Comment by dmitrygr

8 years ago

Cloudflare's announcement, as it is currently worded, deserves the understatement-of-the-century award.

"Don't worry, the keys weren't compromised."

I know how to replace my TLS keys. I have no idea how to replace everything else.

It's like people who think losing my credit card number is the worst thing. No, it can be a hassle, but once I replace it I'm okay. It's everything else.

  • The implied comparison to the Heartbleed problem is that everyone's old encrypted traffic was suddenly in the open; a key change didn't help.

    (except for the enlightened few who used PFS before Heartbleed)

Is that because, even though a very small number of pages (they claim) triggered the bug, any adjacent traffic in memory could be disclosed?

That traffic could be basically anything sent through Cloudflare, it would seem.

Only three thousand something sites [were potentially serving private data from all 7 million customer domains we host]

  • If the bug exposes random uninitialized memory, can't it affect a lot more sites?

    And if it truly is only ~3000 sites, where's the list?