Comment by joepie91_
8 years ago
> My second thought after relief was the realization that even as a consumer I'm affected by this, my password manager has > 100 entries what percentage of them are using CloudFlare? Should I change all my passwords?
Yes. Right now. Don't wait for the vendor to notify you.
> What an epic mess. This is the problem with centralization, the system is broken.
Yep.
My password manager has > 500 entries. Changing all the passwords....isn't going to happen any time soon.
If it only took 60 seconds per site, it would still take eight hours to change them all.
Might change a few key passwords, though. Couldn't hurt. I only have a couple of bank/financial passwords at this point. And my various hosting service access passwords.
Anything else is not worth the hassle -- and mostly would have 2FA anyway.
Your argument essentially revolves around "what are the chances I'll be compromised!?" rather than focusing on "What's the potentially affect of getting compromised" Most people with data or access rights which have several orders of magnitude of value relative to 8 hours worth of labor.
The decision to wear a seatbelt isn't driven by the probability of needing it, the decision is drive by the magnitude of exposure to an event where you would need it.
> Your argument essentially revolves around "what are the chances I'll be compromised!?" ...
You misunderstand. My argument is explicitly around "What is the potential effect?" That's why I listed changing financial passwords is on my list of things that I might do. (Though see below for why I won't.)
If I only change passwords where someone can do real damage (my primary social media accounts, my accounts that have a current, saved credit card, and any hosting-related accounts) then I've already hit the 98th percentile in damage avoidance. And as I pointed out above, most (all?) of those accounts are unaffected because they don't use CloudFlare at all.
If someone has stolen my password to the Woodworking Forums, and they ... what, post rabid alt-right spam in my name and get me banned? Oh well, either tell them that it was hacked, or if they don't believe me, let that account die and create a new one, if I ever decide to go back and post something again. No big deal. I haven't used it in years anyway, and I can create unlimited new (wildcard-based) email addresses on any of several domains I own.
Aside from the top 10-15 sites I use, I rarely have logins that are that important, anyway. So I'm totally basing this on worst-case damage assessment, not on "how likely it is I'm attacked."
AND...I just looked through all of the top sites I use, and according to the HTTP header, none of them is served using CloudFlare at all (I only checked the index page of each, but none have the telltale CF-Cache-Status headers). No financial sites, no shopping sites that have my credit card, no social media sites. So where's the fire exactly?
1 reply →
In the case of seat belts that's probably because the cost of your life is infinity.
The same isn't quite true for my blogger account.
1 reply →
Lastpass knows how to change your passwords for many popular sites, and can automate it away for you.
I have been reluctant to use a service that keeps my passwords for me in the cloud.
Instead I'm using KeePass. KeePass is open source and has its "full stack" of encryption available for review. For LastPass I need to trust they're doing everything right, and that a government actor hasn't asked for some kind of backdoor. It's so easy to screw up security that I'm more comfortable trusting two levels of security: That KeePass has its encryption done right, and that Google Drive keeps my KeePass file out of the hands of bad-guys.
LastPass would become a single point of failure compared to what I'm doing: They just need to make one mistake and suddenly any bad guy gets all of my passwords.
Nice feature for LastPass, though.
LastPass uses local encryption to enable LastPass to have Zero knowledge of users passwords. This means that user's passwords aren't passed in the clear even inside a TSL session.
So LastPass isn't the password manager mentioned in the post.
2 replies →
You use 500 sites which use 2FA?
No, the ones I consider to be "important" have 2FA.
When I log into the Woodworking Forums, I have to use a password. If someone steals my Woodworking Forums authentication and posts as me there, um....Oh well. Sucks, and I'll clean up the mess.
Glancing through my password vault (kept in KeePass, for those wondering) I have some in there that I literally haven't used since before Cloudfare was founded, like the Creative Labs developer site.
Note that for sites like HN, changing your password doesn't expire other sessions. You have to go find every browser with an HN cookie and logout.
(Where I mean some other sites that are not at all HN, but might plausibly exist.)
No, we log you out of all HN sessions when you change your password.
Oh, cool. (This was not the case last time I did a reset.)
1 reply →
How do you check if a website uses cloudflare ? Any scripts that do that ?
Response headers will contain a "cf-ray" header or "server: cloudflare-nginx"
Both should be there, as well as 'Set-Cookie: __cfduid=...'
EDIT: Better yet, make that 'curl -IL domain.com' to follow redirects because it may not show in the first response.
There is no reliable way to check. The problem is that even if you verify that a site isn't using CloudFlare now, that doesn't mean that they didn't use it in the past (and you'd still be affected).
In other words: Just assume that everything has been compromised. With how much of the web CloudFlare controls nowadays, you're not going to be far off anyway.
Icon lights up if the current site is on Cloudflare proxy.
https://chrome.google.com/webstore/detail/claire/fgbpcgddpmj...
$ host -t NS digitalocean.com
digitalocean.com name server walt.ns.cloudflare.com.
digitalocean.com name server kim.ns.cloudflare.com.
That may not necessarily work. Example:
But if you check the response headers you'll see 'CF-RAY:...' and 'Server: cloudflare-nginx'
There's this browser addon
https://chrome.google.com/webstore/detail/claire/fgbpcgddpmj...
$ dig example.com
to get the A Record, then
$ whois 1.2.3.4|grep Cloudflare
Not 100% reliable, but should do the Job.
Not at a terminal now, but this long one-liner should work.
Like you said, not 100% reliable though. For example, I'm pretty sure Reddit uses CloudFlare, but their whois mentions Fastly, which is a competitor.
3 replies →
I know it's kinda late,but there is one more way to find if a site is using Cloudflare
append /cdn-cgi/trace to the URL and you will some debug info
Ex:
https://cloud.digitalocean.com/cdn-cgi/trace
https://news.ycombinator.com/cdn-cgi/trace
http://www.doesitusecloudflare.com/
So it's fixed, then? (I haven't read the article yet.)
No, nothing is fixed. The leak has been plugged, but the water damage (and partly the water itself) is still there.
Weird. I read the Cloudflare blog entry (<https://blog.cloudflare.com/incident-report-on-memory-leak-c...) at the bottom of the linked Chromium bug tracker page and they make it sound like it's fixed (the implication being that now would be the time to change all my passwords…)
1 reply →