The Phusion Passenger Worldwide Death Incident

Since I wrote this in Japanese at the time, I can't be bothered to translate it for now.

For more details: https://github.com/phusion/passenger/issues/2089

 

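I have pinned down the rough cause:

Passenger's SecurityUpdateCheck was introduced in 5.1; when a version containing a critical fix is released, it pushes a notification.

There used to be a bug in it: if the response exceeded 500 B, Passenger would crash. This was fixed in 5.1.5.

Version 5.3.2, released 23 hours ago, is exactly such a version with a critical fix, so the update info was sent out; I think the packet was large, and every Passenger < 5.1.5 worldwide died.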

Not again, Namecheap

Never thought that I would have to criticize Namecheap again, after I left their services.

Let me explain: I bought myself a new domain this month, and found out through crt.sh that there is a 3-year SSL certificate valid for my domain. Naturally I contacted Comodo SSL Abuse Dept. and got redirected to the reseller – Namecheap. After I reached out to Namecheap, they insisted that as long as I issued a new certificate, the valid certificate that the former domain owner had would have no power whatsoever (which is not true); even after ticket escalation, they’re just reassuring me that MITM somehow will not exist as long as I set up a new SSL cert and “there is no need to worry about the security of your website and the information transmitted via Internet”.

So, according to Namecheap’s statement, the WoSign accident is just a fraud and people who obtained github.com’s certificate will do absolutely no harm to GitHub. Good to know.

A public discussion is under way: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/4R1parm1XCc
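The crt.sh check described in this post can be scripted. The following is an added example, not code from the original post: it filters records shaped like crt.sh's JSON output for certificates issued before a domain changed hands that are still inside their validity period. The function name, domain, issuer, serial numbers and dates are all constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output (?output=json).
# Domain, issuer, serials and dates are made up; nothing here is real data.
SAMPLE_CRTSH_JSON = """[
 {"id": 1001, "issuer_name": "C=XX, O=Example CA", "serial_number": "0a1b",
  "name_value": "example.test\\nwww.example.test",
  "not_before": "2016-03-01T00:00:00", "not_after": "2019-03-01T23:59:59"},
 {"id": 1002, "issuer_name": "C=XX, O=Example CA", "serial_number": "0A1B",
  "name_value": "example.test\\nwww.example.test",
  "not_before": "2016-03-01T00:00:00", "not_after": "2019-03-01T23:59:59"},
 {"id": 1003, "issuer_name": "C=XX, O=Example CA", "serial_number": "0c2d",
  "name_value": "example.test",
  "not_before": "2015-01-01T00:00:00", "not_after": "2016-01-01T23:59:59"},
 {"id": 1004, "issuer_name": "C=XX, O=Other CA", "serial_number": "0e3f",
  "name_value": "example.test",
  "not_before": "2018-06-10T00:00:00", "not_after": "2018-09-08T23:59:59"}
]"""

def parse_ts(value):
    # Timestamps look like 2016-03-01T00:00:00; ignore any fractional part.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")

def inherited_certificates(crtsh_json, acquired_on, now):
    """Return still-valid certificates issued before the domain was acquired."""
    seen, findings = set(), []
    for entry in json.loads(crtsh_json):
        # A precertificate and its final certificate are logged separately
        # but share issuer and serial, so count them once.
        key = (entry["issuer_name"], entry["serial_number"].lower())
        if key in seen:
            continue
        seen.add(key)
        not_before = parse_ts(entry["not_before"])
        not_after = parse_ts(entry["not_after"])
        if not_before < acquired_on and not_after > now:
            findings.append({
                "issuer": entry["issuer_name"],
                "serial": key[1],
                "names": sorted(set(entry["name_value"].split("\n"))),
                "days_left": (not_after - now).days,
            })
    return sorted(findings, key=lambda f: f["days_left"], reverse=True)

if __name__ == "__main__":
    # Hypothetical acquisition date and "today".
    for cert in inherited_certificates(SAMPLE_CRTSH_JSON,
                                       datetime(2018, 6, 1), datetime(2018, 6, 20)):
        print(cert)
```

Each finding carries the issuer and serial number, which are the details needed to identify the certificate in a revocation request to the issuing CA.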