Ask Slashdot: How Are You Responding To Cloudbleed? (reuters.com) 82
An anonymous IT geek writes:
Cloudflare-hosted web sites have been leaking data as far back as September, according to Gizmodo, which reports that at least Cloudflare "acted fast" when the leak was discovered, closing the hole within 44 minutes, and working with search engines to purge their caches. (Though apparently some of it is still lingering...) Cloudflare CEO Matthew Prince "claims that there was no detectable uptick in requests to Cloudflare-powered websites from September of last year...until today. That means the company is fairly confident hackers didn't discover the vulnerability before Google's researchers did."
And the company's CTO also told Reuters that "We've seen absolutely no evidence that this has been exploited. It's very unlikely that someone has got this information... We do not know of anybody who has had a security problem as a result of this." Nevertheless, Fortune warns that "So many sites were vulnerable that it doesn't make sense to review the list and change passwords on a case-by-case basis." Some sites are now even resetting every user's password as a precaution, while site operators "are also being advised to wipe their sites' cookies and security certificates, and perform their own web searches to see if site data leaked." But I'd like to know what security precautions are being taken by Slashdot's readers?
Leave your own answers in the comments. How did you respond to Cloudbleed?
And the company's CTO also told Reuters that "We've seen absolutely no evidence that this has been exploited. It's very unlikely that someone has got this information... We do not know of anybody who has had a security problem as a result of this." Nevertheless, Fortune warns that "So many sites were vulnerable that it doesn't make sense to review the list and change passwords on a case-by-case basis." Some sites are now even resetting every user's password as a precaution, while site operators "are also being advised to wipe their sites' cookies and security certificates, and perform their own web searches to see if site data leaked." But I'd like to know what security precautions are being taken by Slashdot's readers?
Leave your own answers in the comments. How did you respond to Cloudbleed?
I'm still not sure (Score:2, Informative)
Re:I'm still not sure (Score:5, Informative)
I'm still not sure how this affects me
Here's a very short version:
Cloudflare provides proxying, caching, and DDoS protection (plus other things) for a huge number of websites. This means that instead of connecting directly to a website's servers, you're instead connecting to a Cloudflare server which inspects and routes the traffic to the real website.
A bug in Cloudflare's system would occasionally result in random memory contents from the Cloudflare server incorrectly getting sent back to clients in the HTTP response stream. This memory could contain anything -- random parts of a webpage, a picture, or a username and password that was recently passed through the system.
Since these memory dumps can be (and were) captured by caching systems such as Google's cached pages, Internet Archive, etc, it's not enough that Cloudflare fix the bug -- all the cached pages must also be deleted or somehow cleared of any memory dump contents. Until this happens (and frankly, it's likely an impossible goal given the size and scope), there is the potential that your username and password for some website could be saved out in a cached copy of a Cloudflare site, there just waiting for someone to find it. Attackers can, and are, scanning all of this cached data looking for such valuable leaked memory contents.
Overall it's a major bug and huge error on Cloudflare's part, but the likelihood of it impacting you seems astronomically small.
What it does do, however, is raise questions about whether or not we should have a single company acting as a back-end gatekeeper to vast swaths of the web. It also raises the question of the responsibility of sites like the Internet Archive. Should they be required to mass-delete archived sites going back years due to this bug? There is no way to recover those past cached sites. Finally, who is responsible if this breach does get exploited? Is it Cloudflare, or the website that chose to use them?
I've never been a fan of Cloudflare from a privacy and security standpoint, and this failure on their part more or less cemented my opinion.
A bad tradeoff: power over users vs some speedup (Score:2)
I wouldn't be worried about the caching from third parties picking up snapshots (ala Internet Archive's Wayback Machine) because I doubt there's any way one could make the organization delete their copies on the basis of a third-party bug (the web is global and no single legal regime covers it all), particularly when adversely affected users need only change their credentials to avoid inadvertent credential exposure.
As to allowing a few organizations act as gateways to the information on the web: that's a m
What sites use Cloudflare? (Score:3)
Re: (Score:2, Informative)
https://github.com/pirate/sites-using-cloudflare/blob/master/README.md
Millions of sites (Score:2)
That would be a very long list. I wouldn't be surprised if over half of major sites use Cloudflare, for some definition of "major sites".
Re: (Score:1)
Sites using Cloudflare: https://github.com/pirate/site... [github.com]
Re: (Score:2)
http://www.doesitusecloudflare.com/ [doesitusecloudflare.com]
Re: (Score:2)
Re: (Score:2)
2FA (Score:2)
Almost all major sites I use have both 2FA enabled plus login notifications enabled. *IF* someone attempted to access one of those accounts, even failed attempts, I would have instant notifications. None have appeared for this, or for pretty much all previous leaks for that matter... Guess I'm just "lucky"? Or maybe the hype was simply turned up to 11.
Re: (Score:2)
You're not "lucky" you're an extremely unusual person who doesn't visit any of the vast majority of sites on the internet that don't even have 2FA as an option, nor login notifications. Sure I use those when they're available... but they simply aren't in most places.
BTW... how's Slashdot's 2FA and login notifications working for you?
