Comment by blenderob

Comment by blenderob a day ago

2 replies

View on Hacker News

> This case highlights an interesting tension in web security: the balance between protection and usability.

But it doesn't. This case highlights a bug, a stupid bug. This case highlights that people who should know better, don't!

The tension between security and usability is real but this is not it. Tension between security and usability is usually a tradeoff. When you implement good security that inconveniences the user. From simple things like 2FA to locking out the user after 3 failed attempts. Rate limiting to prevent DoS. It's a tradeoff. You increase security to degrade user experience. Or you decrease security to increase user experience.

This is neither. This is both bad security and bad user experience. What's the tension?

myflash13 a day ago

I would say it’s a useful security practice in general to apply WAF as a blanket rule to all endpoints and then remove it selectively when issues like this occur. It’s much, much, harder to evaluate every single public facing endpoint especially when hosting third party software like Wordpress with plugins.

Reply View 0 replies
crabbone 8 hours ago

Precisely.

This also reminded me, I think in the PHP 3 era, PHP used to "sanitize" the contents of URL requests to blanket combat SQL injections, or perhaps, it was a configuration setting that would be frequently turned on in shared hosting services. This, of course, would've been very soon discovered by the authors of the PHP site and various techniques were employed to circumvent this restriction, overall giving probably even worse outcomes than if the "sanitation" wasn't there to begin with.

Reply View 0 replies