Curated topic

security

Posts tagged with security

Engineering at MetaMar 9, 2026

How Advanced Browsing Protection Works in Messenger

Why it matters: It demonstrates how to implement privacy-preserving security features in end-to-end encrypted environments. Engineers can learn how to balance cryptographic privacy primitives like PIR and OPRF with the practical performance requirements of large-scale real-time messaging.

Messenger's Advanced Browsing Protection (ABP) uses Private Information Retrieval (PIR) to check links against a malicious URL database without revealing user activity to the server.
The system employs Oblivious Pseudorandom Functions (OPRF) to ensure the server cannot see the specific content of the client's query during the lookup process.
To handle URL prefix matching for subpaths, the system groups links by domain rather than requiring exact matches, preventing multiple queries that could leak data.
ABP addresses the privacy-efficiency tradeoff by sharding the database into buckets, carefully managing the number of bits leaked to the server to optimize performance.
The architecture is designed to scale to millions of potentially malicious websites while maintaining low latency for users within end-to-end encrypted chats.

#security #dist #data

Read original

GitHub EngineeringMar 9, 2026

Under the hood: Security architecture of GitHub Agentic Workflows

Why it matters: As AI agents integrate into CI/CD, they introduce risks like prompt injection and credential theft. This architecture provides a blueprint for running non-deterministic agents safely within trusted environments by enforcing strict isolation, secret redaction, and governed execution.

GitHub Agentic Workflows implement a layered security model consisting of substrate, configuration, and planning layers to mitigate risks from non-deterministic agent behavior.
The architecture enforces a zero-trust approach for secrets by isolating agents in dedicated containers with restricted egress and no direct access to environment variables or API keys.
A trusted Model Context Protocol (MCP) gateway manages server authentication and communication, preventing agents from leaking credentials via prompt injection or malicious inputs.
Network isolation is achieved through private networking between agents and a firewall, with all LLM calls routed through a secure API proxy to prevent data exfiltration.
The safe outputs subsystem ensures all repository writes are staged and vetted, preventing agents from making unauthorized or malicious commits to the codebase.

#security #mlp

Read original

Cloudflare BlogMar 9, 2026

Active defense: introducing a stateful vulnerability scanner for APIs

Why it matters: Traditional security tools miss logic-based vulnerabilities like BOLA because the requests appear valid. This stateful scanner allows engineers to proactively hunt for authorization flaws, ensuring business logic integrity beyond simple schema validation and signature matching.

Cloudflare launched a stateful Web and API Vulnerability Scanner in beta, specifically targeting Broken Object Level Authorization (BOLA).
Unlike traditional WAFs that focus on syntax-based attacks like SQLi, this scanner identifies logic flaws where valid requests violate business rules.
The tool utilizes Dynamic Application Security Testing (DAST) to proactively hunt for vulnerabilities in both development and production environments.
The scanner is stateful, enabling it to chain multiple requests together to simulate complex attack patterns that require resource creation and manipulation.
Integration with API Shield allows the scanner to leverage existing API Discovery and Schema Learning for deeper context and easier configuration.

#security

Read original

Cloudflare BlogMar 9, 2026

Fixing request smuggling vulnerabilities in Pingora OSS deployments

Why it matters: Request smuggling vulnerabilities can lead to critical security breaches like session hijacking and cache poisoning. For engineers using Pingora as an ingress proxy, upgrading to 0.8.0 is essential to ensure RFC compliance and prevent connection desynchronization attacks.

Cloudflare patched three HTTP/1.x request smuggling vulnerabilities (CVE-2026-2833, CVE-2026-2835, CVE-2026-2836) in Pingora 0.8.0.
One flaw involved Pingora prematurely entering passthrough mode for Upgrade requests before receiving a 101 Switching Protocols response.
Vulnerabilities also stemmed from non-RFC-compliant interpretations of request bodies involving Transfer-Encoding in specific HTTP contexts.
These issues could allow attackers to bypass security controls, hijack user sessions, or poison caches in standalone Pingora deployments.
Cloudflare's CDN was unaffected due to architectural safeguards and internal proxy configurations that prevent these exploitation vectors.
Users of the Pingora framework are strongly urged to upgrade to version 0.8.0 to mitigate risks of connection desynchronization.

#security #sre

Read original

Cloudflare BlogMar 9, 2026

Complexity is a choice. SASE migrations shouldn’t take years.

Why it matters: Engineers can bypass the 'marathon of misery' of multi-year SASE deployments. By using programmable, identity-centric tools, teams can secure global infrastructure and AI workflows in weeks rather than years, reducing technical debt and improving performance.

Cloudflare One reduces SASE migration timelines from 18 months to 6 weeks by replacing legacy hardware-centric approaches with a software-defined connectivity cloud.
The platform utilizes identity-first on-ramps and consolidated policy engines to eliminate the 'trombone effect' and latency common in traditional service chaining.
Lightweight cloud-native connectors like cloudflared enable instant connectivity without requiring inbound firewall port changes.
The extensible edge allows for custom environment support, such as creating native services for Arch Linux to maintain consistent device posture checks.
Integrated AI security tools provide shadow AI visibility and Data Loss Prevention (DLP) to control sensitive data flow into LLMs.

