[HN] Cloudflare Reverse Proxies Are Dumping Uninitialized Memory
Razer
g2s at riseup.net
Fri Feb 24 08:57:11 PST 2017
The Cloudflare bug was a result of the "ScrapeShield" "feature" that inserts
trackers into HTML.
https://blog.cloudflare.com/introducing-scrapeshield-discover-defend-dete/
https://twitter.com/RichFelker/status/834916213344112647
On 02/24/2017 08:53 AM, Razer wrote:
> Update @Clodflare
>
> https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
>
>
> Rr
>
> Ps. Portals (AOL etc) & DDoS prevention sites like Cloudflare, Akamai
> (etc) intrinsically defeat the purpose of 'distributed networking'
> TCP/IP was designed for! Suckers. If you were on Arpanet you'd still
> have distributed networking. But they can't allow that sort of
> freedom-of-information-transfer now can they... Citizen?
>
>
> On 02/23/2017 07:06 PM, Mirimir wrote:
>> So tptacek's comment summarizes it well:
>>
>> | Oh, my god.
>> |
>> | Read the whole event log.
>> |
>> | If you were behind Cloudflare and it was proxying sensitive data
>> | (the contents of HTTP POSTs, &c), they've potentially been spraying
>> | it into caches all across the Internet; it was so bad that Tavis
>> | found it by accident just looking through Google search results.
>> |
>> | The crazy thing here is that the Project Zero people were joking
>> | last night about a disclosure that was going to keep everyone at
>> | work late today. And, this morning, Google announced the SHA-1
>> | collision, which everyone (including the insiders who leaked that
>> | the SHA-1 collision was coming) thought was the big announcement.
>> |
>> | Nope. A SHA-1 collision, it turns out, is the minor security news
>> | of the day.
>> |
>> | This is approximately as bad as it ever gets. A significant number
>> | of companies probably need to compose customer notifications; it's,
>> | at this point, very difficult to rule out unauthorized disclosure
>> | of anything that traversed Cloudflare.
>>
>> https://news.ycombinator.com/item?id=13718752
>>
>