Posted 24 February 2017 - 06:40 AM
CloudFlare had a major vulnerability, deemed by the discoverer as "cloudbleed". Conveniently, the CC website in its entirety is using CloudFlare.
In the spoiler below is a list of sources you may want to check out for more information on the issue.
Info:
Tavis Ormandy's issue report:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
Tavis Ormandy's twitter:
- https://mobile.twitter.com/taviso
Reddit's cloudbleed information page:
- https://www.reddit.c...dflare_reverse/
Log of all domains that possibly have this exploit (note, computercraft.info is there):
- https://raw.githubus...d_unique_cf.txt
CloudFlare's Twitter; as of me writing this, only 2 tweets reference the issue:
- https://twitter.com/cloudflare
CloudFlare's blog post on this issue:
- https://blog.cloudfl...are-parser-bug/
Is it a reason to panic? No. The issue arose once in every 3.3 million HTTP requests. It seemed to just give random information, embedded in HTTP response data.
Is it a reason to change passwords? Yes. Any reason is a good reason to change your password. This is just an exceptional time to do so.
NOTE: the collision of SHA-1 that Google discovered and the issues with CloudFlare are completely unrelated, contrary to what my post has said for the past 2 hours. Different teams in Google discovered different vulnerabilities… what a day to be alive.
To clarify, I am by no means an expert on this all, and if someone would like to explain and clarify the situation, by all means please do.
Edited on 24 February 2017 - 07:44 AM