Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: How Are You Responding To Cloudbleed? (reuters.com)

Posted by EditorDavid on from the hole-in-the-host dept.

An anonymous IT geek writes: Cloudflare-hosted web sites have been leaking data as far back as September, according to Gizmodo, which reports that at least Cloudflare "acted fast" when the leak was discovered, closing the hole within 44 minutes, and working with search engines to purge their caches. (Though apparently some of it is still lingering...) Cloudflare CEO Matthew Prince "claims that there was no detectable uptick in requests to Cloudflare-powered websites from September of last year...until today. That means the company is fairly confident hackers didn't discover the vulnerability before Google's researchers did."

And the company's CTO also told Reuters that "We've seen absolutely no evidence that this has been exploited. It's very unlikely that someone has got this information... We do not know of anybody who has had a security problem as a result of this." Nevertheless, Fortune warns that "So many sites were vulnerable that it doesn't make sense to review the list and change passwords on a case-by-case basis." Some sites are now even resetting every user's password as a precaution, while site operators "are also being advised to wipe their sites' cookies and security certificates, and perform their own web searches to see if site data leaked." But I'd like to know what security precautions are being taken by Slashdot's readers?
Leave your own answers in the comments. How did you respond to Cloudbleed?

45 of 82 comments (clear)

  1. I'm still not sure by Anonymous Coward · · Score: 2, Informative

    I'm still not sure how this affects me

    1. Re:I'm still not sure by nmb3000 · · Score: 5, Informative

      I'm still not sure how this affects me

      Here's a very short version:

      Cloudflare provides proxying, caching, and DDoS protection (plus other things) for a huge number of websites. This means that instead of connecting directly to a website's servers, you're instead connecting to a Cloudflare server which inspects and routes the traffic to the real website.

      A bug in Cloudflare's system would occasionally result in random memory contents from the Cloudflare server incorrectly getting sent back to clients in the HTTP response stream. This memory could contain anything -- random parts of a webpage, a picture, or a username and password that was recently passed through the system.

      Since these memory dumps can be (and were) captured by caching systems such as Google's cached pages, Internet Archive, etc, it's not enough that Cloudflare fix the bug -- all the cached pages must also be deleted or somehow cleared of any memory dump contents. Until this happens (and frankly, it's likely an impossible goal given the size and scope), there is the potential that your username and password for some website could be saved out in a cached copy of a Cloudflare site, there just waiting for someone to find it. Attackers can, and are, scanning all of this cached data looking for such valuable leaked memory contents.

      Overall it's a major bug and huge error on Cloudflare's part, but the likelihood of it impacting you seems astronomically small.

      What it does do, however, is raise questions about whether or not we should have a single company acting as a back-end gatekeeper to vast swaths of the web. It also raises the question of the responsibility of sites like the Internet Archive. Should they be required to mass-delete archived sites going back years due to this bug? There is no way to recover those past cached sites. Finally, who is responsible if this breach does get exploited? Is it Cloudflare, or the website that chose to use them?

      I've never been a fan of Cloudflare from a privacy and security standpoint, and this failure on their part more or less cemented my opinion.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
  2. What sites use Cloudflare? by Streetlight · · Score: 2

    Techdirt asked me to change my password. What I want to know is what sites I might use use Cloudflare as I havn't seen such a list. They seem to keeping that list close to their vest.

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
    1. Re:What sites use Cloudflare? by Anonymous Coward · · Score: 2, Informative

      https://github.com/pirate/sites-using-cloudflare/blob/master/README.md

    2. Re:What sites use Cloudflare? by anadem · · Score: 1

      Sites using Cloudflare: https://github.com/pirate/site...

    3. Re:What sites use Cloudflare? by Solandri · · Score: 1

      Others have already posted a link to the full list (22 MB text file - whee). Someone else has set up a website to let you search that list from your browser (only one site at a time) which may be a bit more manageable if you don't visit many sites which require logins.

      http://www.doesitusecloudflare.com/

    4. Re:What sites use Cloudflare? by Streetlight · · Score: 1

      Thanks, guys! Others might have been interested, too. 22 MByte file - yikes!

      --
      In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
    5. Re:What sites use Cloudflare? by Zocalo · · Score: 1

      I grabbed the 22MB zip file of domains on Cloudflare from this page, which supposedly contains a superset of the sites that *might* have been infected by CloudBleed - e.g. not all the sites included have a problem, but all those that did are in the list. I then dumped a list of all the domain names in my Password Manager to a second text file and used "egrep -f" to see which domains were in both files. That turned out to be a pretty short list considering the supposed reach of CloudFlare, so I then worked through those domains and updated those passwords (increasing length and complexity where I could as well), just in case. Done.

      The whole process took me less than 15 minutes and, barring future developments, CloudBleed is now hopefully in my rear view mirror. Not that I consider the odds of any of my data being leaked likely to cause much pain cleaning up the aftermath anyway - one of the benefits of unique passwords for every single site.

