Cloudbleed for Humans

Adam Bard
Cloud Middleman
Feb 24, 2017 (3 min read)

You may have already heard about the security breach nicknamed #Cloudbleed, wherein Cloudflare, reverse caching proxy and unintentional competitor to our own logging proxy service Cloud Middleman, was discovered to be leaking plaintext from its servers’ memory, at random, in HTTP responses (i.e. websites) featuring certain malformed HTML tags.

“Plaintext” is a word that means “not encrypted,” usually in a context where this is regarded as a bad thing. Sentences that contain the phrase “leaking plaintext” should therefore be regarded as particularly bad, especially when they’re talking about a service that almost everyone on the internet uses every day in some capacity.

This issue was discovered last week by Tavis Ormandy and disclosed publicly today, but had apparently been happening for some months. Here’s my favorite summary of it, in the words of Thomas Ptacek on Hacker News:

If you were behind Cloudflare and it was proxying sensitive data (the contents of HTTP POSTs, &c), they’ve potentially been spraying it into caches all across the Internet.

That doesn’t sound so bad, until you think about how much caching goes on across the internet. For example, Google’s search engine is, in one way of speaking, a giant searchable cache of HTTP responses, and indeed you can still find compromising data in Google’s cached pages if you know how to look for it. But of course there are plenty of other search engines, and exponentially more cached HTTP responses scattered about. Make no mistake, this is probably one of the largest security breaches ever.

Who is affected?

Did I mention that Cloudflare has its fingers in a huge number of the internet’s largest and most well-funded pies? Major users of Cloudflare that are affected by this include Fitbit, Uber, and OK Cupid, but this is far from an exhaustive list — Cloudflare’s head of engineering himself claims that they identified about 3500 affected domains.

You don’t have to just take my word about this being a wide-ranging issue, either. Here’s a full list of companies whose logos appear on Cloudflare’s homepage at the time of writing:

  • Quizlet
  • Nasdaq
  • Zendesk
  • Salesforce
  • Bain Capital
  • Digital Ocean
  • OK Cupid
  • Montecito Bank & Trust (!)
  • Discord
  • FastMail
  • Udacity
  • Cisco

Incidentally, Medium is another service that seems to have some Cloudflare headers in its responses.

What should I do?

At a minimum, if you use any of the above services, it would not be a bad idea to stop reading now and change your password, plus the password of any other service that uses the same credentials to sign in. Some would go so far as to recommend that you change all your passwords, revoke all your OAuth connections, burn your computer and build a Faraday cage around your house — but even then, your OK Cupid private messages might be floating around the public internet somewhere. Perhaps you should just go grab a drink instead.
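If you keep raw HTTP responses (browser dev tools exports, proxy logs, or the output of a logging proxy like the one mentioned above), you can inventory which of the sites you sign into were fronted by Cloudflare, and therefore which passwords are worth rotating first. The following is an added example, not code from this post or from Cloudflare; it assumes the two well-known Cloudflare fingerprints in responses of that era, a `Server` header containing “cloudflare” (commonly `cloudflare-nginx` in 2017) and the `CF-RAY` request-id header, and the sample responses are constructed, not captured.

```python
from typing import Dict, List

# Constructed sample responses (not captured from any real site).
CLOUDFLARE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 24 Feb 2017 12:00:00 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "server: Cloudflare-nginx\r\n"          # mixed case on purpose: matching is case-insensitive
    "CF-RAY: 0123456789abcdef-SJC\r\n"      # placeholder ray id, not a real one
    "\r\n"
    "<html><body>hello</body></html>"
)
PLAIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.25\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x response into a lower-cased header dict.

    Folded (continuation) headers are not handled; real captures rarely use them.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP/1.x response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return headers


def cloudflare_evidence(raw_response: str) -> Dict[str, str]:
    """Return the headers that mark a response as having passed through Cloudflare."""
    headers = parse_headers(raw_response)
    evidence: Dict[str, str] = {}
    server = headers.get("server", "")
    if "cloudflare" in server.lower():
        evidence["server"] = server
    if "cf-ray" in headers:  # per-request id that only Cloudflare's edge adds
        evidence["cf-ray"] = headers["cf-ray"]
    return evidence


def domains_to_rotate(responses: Dict[str, str]) -> List[str]:
    """Given domain -> raw response, list the domains whose responses show Cloudflare fingerprints."""
    return sorted(d for d, r in responses.items() if cloudflare_evidence(r))
```

Absence of these headers is not proof a site was unaffected (some deployments strip them), so treat the list as a priority order, not a complete one.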

(By the way, if you’re in the market for a service that logs your traffic on purpose but keeps it a secret, you should check out Cloud Middleman.)
