So now your ISP sees all of your queries instead of CF. (Assuming the cloudflared option is using DoH)

I’ll trust Cloudflare over Comcast/AT&T/etc. any day of the week.

I found it amusing that these posts were adjacent.

I believe you. I’m just saying their non-firewalls (i.e., switches and APs) don’t have that limitation.

My firewall is a Fortigate 60F.

I would never use their firewalls/gateways, but their switches are pretty good for the price and their APs are decent (although tbh after 3 generations my next AP will likely be an enterprise Aruba).

That said, I still use Unifi in docker, everything is up to date, and nothing is requiring a sign-in to the cloud. Am I missing something? If it’s just the firewalls, then I’m not surprised since I’ve never been remotely tempted to use them, but it sure isn’t all of their devices.

Ctrl-', E

The definition I learned for web 2.0, as it was happening, was a shift from static web pages generated all at once on the server and delivered to the client whole, to using Ajax with in-browser Javascript dynamically changing already-delivered pages with back-end XML calls.

Look man, it’s okay to be wrong. It’s a natural part of growth.

But when you double down on your ignorance instead of taking the opportunity to open your mind and listen to the experts in the room, you just end up embarrassing yourself.

Try to be better.

We can restrict the use of software TOTP, which is what companies are doing when they move users onto the MS Authenticator app.

Admins can’t control the other TOTP apps like Google Authenticator or Authy unless they go full MDM. And I don’t think someone worried about installing the MS Authenticator app is going to be happy about enrolling their phone in Intune.

Edit: And even then, there is no way to control or force users to use a managed device for software TOTP.

This is incredibly well said and I agree 100%. I’ll just add that software TOTP is weaker than the MS Authenticator with number matching because the TOTP seed can still be intercepted and/or stolen by an attacker.

Ever notice that TOTP can be backed up and restored to a new device? If it can be transferred, then the device no longer counts for the “something you have” second factor in my threat model.

While I prefer pure phishing-resistant MFA methods (FIDO2, WHFB, or CBA), the support isn’t quite there yet for mobile devices (especially mobile browsers) so the MS Authenticator is the best alternative we have.

We’re not as stupid as they think we are.

Aren’t we though?

Oh yeah, I had forgotten that too. UAC with separate elevated tokens and Session 0 isolation didn’t even exist until Vista/2008.

Do you even know what an electrolyte is?!

And conversely, when we lose weight the vast majority is exhaled as CO2, not excreted as liquid or solid waste.

Google:

Except it’s not “them” that gets to decide, it’s the courts. And from what I’ve seen, TST is actually winning. So I wouldn’t call it a fallacy.

Don’t worry, the FBI confiscated all of their phones but they received other phones and SIMs without data.

I agree as long as the money is actually going toward building out the charging network and not just getting sucked up by corporations like the ISPs that were supposed to improve our network infrastructure.

Although it would be nice for them to let us know what is happening and when we can expect some real improvements. Maybe that info is out there, but I haven’t seen it and this biased reporter sure isn’t looking to do any real journalism.

In that case, if CF is taking to Traefik and not the actual origin server, you just need to forget about the origin certs altogether and use LE certs in Traefik.