Well then...
Archive: https://archive.today/w6dq7
From the post:
>There is a URL on almost every modern website that exists for machines, not people. It lives under /.well-known/acme-challenge/ and, for a few seconds during certificate issuance, a robot visits it to check that you really control the domain. The visit is expected to be uneventful, a routine silent task. In this case, that quiet path got very loud!
This write‑up tells the story of how traffic aimed at that certificate path could reach origins behind Cloudflare even when the rest of the application was blocked by customer rules, why that matters, how we proved it with restraint, and how the issue is now fixed. It is written for researchers who want details and for security leaders who need the big picture without a textbook.
Well then...
Archive: https://archive.today/w6dq7
From the post:
>>There is a URL on almost every modern website that exists for machines, not people. It lives under /.well-known/acme-challenge/ and, for a few seconds during certificate issuance, a robot visits it to check that you really control the domain. The visit is expected to be uneventful, a routine silent task. In this case, that quiet path got very loud!
This write‑up tells the story of how traffic aimed at that certificate path could reach origins behind Cloudflare even when the rest of the application was blocked by customer rules, why that matters, how we proved it with restraint, and how the issue is now fixed. It is written for researchers who want details and for security leaders who need the big picture without a textbook.
Login or register