4/25/2025 at 2:33:46 PM
The people configuring WAF rules at CDNs tend to do a poor job understanding sites and services that discuss technical content. It's not just Cloudflare, Akamai has the same problem. If your site discusses databases then turning on the default SQL injection attack prevention rules will break your site. And there is another ruleset for file inclusion where things like /etc/hosts and /etc/passwd get blocked.
I disagree with other posts here, it is partially a balance between security and usability. You never know what service was implemented with possible security exploits and being able to throw every WAF rule on top of your service does keep it more secure. It's just that those same rulesets are super annoying when you have a securely implemented service which needs to discuss technical concepts.
Fine tuning the rules is time consuming. You often have to just completely turn off the ruleset because when you try to keep the ruleset on and allow the use-case there are a ton of changes you need to get implemented (if it's even possible). Page won't load because /etc/hosts was in a query param? Okay, now that you've fixed that, all the XHR included resources won't load because /etc/hosts is included in the referrer. Now that that's fixed things still won't work because some random JS analytics lib put the URL visited in a cookie, etc, etc... There is a temptation to just turn the rules off.
by matt_heimer
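The cascade described in the comment above (query param, then Referer, then an analytics cookie) is easy to reproduce with a toy signature rule. The following is an added example written for this page, not code from Cloudflare, Akamai or any real ruleset; the signature list, the `docs.example` host, the `q`/`term`/`file` parameters and the `last_url` cookie are all constructed for illustration. It evaluates one LFI-style rule over ARGS, request headers and cookies, replays the three requests a documentation page about /etc/hosts would make, and then shows the alternative to turning the rule off: an exclusion scoped to a route and a named field, which leaves the same rule active against a genuine traversal attempt on another parameter.

```python
"""
Toy WAF rule evaluator (added example, not from any real WAF product).
Shows why one string-signature rule for local file inclusion fires across
the query string, the Referer header and cookies, and how a scoped
exclusion keeps the rule on while letting a documentation site discuss
/etc/hosts. All URLs, headers and cookies below are constructed.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

# A tiny stand-in for the LFI signature list of a real ruleset.
LFI_SIGNATURES = ("/etc/passwd", "/etc/hosts", "/etc/shadow", "../")


def normalize(value: str) -> str:
    """Decode twice (catches %252F-style double encoding), then case-fold."""
    return unquote(unquote(value)).lower()


def inspect_request(url, headers=None, cookies=None, exclusions=frozenset()):
    """Return (location, name, signature) hits for one request.

    exclusions: set of (path_prefix, location, name) tuples, the WAF
    equivalent of "don't run this rule on this field for this route".
    """
    headers = headers or {}
    cookies = cookies or {}
    parts = urlsplit(url)
    targets = [("ARGS", k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    targets += [("REQUEST_HEADERS", k, v) for k, v in headers.items()]
    targets += [("REQUEST_COOKIES", k, v) for k, v in cookies.items()]

    hits = []
    for location, name, value in targets:
        excluded = any(parts.path.startswith(prefix) and (loc, nm) == (location, name)
                       for prefix, loc, nm in exclusions)
        if excluded:
            continue
        norm = normalize(value)
        hits.extend((location, name, sig) for sig in LFI_SIGNATURES if sig in norm)
    return hits


def docs_site_cascade(exclusions=frozenset()):
    """Replay the three requests a docs page about /etc/hosts triggers.

    1. the page itself, with the search term in the query string
    2. an XHR from that page, which carries the page URL in Referer
    3. the next navigation, after an analytics script stored the last
       visited URL (URL-encoded) in a cookie
    """
    page = "https://docs.example/linux?q=/etc/hosts"
    page_hits = inspect_request(page, {"User-Agent": "Mozilla/5.0"}, {}, exclusions)
    xhr_hits = inspect_request("https://docs.example/api/search?term=hosts",
                               {"Referer": page}, {}, exclusions)
    next_hits = inspect_request("https://docs.example/linux/next", {},
                                {"last_url": "%2Flinux%3Fq%3D%2Fetc%2Fhosts"}, exclusions)
    return {"page": page_hits, "xhr": xhr_hits, "next": next_hits}


# Exclusions scoped to the docs routes and the exact fields involved; the
# rule stays active for every other parameter, header and route.
DOCS_EXCLUSIONS = frozenset({
    ("/linux", "ARGS", "q"),
    ("/api/", "REQUEST_HEADERS", "Referer"),
    ("/linux", "REQUEST_COOKIES", "last_url"),
})


if __name__ == "__main__":
    for label, hits in docs_site_cascade().items():
        print(f"{label:5} no exclusions : {hits}")
    for label, hits in docs_site_cascade(DOCS_EXCLUSIONS).items():
        print(f"{label:5} scoped excl.  : {hits}")
    # A genuine traversal attempt on a different parameter is still caught.
    print(inspect_request("https://docs.example/view?file=..%2F..%2Fetc%2Fpasswd",
                          exclusions=DOCS_EXCLUSIONS))
```

Excluding only `("/linux", "ARGS", "q")` clears the first request and leaves the XHR and the cookie still blocked, which is exactly the whack-a-mole the comment describes; each new place the URL leaks into needs its own exclusion. The point of keying exclusions on route and field rather than deleting the signature is the last line: `?file=..%2F..%2Fetc%2Fpasswd` on `/view` still matches both `/etc/passwd` and `../` after decoding.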
4/25/2025 at 2:55:02 PM
> I disagree with other posts here, it is partially a balance between security and usability.

And economics. Many people here are blaming incompetent security teams and app developers, but a lot of seemingly dumb security policies are due to insurers. If an insurer says "we're going to jack up premiums by 20% unless you force employees to change their password once every 90 days", you can argue till you're blue in the face that it's bad practice, NIST changed its policy to recommend not regularly rotating passwords over a decade ago, etc., and be totally correct... but they're still going to jack up premiums if you don't do it. So you dejectedly sigh, implement a password expiration policy, and listen to grumbling employees who call you incompetent.
It's been a while since I've been through a process like this, but given how infamous log4shell became, it wouldn't surprise me if insurers are now also making it mandatory that common "hacking strings" like /etc/hosts, /etc/passwd, jndi:, and friends must be rejected by servers.
by mjr00
4/25/2025 at 3:12:01 PM
Not just economics, audit processes also really encourage adopting large rulesets wholesale.

We're SOC2 + HIPAA compliant, which either means convincing the auditor that our in-house security rules cover 100% of the cases they care about... or we buy an off-the-shelf WAF that has already completed the compliance process, and call it a day. The CTO is going to pick the second option every time.
by swiftcoder
4/25/2025 at 3:21:00 PM
Yeah. SOC2 reminds me that I didn't mention sales as well, another security-as-economics feature. I've seen a lot of enterprise RFPs that mandate certain security protocols, some of which are perfectly sensible and others... not so much. Usually this is less problematic than insurance because the buyer is more flexible, but sometimes they (specifically, the buyer's company's security team, who has no interest besides covering their own ass) refuse to budge.

If your startup is on the verge of getting a 6 figure MRR deal with a company, but the company's security team mandates you put in a WAF to "protect their data"... guess you're putting in a WAF, like it or not.
by mjr00
4/25/2025 at 3:38:08 PM
> guess you're putting in a WAF, like it or not.

Install the WAF crap, and then feed every request through rot13(). Everyone is happy!
by meindnoch
4/25/2025 at 3:54:11 PM
Up until you need to exercise the insurance policy and the court room "experts" come down on you like a ton of bricks.
by throwup238
4/25/2025 at 4:32:29 PM
now you've banned several different arbitrary strings!
by benaubin
4/25/2025 at 5:55:13 PM
Good luck debugging why the string "/rgp/cnffjq" causes your request to be rejected :)
by connicpu
4/25/2025 at 4:25:23 PM
I wish IT teams would say "sorry about the password requirement, it's required by our insurance policy". I'd feel a lot less angry about stupid password expiration rules if they told me that.
by simonw
4/25/2025 at 4:40:22 PM
Sometime in the past few years I saw a new wrinkle: password must be changed every 90 days unless it is above a minimum length (12 or so as best I recall) in which case you only need to change it yearly. Since the industry has realized length trumps dumb "complexity" checks, it's a welcome change to see that encoded into policy.
by cratermoon
4/25/2025 at 4:53:55 PM
I think I like this idea that the rotation interval could be made proportional to length, for example doubling the interval with each additional character. Security standards already now acknowledge that forced yearly rotation is a net decrease in security, so this would incentivize users to pick the longest password for which they would tolerate the rotation interval. Is yearly rotation too annoying for you? For merely the effort of going from 12 -> 14 characters, you could make it 4 years instead, or 8 years, 16, and so on.
by manwe150
4/25/2025 at 5:58:56 PM
Can confirm when I found out I'd be required to regularly change my password the security of it went down significantly. At my current job when I was a new employee I generated a secure random password and spent a week memorizing it. 6 months later when I found out I was required to change it, I reverted to a variation of the password I used to use for everything years ago with some extra characters at the end that I'll be rotating with each forced change...
by connicpu
4/25/2025 at 11:40:05 PM
I do the same but write the number at the end of the password on the laptop in sharpie. I work from home so I've been thinking about making a usb stick that simulates a keyboard with a button to enter the password.
by jimmaswell
4/26/2025 at 9:21:50 AM
Dangerous. You might accidentally press the button in a group chat.
by immibis
4/25/2025 at 10:37:19 PM
Why not make use of a password manager?
by byproxy
4/25/2025 at 11:10:36 PM
You can’t open the password manager until your computer is unlocked.
by Aeolun
4/25/2025 at 11:47:41 PM
You can put the password manager on your phone or another device.
by isomorphic-
4/26/2025 at 12:12:09 AM
and now you’re violating a different policy.
by denkmoon
4/25/2025 at 11:55:15 PM
I'm not pulling my phone out every time I have to unlock my computer at work. If IT wants my work account to be secure they should change their policies.
by connicpu
4/26/2025 at 12:36:44 AM
As discussed here, the policy is from outside the org.
by edoceo
4/25/2025 at 10:26:22 PM
Unfortunately, lots of end users refuse to read the password policy and won't understand why their password reset interval is "random" or shorter than their colleague's.
by butshouldyou
4/25/2025 at 7:00:31 PM
> Sometime in the past few years I saw a new wrinkle: password must be changed every 90 days unless it is above a minimum length (12 or so as best I recall) in which case you only need to change it yearly. Since the industry has realized length trumps dumb "complexity" checks, it's a welcome change to see that encoded into policy.

This is such a bizarre hybrid policy, especially since forced password rotations at fixed intervals are already not recommended for end-user passwords as a security practice.
by chimeracoder
4/26/2025 at 12:09:36 PM
Having worked with PCI-DSS, some rules seem to only exist to appease insurance. When criticising decisions, you are told that passing audits to be able to claim insurance is the whole game, even when you can demonstrate how you can bypass certain rules in reality. High-level security has more to do with politics (my definition) than purely technical ability. I wouldn't go as far as to call it security theatre, there's too much good stuff there that many don't think about without having a handy list, but the game is certainly a lot bigger than just technical skills and hacker vs anti-hacker.

I still have a nervous tic from having a screen lock timeout "smaller than or equal to 30 seconds".
by wvh
4/25/2025 at 3:33:39 PM
> but a lot of seemingly dumb security policies are due to insurers.

I keep hearing that often on HN, however I've personally never seen such demands from insurers. I would greatly appreciate it if someone could share such an insurance policy. Insurance policies are not trade secrets and OK to be public. I can google plenty of commercial car insurance policies for example.
by betaby
4/25/2025 at 5:03:29 PM
I found an example!

https://retail.direct.zurich.ch/resources/definition/product...
Questionnaire Zurich Cyber Insurance
Question 4.2: "Do you have a technically enforced password policy that ensures use of strong passwords and that passwords are changed at least quarterly?"
Since this is an insurance questionnaire, presumably your answers to that question affect the rates you get charged?
(Found that with the help of o4-mini https://chatgpt.com/share/680bc054-77d8-8006-88a1-a6928ab99a...)
by simonw
4/26/2025 at 12:56:07 AM
We've been asked that question before on security questionnaires, and our answer has always been, "Forcing users to change passwords regularly is widely regarded as a very bad security practice, and we don't engage in bad security practices." We've never had anyone complain.
by smithkl42
4/26/2025 at 11:10:13 AM
I've never had a complaint about anything I put into a form requesting a quote for insurance. I just get the quote back. Did you write that in the comment expecting an insurance salesperson to call you up and argue passwords with you? Call their back office and say "hey this guy says our password question is crap, get our best guys on it!"?

I just can't imagine any outcome other than it was translated to just a "no" and increased your premium over what it would have otherwise been.
by austhrow743
4/25/2025 at 7:40:58 PM
Password policy is something rather common, and 'standard' firewalls. The question is in the context of WAF as in the article. A WAF requirement is something more invasive to say the least.
by betaby
4/25/2025 at 5:53:01 PM
Directly following is question 4.3: "Are users always prevented from installing programs on end-user devices?"

Totally bonkers stuff.
by kiitos
4/25/2025 at 6:11:22 PM
A trend for corporate workstations is moving closer to a phone with a locked-down app store, with all programs from a company software repo.

Eliminating everything but a business's industry specific apps, MS Office, and some well-known productivity tools slashes support calls (no customization!) and frustrates cyberattacks to some degree when you can't deploy custom executables.
by 9x39
4/25/2025 at 10:06:28 PM
That's why it's been a requirement for Australian government agencies for about 15 years.

In around 2011, the Defence Signals Directorate (now the Australian Signals Directorate) went through and did an analysis of all of the intrusions they had assisted with over the previous few years. It turned out that app whitelisting, patching OS vulns, patching client applications (Office, Adobe Reader, browsers), and some basic permission management would have prevented something like 90% of them.
The "Top 4" was later expanded to the Essential Eight which includes additional elements such as backups, MFA, disabling Office macros and using hardened application configs.
https://www.cyber.gov.au/resources-business-and-government/e...
by bigfatkitten
4/25/2025 at 9:35:15 PM
Then the users start using cloud webapps to do everything. I can't install a PDF-to-excel converter, so I'll use this online service to do it.

At first glance that might seem a poor move for corporate information security. But crucially, the security of cloud webapps is not the windows sysadmins' problem - buck successfully passed.
by michaelt
4/25/2025 at 6:45:30 PM
I don’t think locking down slashes support calls because you will now receive support requests anytime someone wants to install something and actually has a good business reason to do so.
by serial_dev