
Comment by jgrahamc

8 years ago

Full details from Cloudflare: https://blog.cloudflare.com/incident-report-on-memory-leak-c...

Why is your company severely downplaying it?

Honestly, this is the biggest security incident in a long time, and proper mitigation would probably warrant:

- forcefully terminating all cookies on CloudFlare sites; Cloudflare already injects JS onto the page anyway

- MITMing all CloudFlare sites with a warning for users to change their passwords

  • > MITMing all CloudFlare sites with a warning for users to change their passwords

    REALLY?

> Incident report on memory leak caused by Cloudflare parser bug

This title sounds like Cloudflare doesn't know what a memory leak is or is intentionally trying to downplay information disclosure. Neither option is comforting.

From the blog post: "For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug."

Is this statement accurate, considering Tavis said in his report that: "We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users."

  • Not the TLS private key; this would pertain to the ClientKeyExchange. The TLS private key should NEVER leave the server. The buffer overruns were only what a client/server exchange would see.

"enable AMP, and more" is certainly nicer than "'ScrapeShield' feature which parses and obfuscates HTML".