Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security The Internet IT

Ask Slashdot: How Are You Responding To Cloudbleed? (reuters.com) 82

An anonymous IT geek writes: Cloudflare-hosted web sites have been leaking data as far back as September, according to Gizmodo, which reports that at least Cloudflare "acted fast" when the leak was discovered, closing the hole within 44 minutes, and working with search engines to purge their caches. (Though apparently some of it is still lingering...) Cloudflare CEO Matthew Prince "claims that there was no detectable uptick in requests to Cloudflare-powered websites from September of last year...until today. That means the company is fairly confident hackers didn't discover the vulnerability before Google's researchers did."

And the company's CTO also told Reuters that "We've seen absolutely no evidence that this has been exploited. It's very unlikely that someone has got this information... We do not know of anybody who has had a security problem as a result of this." Nevertheless, Fortune warns that "So many sites were vulnerable that it doesn't make sense to review the list and change passwords on a case-by-case basis." Some sites are now even resetting every user's password as a precaution, while site operators "are also being advised to wipe their sites' cookies and security certificates, and perform their own web searches to see if site data leaked." But I'd like to know what security precautions are being taken by Slashdot's readers?

Leave your own answers in the comments. How did you respond to Cloudbleed?
This discussion has been archived. No new comments can be posted.

Ask Slashdot: How Are You Responding To Cloudbleed?

Comments Filter:
  • by Anonymous Coward
    I'm still not sure how this affects me
    • by nmb3000 ( 741169 ) <nmb3000@that-google-mail-site.com> on Sunday February 26, 2017 @12:26AM (#53932211) Journal

      I'm still not sure how this affects me

      Here's a very short version:

      Cloudflare provides proxying, caching, and DDoS protection (plus other things) for a huge number of websites. This means that instead of connecting directly to a website's servers, you're instead connecting to a Cloudflare server which inspects and routes the traffic to the real website.

      A bug in Cloudflare's system would occasionally result in random memory contents from the Cloudflare server incorrectly getting sent back to clients in the HTTP response stream. This memory could contain anything -- random parts of a webpage, a picture, or a username and password that was recently passed through the system.

      Since these memory dumps can be (and were) captured by caching systems such as Google's cached pages, Internet Archive, etc, it's not enough that Cloudflare fix the bug -- all the cached pages must also be deleted or somehow cleared of any memory dump contents. Until this happens (and frankly, it's likely an impossible goal given the size and scope), there is the potential that your username and password for some website could be saved out in a cached copy of a Cloudflare site, there just waiting for someone to find it. Attackers can, and are, scanning all of this cached data looking for such valuable leaked memory contents.

      Overall it's a major bug and huge error on Cloudflare's part, but the likelihood of it impacting you seems astronomically small.

      What it does do, however, is raise questions about whether or not we should have a single company acting as a back-end gatekeeper to vast swaths of the web. It also raises the question of the responsibility of sites like the Internet Archive. Should they be required to mass-delete archived sites going back years due to this bug? There is no way to recover those past cached sites. Finally, who is responsible if this breach does get exploited? Is it Cloudflare, or the website that chose to use them?

      I've never been a fan of Cloudflare from a privacy and security standpoint, and this failure on their part more or less cemented my opinion.

      • I wouldn't be worried about the caching from third parties picking up snapshots (ala Internet Archive's Wayback Machine) because I doubt there's any way one could make the organization delete their copies on the basis of a third-party bug (the web is global and no single legal regime covers it all), particularly when adversely affected users need only change their credentials to avoid inadvertent credential exposure.

        As to allowing a few organizations act as gateways to the information on the web: that's a m

  • by Streetlight ( 1102081 ) on Saturday February 25, 2017 @08:48PM (#53931389) Journal
    Techdirt asked me to change my password. What I want to know is what sites I might use use Cloudflare as I havn't seen such a list. They seem to keeping that list close to their vest.
    • Re: (Score:2, Informative)

      by Anonymous Coward


    • That would be a very long list. I wouldn't be surprised if over half of major sites use Cloudflare, for some definition of "major sites".

    • by anadem ( 143644 )

      Sites using Cloudflare: https://github.com/pirate/site... [github.com]

    • Others have already posted a link to the full list (22 MB text file - whee). Someone else has set up a website to let you search that list from your browser (only one site at a time) which may be a bit more manageable if you don't visit many sites which require logins.

      http://www.doesitusecloudflare.com/ [doesitusecloudflare.com]
    • Thanks, guys! Others might have been interested, too. 22 MByte file - yikes!
    • by Zocalo ( 252965 )
      I grabbed the 22MB zip file of domains on Cloudflare from this page [github.com], which supposedly contains a superset of the sites that *might* have been infected by CloudBleed - e.g. not all the sites included have a problem, but all those that did are in the list. I then dumped a list of all the domain names in my Password Manager to a second text file and used "egrep -f" to see which domains were in both files. That turned out to be a pretty short list considering the supposed reach of CloudFlare, so I then worked
  • by darkain ( 749283 )

    Almost all major sites I use have both 2FA enabled plus login notifications enabled. *IF* someone attempted to access one of those accounts, even failed attempts, I would have instant notifications. None have appeared for this, or for pretty much all previous leaks for that matter... Guess I'm just "lucky"? Or maybe the hype was simply turned up to 11.

