Cloudflare Reverse Proxies are Dumping Uninitialized Memory

[kirashi]

21 minutes ago, LAwLz said:

Everyone should change their passwords regardless of whether or not the sites you use have 2 factor authentication. Having your password out there is bad.

 

And I will take this opportunity to shill recommend Keepass2.

No need to pay money for a password manager when there is a great one that's free and open source out there.

Paying for a password manager isn't an issue for me, although I too would rather use Keepass2 as well.

It's the value of my time and sanity having to go through all my accounts that makes me never want to use any online services again. But alas, that's a liability us consumers must take if we're to use the internet. We can't have it both ways.  

[Castdeath97]

Amazing, I'm going to have to change all my passwords.

[Pesmerga]

fuck not again.

[HarryNyquist]

I'll take the risk. I don't have time to sift through my logins to figure out which are affected & change them. And I definitely don't have time to change every password.

[vorticalbox]

36 minutes ago, HarryNyquist said:

I'll take the risk. I don't have time to sift through my logins to figure out which are affected & change them. And I definitely don't have time to change every password.

I added a list and a website that allows you to see if a given site is effected. I would just change password to ones you care about.

[Scionyde]

I'm looking at a list of sites affected, and I think LTT might be the only one I actually use. I'll browse some of those other affected sites like Reddit, but I never actually made a log-in for any of them. Sooo... hopefully, I'm okay?

[Thony]

Im sick and tired of this crap ! changing passwords every week pisses me off !

[Sir Asvald]

Damn. The transport for London is there.

[Mutoh]

Just my luck, I think this is the 3rd time I've had to change my passwords in the last 4 months  

[KuJoe]

Cloudflare has always and will always be a bad idea. When did the internet stop caring about MITM attacks?

[Enishiat0r]

So many sites affected. I'm sure I won't be able to remember all the sites I've got accounts on.

[imreloadin]

Keepass FTW! I had 4 accounts that were affected and just went and changed them to another randomly generated 20-30 character password. Took me longer to update copy the new database to my NAS and phone than it did to actually change the passwords lol.

[vorticalbox]

4 hours ago, KuJoe said:

Cloudflare has always and will always be a bad idea. When did the internet stop caring about MITM attacks?

When they started believing that HTTPS was enough. MITM attacks aren't the easiest to pull off successfully.

[KuJoe]

Just now, vorticalbox said:

When they started believing that HTTPS was enough. MITM attacks aren't the easiest to pull off successfully.

Unless you give the attacker total control of your DNS like people do with Cloudflare.

[Blade of Grass]

6 hours ago, KuJoe said:

Cloudflare has always and will always be a bad idea. When did the internet stop caring about MITM attacks?

The benefits of using a WAF and CDN like CF far exceed the risk of an event like this. The risk of a MITM attack now is lower than ever before, due to the wide adoption of technology like HTTPS and HSTS. 

Plus, for the majority of websites, handing off to another company which has specialization in security is a much better option than them rolling their own. 

[LAwLz]

16 minutes ago, Blade of Grass said:

The benefits of using a WAF and CDN like CF far exceed the risk of an event like this. The risk of a MITM attack now is lower than ever before, due to the wide adoption of technology like HTTPS and HSTS. 

Plus, for the majority of websites, handing off to another company which has specialization in security is a much better option than them rolling their own. 

I wish more people would understand this concept (ignore the Hearthstone gameplay, he makes an example at 3 minutes in):

 

 

Using a CDN is the right thing to do. Just because it in this situation turned out to backfire doesn't mean it would have been the right thing to not use it.

[KuJoe]

6 minutes ago, LAwLz said:

I wish more people would understand this concept (ignore the Hearthstone gameplay, he makes an example at 3 minutes in):

 

 

Using a CDN is the right thing to do. Just because it in this situation turned out to backfire doesn't mean it would have been the right thing to not use it.

I guess I'm too much of a nerd to use commercial CDNs when I can roll my own for cheap.

29 minutes ago, Blade of Grass said:

The benefits of using a WAF and CDN like CF far exceed the risk of an event like this. The risk of a MITM attack now is lower than ever before, due to the wide adoption of technology like HTTPS and HSTS. 

Plus, for the majority of websites, handing off to another company which has specialization in security is a much better option than them rolling their own. 

In your opinion yes, but this isn't the first time Cloudflare has messed up and it won't be the last time. I used to use Cloudflare many moons ago for my personal websites where the impact of such a breach was so minimal it didn't matter, but I would never give any company control over my business websites regardless of the risks. That's my personal views on the subject.

[Mattb6288]

Found out about this during WAN show. Since the password I use on here is the same for 80% of my login I spent the last hour using LastPass to change all my passwords.

[vorticalbox]

cloudflare data is still in bing caches, this is still a problem

 

http://cc.bingj.com/cache.aspx?q=&d=4857656909960944&w=rj9cgKJZJYOhAbxPoQ4RPcxV_spLZkc2