What Can We Learn from the Cloudflare Leak?

What Can We Learn from the Cloudflare Leak?

by | Hosting Security

What Can We Learn from the Cloudflare Leak?

Cloudflare calls itself the “web performance and security company,” so it was a serious blow to its reputation when researchers discovered that it had a security bug that made sites' data visible on other sites. What was really disturbing was that supposedly secure data from HTTPS requests leaked out this way. Passwords, session cookies, credit card information, and other sensitive data simply showed up in random places.

Google researcher Tavis Ormandy discovered this problem on February 17, and tech media have attached the name “Cloudbleed” to it. Cloudflare provides services to millions of websites, and any of them could have suffered a loss of confidential data. Many of them have urged users to change their passwords. The risk to any individual is low, but the effect was so widespread that personal data could have been stolen from a significant number of people.

Cloudflare has fixed the bug, but the leaked data could still be lurking in the caches of search engines and edge servers, and data thieves now know to look for it.

Cloudflare's incident report explains that the problem stemmed from a buffer overrun bug. For efficiency reasons, low-level system software is often written in programming languages, such as C, which don't automatically guard against accessing memory structures outside their limits. An HTML parser had a bug of this type, resulting in its picking up data from whatever was past the end of a memory buffer. It could be anything, and sometimes it was private data from another website.

The risk in third-party services

Any website can have bugs in its software that open security holes. That's one reason HTTPS connections aren't 100% secure. Old versions of SSL (TLS) have problems. The “Heartbleed” bug in older versions of the widely used OpenSSL software showed it was possible to exploit the weaknesses. The latest version fixes the problem, but there's no guarantee that it's completely bug-free. Many websites still use old versions of OpenSSL, with known weaknesses.

When a site uses a third-party service such as a caching proxy or a content delivery network, it can gain or lose security. A top-quality CDN has better security measures than most do-it-yourself sites, and it filters requests to the sites' servers. It can absorb DDoS attacks that would kill a one-machine server. Cloudflare features a web application firewall (WAF) that protects sites at the application level from many kinds of attacks.

This comes at a price, though.

To get the full range of services from Cloudflare, a website has to hand over its most precious secret: its private SSL key. Without that datum, Cloudflare couldn't do anything with HTTPS requests and responses but pass them through. It wouldn't be able to see anything except what server and port number they were going to.

The fact that the breach included HTTPS data underscores this issue. If Cloudflare didn't have sites' private keys, it could never have leaked passwords that were properly sent through HTTPS. By the same token, it couldn't have provided a useful WAF to protect servers that use secure communication. Sharing a private key with a CDN creates a potential risk, even if there's an overall gain in security.

Vulnerability to governments

However, giving a CDN a site's private key opens up one serious hole, which no software can guard against. A government can demand it, compel the CDN to stay silent, and have access to all of the site's SSL transactions. Government agents can spy on it indefinitely, and the site's owners won't have a clue that it's happening.

In the United States, a National Security Letter can accomplish this. Anyone who receives one isn't allowed to say anything about it or challenge it in an open court hearing. The Electronic Frontier Foundation has called the power to issue them “one of the most frightening and invasive” surveillance power created by the PATRIOT Act.

Cloudflare has received at least two NSLs and possibly more. The FBI could have compelled it to turn over customers' private keys and not tell them. In a similar case, the FBI tried to compel Lavabit, a confidential email service, to turn over keys that would give it access to every user's private mail, even though it was just after Edward Snowden. Founder Ladar Levison was under a gag order not to disclose this until recently.

Other countries have similar or worse issues. The UK's Investigatory Powers Act gives law enforcement the authority to make telecommunication companies break their encryption. They would be under a compulsion of secrecy comparable to a National Security Letter. In the truly authoritarian states, the situation is even worse, with privacy being virtually non-existent.

How many websites do governments have access to, without their knowledge, because CDNs had to give up their private keys? There's no way to know.

The OrangeWebsite Difference

At OrangeWebsite we take your privacy seriously. We don't share our private keys, or yours, with third-party services. Government agencies in North America or Europe can't demand anything from us. We maintain state-of-the-art server security, performing regular security audits and keeping system software up to date. Optional two-factor authentication is available.

Nomad Capitalist has called Iceland the best host country for data privacy. The Icelandic Modern Media Initiative, passed by our Parliament in 2010, commits the country to freedom of information and expression. We allow anonymous registration, so that even torture or telepathy wouldn't get us to disclose your identity. Contact us to learn how to set up a secure, censorship-free website.

