Cloud podcast we're going to talk with someone who was part of a DevOps teams deploying Infrastructure as Code (IaC) and applications in the public cloud. This project ran into challenges around scaling, the environments they needed to support, how to store certain artifacts, working with pipeline, and breaking up a monolithic repo into smaller repos and the repercussions of that decision.

The post Day Two Cloud 169: Splitting Up Mono-Repositories In Infrastructure As Code appeared first on Packet Pushers.

Cisco issues fixes for active exploits of its Windows VPN clients

Cisco is offering software updates for two of its AnyConnect for Windows products it says are actively being exploited in the field.AnyConnect for Windows is security software package, in this case for Windows machines, that sets up VPN connectivity, provides access control and supports other endpoint security features. Cisco said AnyConnect products for MacOS, Linux are not affected.Cisco said its Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability, which is described in this advisory.To read this article in full, please click here

Cisco issues fixes for active exploits of its Windows VPN clients

Cisco is offering software updates for two of its AnyConnect for Windows products it says are actively being exploited in the field.AnyConnect for Windows is security software package, in this case for Windows machines, that sets up VPN connectivity, provides access control and supports other endpoint security features. Cisco said AnyConnect products for MacOS, Linux are not affected.Cisco said its Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability, which is described in this advisory.To read this article in full, please click here

1 446 447 448 449 450 3,875