$argon2id$v=19$m=64,t=512,p=2$SfpLVj9WHxeQXQDPcO8epg$yrRS3qXk4qWDyMto/rcZ3w
David Osipov DavidOsipov
🏠
DavidOsipov
/ gist:32308afd1e40b8e4bb696c0d8cea45ea
Created
July 25, 2025 09:34
How the 2023 MitM Attack Reveals a Critical Security Gap in Cloudflare's Universal SSL
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # How the 2023 MitM Attack Reveals a Critical Security Gap in Cloudflare's Universal SSL | |
| <img src="https://habrastorage.org/r/w780/getpro/habr/upload_files/5a0/731/17c/5a073117c595a0da5299bf14b4136cf9.jpg" alt="A wounded knight in armor slumped in defeat, holding a large shield with the Cloudflare logo that has been pierced by a bullet hole." width="200"/> | |
| ## Summary | |
| * Cloudflare's free Universal SSL automatically adds broad [CAA records](https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization) (e.g., issue "letsencrypt.org") without the accounturi parameter from RFC 8657. | |
| * This creates the exact security gap that enabled the [jabber.ru MitM attack](https://notes.valdikss.org.ru/jabber.ru-mitm/) back in 2023, where attackers got a valid Let's Encrypt certificate because they could pass domain validation from a different LE account. | |
| * I have tried to get Cloudflare to address this on their [community forum](https://community.cloudflare.com/t/critical-security-gap-cloudflare-must-fully-suppor |
DavidOsipov
/ sysctl.conf
Last active
July 25, 2025 23:34
Ubuntu 22.04 small VPN server (1 CPU 2 GB) sysctl.conf hardened file
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/sysctl.conf - Configuration file for setting system variables | |
| # See /etc/sysctl.d/ for additional system variables. | |
| # See sysctl.conf (5) for information. | |
| ####################### General Kernel Parameters ####################### | |
| #kernel.domainname = example.com | |
| #kernel.printk = 3 4 1 3 # Uncomment to stop low-level messages on console | |
| ####################### Kernel Hardening Parameters ##################### |
DavidOsipov
/ openpgp.md
Last active
November 1, 2024 17:12
DavidOsipov
/ keybase.md
Created
December 10, 2022 11:04
I hereby claim:
- I am davidosipov on github.
- I am david_osipov (https://keybase.io/david_osipov) on keybase.
- I have a public key ASAHC7hiaP-wM0opCu9vH7awZTzhQeERDjiOc2dIfKmP5Ao
To claim this, I am signing this object: