Cloudflare Leaks Sensitive User Data Across the Web

ShaunC writes: In a bug that's been christened "Cloudbleed," Cloudflare disclosed today that some of their products accidentally exposed private user information from a number of websites. Similar to 2014's Heartbleed, Cloudflare's problem involved a buffer overrun that allowed uninitialized memory contents to leak into normal web traffic. Tavis Ormandy, of Google's Project Zero, discovered the flaw last week. Affected sites include Uber, Fitbit, and OK Cupid, as well as unnamed services for hotel booking and password management. Cloudflare says the bug has been fixed, and Google has purged affected pages from its search index and cache. Further reading: The Register, Ars Technica

Re:Lovely

[Troed]

It's fine that you don't, but those of us who are aren't really worried. Client side encryption means not trusting the transport layer - even https.

No 1Password data is put at any risk through the bug reported about CloudFlare. 1Password does not depend on the secrecy of SSL/TLS for your security. The security of your 1Password data remains safe and solid.

https://blog.agilebits.com/201...

(I use LastPass myself)

The security I get from having unique 14+ char completely random passwords for _every_ site by far outweighs the slight possibility that access to both my encrypted binary as well as my master password slips out. The by far easiest attack vector for that would be hacking my systems, and if that happens any system I log on to can be snooped then and there as well.

Re:obligatory cutesy name

Um.. Considering the size and scope of Cloudflare, this pretty massive news.

And Cloudflare fixed it within 7 hours of learning about it. And the first thing Google did when discovering the bug was immediately reach out to Cloudflare. They went so far as to turning to Twitter to find the fastest possible route of alerting someone at Cloudflare.

But please continue to keep swearing about nothing.