[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HN] Cloudflare Reverse Proxies Are Dumping Uninitialized Memory

Update @Clodflare



Ps. Portals (AOL etc) & dDos prevention sites like Cloudflare, Akmai (etc) intrinsically defeat the purpose of 'distributed networking' TCP/IP was designed for! Suckers. If you were on Arpanet you'd still have distributed networking. But they can't allow that sort of freedom-of-information-transfer now can they... Citizen?

On 02/23/2017 07:06 PM, Mirimir wrote:
So tptacek's comment summarizes it well:

| Oh, my god.
| Read the whole event log.
| If you were behind Cloudflare and it was proxying sensitive data
| (the contents of HTTP POSTs, &c), they've potentially been spraying
| it into caches all across the Internet; it was so bad that Tavis
| found it by accident just looking through Google search results.
| The crazy thing here is that the Project Zero people were joking
| last night about a disclosure that was going to keep everyone at
| work late today. And, this morning, Google announced the SHA-1
| collision, which everyone (including the insiders who leaked that
| the SHA-1 collision was coming) thought was the big announcement.
| Nope. A SHA-1 collision, it turns out, is the minor security news
| of the day.
| This is approximately as bad as it ever gets. A significant number
| of companies probably need to compose customer notifications; it's,
| at this point, very difficult to rule out unauthorized disclosure
| of anything that traversed Cloudflare.