Slashdot Mirror


Ask Slashdot: How Are You Responding To Cloudbleed? (reuters.com)

An anonymous IT geek writes: Cloudflare-hosted web sites have been leaking data as far back as September, according to Gizmodo, which reports that at least Cloudflare "acted fast" when the leak was discovered, closing the hole within 44 minutes, and working with search engines to purge their caches. (Though apparently some of it is still lingering...) Cloudflare CEO Matthew Prince "claims that there was no detectable uptick in requests to Cloudflare-powered websites from September of last year...until today. That means the company is fairly confident hackers didn't discover the vulnerability before Google's researchers did."

And the company's CTO also told Reuters that "We've seen absolutely no evidence that this has been exploited. It's very unlikely that someone has got this information... We do not know of anybody who has had a security problem as a result of this." Nevertheless, Fortune warns that "So many sites were vulnerable that it doesn't make sense to review the list and change passwords on a case-by-case basis." Some sites are now even resetting every user's password as a precaution, while site operators "are also being advised to wipe their sites' cookies and security certificates, and perform their own web searches to see if site data leaked." But I'd like to know: what security precautions are being taken by Slashdot's readers?

Leave your own answers in the comments. How did you respond to Cloudbleed?
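Of the operator advice quoted above, "wipe their sites' cookies" means invalidating every existing session at once, not just the sessions of users who happen to change their password. One way to make that a single operation is to sign session cookies under a versioned server key and throw the old key away. The block below is an added example written for this page; it is not code from Cloudflare or from any site named in the thread. The cookie format and the key ring are my design, and the keys, user id and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


# Constructed design, not any particular site's: a key ring indexed by version number.
# Every session cookie carries the version it was signed under. Rotating the key
# bumps the version and discards the old key, so every cookie minted before the
# rotation fails verification and its holder is simply logged out.
class SessionKeyRing:
    def __init__(self, initial_key: bytes) -> None:
        self.current = 1
        self.keys: Dict[int, bytes] = {1: initial_key}

    def rotate(self, new_key: bytes) -> int:
        """Make new_key current and forget every older key: this is the 'wipe all cookies' step."""
        self.current += 1
        self.keys = {self.current: new_key}
        return self.current


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(ring: SessionKeyRing, user_id: int, now: Optional[int] = None) -> str:
    """Produce a cookie value 'version.payload.signature' under the ring's current key."""
    issued = int(time.time()) if now is None else now
    payload = json.dumps({"uid": user_id, "iat": issued}, separators=(",", ":")).encode()
    signed = f"{ring.current}.{_b64(payload)}"
    sig = hmac.new(ring.keys[ring.current], signed.encode(), hashlib.sha256).digest()
    return f"{signed}.{_b64(sig)}"


def verify(ring: SessionKeyRing, cookie: str) -> Optional[dict]:
    """Return the session payload, or None for malformed, tampered or retired-key cookies."""
    try:
        ver_s, payload_s, sig_s = cookie.split(".")
        version = int(ver_s)
        payload = _unb64(payload_s)
        sig = _unb64(sig_s)
    except ValueError:  # wrong shape or bad base64 (binascii.Error subclasses ValueError)
        return None
    key = ring.keys.get(version)
    if key is None:
        return None  # signed under a key that has been rotated away
    expected = hmac.new(key, f"{ver_s}.{payload_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(payload)


if __name__ == "__main__":
    ring = SessionKeyRing(b"constructed-key-v1")
    cookie = mint(ring, user_id=42)
    print("before rotation:", verify(ring, cookie))
    ring.rotate(b"constructed-key-v2")
    print("after rotation: ", verify(ring, cookie))
```

rotate() drops the old key on purpose. A site doing routine key rollover would keep the previous key for a short grace window, but after a leak the point is that nothing signed before the rotation is trusted any more. Forced password resets and certificate reissuance are the separate steps from the same advice and are not shown here.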

8 of 82 comments

  1. I'm still not sure by Anonymous Coward · · Score: 2, Informative

    I'm still not sure how this affects me

    1. Re:I'm still not sure by nmb3000 · · Score: 5, Informative

      I'm still not sure how this affects me

      Here's a very short version:

      Cloudflare provides proxying, caching, and DDoS protection (plus other things) for a huge number of websites. This means that instead of connecting directly to a website's servers, you're instead connecting to a Cloudflare server which inspects and routes the traffic to the real website.

      A bug in Cloudflare's system would occasionally result in random memory contents from the Cloudflare server incorrectly getting sent back to clients in the HTTP response stream. This memory could contain anything -- random parts of a webpage, a picture, or a username and password that was recently passed through the system.

      Since these memory dumps can be (and were) captured by caching systems such as Google's cached pages, Internet Archive, etc, it's not enough that Cloudflare fix the bug -- all the cached pages must also be deleted or somehow cleared of any memory dump contents. Until this happens (and frankly, it's likely an impossible goal given the size and scope), there is the potential that your username and password for some website could be saved out in a cached copy of a Cloudflare site, there just waiting for someone to find it. Attackers can, and are, scanning all of this cached data looking for such valuable leaked memory contents.

      Overall it's a major bug and huge error on Cloudflare's part, but the likelihood of it impacting you seems astronomically small.

      What it does do, however, is raise questions about whether or not we should have a single company acting as a back-end gatekeeper to vast swaths of the web. It also raises the question of the responsibility of sites like the Internet Archive. Should they be required to mass-delete archived sites going back years due to this bug? There is no way to recover those past cached sites. Finally, who is responsible if this breach does get exploited? Is it Cloudflare, or the website that chose to use them?

      I've never been a fan of Cloudflare from a privacy and security standpoint, and this failure on their part more or less cemented my opinion.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
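The mechanism nmb3000 describes (server memory spliced into HTTP response bodies, then captured by caches) suggests a concrete check an operator can run over saved copies of their own cached pages: look for fragments that belong in a request, not in HTML. The block below is an added example for this page, not code from the thread or from Cloudflare. The indicator list is my choice (Cookie, Set-Cookie, Authorization, X-Forwarded-For, plus Cloudflare's CF-Connecting-IP and CF-RAY proxy headers), the two sample pages are constructed, and the scanner deliberately redacts what it finds so that its own report is not a second copy of the leak.

```python
import re
from typing import List, Tuple

# Header names whose values are credentials or client-identifying data. A line of this
# shape inside an HTML body is a strong sign the body carries someone else's request.
# The two CF-* names are Cloudflare's own proxy headers; the list is my choice of indicators.
SENSITIVE_HEADERS = ("Cookie", "Set-Cookie", "Authorization",
                     "X-Forwarded-For", "CF-Connecting-IP", "CF-RAY")

HEADER_RE = re.compile(
    r"^(" + "|".join(SENSITIVE_HEADERS) + r"):[ \t]*(\S.*?)\r?$",
    re.IGNORECASE | re.MULTILINE)
# An HTTP request line has no business appearing inside a page body.
REQUEST_LINE_RE = re.compile(
    r"^(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)[ \t]+(\S+)[ \t]+HTTP/1\.[01]\r?$",
    re.MULTILINE)
# Form-encoded credential fields, as a leaked POST body would contain them.
PASSWORD_FIELD_RE = re.compile(r"(?:^|[&?])(pass(?:word|wd)?|pwd)=([^&\s<]+)", re.IGNORECASE)


def redact(value: str) -> str:
    """Keep only a 2-char prefix and the length, so a scan report is not itself a copy of the leak."""
    if len(value) <= 4:
        return "*" * len(value)
    return f"{value[:2]}{'*' * (len(value) - 2)} ({len(value)} chars)"


def scan(body: str) -> List[Tuple[str, str]]:
    """Return (kind, redacted detail) for every fragment of another request found in a cached body."""
    findings: List[Tuple[str, str]] = []
    for m in REQUEST_LINE_RE.finditer(body):
        findings.append(("request-line", f"{m.group(1)} {m.group(2)}"))
    for m in HEADER_RE.finditer(body):
        findings.append(("header", f"{m.group(1)}: {redact(m.group(2))}"))
    for m in PASSWORD_FIELD_RE.finditer(body):
        findings.append(("password-field", f"{m.group(1)}={redact(m.group(2))}"))
    return findings


def is_suspect(body: str) -> bool:
    return bool(scan(body))


# Constructed samples: a normal page, and the same page with a fake fragment of another
# client's request spliced in where leaked memory would land. None of this is real data.
CLEAN_PAGE = "<html><body><h1>Forum index</h1>\n<p>Welcome back.</p>\n</body></html>"
SUSPECT_PAGE = (
    "<html><body><h1>Forum index</h1>\n<p>Welcome back.</p>\n"
    "GET /account HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Cookie: session=3f9a0c7b; csrftoken=ab12\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig\r\n"
    "\r\nusername=alice&password=hunter2\n"
    "</body></html>"
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("suspect", SUSPECT_PAGE)):
        print(name, "->", scan(page) or "no leak indicators")
```

This is a heuristic: a page that legitimately prints a line starting with "Cookie:" will trip it, and leaked memory that happens to contain only a fragment of a header will not. Its value is in running it over every copy of your pages you can pull back from search-engine and archive caches, where a single hit is enough to justify the password reset and session wipe discussed above.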
  2. What sites use Cloudflare? by Streetlight · · Score: 2

    Techdirt asked me to change my password. What I want to know is what sites I might use use Cloudflare, as I haven't seen such a list. They seem to be keeping that list close to their vest.

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
    1. Re:What sites use Cloudflare? by Anonymous Coward · · Score: 2, Informative

      https://github.com/pirate/sites-using-cloudflare/blob/master/README.md

  3. Changed my password on TPB to be safe by Nyder · · Score: 3, Funny

    Since ThePirateBay is using Cloudflare, I felt it wise to change my password on it so my download record didn't get hacked. Don't need anyone to know about my fetish for midget unicorn porn.

    --
    Be seeing you...
    1. Re:Changed my password on TPB to be safe by CaptainDork · · Score: 4, Funny

      ... midget unicorn porn ...

      So, no link?

      We discussed this before, you selfish clod.

      --
      It little behooves the best of us to comment on the rest of us.
  4. Re:two solutions. by CaptainDork · · Score: 2

    .2 is bullshit.

    How many people use Cloudflare and don't even know it?

    And, by your logic, people should build their own OS from scratch, complete with ring zero hardened security and no telemetry that calls mommy ...

    --
    It little behooves the best of us to comment on the rest of us.
  5. Re:two solutions. by Ksevio · · Score: 2

    1. The "bleed" comes from it bleeding data that was in memory - I don't recall any other exploits that release data in other ways being called that. It was also first jokingly called cloudbleed by the security researcher (not the media).

    2. This isn't the '90s anymore. CDNs are extremely common and Cloudflare is one of the cheapest out there, especially for small sites. Most sites can't afford to deploy load balanced services and rely on others to do it for them. Cloudflare has been in the business for a while now and has more experience than your average IT guy.