Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.

It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.

For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug.

Cryptographic hash functions like SHA-1 are a cryptographer’s swiss army knife. You’ll find that hashes play a role in browser security, managing code repositories, or even just detecting duplicate files in storage. Hash functions compress large amounts of data into a small message digest. As a cryptographic requirement for wide-spread use, finding two messages that lead to the same digest should be computationally infeasible. Over time however, this requirement can fail due to attacks on the mathematical underpinnings of hash functions or to increases in computational power.

Today, more than 20 years after of SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. 

Egor Homakov 是一个Web安全的布道士，他前两天花了4个小时把github给黑了，并给github报了5个安全方面的bug，并因此挣了4000美金。我们可以通过他黑掉Github的过程学习一下Web安全开发。

This manual describes common security problems in web applications and how to avoid them with Rails.

After reading this guide, you will know:

• All countermeasures that are highlighted.
• The concept of sessions in Rails, what to put in there and popular attack methods.
• How just visiting a site can be a security problem (with CSRF).
• What you have to pay attention to when working with files or providing an administration interface.
• How to manage users: Logging in and out and attack methods on all layers.
• And the most popular injection attack methods.

Cron is the name of program that enables unix users to execute commands or scripts (groups of commands) automatically at a specified time/date. This file is an introduction to cron, it covers the basics of what cron does, and how to use it.

Postfix is a popular open-source Mail Transfer Agent (MTA) that can be used to route and deliver email on a Linux system. It is estimated that around 25% of public mail servers on the internet run Postfix. In this guide, we’ll teach you how to get up and running quickly with Postfix on an Ubuntu 16.04 server.

都说2015年是国内云计算元年，对我个人来说，2015年也是本人正式全面接触云服务的元年。本文仅从个人角度分析当前国内主流IaaS云的使用体验，主要从各云厂商提供的功能抽象，管理后台，付费机制等方面进行分析，不包括以下方面内容：

• 性能对比测试
• 故障率以及稳定性比较

It is very important for a developer to have a feeling about what the community of users, and the community of non users, think about the product he is developing. And my feeling is that there is no Redis feature that is as misunderstood as its persistence. 

In this blog post I’ll do an effort to be truly impartial: no advertising of Redis, no attempt to skip the details that may put Redis in a bad light. All I want is simply to provide a clear, understandable picture of how Redis persistence works, how much reliable is, and how it compares to other database systems.

BCrypt is not the best algorithm out there; however, it is sufficient for the large majority of use cases, and it is just as easy to implement, if not easier, than the basic hash-and-salt method. What sets BCrypt apart is that instead of the more typical SHA-* algorithm, it leverages the Blowfish algorithm, which has the advantage of being much slower in parallel. Since users log in one-at-a-time, this makes it much harder for attackers, who will test numerous passwords, to beat the algorithm.

科技公司为保系统安全出新招请来安全专家上演攻防大战双方对决，愈演愈烈安全专家如何变身“孙悟空”，攻破科技公司的防御系统