Your ummm… Your clocks are not synchronized.
Lee@retrolemmy.com to Privacy@lemmy.ml • Am I wrong for blocking the Cloudflare domain because I assume they are gathering as much as google?
0 · 5 days ago
Please actually compare the certificate when connecting to your server directly (bypassing Cloudflare) and connecting via Cloudflare. An easy way to do this is with openssl CLI:
    openssl s_client -servername your-domain-here.org -connect your-ip-here:443 < /dev/null 2>/dev/null | openssl x509 -text -noout
Replace your-domain-here.org with your domain and your-ip-here with your actual server IP, but also do it with the Cloudflare IP.
The section about the “Full (strict)” / “Full” is referring to how Cloudflare verifies the certificate (or not in the case of Flexible and off) between your origin server and Cloudflare – this is not with respect to the client and Cloudflare. The Custom origin certificates are also with respect to Cloudflare and your server (has no impact on certificate used between the client and Cloudflare). Cloudflare still uses a separate certificate that they have issued to themselves and hold the private key to use for the client.
If you pay extra for their “Advanced Certificate Manager”, this allows you to upload a custom certificate to be used between the client and Cloudflare, but you have to provide the private key to Cloudflare because they still terminate SSL/TLS at their servers. Even their “Total TLS” service (part of ACM and the word “Total” could be mistaken to be “total” as in from client all the way to your origin server) does not provide E2EE.
I may be unaware of a newer service offering, but the only way that I’m aware of to get true E2EE is on their Enterprise plan (Keyless TLS). I have a lot of experience with Cloudflare for both personal and Enterprise plan (I was the technical person in charge of the account and configuring and such). Granted, I’ve not been dealing with CF enterprise for a few years now and they may have a new service offering outside of enterprise that I’m not familiar with, but my quick look around still looks like everything aside from Keyless TLS requires either giving them the key (in the case of ACM custom certificates) or they use their own certificate for client <-> Cloudflare. When I did manage the enterprise plan, we actually didn’t use Keyless TLS because we used features that required them to terminate TLS anyway, so I can’t speak to the specifics of it.
I hope I’m wrong though. I’d love to have true E2EE while still getting the DDoS protection on my personal stuff.
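The comparison suggested in the comment above can be scripted. This is an added example, not part of the original comment; the function names are hypothetical, and it compares the public key (SPKI hash) rather than the whole certificate so that a renewed certificate on the same key still counts as a match.

```bash
#!/usr/bin/env bash
# Added example: compare the certificate served on the direct path and on the
# proxied path for the same SNI name. Function names are hypothetical.

# fetch_cert NAME ADDRESS -> leaf certificate (PEM) presented for SNI NAME
fetch_cert() {
    openssl s_client -servername "$1" -connect "$2:443" < /dev/null 2>/dev/null |
        openssl x509 -outform PEM 2>/dev/null
}

# cert_summary FILE -> issuer, subject and SHA-256 fingerprint of a PEM cert
cert_summary() {
    openssl x509 -in "$1" -noout -issuer -subject -fingerprint -sha256
}

# spki_hash FILE -> SHA-256 of the certificate's public key; fails on a bad file
spki_hash() {
    local pem
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# same_key A B -> 0 if both certs carry the same public key, 1 if not, 2 on error
same_key() {
    local a b
    a=$(spki_hash "$1") && b=$(spki_hash "$2") || return 2
    [ "$a" = "$b" ]
}

# compare_paths DOMAIN ORIGIN_IP EDGE_IP
compare_paths() {
    local tmp rc; tmp=$(mktemp -d) || return 2
    fetch_cert "$1" "$2" > "$tmp/origin.pem"
    fetch_cert "$1" "$3" > "$tmp/edge.pem"
    cert_summary "$tmp/origin.pem"; cert_summary "$tmp/edge.pem"
    same_key "$tmp/origin.pem" "$tmp/edge.pem"; rc=$?
    case $rc in
        0) echo "same public key on both paths" ;;
        1) echo "different keys: the edge path is terminated with another key" ;;
        *) echo "could not read a certificate from one of the paths" ;;
    esac
    rm -rf "$tmp"; return $rc
}
```

A matching key does not by itself show that TLS reaches the origin untouched: as the comment points out, an uploaded custom certificate means the same key is also held at the edge.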
Lee@retrolemmy.com to Privacy@lemmy.ml • Am I wrong for blocking the Cloudflare domain because I assume they are gathering as much as google?
0 · 6 days ago
You should check the certificate shown to clients when accessing your domain. I think you’ll find that it is not the certificate that you created outside of Cloudflare. Cloudflare doesn’t need your private key as they issue a certificate for your domain to themselves and use that for the connection with the client. The certificate you created is used between Cloudflare and your server. The only option I’m aware of to route traffic through Cloudflare where they don’t terminate SSL is an enterprise-only feature.
Lee@retrolemmy.com to Linux Gaming@lemmy.world • SuperTux Smasher - An open source platform fighter project [looking for people]
0 · 8 days ago
I’m in very early stages of a similar project (platform fighter) and a similar issue (I can’t do everything and was having trouble finding reliable people). I don’t know if our project goals are similar enough to warrant working together, but I think it may be worth talking about a possible collaboration. Perhaps even just to make the game multi platform (I’m targeting a retro game console) given that we’ll both need a lot of the same things even if the code itself has a lot of differences. Art, sound, music, story/text, but even things like defining character lists, abilities, and game balance related things are important and duplicative.
By very early stages I mean I don’t have any game logic written yet. I’m targeting retro game console hardware and so far I’ve mostly been writing code (primarily C) to test my understanding of how the hardware functions/limitations (already found some bugs between emulator and real hardware that impacts some home brew games from other developers), and then writing functions that will become a game building library (I don’t know that it’s right to call it an “engine”). Granted, I’m making a lot of assumptions at this point about what I’ll need in terms of features, but also in terms of how much system resources are safe to allocate to different pieces, so when I get things a little more understood and have some core library functions I’m happy with, I’ll start writing game logic to see what more I need / what changes I need to make.
I’ve not worked on it for a few months as I’ve been busy with contract work that I was just informed this week is ending prematurely due to budgetary changes. As such, I expect to have time to pick it up again starting next week.
Lee@retrolemmy.com to Mildly Interesting@lemmy.world • I beat Morio and died at the same time, so its just the princess
0 · 9 days ago
I think that depends what you consider a bug. I think Mario not being present makes sense as he’s dead. The princess was saved even though Mario died, so I think it’s reasonable to say the win condition is met. What I think is definitely a bug is that you hear the death sound 2x when you do this (jump and hit the axe at the same time Bowser touches you).
Lee@retrolemmy.com to Selfhosted@lemmy.world • Spent money renewing support license for Blue Iris 6 for the builtin ai image recognition, but it's complete trash
0 · 14 days ago
I also like Frigate and it has some integrations with Home Assistant as well.
Alternatively may be worth trying Shinobi. I tried Shinobi a while ago. I liked how it worked, but had some random UI bugs in the release versions. At that time the UI was being rewritten and while some things were improved in the new (in development at the time) UI, I had other bugs in the new UI (again it was in active development and not considered stable when I used it) and switched to Frigate. This was years ago, but I think I’m going to give it another try as I generally liked the UI and features over Frigate, but Frigate has been reliable.
Lee@retrolemmy.com to Selfhosted@lemmy.world • Spent money renewing support license for Blue Iris 6 for the builtin ai image recognition, but it's complete trash
0 · 14 days ago
Blue Iris is for security cameras, so think near real time object detection of multiple video streams.
Lee@retrolemmy.com to Technology@lemmy.world • Your Duolingo Is Talking to ByteDance: Cracking the Pangle SDK's Encryption
3 · 18 days ago
It says it can’t be decrypted with passive means due to a proper ECDH key exchange, but if they are not doing any sort of verification that their server sent or created the key, then it would be possible to do an active attack like MITM that manipulates the key exchange. What I mean is, your MITM proxy would substitute the real key with one that you have the keypair to and hand that to the target application. The target application then encrypts using the key you provide, your MITM proxy decrypts and reencrypts with the real key and all seems legit from both sides.
If there is server validation of some sort, signature checks or whatever, then it would require extra work like patching out or otherwise modifying those checks in the application, extracting the key from the application’s memory, or something like this.
I guess my point is, if you’re motivated enough, you can make it happen.
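The verification the comment above refers to can be shown from the client's side with a pinned server key. This is an added example, not part of the original comment and not the SDK's code; it uses constructed X25519 keys through the openssl CLI, and the function names and the pinning scheme are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: an ECDH client with and without a check on the peer key.
# All keys are constructed locally; function names are hypothetical.

# gen_key PREFIX -> writes PREFIX.key (private) and PREFIX.pub (public)
gen_key() {
    openssl genpkey -algorithm X25519 -out "$1.key" 2>/dev/null &&
        openssl pkey -in "$1.key" -pubout -out "$1.pub"
}

# pub_hash PUBFILE -> SHA-256 over the DER-encoded public key (the pin value)
pub_hash() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# derive_secret MY_PRIVATE PEER_PUBLIC -> shared secret as hex
derive_secret() {
    openssl pkeyutl -derive -inkey "$1" -peerkey "$2" | od -An -tx1 | tr -d ' \n'
}

# client_handshake MY_PRIVATE OFFERED_PUBLIC [PIN]
# With an empty PIN the client derives a secret with whatever key it is handed.
# With a PIN it refuses any key whose hash differs from the pinned server key.
client_handshake() {
    local mine="$1" offered="$2" pin="${3:-}"
    if [ -n "$pin" ] && [ "$(pub_hash "$offered")" != "$pin" ]; then
        echo "rejected: offered key does not match the pinned server key" >&2
        return 1
    fi
    derive_secret "$mine" "$offered"
}

# demo -> runs the three cases on freshly generated (constructed) keys
demo() {
    local d pin; d=$(mktemp -d) || return 2
    gen_key "$d/client"; gen_key "$d/server"; gen_key "$d/other"
    pin=$(pub_hash "$d/server.pub")
    client_handshake "$d/client.key" "$d/other.pub" "" >/dev/null &&
        echo "no check, substituted key: accepted"
    client_handshake "$d/client.key" "$d/other.pub" "$pin" >/dev/null 2>&1 ||
        echo "pinned,   substituted key: rejected"
    client_handshake "$d/client.key" "$d/server.pub" "$pin" >/dev/null &&
        echo "pinned,   genuine key:     accepted"
    rm -rf "$d"
}
```

Call `demo` after sourcing the file to see the three outcomes.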
Lee@retrolemmy.com to No Stupid Questions@lemmy.world • What are the most confusing false friends from your language to another that are spelled exactly the same?
0 · 26 days ago
If I understand your question correctly, between English and Italian is “camera”. In Italian it means “room”, not a device for photographs.

While the POC requires su, the underlying flaw potentially works on any setuid binary on systems with AF_ALG enabled (provided there isn’t something else preventing it).