
Comment by jkells

8 years ago

My first thought was relief, thank god I'm not using Cloudflare.

Where would you even start to address this? Everything you've been serving is potentially compromised: API keys, sessions, personal information, user passwords, the works.

You've got no idea what has been leaked. Should you reset all your user passwords, cycle all of your keys, notify all your customers that their data may have been stolen?

My second thought after relief was the realization that even as a consumer I'm affected by this: my password manager has > 100 entries; what percentage of them are using CloudFlare? Should I change all my passwords?

What an epic mess. This is the problem with centralization, the system is broken.

We're compiling a list of domains using several scrapers and updating it here: https://github.com/pirate/sites-using-cloudflare

You can start by cross-referencing your password manager with this list, and working your way out from there.

  • As an aside, I found this really interesting:

    ashleymadison.com

    ashleyrnadison.com

    I find it really interesting that they registered that particular misspelling and they both point to the same servers. I can see doing this for some obvious domains like gogle.com, but the distinction there is simply that r+n looks like m.

    Probably a really obvious answer here, but my guess is that they are trying to help people throw off the scent of someone browsing a history.

    • I think it's more likely that they bought the domain to prevent scammers from trying to bait users onto a fake site and enter login info, and since they have it why not redirect traffic.
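The cross-referencing step suggested above, written out as an added example (this is not code from the linked repository or from any commenter). It assumes the Cloudflare list is a plain text file with one registrable domain per line, and that the password manager export is the common CSV shape with `name`, `url`, `username` and `password` columns; both inputs below are constructed samples with no real credentials, so the script runs offline. It matches on parent domains too, so `blog.example.com` is flagged when `example.com` is on the list.

```python
import csv
import io
import sys
from urllib.parse import urlsplit

# Constructed stand-in for the one-domain-per-line list in
# https://github.com/pirate/sites-using-cloudflare (assumed format); entries are illustrative.
CLOUDFLARE_DOMAINS_TEXT = """\
# comment lines are skipped
example.com
digitalocean.com
"""

# Constructed password-manager export (name,url,username,password). Not real credentials.
PASSWORD_EXPORT_CSV = """\
name,url,username,password
Example,https://www.Example.com/login,alice,hunter2
Blog,https://blog.example.com,alice,correcthorse
Host,digitalocean.com,alice,batterystaple
Bank,https://secure.bank.test/,alice,notleaked
"""


def load_domain_list(text):
    """Parse the domain list: lowercase, strip trailing dots, ignore blanks and comments."""
    domains = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        domains.add(line.rstrip("."))
    return domains


def hostname_of(url):
    """Host part of a password-manager URL field; bare hosts without a scheme are accepted."""
    url = url.strip()
    if not url:
        return None
    if "://" not in url:
        url = "//" + url  # urlsplit only parses a netloc after a scheme or '//'
    host = urlsplit(url).hostname  # already lowercased by urlsplit
    return host.rstrip(".") if host else None


def matching_domain(host, domains):
    """Return the listed domain that host equals or sits under, else None.

    Walks parent suffixes (www.example.com -> example.com) but never tests the bare
    TLD, so a stray 'com' line in the list cannot match every entry."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def affected_entries(export_csv, domain_text):
    """Return (entry name, host, matched domain) for every export row behind a listed domain."""
    domains = load_domain_list(domain_text)
    hits = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        host = hostname_of(row.get("url", ""))
        if host is None:
            continue
        matched = matching_domain(host, domains)
        if matched:
            hits.append((row["name"], host, matched))
    return hits


if __name__ == "__main__":
    # Usage: script.py [export.csv domains.txt]; with no arguments the constructed samples run.
    if len(sys.argv) == 3:
        export_text = open(sys.argv[1], encoding="utf-8").read()
        list_text = open(sys.argv[2], encoding="utf-8").read()
    else:
        export_text, list_text = PASSWORD_EXPORT_CSV, CLOUDFLARE_DOMAINS_TEXT
    for name, host, matched in affected_entries(export_text, list_text):
        print(f"ROTATE  {name:<12} {host:<28} (listed as {matched})")
```

Two caveats a practitioner would attach to the result: a hit means "this origin is proxied through Cloudflare, so rotate", not "this credential was leaked", and a miss proves nothing, because the scraped list is necessarily incomplete. Keep the export on the machine it was decrypted on; the script needs no network access.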

> My second thought after relief was the realization that even as a consumer I'm affected by this: my password manager has > 100 entries; what percentage of them are using CloudFlare? Should I change all my passwords?

Yes. Right now. Don't wait for the vendor to notify you.

> What an epic mess. This is the problem with centralization, the system is broken.

Yep.

> You've got no idea what has been leaked

If your site is served through Cloudflare, assume it's all out there because it might be. Standard Big Red Button(tm) procedure.

I don't run any particularly impressive sites but I'll be resetting passwords today. Also cycling things I use behind Cloudflare like DigitalOcean passwords/API keys.

It's supposed to be read-only Friday, Cloudflare :(

I won't take the initiative of changing passwords, and I will only be doing it for services that ask me to do it.

In my opinion, if my accounts get compromised because the provider uses Cloudflare and leaks my data all over, it's their fault, not mine... It's not my job to guess which services are using Cloudflare, which ones were affected... and further, if my account gets compromised, others presumably will.

(PS: Of course you may need to change passwords if you reuse passwords from one service to the other, but obviously you shouldn't be doing that in the first place.)

  • If someone runs a red light, broadsides you while you're in the intersection, and leaves you paralyzed... it is their fault both morally and legally... but it still sucks to be you since you bear the consequences regardless of fault.

    While this event is orders of magnitude less severe than my example, depending on the service that could be compromised there can be sufficient repercussions that you could not be made whole or avoid on-going inconvenience through the legal system or other acts of the genuinely responsible party.

    I absolutely get and sympathize with where you're coming from... but you may want to check a few of your more important accounts nonetheless :-)