#security #sre #dist

Read original

GitHub EngineeringMar 6, 2026

How to scan for vulnerabilities with GitHub Security Lab’s open source AI-powered framework

Why it matters: This framework enables engineers to leverage LLMs for deep security audits, moving beyond simple pattern matching to find complex logic flaws. By open-sourcing these taskflows, GitHub allows teams to automate high-quality vulnerability research and improve software supply chain security.

GitHub Security Lab's Taskflow Agent is an open-source framework that uses AI to perform deep security audits on codebases.
The framework utilizes YAML-based 'taskflows' to chain multiple LLM prompts, overcoming context window limitations and reducing hallucinations.
It automates repository decomposition by identifying entry points, intended privileges, and component purposes to provide structured context for analysis.
The system has successfully identified over 80 high-impact vulnerabilities, including complex authorization bypasses and PII disclosure issues.
Engineers can run audits via GitHub Codespaces, utilizing models like GPT or Claude to perform iterative, non-deterministic security scans.

#security #mlp

Read original

Cloudflare BlogMar 6, 2026

From the endpoint to the prompt: a unified data security vision in Cloudflare One

Why it matters: This unified approach addresses the 'endpoint-to-prompt' challenge, ensuring security policies follow data across tools and AI interfaces. For engineers, it simplifies visibility and control over sensitive information without sacrificing productivity or creating siloed security gaps.

Cloudflare One introduces browser-based RDP clipboard controls to manage data movement between local devices and remote sessions.
Operation mapping now enriches logs with specific SaaS actions, such as 'SendPrompt' in ChatGPT, to simplify policy authoring and forensic analysis.
Endpoint DLP is being integrated into the Cloudflare One Client to protect data in use, specifically monitoring and controlling OS clipboard activity.
New CASB integrations provide security scanning for Microsoft 365 Copilot, identifying sensitive data risks within AI-driven workflows.
The unified vision aims to secure data across its entire lifecycle: in transit, at rest, in use on endpoints, and at the AI prompt interface.

#security #data

Read original

Cloudflare BlogMar 5, 2026

Ending the "silent drop": how Dynamic Path MTU Discovery makes the Cloudflare One Client more resilient

Why it matters: Engineers often face 'zombie' connections caused by MTU mismatches and blocked ICMP feedback. By implementing active probing via QUIC, Cloudflare eliminates these silent failures, ensuring robust connectivity across diverse, unmanaged network infrastructures without manual tuning.

Cloudflare One Client now implements Dynamic Path MTU Discovery (PMTUD) to prevent 'black hole' packet loss and connection hangs.
Traditional PMTUD relies on ICMP messages that are frequently blocked by firewalls, leading to silent packet drops.
The new implementation follows RFC 8899, using active probing to interrogation the network path instead of relying on ICMP feedback.
Leveraging the MASQUE protocol and QUIC, the client sends encrypted probes of varying sizes to determine the optimal MTU.
The client dynamically resizes its virtual interface MTU on the fly, ensuring seamless transitions between different network environments like Wi-Fi and LTE.
This active discovery mechanism maintains session stability for mission-critical applications on restrictive or legacy infrastructure.

#security #dist

Read original

Cloudflare BlogMar 5, 2026

A QUICker SASE client: re-building Proxy Mode

Why it matters: This shift solves the performance penalty of SASE proxies by moving from L3 tunneling to direct L4 proxying via QUIC. It doubles throughput and lowers latency, making Zero Trust security transparent to users during high-bandwidth tasks or when coexisting with legacy VPNs.

Cloudflare re-engineered its SASE client proxy mode by replacing the WireGuard-based Layer 3 tunnel with a direct Layer 4 QUIC-based architecture.
The previous implementation relied on smoltcp, a user-space TCP stack that lacked modern features and created a performance ceiling for media-heavy traffic.
The new architecture leverages MASQUE and HTTP/3 (RFC 9114) using the CONNECT method to encapsulate traffic directly into QUIC streams.
By bypassing Layer 3 translation, the client eliminates inefficient IP packet handling and benefits from native QUIC congestion and flow control.
Internal testing demonstrated that download and upload speeds doubled while latency decreased significantly for end-users.
The update specifically improves performance for third-party VPN coexistence, high-bandwidth application partitioning, and developer CLI tools.

#security #dist #sre

Read original

Cloudflare BlogMar 5, 2026

How Automatic Return Routing solves IP overlap

Why it matters: ARR simplifies complex network architectures by eliminating the need for NAT or VRF when handling overlapping private IP spaces. This reduces administrative toil and prevents non-deterministic routing, allowing engineers to scale enterprise backbones without manual IP re-addressing.

Cloudflare introduced Automatic Return Routing (ARR) to resolve IP overlap issues in private enterprise networks without manual configuration.
IP overlap typically arises from mergers and acquisitions, extranet connections, or standardized 'cookie-cutter' site architectures.
Traditional solutions like NAT and VRF are effective but introduce significant administrative overhead and brittle configuration requirements.
ARR utilizes stateful tracking to remember the specific tunnel (IPsec, GRE, or CNI) that initiated a network flow.
By bypassing the routing table for return traffic, ARR ensures symmetric routing even when multiple sites share identical IP addresses.
The 'zero-touch' approach allows overlapping networks to coexist seamlessly without requiring complex route leaking or IP re-addressing.

#dist #security

Read original

Page 2 of 12

Prev 1 2 3 4...12 Next