Jonathan Foote
Senior Principal Engineer, Fastly
Jonathan Foote leads bot management & anti-fraud security product engineering at Fastly.
Examining Chrome's TLS ClientHello Permutation | Fastly
Jonathan Foote, Arun Kumar, + 2 more
On January 20th, Chrome shipped an update that changed the profile of one of the most popular TLS client fingerprinting algorithms, JA3. In this short blog post we’ll describe the change and our observations across Fastly's network.
Private Access Tokens: A CAPTCHA-less future | Fastly
Jana Iyengar, Jonathan Foote
At its core, Private Access Tokens present a privacy-respecting, anti-fraud and authorization framework. This blog post provides an overview of what it does and how developers can try it out with Fastly and Apple today.
Trustworthy internet created by new tech standards | Fastly
Jonathan Foote
The Coalition for Content Provenance and Authenticity (C2PA) develops technology to combat disinformation. Recently, the group released a public draft specification designed to make it easier to trace both the origin and evolution of the media we all create and consume. In this blog post, we cover the problem, the role of C2PA tech, and how you can get involved.
Hijacking the control flow of a WebAssembly program
Jonathan Foote
While WebAssembly has already proven a fertile attack surface for the browser, as more web application code moves to WebAssembly from JavaScript there will be a need to research and secure WebAssembly programs themselves. The WebAssembly design obviates common classes of attacks that might be inherited from development languages like C and C++, but there is still some room for exploitation. This tutorial will cover the control flow protection guarantees provided by WebAssembly, known weaknesses, and how to use clang control flow integrity (CFI) in WebAssembly programs to mitigate some risks around control flow hijacks.
How to bootstrap self-service continuous fuzzing
Jonathan Foote
OSS-Fuzz is an innovative project that is both advancing the state of the art in OSS security engineering and immediately improving the overall quality of the software that serves the internet. In this blog post, I’ll describe how to use the open source components of google/oss-fuzz to bootstrap self-service continuous fuzzing for both private and public software using h2o, Fastly’s HTTP/2 proxy, as a running example.
How to fuzz a server with American Fuzzy Lop
Jonathan Foote
In this blog post, I'll describe how to use AFL's experimental persistent mode to blow the doors off of a server without having to make major modifications to the server's codebase. I've used this technique at Fastly to expand testing in some of the servers that we rely on and others that we are experimenting with.