      --
      UNIX? They're not even circumcised! Savages!
  3. 2FA by darkain · · Score: 1

    Almost all major sites I use have both 2FA enabled plus login notifications enabled. *IF* someone attempted to access one of those accounts, even failed attempts, I would have instant notifications. None have appeared for this, or for pretty much all previous leaks for that matter... Guess I'm just "lucky"? Or maybe the hype was simply turned up to 11.

    1. Re:2FA by green1 · · Score: 1

      You're not "lucky" you're an extremely unusual person who doesn't visit any of the vast majority of sites on the internet that don't even have 2FA as an option, nor login notifications. Sure I use those when they're available... but they simply aren't in most places.

      BTW... how's Slashdot's 2FA and login notifications working for you?

    2. Re:2FA by Aighearach · · Score: 1

      There is no luck required at all. If it is shit, or random, don't log in. If they ask you to, leave. There is an information glut, after all. Other content awaits.

    3. Re:2FA by green1 · · Score: 1

      And yet here you are logged in to Slashdot. Which has no 2FA, nor sign in notifications.

    4. Re:2FA by Aighearach · · Score: 1

      There is no luck in that either.

    5. Re:2FA by green1 · · Score: 1

      No, but the OP said that all the sites they visit use 2FA and sign in notifications. Yet they are on Slashdot which does neither. Then they said they have "luck".

      I positt that they are being dishonest with themselves in believing that they only use sites with 2FA.

    6. Re:2FA by Aighearach · · Score: 1

      No, it was actually "almost all," so they could still use slashdot without any contradiction. Also, it was "almost all major sites." Slashdot isn't as relevant as it used to be.

    7. Re:2FA by green1 · · Score: 1

      And I still maintain that either they are lying, or they are an edge case, as the vast majority of sites on the internet do not support these technologies, and therefore the vast majority of people can not protect themselves by using them.

  4. two solutions. by nimbius · · Score: 1, Interesting

    1. realize that in this foul year of our lord 2017, any media coverage of a potential exploit that releases unanticipated or unauthorized amounts of data must now be called a 'bleed.' when the worlds first automated toilet gets hacked, rest assured, thats turd-bleed.

    2. quit relying on cloudflare to shave a few cents off your infrastructure and learn how to competently host and deploy your own load balanced services that are resilient to DDoS. most hosting providers offer ddos protection anyhow, and the statistical likelyhood youll need cloudflare levels of protection is limited, unless youre 4chan or wikileaks.

    --
    Good people go to bed earlier.
    1. Re:two solutions. by CaptainDork · · Score: 2

      .2 is bullshit.

      How many people use Cloudflare and don't even know it?

      And, by your logic, people should build their own OS from scratch, complete with ring zero hardened security and no telemetry that calls mommy ...

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:two solutions. by Ksevio · · Score: 2

      1. The "bleed" come from it bleeding data that was in memory - I don't recall any other exploits that release data in other ways being called that. It was also first jokingly called cloudbleed by the security researcher (not the media).

      2. This isn't the '90s anymore. CDNs are extremely common and cloudflare is one of the cheapest out there, especially for small sites. Most sites can't afford to deploy load balanced services and rely on others to do it for them. Cloudflare has been in the business for a while now and has more experience than your average IT guy.

    3. Re:two solutions. by lucm · · Score: 1

      realize that in this foul year of our lord 2017, any media coverage of a potential exploit that releases unanticipated or unauthorized amounts of data must now be called a 'bleed.'

      It's either "gate" or "bleed", depending on what kind of people you want in your twitter mob.

      --
      lucm, indeed.
    4. Re:two solutions. by Aighearach · · Score: 1

      Dudebro, this is 2017 and Japan is full of automatic toilets, and yes, they get hacked. No, nobody cares, except the person getting the wrong wash cycle.

    5. Re:two solutions. by Aighearach · · Score: 1

      And, by your logic, people should build their own OS from scratch, complete with ring zero hardened security and no telemetry that calls mommy ...

      Yes more people should build their own OS from scratch. Complete with features. And they should call somebody. Good idea.

    6. Re:two solutions. by CaptainDork · · Score: 1

      And they should call somebody.

      Ghost Busters?

      --
      It little behooves the best of us to comment on the rest of us.
    7. Re:two solutions. by Neuronwelder · · Score: 1

      1.It would have the potential to make a funny comic sketch though. A person goes to an automated toilet and gets sprayed by faeces on his white shirt.. He now has to get back to an important meeting.

  5. It's over hyped by Anonymous Coward · · Score: 1

    People who seem to address this more on a factual level than reporting it in a hysterical way don't seem to be concerned. Tech news these days is rather boring and any type of hint at a security problem gets many tech journalists in a lather. I have little concern giving the open disclosure and quick remedy of this. Last year I have worked to limit myself significantly in web exposure. Start talking cloud and your gonna get a storm eventually.

  6. Changed my password on TPB to be safe by Nyder · · Score: 3, Funny

    Since ThePirateBay is using cloudfare, I felt it wise to change my password on it so my download record didn't get hacked. Don't need anyone to know about my fetish for midget unicorn porn.

