Read that blog post to learn how to configure your website and, for those who are not able to do that, how to disable caching for certain URIs to prevent this type of attack. Since our previous blog post, we have looked for but have not seen any large-scale attacks like this in the wild.
Today, we have released a tool to help our customers make sure only assets that should be cached are being cached.
A brief re-introduction to Web Cache Deception attack
Recall that the Web Cache Deception attack happens when an attacker tricks a user into clicking a link in the format of http://www.example.com/newsfeed/foo.jpg, when http://www.example.com/newsfeed is the location of a dynamic script that returns different content for different users. For some website configurations (default in Apache but not in nginx), this would invoke /newsfeed with PATH_INFO set to /foo.jpg. If http://www.example.com/newsfeed/foo.jpg does not return the proper Cache-Control headers to tell a web cache not to cache the content, web caches may decide to cache the result based on the extension of the URL. The attacker can then visit the same URL and retrieve the cached content of a private page.
The proper fix for this is to configure your website to either reject requests with the extra PATH_INFO or to return the proper Cache-Control header. Sometimes our customers are not able to do that (maybe the website is running third-party software that they do not fully control), and they can apply a Bypass Cache Page Rule for those script locations.
Cache Deception Armor
The new Cache Deception Armor Page Rule protects customers from Web Cache Deception attacks while still allowing static assets to be cached. It verifies that the URL’s extension matches the returned Content-Type. In the above example, if http://www.example.com/newsfeed is a script that outputs a web page, the Content-Type is text/html. On the other hand, http://www.example.com/newsfeed/foo.jpg is expected to have image/jpeg as Content-Type. When we see a mismatch that could result in a Web Cache Deception attack, we will not cache the response.
There are some exceptions to this. For example, if the returned Content-Type is application/octet-stream we don’t care what the extension is, because that’s typically a signal instructing the browser to save the asset instead of displaying it. We also allow .jpg to be served as image/webp or .gif as video/webm, and other cases that we think are unlikely to be attacks.
This new Page Rule depends upon Origin Cache Control. A Cache-Control header from the origin or Edge Cache TTL Page Rule will override this protection.
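To make the decision concrete, here is an added Python model of the check described above; it is not Cloudflare's code, and the extension table and the way an origin Cache-Control header is honoured are assumptions for illustration only.

```python
import os
from urllib.parse import urlparse

# Extension -> Content-Types treated as a legitimate match.
# Assumed table for this example; the real rule set is Cloudflare's.
EXPECTED_TYPES = {
    ".jpg": {"image/jpeg", "image/webp"},
    ".jpeg": {"image/jpeg", "image/webp"},
    ".png": {"image/png", "image/webp"},
    ".gif": {"image/gif", "video/webm"},
    ".css": {"text/css"},
    ".js": {"application/javascript", "text/javascript"},
}

# Content-Types cached regardless of extension (a download hint, not a page).
ALWAYS_OK = {"application/octet-stream"}


def main_type(content_type):
    """Strip parameters: 'text/html; charset=utf-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def should_cache(url, headers):
    """Return (cacheable, reason) for a response to `url`.

    An explicit Cache-Control from the origin wins (assumed: cacheable unless
    it carries no-store, private or no-cache). Otherwise cache only when the
    URL extension and the returned Content-Type agree, with the exceptions
    the text lists.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = h.get("cache-control", "").lower()
    if cc:
        cacheable = not any(d in cc for d in ("no-store", "private", "no-cache"))
        return cacheable, "origin Cache-Control overrides the armor check"

    ext = os.path.splitext(urlparse(url).path)[1].lower()
    if not ext:
        return False, "no extension, not treated as a static asset"
    ctype = main_type(h.get("content-type", ""))
    if ctype in ALWAYS_OK:
        return True, "octet-stream is cached whatever the extension"
    expected = EXPECTED_TYPES.get(ext)
    if expected is None:
        return False, "unknown extension, not cached"
    if ctype in expected:
        return True, "extension matches Content-Type"
    # The attack case: /newsfeed/foo.jpg answered by the dynamic script as HTML.
    return False, "mismatch: %s served as %s, possible cache deception" % (ext, ctype)
```

Run it against the newsfeed example from the text: a text/html answer to `/newsfeed/foo.jpg` is refused, while `/logo.jpg` served as image/webp is still cached.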