Episode #2022-01

Posted on Jan 14, 2022

azure brave cache pki tplink wiz

TP-Link was setting up hidden networks and thinking that was a good idea. ¹

Same-origin may not be sufficient for privacy protection, and Brave browser is introducing partitioning in various kinds of web components. ²

Wiz found that Azure App service pushes .git directory to public, and then use a blacklist that only works with IIS to stop serving it. ³

Emily Stark discussed the limitations of PKI and what are the viable alternatives. ⁴

A large number of cache poisoning in popular websites were revealed. ⁵

Footnotes

1. Hidden Networks in TP-Link Routers (jahed.dev)

See also:

Archer C7 v5 is emitting a hidden network (community.tp-link.com)

[New Firmware] Disable Hidden SSID on the MR600 (community.tp-link.com)

2. Partitioning Network-State for Privacy (brave.com)

See also:

Client-Side Storage Partitioning | storage-partitioning (privacycg.github.io)

3. NotLegit: Azure App Service vulnerability exposed hundreds of source code repositories (www.wiz.io)

See also:

App Service — Build & Host Web Apps | Microsoft Azure (azure.microsoft.com)

4. When a web PKI certificate won’t cut it (emilymstark.com)

See also:

Android 11 tightens restrictions on CA certificates | HTTP Toolkit (httptoolkit.tech)

How Plex is doing HTTPS for all its users (blog.filippo.io)

There is still no complete replacement for LAN plaintext connections · Issue #23 · WICG/private-network-access (github.com)

WebTransport (w3c.github.io)

Approaches to Achieving HTTPS in Local Network (httpslocal.github.io)

5. Cache Poisoning at Scale (youst.in)

See also:

Researcher discovers 70 web cache poisoning vulnerabilities, nets $40k in bug bounty rewards | The Daily Swig (portswigger.net)