Slashdot Mirror


Cloudflare Leaks Sensitive User Data Across the Web (theregister.co.uk)

ShaunC writes: In a bug that's been christened "Cloudbleed," Cloudflare disclosed today that some of their products accidentally exposed private user information from a number of websites. Similar to 2014's Heartbleed, Cloudflare's problem involved a buffer overrun that allowed uninitialized memory contents to leak into normal web traffic. Tavis Ormandy, of Google's Project Zero, discovered the flaw last week. Affected sites include Uber, Fitbit, and OkCupid, as well as unnamed services for hotel booking and password management. Cloudflare says the bug has been fixed, and Google has purged affected pages from its search index and cache. Further reading: The Register, Ars Technica
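The bug class the summary describes, as an added illustration (a constructed example, not Cloudflare's code): a parser whose end-of-input test uses pointer equality can be stepped past the end of its buffer by a malformed input, after which it copies whatever sits in adjacent memory into the output that goes back to a client; the hardened variant tests `>=` so an overshoot still stops the loop. `ARENA`, `scan` and `demo` are assumed names, and the "adjacent memory" content is constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copies bytes up to the next '>' into out (at most out_cap-1). A backslash is
 * treated as a two-byte escape, so the scanner can advance by two at once. */
static size_t scan(const char *p, const char *end, char *out, size_t out_cap,
                   int hardened)
{
    size_t n = 0;
    for (;;) {
        /* Vulnerable check: if an escape stepped p past end, p == end is never
         * true and the scanner keeps reading into whatever follows the buffer. */
        if (hardened ? (p >= end) : (p == end))
            break;
        if (*p == '>')
            break;
        if (n + 1 < out_cap)
            out[n++] = *p;
        p += (*p == '\\') ? 2 : 1;   /* can jump from end-1 to end+1 */
    }
    out[n] = '\0';
    return n;
}

/* One memory region: the 9-byte request being parsed, immediately followed by
 * unrelated data (a constructed stand-in for another user's session). */
#define ARENA_LEN 64
static const char ARENA[ARENA_LEN] =
    "name=abc\\"            /* request ends with a stray backslash */
    "SECRET_TOKEN_123>";    /* adjacent memory: must never reach the output */

/* Runs the scanner over the request only; returns bytes copied into out. */
size_t demo(int hardened, char *out, size_t out_cap)
{
    const char *end = ARENA + 9;   /* request length as the parser sees it */
    return scan(ARENA, end, out, out_cap, hardened);
}

int main(void)
{
    char out[ARENA_LEN];
    demo(0, out, sizeof out);
    printf("vulnerable: \"%s\"\n", out);   /* leaks the adjacent token */
    demo(1, out, sizeof out);
    printf("hardened:   \"%s\"\n", out);   /* stops at the request boundary */
    return 0;
}
```

The overread here stays inside `ARENA` so the demo is deterministic; in a real process the bytes past `end` are whatever the allocator placed there, which is exactly why a leak of this kind exposes other users' traffic.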

4 of 87 comments

  1. Re:Lovely by fuzzyf · Score: 3, Interesting

    As long as passwords are encrypted and decrypted on the client it's not really that much of a risk.

    I think the benefit of having different complex passwords for every web/system with easy access from all devices is worth it. At least I haven't managed to set up a better system for myself... yet.

    MFA and a strong master password is pretty good for protecting your passwords.

  2. Re:Lovely by Troed · Score: 4, Interesting

    It's fine that you don't, but those of us who are aren't really worried. Client side encryption means not trusting the transport layer - even https.

    No 1Password data is put at any risk through the bug reported about CloudFlare. 1Password does not depend on the secrecy of SSL/TLS for your security. The security of your 1Password data remains safe and solid.

    https://blog.agilebits.com/201...

    (I use LastPass myself)

    The security I get from having unique 14+ char completely random passwords for _every_ site by far outweighs the slight possibility that access to both my encrypted binary as well as my master password slips out. The by far easiest attack vector for that would be hacking my systems, and if that happens any system I log on to can be snooped then and there as well.

  3. just STOP using C already! by Anonymous Coward · Score: 0, Interesting

    In 2017 with so many better languages available what kind of gross incompetence does it take to still be programming in C? The sheer number of buffer overrun vulnerabilities in everything we've seen over the decades is a fucking disaster.

    This is the point where C programmers say, "but I can do it right!" No.. you CANNOT. History has made that crystal fucking clear. Even people much smarter than you keep fucking it up.

    Stop using languages that make buffer overruns so fucking easy. At the very least use a managed language. Anything else is simple negligence and we need to start holding programmers legally liable for the damage they do through simple incompetence of using bad tools. We would never accept a world where airplanes fell out of the sky because aero engineers used piss poor tools to design the wing spars when better ones were available for decades.

    I know that might mean you have to get dragged out of the 1970's.

  4. Re:obligatory cutesy name by DonaId+Trump · Score: 3, Interesting

    Yep, CloudFlare is spraying supposedly TLS-encrypted data all over the internet in clear text?! What the fuck!? I almost want to laugh at CloudFlare's misfortune, except every internet user including me is probably affected by this. What the hell is the point of HTTPS at all, when so much HTTPS traffic is being purposely MITM'd for profit by CloudFlare? A very large part of the web is living under their leaky roof, meantime many in the professional networking community encourage this and help implement it. Again I ask what the fuck!? The whole company smells more like a CIA operation as time goes on.

    CLOUDFLARE IS UNDERMINING THE INTERNET, not to mention proudly serving ISIS terrorist websites, malware distributors, and DDoSers/Booters. They should be null routed and de-peered!