Ask Slashdot: How Are You Responding To Cloudbleed? (reuters.com)
An anonymous IT geek writes:
Cloudflare-hosted web sites have been leaking data as far back as September, according to Gizmodo, which reports that at least Cloudflare "acted fast" when the leak was discovered, closing the hole within 44 minutes, and working with search engines to purge their caches. (Though apparently some of it is still lingering...) Cloudflare CEO Matthew Prince "claims that there was no detectable uptick in requests to Cloudflare-powered websites from September of last year...until today. That means the company is fairly confident hackers didn't discover the vulnerability before Google's researchers did."
And the company's CTO also told Reuters that "We've seen absolutely no evidence that this has been exploited. It's very unlikely that someone has got this information... We do not know of anybody who has had a security problem as a result of this." Nevertheless, Fortune warns that "So many sites were vulnerable that it doesn't make sense to review the list and change passwords on a case-by-case basis." Some sites are now even resetting every user's password as a precaution, while site operators "are also being advised to wipe their sites' cookies and security certificates, and perform their own web searches to see if site data leaked." But I'd like to know what security precautions are being taken by Slashdot's readers?
Leave your own answers in the comments. How did you respond to Cloudbleed?
I'm still not sure how this affects me
I use unique passwords for every single website I visit and as long as my email is safe (which no email provider uses Cloudflare AFAIK), I could recover any compromised account easily.
Techdirt asked me to change my password. What I want to know is what sites I might use use Cloudflare as I haven't seen such a list. They seem to be keeping that list close to their vest.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
Almost all major sites I use have both 2FA enabled plus login notifications enabled. *IF* someone attempted to access one of those accounts, even failed attempts, I would have instant notifications. None have appeared for this, or for pretty much all previous leaks for that matter... Guess I'm just "lucky"? Or maybe the hype was simply turned up to 11.
I moved it to the other leg of the pants. That's how much I can be bothered.
On the other hand I have moved practically everything of value to local servers and local storage. The only things that go in the cloud is data that is already encrypted locally before the transfer.
1. Realize that in this foul year of our lord 2017, any media coverage of a potential exploit that releases unanticipated or unauthorized amounts of data must now be called a 'bleed.' When the world's first automated toilet gets hacked, rest assured, that's turd-bleed.
2. Quit relying on Cloudflare to shave a few cents off your infrastructure and learn how to competently host and deploy your own load balanced services that are resilient to DDoS. Most hosting providers offer DDoS protection anyhow, and the statistical likelihood you'll need Cloudflare levels of protection is limited, unless you're 4chan or WikiLeaks.
Good people go to bed earlier.
People who seem to address this more on a factual level than reporting it in a hysterical way don't seem to be concerned. Tech news these days is rather boring and any type of hint at a security problem gets many tech journalists in a lather. I have little concern given the open disclosure and quick remedy of this. Last year I worked to limit myself significantly in web exposure. Start talking cloud and you're gonna get a storm eventually.
Since ThePirateBay is using cloudfare, I felt it wise to change my password on it so my download record didn't get hacked. Don't need anyone to know about my fetish for midget unicorn porn.
Be seeing you...
And I pity those who do.
I have three responses from sites that use Cloudflare. Essentially, their boiled down response is "We don't use those features that were affected. Cloudflare told us we weren't affected." One art site, Weasyl, just forced everyone to log off just to be safe.
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
So it affects me exactly 0%. FWIW I avoid the cloud because of these issues.
No, Instagram, because you took a picture of what you ate, not just say you ate.
That would be a very long list. I wouldn't be surprised if over half of major sites use Cloudflare, for some definition of "major sites".
Perhaps this leak might be a sufficient wake up call to leave that ultimate MITM service. What you gain by using it is protection against troubles you wish you had. No, your crappy cooking wordpress won't be DDoSed. Yes, I can buy a bank-grade vault and hire guards to protect my whole life's savings of $197, but you'd think I'm crazy if I did, wouldn't you?
I changed passwords on a case by case basis. The following website provides a tool for determining if a URL you type in is hosted on Cloudflare: http://www.doesitusecloudflare.com/
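The tool linked above checks a URL for you; the following is an added example (not from this thread or from Cloudflare) of the same kind of check done offline against evidence you collect yourself: response headers and authoritative nameservers. The samples are constructed, and the three-way verdict (proxied / DNS-only / no evidence) is an assumption of this example, since a domain can use Cloudflare DNS without its traffic passing through the proxy.

```python
from dataclasses import dataclass, field

# Cloudflare authoritative nameservers end with this suffix.
CF_NS_SUFFIX = ".ns.cloudflare.com"
# Response headers that only appear when traffic went through the Cloudflare proxy.
CF_PROXY_HEADERS = ("cf-ray", "cf-cache-status")


@dataclass
class HostEvidence:
    host: str
    headers: dict                      # response header name -> value
    nameservers: list = field(default_factory=list)


def cloudflare_signals(ev: HostEvidence) -> list:
    """Return the indicators found for this host (empty list = no evidence)."""
    h = {k.lower(): v for k, v in ev.headers.items()}   # header names are case-insensitive
    found = []
    if h.get("server", "").strip().lower() == "cloudflare":
        found.append("server header")
    found += [f"{name} header" for name in CF_PROXY_HEADERS if name in h]
    if any(ns.lower().rstrip(".").endswith(CF_NS_SUFFIX) for ns in ev.nameservers):
        found.append("cloudflare nameservers")
    return found


def verdict(ev: HostEvidence) -> str:
    """'proxied' if the response itself shows Cloudflare, 'dns-only' if only the
    nameservers do, else 'none'. Absence of evidence is not proof the site was unaffected."""
    signals = cloudflare_signals(ev)
    if any(not s.endswith("nameservers") for s in signals):
        return "proxied"
    return "dns-only" if signals else "none"


def hosts_to_rotate(evidence: list) -> list:
    """Hosts whose credentials a user would rotate first: those whose traffic was proxied."""
    return sorted(ev.host for ev in evidence if verdict(ev) == "proxied")


# Constructed sample evidence for the demo (not real observations).
SAMPLES = [
    HostEvidence("forum.example", {"Server": "cloudflare", "CF-RAY": "0000-XYZ"},
                 ["ada.ns.cloudflare.com.", "bob.ns.cloudflare.com."]),
    HostEvidence("blog.example", {"Server": "nginx"}, ["ns1.example-dns.test"]),
    HostEvidence("dnsonly.example", {"Server": "Apache"}, ["cruz.ns.cloudflare.com"]),
    HostEvidence("shop.example", {"server": "Apache", "cf-cache-status": "HIT"}, []),
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev.host, verdict(ev), cloudflare_signals(ev))
    print("rotate first:", hosts_to_rotate(SAMPLES))
```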
No problem.
Why did that get modded down? Studies have already shown that frequently changing passwords just causes people to choose bad passwords, and that is assuming everyone is changing their password(s) every time a breach comes up. Most people, especially non-technical ones, are not going to change their password unless forced. And that gets additionally difficult with breaches that affect multiple sites like this, where people can't easily figure out what sites they use were affected, and some subset of admins may not take appropriate actions to inform users.
Security breaches are probably going to get worse before they get better. If the result is security is compromised whenever someone doesn't change a password at the drop of a hat, then the security is going to fail for the vast majority of users.
I wouldn't be worried about the caching from third parties picking up snapshots (à la Internet Archive's Wayback Machine) because I doubt there's any way one could make the organization delete their copies on the basis of a third-party bug (the web is global and no single legal regime covers it all), particularly when adversely affected users need only change their credentials to avoid inadvertent credential exposure.
As to allowing a few organizations to act as gateways to the information on the web: that's a major issue and I charge the sites that choose to use the caching services with the responsibility. It's bad enough that the web is so centralized—there's no easy way to replicate even websites that have largely static data so that one can browse them offline, for instance. But caches one can't avoid make this worse by making users contend with single points of failure that are also empowered to needlessly require Javascript, discriminate against traffic from VPNs, etc., on behalf of so many websites. My experience is that admins who choose to use such cache services aren't so picky about the elements I recommend against (browse with JS off, eliminate a site's cookies soon after the need for those cookies is gone, don't run nonfree software, etc.). Unavoidable caching is a very bad choice and the caching feature strikes me as no benefit worth the price of giving away such power.
Digital Citizen
Not only does your post make little sense, it actually makes less sense in the context of a reply to the post you replied to.
I'm not mad. I am actually kind of impressed.
Perhaps his wrist & forearms are already sore from exercise.
*slow clap* Well played. It would have worked with the double play on "exercise", but that was icing on the cake.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
If someone wants my recipe for Tomato Surprise, they're welcome to it.
I changed my passwords on the affected sites, based on the list of Cloudflare-using sites that's been publicized. All of my passwords are randomly-generated strings, so even if one site was completely compromised, all of my other accounts would be fine.
Since I don't personally transmit any sensitive data through the affected sites, I'm reasonably sure that is all I have to bother about Cloudbleed. The situation is a lot worse for people running bitcoin etc. transactions through affected sites.
Eat the rich.
I just used a cloudbandage for my cloudbleed.
You would not be worried?
Think. Seriously think.
Do you really believe that the
Wayback Machine is unique?
Seriously, think about it.
And there was gategate, where a
person died. If you can find the ref,
you are good at searching, and have
plenty of time. Probably you work
at a TLA and already have the info.
(Hint: it was years ago)
Just tested one of my own websites that uses Cloudflare on it, didn't identify it.
Change is certain; progress is not obligatory.