Comment by pvg

3 days ago

This is not CF WAF's first rodeo https://news.ycombinator.com/item?id=20421538

Cementing its track record as a product that mostly doesn't do anything except for occasionally break the internet here and there to keep things fun and interesting.

> a product that mostly doesn't do anything except for occasionally break the internet

I wouldn't say that. The postmortem you referred to links to another CloudFlare blog post - one about a pretty serious RCE vuln in Microsoft SharePoint that was blocked by their WAF: https://blog.cloudflare.com/stopping-cve-2019-0604/

  • I mean, it's hardly surprising CloudFlare will tell you this is a useful product. But it is to securing a web application what regex is to parsing HTML.

    • Sadly I work with web developers that all assume they don’t need to bother too much with security “because we have a WAF”.

I'm not sure why "WAF has false positives" makes it useless, nor would I say this is anywhere near the scale of "breaking the internet", and I'm not even a fan of the concept of WAFs in general.

  • The last one took out a lot more stuff than this one but the argument is the same - this product is a checkmark thing and when it's not fulfilling its checkmark purpose, it causes outages. Still an amusing bi-modality! I suppose it shares it with DNSSEC.

    • Basically CF default WAF settings have saved more small and medium companies than I can even count. I'm not a CF fan, but WAFs (with rate limiting) do help. Sad that one or two incidents for such complicated and big services make people post such comments, but c'mon - it doesn't have AI in its name so the sheep have to cry, right?