On 02/23/2017 07:06 PM, Mirimir wrote:
So tptacek's comment summarizes it well:
| Oh, my god.
| Read the whole event log.
| If you were behind Cloudflare and it was proxying sensitive data
| (the contents of HTTP POSTs, &c), they've potentially been spraying
| it into caches all across the Internet; it was so bad that Tavis
| found it by accident just looking through Google search results.
| The crazy thing here is that the Project Zero people were joking
| last night about a disclosure that was going to keep everyone at
| work late today. And, this morning, Google announced the SHA-1
| collision, which everyone (including the insiders who leaked that
| the SHA-1 collision was coming) thought was the big announcement.
| Nope. A SHA-1 collision, it turns out, is the minor security news
| of the day.
| This is approximately as bad as it ever gets. A significant number
| of companies probably need to compose customer notifications; it's,
| at this point, very difficult to rule out unauthorized disclosure
| of anything that traversed Cloudflare.
@joepie91 just posted a funny on twitter with a link to a 2016 writeup
he did about Cloudflare's sieve-like tls setup.
CloudFlare, We Have A Problem
14 Jul 2016
For the past few years, CloudFlare has been steadily gaining
popularity - being used by a staggering amount of websites, big
and small. One of their frequently repeated claims to fame is that
they "make web properties faster and safer".
In reality, CloudFlare has been structurally making the web less
secure during these years. And they are incredibly good at selling
that as a feature.
The Solution To No Problems
Back in 2011, when I ran AnonNews.org, I had to cope with frequent
DDoS attacks - not all that surprising, given that it was a very
popular news site and community for Anonymous, which was seeing
the peak of its media coverage at the time. In 2011, however, it
was pretty much impossible to get working DDoS mitigation for less
than $100 a month, and that was simply not a budget I had to spend.
I eventually ran across CloudFlare, and - despite it not
advertising DDoS mitigation anywhere at the time - I realized that
with it being essentially a reverse proxy on beefy infrastructure,
it would make for a useful pincushion against most DDoS attacks.
And it did - it got in the way of many attacks, saved me some
traffic as a bonus, and was overall a good solution to the problem
at the time, even if it wasn't "real" DDoS mitigation.
Fast-forward to today, in 2016. It's not so clear anymore whether
CloudFlare really solves any problems. Single-homed bandwidth can
be gotten for $0.35/TB, DDoS mitigation services are plentiful and
sometimes even provided by default, and the web is generally Fast
Enough. Of course this doesn't stop CloudFlare from marketing to
AWS customers - who are still grossly overpaying for bandwidth -
or simply to those who are not aware of the changes in the hosting
Essentially, there's not really a reason to use CloudFlare
anymore, and the majority of sites won't see any real benefit from
it at all. I'll go into the alternatives further down the article,
but I want to address some of the problems that CloudFlare
The funny, as a screenshot (77.7kb):