   On 02/23/2017 07:06 PM, Mirimir wrote:

So tptacek's comment summarizes it well:

| Oh, my god.
|
| Read the whole event log.
|
| If you were behind Cloudflare and it was proxying sensitive data
| (the contents of HTTP POSTs, &c), they've potentially been spraying
| it into caches all across the Internet; it was so bad that Tavis
| found it by accident just looking through Google search results.
|
| The crazy thing here is that the Project Zero people were joking
| last night about a disclosure that was going to keep everyone at
| work late today. And, this morning, Google announced the SHA-1
| collision, which everyone (including the insiders who leaked that
| the SHA-1 collision was coming) thought was the big announcement.
|
| Nope. A SHA-1 collision, it turns out, is the minor security news
| of the day.
|
| This is approximately as bad as it ever gets. A significant number
| of companies probably need to compose customer notifications; it's,
| at this point, very difficult to rule out unauthorized disclosure
| of anything that traversed Cloudflare.

[1]https://news.ycombinator.com/item?id=13718752


   @joepie91 just posted a funny on twitter with link to a 2016 writeup he
   did about Cloudflare's sieve-like tls setup.

     joepie91's Ramblings
     CloudFlare, We Have A Problem
     14 Jul 2016
     For the past few years, CloudFlare has been steadily gaining
     popularity - being used by a staggering amount of websites, big and
     small. One of their frequently repeated claims to fame is that they
     "make web properties faster and safer".
     I disagree.
     In reality, CloudFlare has been structurally making the web less
     secure during these years. And they are incredibly good at selling
     that as a feature.
     The Solution To No Problems
     Back in 2011, when I ran AnonNews.org, I had to cope with frequent
     DDoS attacks - not all that surprising, given that it was a very
     popular news site and community for Anonymous, which was seeing the
     peak of its media coverage at the time. In 2011, however, it was
     pretty much impossible to get working DDoS mitigation for less than
     $100 a month, and that was simply not a budget I had to spend on it.
     I eventually ran across CloudFlare, and - despite it not advertising
     DDoS mitigation anywhere at the time - I realized that with it being
     essentially a reverse proxy on beefy infrastructure, it would make
     for a useful pincushion against most DDoS attacks. And it did - it
     got in the way of many attacks, saved me some traffic as a bonus,
     and was overall a good solution to the problem at the time, even if
     it wasn't "real" DDoS mitigation.
     Fast-forward to today, in 2016. It's not so clear anymore whether
     CloudFlare really solves any problems. Single-homed bandwidth can be
     gotten for $0.35/TB, DDoS mitigation services are plentiful and
     sometimes even provided by default, and the web is generally Fast
     Enough. Of course this doesn't stop CloudFlare from marketing to AWS
     customers - who are still grossly overpaying for bandwidth - or
     simply to those who are not aware of the changes in the hosting
     landscape.
     Essentially, there's not really a reason to use CloudFlare anymore,
     and the majority of sites won't see any real benefit from it at all.
     I'll go into the alternatives further down the article, but I want
     to address some of the problems that CloudFlare introduces first.

   In full:
   [2]http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-prob
   lem/
   The funny, as a screenshot (77.7kb):

References

   1. https://news.ycombinator.com/item?id=13718752
   2. http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/