Readit News
m_sahaf commented on Enable CORS for Your Blog   blogsareback.com/guides/e... · Posted by u/cdrnsf
travisvn · 13 days ago
Hey folks, I'm the developer working on Blogs Are Back. WakaTime has me clocked in at over 900 hours on this project so far...

If CORS weren't an issue, it could've been done in 1/10th of that time. But if that were the case, there would've already been tons of web-based RSS readers available.

Anyway, the goal of this project is to help foster interest in indie blogs and help a bit with discovery. Feel free to submit your blog if you'd like!

If anyone has any questions, I'd be happy to answer them.

m_sahaf · 13 days ago
How can someone add platforms to the guide? I want to add Caddy.
m_sahaf commented on SSL Configuration Generator   ssl-config.mozilla.org/... · Posted by u/smartmic
accrual · 4 months ago
Why are we still using the term "SSL" anywhere? It feels immediately like someone forgot the last 10 years of tech.
m_sahaf · 4 months ago
ElGamal says he uses them interchangeably. He says TLS exists for historical reasons, but the essence of the technology is the same. I got into the habit of using SSL/TLS.
m_sahaf commented on Postman which I thought worked locally on my computer, is down   status.postman.com... · Posted by u/helloguillecl
pjmlp · 5 months ago
We went with a mix of curl, Invoke-WebRequest, favourite scripting language, HTTP files, IDE tooling, Insomnia, after Postman went cloud online and became a forbidden tool on our systems.

Also I am not counting that Insomnia won't follow in the same footsteps as Postman.

m_sahaf · 5 months ago
Allow me to introduce you to Hurl: https://hurl.dev/
m_sahaf commented on Next Steps for the Caddy Project Maintainership   caddy.community/t/next-st... · Posted by u/francislavoie
JimDabell · 5 months ago
> I can't change your belief, nor do I care to

You keep saying that, but you did change my belief! My opinion is not immutable, I listen to what people say, and that is the reason we have ended up here. Because I listened to you and you convinced me to change my mind about Caddy.

> Show me an actual security threat relating to this and I will address it. But this problem as stated is not one.

“This problem” that I’m concerned with is your attitude, not the FQDN bug, and I already gave the Signal example. When you start perceiving people reporting bugs as attacks and grudges, it makes it dangerously easy to dismiss real problems.

If that person found another problem with Caddy, I think they are less likely to report it to you because of this. If they did report it, I would think you are very likely to dismiss it because of who they are, not the contents of the bug report. This is a serious problem for my trust in Caddy.

m_sahaf · 5 months ago
> If that person found another problem with Caddy, I think they are less likely to report it to you because of this.

Given they're aware of previous discussion and the stance on the feature request, I don't think they're deterred by the discussion here. Your addition of fuel to the fire here is the very thing that's not helping.

> If they did report it, I would think you are very likely to dismiss it because of who they are, not the contents of the bug report.

That's a huge assumption on your behalf.

m_sahaf commented on Next Steps for the Caddy Project Maintainership   caddy.community/t/next-st... · Posted by u/francislavoie
JimDabell · 5 months ago
> a person expressing exasperation

They accused them of a grudge, an attack, slander, and shoving it in their face. For something as mild as this:

> There still remains this simple to reproduce bug where the page doesn't load if you use the full domain name of a site.

That’s a long way beyond exasperation, that’s a massive overreaction.

m_sahaf · 5 months ago
It's a repeat complaint from the same person who admits bringing it up before. The way they framed their complaint is, again, snide.

> That’s a long way beyond exasperation, that’s a massive overreaction.

Your reaction to Francis is _the_ overreaction. Francis simply said to OP to put their money where their mouth is. The "slander" comment comes later as a general statement on why this subject has become annoying.

Stop being hung up on Francis' response. The niche feature was discussed at length multiple times. You're welcome to search the web for all the conversations we had on the subject. Caddy has been around for 11 years. We've seen this subject more than you've seen it brought up. Again, OP referenced the discussion on the issue tracker in one of the earlier times they brought it up. They _admit_ it's niche. What's the point of continuously bringing it up?

m_sahaf commented on Next Steps for the Caddy Project Maintainership   caddy.community/t/next-st... · Posted by u/francislavoie
JimDabell · 5 months ago
> being asked to repeat ourselves again is insulting to us.

> we'd just like for it to stop being shoved in our face.

This is the comment you are referring to:

> There still remains this simple to reproduce bug where the page doesn't load if you use the full domain name of a site.

They aren’t asking you to repeat yourself. They aren’t shoving it in your face. This is an open discussion thread with many participants. They weren’t talking to you directly. This is information anybody here can find interesting and relevant. I did.

> I really don't think it's fair for you to make a judgement on me or the project from an interaction like this. At least judge the project on its technical merits.

How you are reacting to this is far more important to me than the original bug.

Remember when 37signals suffered data loss because they were using GET requests to delete things? When people pointed out they had a bug, they were offended and blamed GWA. What happened next? The same thing happened all over again, users suffered more data loss.

Or how about when Naomi Wu reported a problem with Signal, where the common use case of third-party keyboards for Chinese people was rendering all of their security worthless? They dismissed that as somebody with a grudge and ignored her for a year. What happened next? People found out that Chinese keyboards were compromised; she was 100% right, and Signal users were in danger.

I’ve seen what happens when people have this attitude towards inconvenient people reporting inconvenient bugs. It’s a danger to users, and you are making Caddy seem dangerous with this attitude. I was a happy user of Caddy right up until this thread, and even halfway down this thread – even after reading the mention of the bug – but your reaction has flipped that to the opposite because I can’t trust that there aren’t more bugs you are handling this way.

m_sahaf · 5 months ago
This is being blown out of proportion. You're discounting an entire project and your experience of the software over a person expressing exasperation over an inconsequential feature (not a bug) that even the author of curl had his run through and frustration. The request was not dismissed, rather it was discussed at length on our issue tracker. The OP knows it was discussed at length because they linked to the discussion thread in the earlier times they brought this up. Moreover, the way they presented it this time is snide, agree or not. To quote Matt's statement of the project being "stable and mature" just to say "except you didn't implement my niche feature" (yes, editorialized) is not criticism nor a feature request. It's veiled instigation hiding behind plausible deniability.

Anyways, on the feature request, Caddy is not the only software that disagrees with it being valid, and curl had their back-and-forth on it. There's no legitimate bug being dismissed, and you can go through the issue tracker to audit it. Equating this discussion with 37signals or Signal is false equivalence.

Disclaimer: Caddy maintainer

m_sahaf commented on Abogen – Generate audiobooks from EPUBs, PDFs and text   github.com/denizsafak/abo... · Posted by u/mzehrer
m_sahaf · 7 months ago
I imagine a pipeline between Calibre-Web[0] and audiobookshelf[1] going through Abogen, where Calibre-Web supplies the books, Abogen generates the audio version of it, and Audiobookshelf serves them. Great solution for the hearing impaired.

[0] https://github.com/janeczku/calibre-web

[1] https://github.com/advplyr/audiobookshelf

m_sahaf commented on Ask HN: What Are You Working On? (June 2025)    · Posted by u/david927
m_sahaf · 8 months ago
I'm not actively working on it daily, as I have a shortage of free time and helping hands, but the HTTP Spec Test Suite is my Moby-Dick. I wrote about it here: https://www.caffeinatedwonders.com/2024/12/18/towards-valida... I also discussed it on the HTTP WG mailing list and presented it at the HTTP WG Workshop last year.

Another Moby-Dick of mine is Kadessh, the SSH server plugin of Caddy, formerly known as caddy-ssh. This one is an itch. I wrote about it here https://www.caffeinatedwonders.com/2022/03/28/new-ssh-server..., and the repo is here: https://github.com/kadeessh/kadeessh. Similar to the other one, feedback and helping hands are sorely needed.

They are both sort of an obsession and itches of mine, but between day job and school, I barely have a chance to have the clear mind to give them the attention they require.

m_sahaf commented on "I vibe coded and shipped an app in three days. It got hacked. Twice."   threadreaderapp.com/threa... · Posted by u/jasoncartwright
SOLAR_FIELDS · 9 months ago
Honestly the problem is more that Supabase, in the interest of making it easier to onboard to their product, leaves several important Postgres security features in a suboptimal configuration by default in their product. In particular the settings around how auth and RLS are configured are not optimized for security, but rather to remove roadblocks that devs might encounter the first time they set up the project.

One particular example of this is that anonymous access, as hinted in the article, is turned on by default and it’s not straightforward to just disable it; it requires some in-depth knowledge around how the Postgres security model works to do it correctly.

m_sahaf · 9 months ago
That isn't a true representation of Supabase. Tables respect RLS by default, unless turned off. This is how Supabase works. Views are not, and that is due to multiple reasons which Supabase documents. Supabase also warns the user of this and asks them to configure RLS properly for views by first changing the invoker. They also report the same issue to the user on their Security Advisor. The fix is as easy as running the SQL statement in the SQL Editor. Supabase also offers "Autofix" next to the warning, which tells the user exactly how to modify the CREATE VIEW statement to enable RLS.

This is not a problem with Supabase.

m_sahaf commented on Ssl.com: DCV bypass and issue fake certificates for any MX hostname   bugzilla.mozilla.org/show... · Posted by u/xPaw
btown · a year ago
Public service announcement: CAA records exist and allow you to whitelist the CAs you trust to issue certificates for your domain.

https://letsencrypt.org/docs/caa/

You can use https://www.entrust.com/resources/tools/caa-lookup (or e.g. `dig caa paypal.com`) to see if any domain is protected.

https://isc.sans.edu/diary/26738 is a cautionary study from 2020 indicating only 3% of the Alexa top 1M had CAA records. And just now, I've seen numerous news and government sites that do not have CAA enabled... making them vulnerable to issuance bugs like this on CAs they may never have heard of, and thus making their readership/constituencies vulnerable to misinformation and fraud, especially in the context of a potential multifaceted attack against router infrastructure to perform MITM attacks at scale.

Of course, you'll want to make sure you don't accidentally disavow an important subdomain where an engineer used a different CA than your usual suspects. But looking at all historic issuers for your domain hierarchies on transparency logs using e.g. https://crt.sh/ might be a good place to start.

It's also good to monitor certificate transparency logs, but then the onus is on your security team to react if an incident occurs. Proactive controls are vital as well, and IMHO CAA avoids many of the downsides of pinning.

m_sahaf · a year ago
I always wonder who/what checks if CAs respect CAA. I know some browsers now check the certificate transparency log, but are there any that check the CAA record against the issuer of the certificate?
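The check btown's PSA relies on, and that m_sahaf asks about, is the one a CA must perform at issuance time under RFC 8659: climb from the requested name to its parents, take the first CAA RRset found, and compare the `issue`/`issuewild` issuer domain names against the CA's own identifier. The code below is an added example, not from the thread or any CA; it works over a constructed in-memory zone instead of real DNS lookups (and ignores CNAMEs), so it runs offline.

```python
"""Evaluate a domain's CAA policy the way a CA must before issuing (RFC 8659)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) = issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org; validationmethods=dns-01"


KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data (assumption, not real DNS): only example.com publishes CAA.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        CAARecord(0, "issuewild", ";"),            # no CA may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "unprotected.test": [],                        # the "no CAA at all" case
}


def relevant_caa_set(name, zone):
    """Climb from the FQDN towards the root; the first non-empty RRset wins."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":                           # "*.example.com" -> "example.com"
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domain(value):
    """Issuer domain name is the text before the first ';' (parameters follow it)."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(name, ca_identifier, zone=ZONE):
    """True if a CA identified by `ca_identifier` may issue for `name`."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True    # no CAA anywhere up the chain: any CA may issue
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False   # unrecognised critical property: CA must refuse
    tag = "issue"
    if name.startswith("*.") and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    relevant = [r for r in rrset if r.tag.lower() == tag]
    if not relevant:
        return True    # RRset carries only iodef etc.: no restriction for this name
    return ca_identifier.lower() in {issuer_domain(r.value) for r in relevant}
```

RFC 8659 also states that relying parties must not use CAA records during certificate validation, since the records can change after issuance; the after-the-fact verification m_sahaf asks about therefore lives with CT-log monitoring rather than the browser.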

u/m_sahaf · Karma 798 · Cake day September 25, 2015