Comment by dbmnt
8 years ago
No. Only Cloudflare customers using a subset of features of the SSL proxy service are impacted.
Cloudflare has a lot of customers who only use the free DNS service, for example.
8 years ago
No. Only Cloudflare customers using a subset of features of the SSL proxy service are impacted.
Cloudflare has a lot of customers who only use the free DNS service, for example.
Careful. It appears that any Cloudflare client who was sending HTTP/S traffic through their proxies is affected. A small subset of their customers had the specific problem that triggered the bug, but once triggered, the bug disclosed secrets from all their web customers.
You're not exposed if you never sent traffic through their proxies; for instance, if you somehow only used them for DNS.
I suspect there are a large number of Cloudflare customers that only use their DNS. I have a couple of domains in this category.
The DNS service is essentially free. It's an upgrade from most registrars' built-in DNS. It's a pretty robust solution, really -- global footprint, DNSSEC, fully working IPv6, etc.
My point is, the actual number of impacted customers was much smaller than the entire set of Cloudflare customers. There are lists in this thread that still reference hundreds of thousands (millions?) of sites, and that's just wrong.
(I agree on your first point though; I was confused about the nature of the proxy bug at first).