Most active commenters

    ←back to thread

    Writing "/etc/hosts" breaks the Substack editor

    (scalewithlee.substack.com)
    603 points scalewithlee | 19 comments | 25 Apr 25 13:48 UTC | HN request time: 0.001s | source | bottom
    Show context
    Y_Y ◴[25 Apr 25 14:13 UTC] No.43793778[source]
    Does it block `/etc//hosts` or `/etc/./hosts`? This is a ridiculous kind of whack-a-mole that's doomed to failure. The people who wrote these should realize that hackers are smarter and more determined than they are and you should only rely on proven security, like not executing untrusted input.
    replies(6): >>43793862 #>>43793868 #>>43793954 #>>43794072 #>>43794473 #>>43802345 #
    1. mystifyingpoi ◴[25 Apr 25 14:20 UTC] No.43793862[source]
    No one expects any WAF to be a 100% solution that catches all exfiltration attempts ever, and it should not be treated this way. But having it is generally better than not having it.
    replies(7): >>43793876 #>>43793969 #>>43794144 #>>43794428 #>>43795337 #>>43796158 #>>43796295 #
    2. paxys ◴[25 Apr 25 14:22 UTC] No.43793876[source]
    > But having it is generally better than not having it.

    So is HN and every other site in the world insecure because it allows users to post "/etc/hosts" ?

    replies(3): >>43793948 #>>43793953 #>>43794001 #
    3. mystifyingpoi ◴[25 Apr 25 14:28 UTC] No.43793948[source]
    Maybe? I don't know nor care. Assuming that HN has a vuln with path traversal, a sanely configured WAF would block the traversal attempt.
    replies(2): >>43793977 #>>43794135 #
    4. ◴[25 Apr 25 14:28 UTC] No.43793953[source]
    5. smallnix ◴[25 Apr 25 14:29 UTC] No.43793969[source]
    Dropping 0.5% of requests will prevent even the most sophisticated attacks (think APT!). Sometimes.
    replies(1): >>43794512 #
    6. smallnix ◴[25 Apr 25 14:30 UTC] No.43793977{3}[source]
    *some traversal attempts
    7. ◴[25 Apr 25 14:32 UTC] No.43794001[source]
    8. latexr ◴[25 Apr 25 14:45 UTC] No.43794135{3}[source]
    I propose someone who doesn’t know or care how a system works shouldn’t be prescribing what to do to make it secure. Otherwise this is like suggesting every gate must have a lock to be secure, even those which aren’t connected to any walls.

    https://i.imgur.com/ntYUQB1.jpeg

    replies(1): >>43797156 #
    9. simonw ◴[25 Apr 25 14:45 UTC] No.43794144[source]
    "But having it is generally better than not having it."

    I believe the exact opposite.

    One (of many) reasons is that it can make your code less secure, by hiding your security mistakes from you.

    If your WAF obscures escaping issues during your own testing and usage you could very easily let those escaping issues go unresolved - leaving you vulnerable to any creative attacker who can outsmart your WAF.

    replies(1): >>43794869 #
    10. wyager ◴[25 Apr 25 15:14 UTC] No.43794428[source]
    > But having it is generally better than not having it.

    Why? It obviously has an annoying cost and equally obviously won't stop any hacker with a lukewarm IQ

    11. pyrale ◴[25 Apr 25 15:20 UTC] No.43794512[source]
    Dropping 95% is even more secure, plus it lives the lucky few that get past it a sense of pride and exclusivity.
    replies(1): >>43794827 #
    12. Y_Y ◴[25 Apr 25 15:43 UTC] No.43794827{3}[source]
    Is that like a "sense of pride and accomplishment"?

    https://knowyourmeme.com/memes/events/star-wars-battlefront-...

    13. RamRodification ◴[25 Apr 25 15:46 UTC] No.43794869[source]
    If you are in charge of testing code for escaping issues, and you do that through a WAF, you might not be very good at your job.
    14. rcxdude ◴[25 Apr 25 16:16 UTC] No.43795337[source]
    Is it? The WAF is also now an attack surface itself, and I don't think WAFs have exactly proven themselves as something that meaningfully increases security. They certainly break things unpredictably, though.
    15. Macha ◴[25 Apr 25 17:14 UTC] No.43796158[source]
    > But having it is generally better than not having it.

    The problem is that generally you're breaking actual valid use cases as the tradeoff to being another layer of defense against hypothetical vulnerabilities.

    Yes, discussing the hosts file is a valid use case.

    Yes putting angle brackets in the title of your message is valid use case your users are going to want.

    Yes putting "mismatched" single quotes inside double quotes is a thing users will do.

    Yes your users are going to use backslashes and omit spaces in a way that looks like attempts at escaping characters.

    (All real problems I've seen caused by overzealous security products)

    16. wavemode ◴[25 Apr 25 17:25 UTC] No.43796295[source]
    No, that logic doesn't follow. If your application is so hopelessly vulnerable as to benefit from such naive filtering of the text "/etc/hosts, then your application is still going to be vulnerable in precisely the same ways, with just slightly modified inputs.

    It is net zero for security and net negative for user experience, so having it is worse than not having it.

    replies(1): >>43797432 #
    17. MatthiasPortzel ◴[25 Apr 25 18:41 UTC] No.43797156{4}[source]
    > someone who doesn’t know or care how a system works shouldn’t be prescribing what to do to make it secure

    The part that’s not said outloud is that a lot of “computer security” people aren’t concerned with understanding the system. If they were, they’d be engineers. They’re trying to secure it without understanding it.

    replies(1): >>43800393 #
    18. serial_dev ◴[25 Apr 25 19:06 UTC] No.43797432[source]
    Net zero for security might be generous.

    The way I assume it works in practice on a real team is that after some time, most of your team will have no idea how the WAF works and what it protects against, where and how it is configured… but they know it exists, so they will no longer pay attention to security because “we have a tool for that”, especially when they should have finished that feature a week ago…

    19. saagarjha ◴[26 Apr 25 02:27 UTC] No.43800393{5}[source]
    Good computer security people are engineers.