    --
    Be seeing you...
    1. Re:Changed my password on TPB to be safe by CaptainDork · · Score: 4, Funny

      ... midget unicorn porn ...

      So, no link?

      We discussed this before, you selfish clod.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re: Changed my password on TPB to be safe by Anonymous Coward · · Score: 1

      Perhaps his wrist & forearms are already sore from exercise.

    3. Re:Changed my password on TPB to be safe by antdude · · Score: 1

      We now know about your fetish for midget unicorn porn, Nyder. ;)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    4. Re:Changed my password on TPB to be safe by thegarbz · · Score: 1

      This is one case where he's probably a "sensitive clod".

  7. Some responses by strredwolf · · Score: 1

    I have three responses from sites that use Cloudflare. Essentially, their boiled down response is "We don't use those features that were affected. Cloudflare told us we weren't affected." One art site, Weasyl, just forced everyone to log off just to be safe.

    --

    --
    # Canmephians for a better Linux Kernel
    $Stalag99{"URL"}="http://stalag99.net";
    1. Re: Some responses by Ash-Fox · · Score: 1

      Weasyl is full of SJW furries, nobody cares.

      --
      Change is certain; progress is not obligatory.
  8. Re:I moved it by lucm · · Score: 1

    I have moved practically everything of value to local servers and local storage.

    That works well with floods, burglaries and fires.

    --
    lucm, indeed.
  9. Millions of sites by raymorris · · Score: 1

    That would be a very long list. I wouldn't be surprised if over half of major sites use Cloudflare, for some definition of "major sites".

  10. Biggest MITM on the net by ptaff · · Score: 1

    Perhaps this leak might be a sufficient wake up call to leave that ultimate MITM service. What you gain by using it is protection against troubles you wish you had. No, your crappy cooking wordpress won't be DDoSed. Yes, I can buy a bank-grade vault and hire guards to protect my whole life's savings of $197, but you'd think I'm crazy if I did, wouldn't you?

    1. Re: Biggest MITM on the net by ewanm89 · · Score: 1

      More importantly, if your site is dynamic enough, cloudflare has to ask the original http servers if the content has changed anyway, and the real http servers crazy from the load anyway. Cloudflare is not a panacea for fixing DDoS attacks.

  11. Re:I moved it by Known+Nutter · · Score: 1

    That works well with floods, burglaries and fires.

    Local storage! I live in a cloud, you insensitive clod!

    --
    Beware of the Leopard.
  12. Re:I moved it by Aighearach · · Score: 1

    I can offer you financing on your own cloud, if you'd like.

  13. Had another beer. by BoRegardless · · Score: 1

    No problem.

  14. Re:I avoid the cloud like the plague by indi0144 · · Score: 1

    What does this have to do with the cloud? Cloudflare is a reverse proxy and a CDN. Last time i checked /. runs on a cloud, because I'm sure as fuck it is not running on that old iron under some advertising agency desk like when it started.

  15. A bad tradeoff: power over users vs some speedup by jbn-o · · Score: 1

    I wouldn't be worried about the caching from third parties picking up snapshots (ala Internet Archive's Wayback Machine) because I doubt there's any way one could make the organization delete their copies on the basis of a third-party bug (the web is global and no single legal regime covers it all), particularly when adversely affected users need only change their credentials to avoid inadvertent credential exposure.

    As to allowing a few organizations act as gateways to the information on the web: that's a major issue and I charge the sites that choose to use the caching services with the responsibility. It's bad enough that the web is so centralized—there's no easy way to replicate even websites that have largely static data so that one can browse them offline, for instance. But caches one can't avoid make this worse by making users contend with single points of failure that are also empowered to needlessly require Javascript, discriminate against traffic from VPNs, etc., on behalf of so many websites. My experience is that admins who choose to use such cache services aren't so picky about the elements I recommend against (browse with JS off, eliminate a site's cookies soon after the need for those cookies are gone, don't run nonfree software, etc.). Unavoidable caching is a very bad choice and the caching feature strikes me as no benefit worth the price of giving away such power.

    --
    Digital Citizen
  16. I love word play by Gazzonyx · · Score: 1

    Perhaps his wrist & forearms are already sore from exercise.

    *slow clap* Well played. It would have worked with the double play on "exercise", but that was icing on the cake.

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

  17. Changed passwords by KozmoStevnNaut · · Score: 1

    I changed my passwords on the affected sites, based on the list of Cloudflare-using sites that's been publicized. All of my passwords are randomly-generated strings, so even if one site was completely compromised, all of my other accounts would be fine.

    Since I don't personally transmit any sensitive data through the affected sites, I'm reasonably sure that is all I have to bother about Cloudbleed. The situation is a lot worse for people running bitcoin etc. transactions through affected sites.

    --
    Eat the rich.
  18. Easy Peasy by nospam007 · · Score: 1

    I just used a cloudbandage for my cloudbleed.

  19. Re: I changed passwords for sites hosted on cloudf by Ash-Fox · · Score: 1

    Just tested one of my own websites that use cloudflare on it, didn't identify it.

    --
    Change is certain; progress is not obligatory.