A potentially very bad exploit for most languages/versions


(Greg Robson) #1

Just saw this on Twitter:

https://httpoxy.org/
PHP, Python, Go are affected in pretty much all versions and could exist in other languages. The exploit has existed for years, but nobody seems to have realised how wide the scope of the exploit is.


(Daniel Hollands) #2

I love how all of these big vulnerabilities are now branded. Heartbleed is the one that instantly springs to mind, but I’m sure there have been others.


(Greg Robson) #3

It’s not serious unless it has a logo and a brand! :smile:

It seems to help make the story newsworthy outside of the usual areas of The Register, Slashdot, TechCrunch etc., so I’m all for a fancy logo!


(Andy Wootton) #4

Having worked in ‘the security game’, I can understand that. It’s how infosec companies and crackers (sometimes these are different people) make a name for themselves, to win work or kudos. It uses the slightly dodgy logic that if you can exploit a weakness then you can protect a customer from being exploited. It’s what makes infosec work frustrating too. Crackers only need 1 way in. Protection requires every potential route to be protected. You have to be better than every cracker and other people keep putting holes in your defences.

I see it’s one of the http://martinfowler.com/bliki/TwoHardThings.html in computer science: “naming things”.