[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HN] Cloudflare Reverse Proxies Are Dumping Uninitialized Memory

On 02/23/2017 07:06 PM, Mirimir wrote:
So tptacek's comment summarizes it well:

| Oh, my god.
| Read the whole event log.
| If you were behind Cloudflare and it was proxying sensitive data
| (the contents of HTTP POSTs, &c), they've potentially been spraying
| it into caches all across the Internet; it was so bad that Tavis
| found it by accident just looking through Google search results.
| The crazy thing here is that the Project Zero people were joking
| last night about a disclosure that was going to keep everyone at
| work late today. And, this morning, Google announced the SHA-1
| collision, which everyone (including the insiders who leaked that
| the SHA-1 collision was coming) thought was the big announcement.
| Nope. A SHA-1 collision, it turns out, is the minor security news
| of the day.
| This is approximately as bad as it ever gets. A significant number
| of companies probably need to compose customer notifications; it's,
| at this point, very difficult to rule out unauthorized disclosure
| of anything that traversed Cloudflare.


@joepie91 just posted a funny on twitter with link to a 2016 writeup he did about Cloudflare's sieve-like tls setup.

joepie91's Ramblings

CloudFlare, We Have A Problem

14 Jul 2016

For the past few years, CloudFlare has been steadily gaining popularity - being used by a staggering amount of websites, big and small. One of their frequently repeated claims to fame is that they "make web properties faster and safer".

I disagree.

In reality, CloudFlare has been structurally making the web less secure during these years. And they are incredibly good at selling that as a feature.
The Solution To No Problems

Back in 2011, when I ran AnonNews.org, I had to cope with frequent DDoS attacks - not all that surprising, given that it was a very popular news site and community for Anonymous, which was seeing the peak of its media coverage at the time. In 2011, however, it was pretty much impossible to get working DDoS mitigation for less than $100 a month, and that was simply not a budget I had to spend on it.

I eventually ran across CloudFlare, and - despite it not advertising DDoS mitigation anywhere at the time - I realized that with it being essentially a reverse proxy on beefy infrastructure, it would make for a useful pincushion against most DDoS attacks. And it did - it got in the way of many attacks, saved me some traffic as a bonus, and was overall a good solution to the problem at the time, even if it wasn't "real" DDoS mitigation.

Fast-forward to today, in 2016. It's not so clear anymore whether CloudFlare really solves any problems. Single-homed bandwidth can be gotten for $0.35/TB, DDoS mitigation services are plentiful and sometimes even provided by default, and the web is generally Fast Enough. Of course this doesn't stop CloudFlare from marketing to AWS customers - who are still grossly overpaying for bandwidth - or simply to those who are not aware of the changes in the hosting landscape.

Essentially, there's not really a reason to use CloudFlare anymore, and the majority of sites won't see any real benefit from it at all. I'll go into the alternatives further down the article, but I want to address some of the problems that CloudFlare introduces first.

In full: http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/

The funny, as a screenshot (77.7kb):