The Ultimate How-to Guide for Domain Registration

The Ultimate How-to Guide for Domain Registration

by | Domains

Ultimate Guide on How to register a domain.

Your domain name is one of the most important aspects to your web presence. It exudes the essence of your brand, expresses who you are through your email and website address, and is among the first impressions you give to prospective customers.

In addition to choosing the right domain name that represents your company (or new project), it’s important to have a general understanding of how domains work and ways you can manage them to your business advantage. Actions like parking a domain, for example, may prove useful for a new marketing campaign you’re implementing. The goal in this guide is to highlight these actions and provide how-to steps to domain registration and management.

How to Register a Domain:

If you’ve thought of the domain name for your website, registering your domain is a breeze. As a client, you can simply register your domain here with OrangeWebsite to begin managing them under one account. The major advantages to having your domain with us is that we give you extended privacy and low online censorship. We also offer advanced security options, ensuring that your prices always stay the same.

As long as your website isn't currently being used, you’re safe to secure your domain.  In this process, you’ll choose the domain extension, whether it's .com, .net, .org, etc. The most common of course is .com but it's best to select the extension that’s most congruent to your website's purpose.  Your domain registration lasts one-year until renewal unless you’ve elected to pay for multiple years.

Prior to securing your domain name, here some do’s and do not’s to consider when choosing your site’s name:

  • Include a location or keywords in your domain name, if applicable and possible, to help boost SEO
  • Abstain from using dashes, abbreviations or numbers in your domain. You want to make it easy for your audience to remember
  • Be sure that you're named as the owner of the domain, not your marketing agency or personnel

How to Transfer a Domain:

On occasion, some business owners choose to transfer their domain name to us. The following illustrate a few reasons why brands opt to transfer domains:

  • Your hosting provider (us) is also a domain registrar company and provides better features when you put both services under one umbrella
  • It’s cost-efficient, meaning, you’ve found a company that’s offering a lower price than your renewal rate
  • You've experienced various issues (support and/or technical) and ready to make a much needed change
  • With OrangeWebsite, you’ll get a FREE one-year extension included when you transfer your domain to us!

Transferring your domain is not an overnight process.  It can take several days to complete and can only occur after you’ve registered your domain for 60 days.

Here are the steps to transferring your domain:

Complete these actions with your current registrar first

  • Confirm that the administrator's contact information is correct since all communications regarding the transfer will be sent to the email address listed
  • Unlock your domain
  • Cancel any Protected or Private Registrations that will prevent the transfer

Unsure how to complete any of these steps?  Locate the helpdesk of your domain provider for step-by-step instructions.

Once you’ve finished the steps, easily start the transfer of your domain over to OrangeWebsite. Be sure to check your email as you’ll receive confirmation of the transfer along with the final steps necessary to finalize the process

How to Park a Domain:

Park domains are used when a business wants more than one web address for advertising reasons. These additional domains display the same website and its content as your primary domain. Similar to mask forwarding, the address bar will still show the parked domain website address.

This feature is accessible on our VPS Hosting Service and above. Here’s how you would add a parked domain to your account:

  1. Log into cPanel
  2. In the Domains section, click the Parked Domains icon
  3. Under Create a New Parked Domain, enter the domain name you would like to park on top of your primary domain
  4. Click Add Domain

How to Buy a Domain:

Purchasing new domains is as simple as logging into your account and researching to see if your desired domain name is available.

How to Renew a Domain:

Prior to your renewal date, you’ll begin receiving reminder emails that your domain is set to expire. If you have it set for automatic renewal, your credit card will be charged on the date and you’re active for another year.

If you fail to renew on the scheduled date, your domain enters redemption or a 30-day grace period as a final chance to maintain your domain.  After the redemption period, the domain will officially expire and be placed back into the market for sale.

How to Sell a Domain:

Perhaps you’ve bought domain names that you never used or there are ones sitting around going unused because it no longer serves your business. You can sell these domains back into the marketplace to recoup some (or all) or your costs.

Consider these key pointers if you plan to put your domains up for sale:

  1. Keep in mind that its harder to sell names no one has heard of.  Short, basic, relatable and common domain names tend to have higher value
  2. Determine your domain's value by taking into account traffic, top level domains, and name length (again, shorter is better)
  3. Be realistic about your price.  Don’t overprice which can result in missed selling opportunities
  4. List your domain with a selling service.  Popular ones include Flippa, eBay, and Sedo

What other questions do you have regarding domain registration and management? Contact us here or leave us a buzz in the comments below.