Comment by AznHisoka
8 years ago
Can someone tell me the implications of this in layman's terms?
For instance, what does it mean by "sprayed into caches"? What cache? DNS cache? Browser cache? If the latter, does it mean you are safe if the person who owns that cache is an innocent non-technical user?
There are caches all over the Internet; Google and Microsoft run some of them, but so do virtually every Fortune 500 company, most universities, and governments all over the world.
The best way to understand the bug is this: if a particular HTTP response happened to be generated in response to a request, the response would be intermingled with random memory contents from Cloudflare's proxies. If that request/response happened through someone else's HTTP proxy --- for instance, because it was initiated by someone at a big company that routes all its traffic through a Bluecoat appliance --- then that appliance might still have that improperly disclosed memory saved.
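The signature described above (a normal page body with someone else's HTTP headers and memory spliced into it) is something a proxy or cache operator can look for in their own store. Below is an added example written for this thread, not code from Cloudflare or any commenter: it scans a small set of constructed cache entries and flags a body that contains header-shaped fragments (`Cookie:`, `Authorization:`, ...) or a `Host:` line naming a different site than the cache key. The `CacheEntry` layout, the sample bodies and the hostnames are all made up for the example; a real cache would need its own loader.

```python
import re
from dataclasses import dataclass, field

# Header lines have no business inside an HTML or JSON body. Seeing them there
# is the pattern the thread describes: response bytes intermingled with
# another request's memory. Case-insensitive, anchored at line start.
HEADER_FRAGMENT = re.compile(
    rb"(?im)^(Set-Cookie|Cookie|Authorization|X-Forwarded-For):\s*\S+"
)
# A Host: line for a site other than the one the cache key belongs to is the
# strongest indicator that the leaked bytes came from an unrelated customer.
HOST_FRAGMENT = re.compile(rb"(?im)^Host:\s*([A-Za-z0-9.-]+)")


@dataclass
class CacheEntry:
    """Hypothetical cache record: the host from the cache key plus the body."""
    host: str
    body: bytes


@dataclass
class Finding:
    host: str
    reasons: list = field(default_factory=list)


def scan_entry(entry: CacheEntry) -> list:
    """Return a list of reasons this cached body looks contaminated (empty if clean)."""
    reasons = []
    for m in HEADER_FRAGMENT.finditer(entry.body):
        reasons.append("header-in-body:" + m.group(1).decode().lower())
    for m in HOST_FRAGMENT.finditer(entry.body):
        other = m.group(1).decode().lower()
        if other != entry.host.lower():
            reasons.append("foreign-host:" + other)
    return reasons


def scan_cache(entries) -> list:
    """Scan every entry and keep only those with at least one indicator."""
    findings = []
    for entry in entries:
        reasons = scan_entry(entry)
        if reasons:
            findings.append(Finding(entry.host, reasons))
    return findings


# Constructed sample data (not real cached traffic).
SAMPLE_CACHE = [
    # Clean page; the word "cookie" in prose must not trigger a finding.
    CacheEntry("www.example.test",
               b"<html><p>Please accept our cookie policy.</p></html>"),
    # Page whose body carries another site's request headers spliced in.
    CacheEntry("weather.example.test",
               b"<html><p>Sunny, 21C</p>\r\n"
               b"Host: api.other-customer.test\r\n"
               b"Cookie: session=abc123\r\n"
               b"Authorization: Bearer t0k3n\r\n"
               b"</html>"),
    # Page that legitimately shows a curl transcript for its own host.
    CacheEntry("docs.example.test",
               b"<pre>GET /v1 HTTP/1.1\nHost: docs.example.test\n</pre>"),
]


if __name__ == "__main__":
    for f in scan_cache(SAMPLE_CACHE):
        print(f.host, f.reasons)
```

Running it reports only the second entry, with the two header fragments and the foreign host as reasons. The regexes are deliberately narrow (anchored, header-name allow-list) so ordinary pages that talk about cookies or show their own request examples do not produce noise; widening the header list is the obvious tuning knob.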
PINBOARD!!!!!!!!! (It's a web-crawling & caching service.)
There are all kinds of places where things are cached, both on- and offline. Your data may end up in:
* Browser caches.
* Sites like wayback machine or search engines that make copies of webpages and save them.
* Tools that store data downloaded from the web, e.g. RSS readers.
* Caching proxies.
* The list goes on and on.
I think what tptacek wanted to say: It's just so common that people download things from the web and store them without even thinking much about it. And all those places where this happens now potentially can contain sensitive data.
Many mobile providers cache heavily as well. In my country, Vodafone does this.
Many services on the internet keep a copy of a page they have loaded in the past. Google does this, for example. It lets them do things like search across websites quickly.
Many of these caches are available online, to anyone who wants to look at them.
This bug meant that any time a page was sent through Cloudflare, the requester might receive the page plus some sensitive personal information, or credentials that could be used to log in to a stranger's account. Some of these credentials might let a bad actor pretend to be a service like Uber or Fitbit.
This very sensitive information might end up saved in a public cache, where anyone could find it and use it to do harm.
What are my rough odds of having stored a credential, if I were a provider?
What are the odds I had a credential stored?
We know the impact, but what are the odds to a provider and to a possible exposee?
It's reminiscent of the earlier days of the Squid cache.
When it had bugs and delivered up cached files, the typical symptom was that everyone in the company got unwanted porn.
Because the biggest user (by far) of the 'net was the person into porn and so 90% of the Squid cache was porn.
It served the wrong resource instead of failing to serve a resource? Back then, if I were to suffer this, what is the likelihood of a porn-for-cats experience?
Far worse than this. Yes, browser caches, but also web crawlers' (like Google's) caches. This means that anyone who requested certain public content could have instead received secret content from completely unrelated websites.
As for the SHA-1 collision mentioned by jgrahamc[1] earlier today:
How am I going to explain this to my wife?
Actually a serious question. How do we communicate something like this to the general public?
[1] https://news.ycombinator.com/item?id=13713826
"It's like some extremely popular remailer company accidentally put badly or barely shredded copies of handled letters into other people's envelopes. Strangers' sensitive info is potentially sitting inside unsuspecting mailboxes worldwide."
> It's like some extremely popular remailer company accidentally put badly or barely shredded copies of handled letters into other people's envelopes.
Or used as confetti for a parade: http://www.npr.org/2012/11/27/166023474/social-security-numb...
Well. Does your wife work in info sec?
Let's do our part to make this place less toxic to women please