Re: (Score:2)
There is no luck required at all. If it is shit, or random, don't log in. If they ask you to, leave. There is an information glut, after all. Other content awaits.
Re: (Score:2)
And yet here you are logged in to Slashdot. Which has no 2FA, nor sign in notifications.
Re: (Score:2)
There is no luck in that either.
Re: (Score:2)
No, but the OP said that all the sites they visit use 2FA and sign in notifications. Yet they are on Slashdot which does neither. Then they said they have "luck".
I positt that they are being dishonest with themselves in believing that they only use sites with 2FA.
Re: (Score:2)
No, it was actually "almost all," so they could still use slashdot without any contradiction. Also, it was "almost all major sites." Slashdot isn't as relevant as it used to be.
Re: (Score:2)
And I still maintain that either they are lying, or they are an edge case, as the vast majority of sites on the internet do not support these technologies, and therefore the vast majority of people can not protect themselves by using them.
Re: (Score:2)
I have moved practically everything of value to local servers and local storage.
That works well with floods, burglaries and fires.
Re: (Score:2)
Local storage! I live in a cloud, you insensitive clod!
Re: (Score:2)
I can offer you financing on your own cloud, if you'd like.
Re: (Score:2, Interesting)
Re: (Score:3)
.2 is bullshit.
How many people use Cloudflare and don't even know it?
And, by your logic, people should build their own OS from scratch, complete with ring zero hardened security and no telemetry that calls mommy ...
Re: (Score:2)
And, by your logic, people should build their own OS from scratch, complete with ring zero hardened security and no telemetry that calls mommy ...
Yes more people should build their own OS from scratch. Complete with features. And they should call somebody. Good idea.
Re: (Score:2)
And they should call somebody.
Ghost Busters?
Re: (Score:3)
2. This isn't the '90s anymore. CDNs are extremely common and cloudflare is one of the cheapest out there, especially for small sites. Most sites can't afford to deploy load balanced services and rely on others to do it for them. Cloudflare has been in the business for
Re: (Score:2)
realize that in this foul year of our lord 2017, any media coverage of a potential exploit that releases unanticipated or unauthorized amounts of data must now be called a 'bleed.'
It's either "gate" or "bleed", depending on what kind of people you want in your twitter mob.
Re: (Score:2)
Dudebro, this is 2017 and Japan is full of automatic toilets, and yes, they get hacked. No, nobody cares, except the person getting the wrong wash cycle.
Re: (Score:1)
It's over hyped (Score:1)
People who seem to address this more on a factual level than reporting it in a hysterical way don't seem to be concerned. Tech news these days is rather boring and any type of hint at a security problem gets many tech journalists in a lather. I have little concern giving the open disclosure and quick remedy of this. Last year I have worked to limit myself significantly in web exposure. Start talking cloud and your gonna get a storm eventually.
Changed my password on TPB to be safe (Score:4, Funny)
Since ThePirateBay is using cloudfare, I felt it wise to change my password on it so my download record didn't get hacked. Don't need anyone to know about my fetish for midget unicorn porn.
Re:Changed my password on TPB to be safe (Score:5, Funny)
So, no link?
We discussed this before, you selfish clod.
Re: Changed my password on TPB to be safe (Score:1)
Perhaps his wrist & forearms are already sore from exercise.
I love word play (Score:2)
Perhaps his wrist & forearms are already sore from exercise.
*slow clap* Well played. It would have worked with the double play on "exercise", but that was icing on the cake.
Re: (Score:2)
This is one case where he's probably a "sensitive clod".
Re: (Score:1)
Don't need anyone to know about my fetish for midget unicorn porn.
Wait a minute. I thought "fetish" was bound to items of clothing or body parts. Are you... wearing midget unicorns? Is that a new thing? Someone should start a twitter of porn so we can keep up with trends.
Re: (Score:2)
We now know about your fetish for midget unicorn porn, Nyder. ;)
Some responses (Score:2)
Re: (Score:2)
I avoid the cloud like the plague (Score:1)
Re: (Score:2)
Biggest MITM on the net (Score:2)
Perhaps this leak might be a sufficient wake up call to leave that ultimate MITM service. What you gain by using it is protection against troubles you wish you had. No, your crappy cooking wordpress won't be DDoSed. Yes, I can buy a bank-grade vault and hire guards to protect my whole life's savings of $197, but you'd think I'm crazy if I did, wouldn't you?
Re: Biggest MITM on the net (Score:2)
More importantly, if your site is dynamic enough, cloudflare has to ask the original http servers if the content has changed anyway, and the real http servers crazy from the load anyway. Cloudflare is not a panacea for fixing DDoS attacks.
Re: (Score:2)
Had another beer. (Score:2)
No problem.
Changed passwords (Score:2)
I changed my passwords on the affected sites, based on the list of Cloudflare-using sites that's been publicized. All of my passwords are randomly-generated strings, so even if one site was completely compromised, all of my other accounts would be fine.
Since I don't personally transmit any sensitive data through the affected sites, I'm reasonably sure that is all I have to bother about Cloudbleed. The situation is a lot worse for people running bitcoin etc. transactions through affected sites.
Easy Peasy (Score:2)
I just used a cloudbandage for my cloudbleed.