DNSSEC: Complexities and Considerations

Published on by Nick Sullivan.

This blog post is a follow-up to our previous introduction to DNSSEC. Read that first if you are not familiar with DNSSEC. DNSSEC is an extension to DNS: it provides a system of trust for DNS records. It’s a major change to one of the core components of the Internet. In this post we examine some of the complications of DNSSEC, and what CloudFlare plans to do…

Take a break and watch two recent engineering talks

Published on by John Graham-Cumming.

Recently, I spoke at the dotGo 2014 conference in Paris and my colleague (and creator of OpenResty) Yichun Zhang spoke at the first NGINX conference in San Francisco. If you need to take a break, go grab a drink and enjoy one of these two talks.

The Latest and Greatest from ngx_lua: New Features & Tools

Tired of writing NGINX C modules or setting up back-end application servers? The…

Drupal 7 SA-CORE-2014-005 SQL Injection Protection

Published on by John Graham-Cumming.

Yesterday the Drupal Security Team released a critical security patch for Drupal 7 that fixes a very serious SQL injection vulnerability. At the same time we pushed an update to our Drupal WAF rules to mitigate this problem. Any customer using the WAF and with the Drupal ruleset enabled will have received automatic protection. Rule D0002 provides protection against this vulnerability. If you do not have that ruleset…

SSLv3 Support Disabled By Default Due to POODLE Vulnerability

Published on by Matthew Prince.

For the last week we've been tracking rumors about a new vulnerability in SSL. This specific vulnerability, which was just announced, targets SSLv3. The vulnerability allows an attacker to add padding to a request in order to then calculate the plaintext of encryption using the SSLv3 protocol. Effectively, this allows an attacker to compromise the encryption when using the SSLv3 protocol. Full details have been published by Google…

Automatic protection for common web platforms

Published on by John Graham-Cumming.

If you are a CloudFlare Pro or above customer you enjoy the protection of the CloudFlare WAF. If you use one of the common web platforms, such as WordPress, Drupal, Plone, WHMCS, or Joomla, then it's worth checking if the relevant CloudFlare WAF ruleset is enabled. That's because CloudFlare pushes updates to these rules automatically when new vulnerabilities are found. If you enable the relevant ruleset for your…