David Osipov
LightNews LightNews
david-osipov.vision
David Osipov
@david-osipov.vision
2 followers 5 following 6 posts
AI & B2B SaaS Product Leader. Building secure enterprise software. Cybersecurity researcher, OpenStreetMap mapper & Wikipedian.
Posts Replies Media Videos
david-osipov.vision
So Cloudflare says they "fixed a vulnerability." Don't let the PR fool you. 🛡️❌

They still force settings that effectively say "Let anyone issue a pass for this site." The jabber.ru attack is still possible here.

notcve.org/view.php?id=...

#CyberSecurity #Cloudflare #Tech #WebDev
NotCVE-2026-0001 - Cloudflare Universal SSL CAA augmentation may enable unauthorized DV certificate issuance by weakening RFC 8657 account binding
notcve.org
January 22, 2026 at 10:50 AM
david-osipov.vision
I've analyzed a critical design flaw in Cloudflare's Universal SSL: it actively nullifies IETF standard RFC 8657.

By overriding user-defined accounturi parameters with permissive CAA records, Cloudflare re-opens the exact vulnerability exploited in the 2023 jabber.ru MitM attack. 🧵
A wounded knight in armor slumped in defeat, holding a large shield with the Cloudflare logo that has been pierced by a bullet hole.
January 6, 2026 at 6:07 PM
david-osipov.vision
I've tested your new model #GPT5 - it does a great job at uncovering vulnerabilities and patching them - good job, guys, from #openai
A screenshot of Visual Studio Code in dark mode showing a web development project. The file explorer on the left shows table-of-contents.js as modified. The central editor displays JavaScript code for a SecureDOMValidator class. A terminal below shows the npm run dev output. On the right, a GitHub Copilot Chat pane is open. It displays a detailed, AI-generated summary of recent code changes, likely for a commit message. The summary is titled "Implemented scroll-spy robustness and security refinements" and includes a bulleted list of "Changes made": Added broader safe ID pattern to allow GitHub-style generated slugs. Fixed a bug where no heading stayed active if all intersections temporarily dropped. Improved heading selection heuristic. Adjusted rootMargin and thresholds for more stable activation. Added defensive validation to ignore malformed IDs. Kept Security Constitution alignment.
August 8, 2025 at 10:13 AM