lynnesbian 3 days ago

> a product that mostly doesn't do anything except for occasionally break the internet

I wouldn't say that. The postmortem you referred to links to another CloudFlare blog post - one about a pretty serious RCE vuln in Microsoft SharePoint that was blocked by their WAF: https://blog.cloudflare.com/stopping-cve-2019-0604/

Reply View 2 replies
  • pvg 3 days ago

    I mean, it's hardly surprising CloudFlare will tell you this is a useful product. But it is to securing a web application what regex is to parsing HTML.

    Reply View 1 reply
    • jiggawatts 2 days ago

      Sadly I work with web developers that all assume they don’t need to bother too much with security “because we have a WAF”.

      Reply View 0 replies
AdamJacobMuller 3 days ago

I'm not sure why "WAF has false positives" makes it useless, nor would I say this is anywhere near the scale of "breaking the internet" and I'm not even fan of the concept of WAFs in general.

Reply View 2 replies
  • pvg 3 days ago

    The last one took out a lot more stuff than this one but the argument is the same - this product is a checkmark thing and when it's not fulfilling its checkmark purpose, it causes outages. Still an amusing bi-modality! I suppose it shares it with DNSSEC.

    Reply View 1 reply
    • misiek08 3 days ago

      Basically CF default WAF settings saved more small and medium companies I can even count to. I’m not CF fan, but WAFs (with rate limiting) do help. Sad that one or two incidents for that complicated and big services make people post such comments, but cmon - it doesn’t have AI in it's name so sheeps have to cry, right?

      Reply View 0 replies
calvinmorrison 3 days ago

we've used it to rescue some vintage appliances that are basically unsecurable.

Reply View 0 replies