On Feb 23, 2017, at 10:06 PM, Mirimir <mirimir@riseup.net> wrote:
So tptacek's comment summarizes it well:
| Oh, my god. | | Read the whole event log. | | If you were behind Cloudflare and it was proxying sensitive data | (the contents of HTTP POSTs, &c), they've potentially been spraying | it into caches all across the Internet; it was so bad that Tavis | found it by accident just looking through Google search results. | | The crazy thing here is that the Project Zero people were joking | last night about a disclosure that was going to keep everyone at | work late today. And, this morning, Google announced the SHA-1 | collision, which everyone (including the insiders who leaked that | the SHA-1 collision was coming) thought was the big announcement. | | Nope. A SHA-1 collision, it turns out, is the minor security news | of the day. | | This is approximately as bad as it ever gets. A significant number | of companies probably need to compose customer notifications; it's, | at this point, very difficult to rule out unauthorized disclosure | of anything that traversed Cloudflare.
Holy shit! Ars has a write up https://arstechnica.com/security/2017/02/serious-cloudflare-bug-exposed-a-po...