
166 points rldjbpin | 3 comments
1. Havoc No.45114124
Similarly, a lot of projects using gradio come with a tunnel/public proxy enabled out of the box, i.e. instantly publicly accessible just by running it. Behind a long, unique, UUID-looking URL which provides some measure of security by obscurity, but wow, I was still surprised the first time I saw that.

Must be a good time to be in the security space with this sort of stuff, plus the inevitable vibe-code security carnage.

replies(1): >>45114697 #
2. ahtihn No.45114697
> Behind a long, unique, UUID-looking URL which provides some measure of security by obscurity

That's not security by obscurity.

If the "UUID-looking" part is generated using a CSPRNG and has enough entropy, it has the same security properties as any other secret.

There are other issues with having the secret in the URL.

replies(1): >>45133125 #
3. oceanplexian No.45133125
Not when the user leaks their DNS query it doesn't. Those endpoints must be one of the dumbest "vibe security" ideas I've literally ever heard of.