Macha a day ago

> But having it is generally better than not having it.

The problem is that generally you're breaking actual valid use cases as the tradeoff to being another layer of defense against hypothetical vulnerabilities.

Yes, discussing the hosts file is a valid use case.

Yes, putting angle brackets in the title of your message is a valid use case your users are going to want.

Yes putting "mismatched" single quotes inside double quotes is a thing users will do.

Yes your users are going to use backslashes and omit spaces in a way that looks like attempts at escaping characters.

(All real problems I've seen caused by overzealous security products)
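As an added illustration of the kinds of legitimate input listed above (not code from the original thread): a toy blocklist in the style of a naive WAF rule set, beside context-aware output encoding. The sample inputs and the rules are constructed for this example; `naive_waf_blocks`, `render_title` and `false_positive_rate` are hypothetical names.

```python
import html
import re

# Constructed sample of legitimate user input of the kinds listed in the
# comment above: a hosts-file discussion, angle brackets in a title,
# a "mismatched" single quote inside double quotes, backslashes with no spaces.
LEGIT_INPUTS = [
    "Edit /etc/hosts to point staging at 127.0.0.1",
    "How do I render <b>bold</b> text in a title?",
    'He said "it\'s fine" and left',
    "Windows path: C:\\Users\\alice\\notes.txt",
]

# Hypothetical blocklist in the style of a naive request filter.
NAIVE_RULES = [
    re.compile(r"/etc/hosts"),           # path-traversal "signature"
    re.compile(r"<[^>]*>"),              # anything that looks like a tag
    re.compile(r"\"[^\"]*'[^\"]*\""),    # single quote inside double quotes
    re.compile(r"\\\w"),                 # backslash followed by a word char
]


def naive_waf_blocks(text: str) -> bool:
    """Return True when the blocklist would reject the request body."""
    return any(rule.search(text) for rule in NAIVE_RULES)


def render_title(text: str) -> str:
    """Context-aware output encoding for an HTML text node.

    Nothing is rejected: the characters are escaped so the browser shows
    them literally, which is the fix the blocklist only papers over.
    """
    return html.escape(text, quote=True)


def false_positive_rate(inputs) -> float:
    """Fraction of legitimate inputs the blocklist would reject."""
    blocked = sum(naive_waf_blocks(t) for t in inputs)
    return blocked / len(inputs)


if __name__ == "__main__":
    print(f"blocklist false positives: {false_positive_rate(LEGIT_INPUTS):.0%}")
    for t in LEGIT_INPUTS:
        print(naive_waf_blocks(t), render_title(t))
```

Testing the escaping function directly, rather than through the filter, is what shows whether the application itself handles these inputs correctly.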

simonw a day ago

"But having it is generally better than not having it."

I believe the exact opposite.

One (of many) reasons is that it can make your code less secure, by hiding your security mistakes from you.

If your WAF obscures escaping issues during your own testing and usage you could very easily let those escaping issues go unresolved - leaving you vulnerable to any creative attacker who can outsmart your WAF.

  • RamRodification a day ago

    If you are in charge of testing code for escaping issues, and you do that through a WAF, you might not be very good at your job.

paxys a day ago

> But having it is generally better than not having it.

So is HN and every other site in the world insecure because it allows users to post "/etc/hosts" ?

  • mystifyingpoi a day ago

    Maybe? I don't know nor care. Assuming that HN has a vuln with path traversal, a sanely configured WAF would block the traversal attempt.

    • latexr a day ago

      I propose someone who doesn’t know or care how a system works shouldn’t be prescribing what to do to make it secure. Otherwise this is like suggesting every gate must have a lock to be secure, even those which aren’t connected to any walls.

      https://i.imgur.com/ntYUQB1.jpeg

      • MatthiasPortzel a day ago

        > someone who doesn’t know or care how a system works shouldn’t be prescribing what to do to make it secure

        The part that’s not said out loud is that a lot of “computer security” people aren’t concerned with understanding the system. If they were, they’d be engineers. They’re trying to secure it without understanding it.

rcxdude a day ago

Is it? The WAF is also now an attack surface itself, and I don't think WAFs have exactly proven themselves as something that meaningfully increases security. They certainly break things unpredictably, though.

wavemode a day ago

No, that logic doesn't follow. If your application is so hopelessly vulnerable as to benefit from such naive filtering of the text "/etc/hosts", then your application is still going to be vulnerable in precisely the same ways, with just slightly modified inputs.

It is net zero for security and net negative for user experience, so having it is worse than not having it.

  • serial_dev a day ago

    Net zero for security might be generous.

    The way I assume it works in practice on a real team is that after some time, most of your team will have no idea how the WAF works and what it protects against, where and how it is configured… but they know it exists, so they will no longer pay attention to security because “we have a tool for that”, especially when they should have finished that feature a week ago…

smallnix a day ago

Dropping 0.5% of requests will prevent even the most sophisticated attacks (think APT!). Sometimes.

wyager a day ago

> But having it is generally better than not having it.

Why? It obviously has an annoying cost and equally obviously won't stop any hacker with a lukewarm IQ