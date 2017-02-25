Ask Slashdot: How Are You Responding To Cloudbleed? (reuters.com) 59
An anonymous IT geek writes: Cloudflare-hosted web sites have been leaking data as far back as September, according to Gizmodo, which reports that at least Cloudflare "acted fast" when the leak was discovered, closing the hole within 44 minutes, and working with search engines to purge their caches. (Though apparently some of it is still lingering...) Cloudflare CEO Matthew Prince "claims that there was no detectable uptick in requests to Cloudflare-powered websites from September of last year...until today. That means the company is fairly confident hackers didn't discover the vulnerability before Google's researchers did."
And the company's CTO also told Reuters that "We've seen absolutely no evidence that this has been exploited. It's very unlikely that someone has got this information... We do not know of anybody who has had a security problem as a result of this." Nevertheless, Fortune warns that "So many sites were vulnerable that it doesn't make sense to review the list and change passwords on a case-by-case basis." Some sites are now even resetting every user's password as a precaution, while site operators "are also being advised to wipe their sites' cookies and security certificates, and perform their own web searches to see if site data leaked." But I'd like to know what security precautions are being taken by Slashdot's readers?
Leave your own answers in the comments. How did you respond to Cloudbleed?
I'm still not sure (Score:1, Informative)
I'm still not sure how this affects me
Here's a very short version:
Cloudflare provides proxying, caching, and DDoS protection (plus other things) for a huge number of websites. This means that instead of connecting directly to a website's servers, you're instead connecting to a Cloudflare server which inspects and routes the traffic to the real website.
A bug in Cloudflare's system would occasionally result in random memory contents from the Cloudflare server incorrectly getting sent back to clients in the HTTP response stream. This memory coul
A bad tradeoff: power over users vs some speedup (Score:2)
I wouldn't be worried about the caching from third parties picking up snapshots (ala Internet Archive's Wayback Machine) because I doubt there's any way one could make the organization delete their copies on the basis of a third-party bug (the web is global and no single legal regime covers it all), particularly when adversely affected users need only change their credentials to avoid inadvertent credential exposure.
As to allowing a few organizations act as gateways to the information on the web: that's a m
What sites use Cloudflare? (Score:3)
https://github.com/pirate/sites-using-cloudflare/blob/master/README.md
Millions of sites (Score:2)
That would be a very long list. I wouldn't be surprised if over half of major sites use Cloudflare, for some definition of "major sites".
Sites using Cloudflare: https://github.com/pirate/site... [github.com]
http://www.doesitusecloudflare.com/ [doesitusecloudflare.com]
2FA (Score:2)
Almost all major sites I use have both 2FA enabled plus login notifications enabled. *IF* someone attempted to access one of those accounts, even failed attempts, I would have instant notifications. None have appeared for this, or for pretty much all previous leaks for that matter... Guess I'm just "lucky"? Or maybe the hype was simply turned up to 11.
You're not "lucky" you're an extremely unusual person who doesn't visit any of the vast majority of sites on the internet that don't even have 2FA as an option, nor login notifications. Sure I use those when they're available... but they simply aren't in most places.
BTW... how's Slashdot's 2FA and login notifications working for you?
There is no luck required at all. If it is shit, or random, don't log in. If they ask you to, leave. There is an information glut, after all. Other content awaits.
I have moved practically everything of value to local servers and local storage.
That works well with floods, burglaries and fires.
Local storage! I live in a cloud, you insensitive clod!
I can offer you financing on your own cloud, if you'd like.
two solutions. (Score:2, Interesting)
1. realize that in this foul year of our lord 2017, any media coverage of a potential exploit that releases unanticipated or unauthorized amounts of data must now be called a 'bleed.' when the worlds first automated toilet gets hacked, rest assured, thats turd-bleed.
2. quit relying on cloudflare to shave a few cents off your infrastructure and learn how to competently host and deploy your own load balanced services that are resilient to DDoS. most hosting providers offer ddos protection anyhow, and th
.2 is bullshit.
How many people use Cloudflare and don't even know it?
And, by your logic, people should build their own OS from scratch, complete with ring zero hardened security and no telemetry that calls mommy
...
And, by your logic, people should build their own OS from scratch, complete with ring zero hardened security and no telemetry that calls mommy
...
Yes more people should build their own OS from scratch. Complete with features. And they should call somebody. Good idea.
2. This isn't the '90s anymore. CDNs are extremely common and cloudflare is one of the cheapest out there, especially for small sites. Most sites can't afford to deploy load balanced services and rely on others to do it for them. Cloudflare has been in the business for
realize that in this foul year of our lord 2017, any media coverage of a potential exploit that releases unanticipated or unauthorized amounts of data must now be called a 'bleed.'
It's either "gate" or "bleed", depending on what kind of people you want in your twitter mob.
Dudebro, this is 2017 and Japan is full of automatic toilets, and yes, they get hacked. No, nobody cares, except the person getting the wrong wash cycle.
Changed my password on TPB to be safe (Score:3)
Since ThePirateBay is using cloudfare, I felt it wise to change my password on it so my download record didn't get hacked. Don't need anyone to know about my fetish for midget unicorn porn.
So, no link?
We discussed this before, you selfish clod.
Don't need anyone to know about my fetish for midget unicorn porn.
Wait a minute. I thought "fetish" was bound to items of clothing or body parts. Are you... wearing midget unicorns? Is that a new thing? Someone should start a twitter of porn so we can keep up with trends.
Some responses (Score:2)
I avoid the cloud like the plague (Score:2)
Biggest MITM on the net (Score:2)
Perhaps this leak might be a sufficient wake up call to leave that ultimate MITM service. What you gain by using it is protection against troubles you wish you had. No, your crappy cooking wordpress won't be DDoSed. Yes, I can buy a bank-grade vault and hire guards to protect my whole life's savings of $197, but you'd think I'm crazy if I did, wouldn't you?
More importantly, if your site is dynamic enough, cloudflare has to ask the original http servers if the content has changed anyway, and the real http servers crazy from the load anyway. Cloudflare is not a panacea for fixing DDoS attacks.
Had another beer. (Score:2)
No problem.