[HN] Cloudflare Reverse Proxies Are Dumping Uninitialized Memory

Razer g2s at riseup.net
Thu Feb 23 19:13:40 PST 2017



On 02/23/2017 07:06 PM, Mirimir wrote:
> So tptacek's comment summarizes it well:
>
> | Oh, my god.
> |
> | Read the whole event log.
> |
> | If you were behind Cloudflare and it was proxying sensitive data
> | (the contents of HTTP POSTs, &c), they've potentially been spraying
> | it into caches all across the Internet; it was so bad that Tavis
> | found it by accident just looking through Google search results.
> |
> | The crazy thing here is that the Project Zero people were joking
> | last night about a disclosure that was going to keep everyone at
> | work late today. And, this morning, Google announced the SHA-1
> | collision, which everyone (including the insiders who leaked that
> | the SHA-1 collision was coming) thought was the big announcement.
> |
> | Nope. A SHA-1 collision, it turns out, is the minor security news
> | of the day.
> |
> | This is approximately as bad as it ever gets. A significant number
> | of companies probably need to compose customer notifications; it's,
> | at this point, very difficult to rule out unauthorized disclosure
> | of anything that traversed Cloudflare.
>
> https://news.ycombinator.com/item?id=13718752
>

@joepie91 just posted a funny on Twitter with a link to a 2016 writeup he 
did about Cloudflare's sieve-like TLS setup.


> joepie91's Ramblings
>
> CloudFlare, We Have A Problem
>
> 14 Jul 2016
>
> For the past few years, CloudFlare has been steadily gaining 
> popularity - being used by a staggering amount of websites, big and 
> small. One of their frequently repeated claims to fame is that they 
> "make web properties faster and safer".
>
> I disagree.
>
> In reality, CloudFlare has been structurally making the web less 
> secure during these years. And they are incredibly good at selling 
> that as a feature.
>
> The Solution To No Problems
>
> Back in 2011, when I ran AnonNews.org, I had to cope with frequent 
> DDoS attacks - not all that surprising, given that it was a very 
> popular news site and community for Anonymous, which was seeing the 
> peak of its media coverage at the time. In 2011, however, it was 
> pretty much impossible to get working DDoS mitigation for less than 
> $100 a month, and that was simply not a budget I had to spend on it.
>
> I eventually ran across CloudFlare, and - despite it not advertising 
> DDoS mitigation anywhere at the time - I realized that with it being 
> essentially a reverse proxy on beefy infrastructure, it would make for 
> a useful pincushion against most DDoS attacks. And it did - it got in 
> the way of many attacks, saved me some traffic as a bonus, and was 
> overall a good solution to the problem at the time, even if it wasn't 
> "real" DDoS mitigation.
>
> Fast-forward to today, in 2016. It's not so clear anymore whether 
> CloudFlare really solves any problems. Single-homed bandwidth can be 
> gotten for $0.35/TB, DDoS mitigation services are plentiful and 
> sometimes even provided by default, and the web is generally Fast 
> Enough. Of course this doesn't stop CloudFlare from marketing to AWS 
> customers - who are still grossly overpaying for bandwidth - or simply 
> to those who are not aware of the changes in the hosting landscape.
>
> Essentially, there's not really a reason to use CloudFlare anymore, 
> and the majority of sites won't see any real benefit from it at all. 
> I'll go into the alternatives further down the article, but I want to 
> address some of the problems that CloudFlare introduces first.

In full: 
http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/

The funny, as a screenshot (77.7kb):



-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot from 2017-02-23 19-11-21.png
Type: image/png
Size: 77730 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20170223/ea9f9448/attachment-0002.png>