    • by green1 ( 322787 )

      You're not "lucky" you're an extremely unusual person who doesn't visit any of the vast majority of sites on the internet that don't even have 2FA as an option, nor login notifications. Sure I use those when they're available... but they simply aren't in most places.

      BTW... how's Slashdot's 2FA and login notifications working for you?

      • There is no luck required at all. If it is shit, or random, don't log in. If they ask you to, leave. There is an information glut, after all. Other content awaits.

        • by green1 ( 322787 )

          And yet here you are logged in to Slashdot. Which has no 2FA, nor sign in notifications.

          • There is no luck in that either.

            • by green1 ( 322787 )

              No, but the OP said that all the sites they visit use 2FA and sign in notifications. Yet they are on Slashdot which does neither. Then they said they have "luck".

              I positt that they are being dishonest with themselves in believing that they only use sites with 2FA.

              • No, it was actually "almost all," so they could still use slashdot without any contradiction. Also, it was "almost all major sites." Slashdot isn't as relevant as it used to be.

                • by green1 ( 322787 )

                  And I still maintain that either they are lying, or they are an edge case, as the vast majority of sites on the internet do not support these technologies, and therefore the vast majority of people can not protect themselves by using them.

  • two solutions. (Score:2, Interesting)

    by nimbius ( 983462 )

    1. realize that in this foul year of our lord 2017, any media coverage of a potential exploit that releases unanticipated or unauthorized amounts of data must now be called a 'bleed.' when the worlds first automated toilet gets hacked, rest assured, thats turd-bleed.

    2. quit relying on cloudflare to shave a few cents off your infrastructure and learn how to competently host and deploy your own load balanced services that are resilient to DDoS. most hosting providers offer ddos protection anyhow, and th

    • .2 is bullshit.

      How many people use Cloudflare and don't even know it?

      And, by your logic, people should build their own OS from scratch, complete with ring zero hardened security and no telemetry that calls mommy ...

      • And, by your logic, people should build their own OS from scratch, complete with ring zero hardened security and no telemetry that calls mommy ...

        Yes more people should build their own OS from scratch. Complete with features. And they should call somebody. Good idea.

    • by Ksevio ( 865461 )
      1. The "bleed" come from it bleeding data that was in memory - I don't recall any other exploits that release data in other ways being called that. It was also first jokingly called cloudbleed by the security researcher (not the media).

      2. This isn't the '90s anymore. CDNs are extremely common and cloudflare is one of the cheapest out there, especially for small sites. Most sites can't afford to deploy load balanced services and rely on others to do it for them. Cloudflare has been in the business for
    • by lucm ( 889690 )

      realize that in this foul year of our lord 2017, any media coverage of a potential exploit that releases unanticipated or unauthorized amounts of data must now be called a 'bleed.'

      It's either "gate" or "bleed", depending on what kind of people you want in your twitter mob.

    • Dudebro, this is 2017 and Japan is full of automatic toilets, and yes, they get hacked. No, nobody cares, except the person getting the wrong wash cycle.

    • 1.It would have the potential to make a funny comic sketch though. A person goes to an automated toilet and gets sprayed by faeces on his white shirt.. He now has to get back to an important meeting.
  • by Anonymous Coward

    People who seem to address this more on a factual level than reporting it in a hysterical way don't seem to be concerned. Tech news these days is rather boring and any type of hint at a security problem gets many tech journalists in a lather. I have little concern giving the open disclosure and quick remedy of this. Last year I have worked to limit myself significantly in web exposure. Start talking cloud and your gonna get a storm eventually.

  • by Nyder ( 754090 ) on Saturday February 25, 2017 @09:26PM (#53931565) Journal

    Since ThePirateBay is using cloudfare, I felt it wise to change my password on it so my download record didn't get hacked. Don't need anyone to know about my fetish for midget unicorn porn.

  • I have three responses from sites that use Cloudflare. Essentially, their boiled down response is "We don't use those features that were affected. Cloudflare told us we weren't affected." One art site, Weasyl, just forced everyone to log off just to be safe.
  • So it affects me exactly 0%. FWIW I avoid the could because of these issues.
    • What does this have to do with the cloud? Cloudflare is a reverse proxy and a CDN. Last time i checked /. runs on a cloud, because I'm sure as fuck it is not running on that old iron under some advertising agency desk like when it started.
  • Perhaps this leak might be a sufficient wake up call to leave that ultimate MITM service. What you gain by using it is protection against troubles you wish you had. No, your crappy cooking wordpress won't be DDoSed. Yes, I can buy a bank-grade vault and hire guards to protect my whole life's savings of $197, but you'd think I'm crazy if I did, wouldn't you?

    • More importantly, if your site is dynamic enough, cloudflare has to ask the original http servers if the content has changed anyway, and the real http servers crazy from the load anyway. Cloudflare is not a panacea for fixing DDoS attacks.

  • I changed my passwords on the affected sites, based on the list of Cloudflare-using sites that's been publicized. All of my passwords are randomly-generated strings, so even if one site was completely compromised, all of my other accounts would be fine.

    Since I don't personally transmit any sensitive data through the affected sites, I'm reasonably sure that is all I have to bother about Cloudbleed. The situation is a lot worse for people running bitcoin etc. transactions through affected sites.

  • I just used a cloudbandage for my cloudbleed.

Man is an animal that makes bargains: no other animal does this-- no dog exchanges bones with another. -- Adam Smith