Hacking Scandals: The Biggest, Baddest, And Scariest

The Internet is a worldwide platform for sharing information. It is a community of common interests. No country is immune to such global challenges as cybercrime, hacking, and invasion of privacy.

—Lu Wei

Biggest Hacking Scandals of All Time

Knives and guns are no longer the weapons of choice for criminals. A keyboard is. Hacking has become the most effective way to either gain the most reward or do the most damage in a single crime. And because individuals and companies care more about locking their doors and installing security cameras than encrypting and protecting their digital information, it is arguably easier to rob data than a house or an office building. Additionally, as hacking has become popular, a hacking community has emerged, creating competition for the biggest or baddest hack. Here are just a few of the worst:

1. and 2. Yahoo

Yahoo takes the cake when it comes to data breaches. Two breaches that their systems have undergone hold the top two places on this list. In September of 2016, Yahoo announced that two years prior 500 million Yahoo accounts had been breached. The evidence, according to Yahoo, pointed to a state-sponsored actor. A few months later, at the end of 2016, another Yahoo hacking incident came to light. A much bigger one. Yahoo announced that in August of 2013, 1 billion accounts had been breached, making it the largest hack on record. From the evidence that investigators found, the two hacking incidents were not linked. However, in both hacking incidents, everything from dates of birth and email addresses to encrypted security questions and answers and hashed passwords was stolen. Fortunately, no financial information was taken.

3. Myspace

This massive data breach garnered nowhere near as much news as Yahoo and other lesser hacks. That is not because it was not on a wide scale; it is simply because Myspace is no longer a company that garners as much news. The attack compromised 360 million Myspace accounts sometime before June of 2013. Usernames, email addresses, and passwords were all stolen. Myspace, its owner Time Inc., and investigators have not been able to nail down an exact date for when the attack took place, which is not uncommon, as many hackers can get access to a system and stay there for months without being detected.

4. eBay

In early 2014, the massive online auction house was hacked. 145 million accounts were breached. It was a similar hack to the Yahoo ones, with email addresses, mailing addresses, birth dates and more being stolen. And, as with Yahoo’s hacks, no financial information was taken. The route of the hacking was identified: The hackers managed to obtain employee login credentials, which gave them access to the company’s corporate network.

5. LinkedIn

The LinkedIn hack was a special one because the information that was stolen was very publicly sold. In May of 2016, the hacker who stole the information, an individual going by the name ‘Peace’, attempted to sell 117 million LinkedIn emails and passwords. This was 100 million more accounts than the company had originally believed to have been affected by the 2012 hack.

6. Target

The Target hack may not be the largest hack of all time, but it has arguably been the most destructive hack. So destructive, in fact, that Target had to pay out $10 million to the victims of the massive data breach. The breach itself happened in 2013 and it affected 110 million individuals, who had all of their credit or debit card information stolen. This included everything from customer names and card numbers to the magnetic strip code and PIN data. Each victim who could prove that their card information had been used or their credit history had been tarnished could claim up to $10,000.

7. AOL

In 2003, a crime was committed by an AOL employee. He hacked into the corporate system to steal a list of AOL customers, their emails, and their screen names. The employee sold this list of 92 million email addresses for $28,000. It was then circulated among spammers who sent unwarranted marketing emails to all of the addresses on the list. It cost the company $400,000, not to mention the loss in customers that it likely triggered. The employee was found guilty in court, sentenced to 15 months in prison and slapped with a hefty fine.

8. Ashley Madison

While no financial harm came to any of the individuals who had their information stolen in the Ashley Madison hack, it has arguably become the most famous hack in recent years. The main reason for this is the loss of privacy. For a dating website that caters to married people, privacy is key. This privacy was lost when, first, the website was hacked and 32 million users’ information was stolen and then, second, that information was posted online for the world to see who was cheating on their spouse. The released data included user information, such as their names, addresses, passwords, and phone numbers, as well as transaction history on the website and descriptions of what the individual users were looking for.

These are just a handful of the hacks that have been perpetrated over the last few years. And these types of attacks are only becoming more and more common. Businesses, of every size and in every sector, as well as individuals, need to protect themselves. This is exactly what OrangeWebsite helps people and organizations do. We provide the highest level of protection against both hacking and governmental collection of private information. Try out our services with a 30-day money back guarantee, utilize our 24/7 technical support, and protect yourself, your information, and the information of those you do business with. For more information, please contact us.

What Can We Learn from the Cloudflare Leak?

Cloudflare calls itself the “web performance and security company,” so it was a serious blow to its reputation when researchers discovered that it had a security bug that made sites' data visible on other sites. What was really disturbing was that supposedly secure data from HTTPS requests leaked out this way. Passwords, session cookies, credit card information, and other sensitive data simply showed up in random places.

Google researcher Tavis Ormandy discovered this problem on February 17, and tech media have attached the name “Cloudbleed” to it. Cloudflare provides services to millions of websites, and any of them could have suffered a loss of confidential data. Many of them have urged users to change their passwords. The risk to any individual is low, but the effect was so widespread that personal data could have been stolen from a significant number of people.

Cloudflare has fixed the bug, but the leaked data could still be lurking in the caches of search engines and edge servers, and data thieves now know to look for it.

Cloudflare's incident report explains that the problem stemmed from a buffer overrun bug. For efficiency reasons, low-level system software is often written in programming languages, such as C, which don't automatically guard against accessing memory structures outside their limits. An HTML parser had a bug of this type, resulting in its picking up data from whatever was past the end of a memory buffer. It could be anything, and sometimes it was private data from another website.
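The overrun described above, as an added example that is not from the original article or from Cloudflare's code: a hypothetical toy attribute scanner shows one way a parser ends up reading past its buffer (an end check that only tests for equality, so a cursor that jumps over the end is never caught) beside a hardened version. The function names and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample memory: a page buffer followed directly by bytes that
 * belong to someone else, as in a proxy that serves many sites from one
 * process. Only the first *_LEN bytes are the page the scanner may read. */
#define NEIGHBOUR ";sid=CONSTRUCTED-SECRET; note=\"x\""
static const char TRUNCATED[]   = "<a href=" NEIGHBOUR;   /* cut off mid-tag */
static const char WELL_FORMED[] = "<a href=\"/home\">" NEIGHBOUR;
#define TRUNCATED_LEN   8
#define WELL_FORMED_LEN 16

/* End-of-input test. The weak form notices the end only when the cursor
 * lands exactly on it; the hardened form also catches a cursor beyond it. */
static int at_end(const char *p, const char *pe, int hardened) {
    return hardened ? (p >= pe) : (p == pe);
}

/* Hypothetical toy scanner: copy the value of the first name="value"
 * attribute found in [p, pe) into out and return its length. */
size_t first_attr_value(const char *p, const char *pe,
                        char *out, size_t cap, int hardened) {
    size_t n = 0;
    if (cap == 0) return 0;
    out[0] = '\0';

    while (!at_end(p, pe, hardened) && *p != '=')
        p++;
    if (at_end(p, pe, hardened)) return 0;      /* no attribute at all */

    /* Hardened: make sure '=' and the opening quote are both inside the
     * buffer before skipping them. */
    if (hardened && (pe - p < 2 || p[1] != '"')) return 0;
    p += 2;   /* weak path: on "<a href=" this lands one byte PAST pe */

    /* Weak path: p is already beyond pe, so p == pe is never true again and
     * the copy runs on into the neighbouring bytes until it meets a quote. */
    while (!at_end(p, pe, hardened) && *p != '"' && n + 1 < cap)
        out[n++] = *p++;
    out[n] = '\0';
    return n;
}

int main(void) {
    char out[64];
    for (int hardened = 0; hardened <= 1; hardened++) {
        const char *mode = hardened ? "hardened" : "weak    ";
        first_attr_value(WELL_FORMED, WELL_FORMED + WELL_FORMED_LEN,
                         out, sizeof out, hardened);
        printf("%s well-formed page -> \"%s\"\n", mode, out);
        first_attr_value(TRUNCATED, TRUNCATED + TRUNCATED_LEN,
                         out, sizeof out, hardened);
        printf("%s truncated page   -> \"%s\"\n", mode, out);
    }
    return 0;
}
```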

The risk in third-party services

Any website can have bugs in its software that open security holes. That's one reason HTTPS connections aren't 100% secure. Old versions of SSL (TLS) have problems. The “Heartbleed” bug in older versions of the widely used OpenSSL software showed it was possible to exploit the weaknesses. The latest version fixes the problem, but there's no guarantee that it's completely bug-free. Many websites still use old versions of OpenSSL, with known weaknesses.

When a site uses a third-party service such as a caching proxy or a content delivery network, it can gain or lose security. A top-quality CDN has better security measures than most do-it-yourself sites, and it filters requests to the sites' servers. It can absorb DDoS attacks that would kill a one-machine server. Cloudflare features a web application firewall (WAF) that protects sites at the application level from many kinds of attacks.

This comes at a price, though.

To get the full range of services from Cloudflare, a website has to hand over its most precious secret: its private SSL key. Without that datum, Cloudflare couldn't do anything with HTTPS requests and responses but pass them through. It wouldn't be able to see anything except what server and port number they were going to.

The fact that the breach included HTTPS data underscores this issue. If Cloudflare didn't have sites' private keys, it could never have leaked passwords that were properly sent through HTTPS. By the same token, it couldn't have provided a useful WAF to protect servers that use secure communication. Sharing a private key with a CDN creates a potential risk, even if there's an overall gain in security.

Vulnerability to governments

However, giving a CDN a site's private key opens up one serious hole, which no software can guard against. A government can demand it, compel the CDN to stay silent, and have access to all of the site's SSL transactions. Government agents can spy on it indefinitely, and the site's owners won't have a clue that it's happening.

In the United States, a National Security Letter can accomplish this. Anyone who receives one isn't allowed to say anything about it or challenge it in an open court hearing. The Electronic Frontier Foundation has called the power to issue them “one of the most frightening and invasive” surveillance powers created by the PATRIOT Act.

Cloudflare has received at least two NSLs and possibly more. The FBI could have compelled it to turn over customers' private keys and not tell them. In a similar case, the FBI tried to compel Lavabit, a confidential email service, to turn over keys that would give it access to every user's private mail, even though its only target was Edward Snowden. Founder Ladar Levison was under a gag order not to disclose this until recently.

Other countries have similar or worse issues. The UK's Investigatory Powers Act gives law enforcement the authority to make telecommunication companies break their encryption. They would be under a compulsion of secrecy comparable to a National Security Letter. In the truly authoritarian states, the situation is even worse, with privacy being virtually non-existent.

How many websites do governments have access to, without their knowledge, because CDNs had to give up their private keys? There's no way to know.

The OrangeWebsite Difference

At OrangeWebsite we take your privacy seriously. We don't share our private keys, or yours, with third-party services. Government agencies in North America or Europe can't demand anything from us. We maintain state-of-the-art server security, performing regular security audits and keeping system software up to date. Optional two-factor authentication is available.

Nomad Capitalist has called Iceland the best host country for data privacy. The Icelandic Modern Media Initiative, passed by our Parliament in 2010, commits the country to freedom of information and expression. We allow anonymous registration, so that even torture or telepathy wouldn't get us to disclose your identity. Contact us to learn how to set up a secure, censorship-free website.

Data Centre Risk Index Names Iceland World’s Safest Location

The 2016 Data Centre Risk Index, published by Cushman & Wakefield (C&W), has moved Iceland to the number one position among 37 countries as the safest location for remote data storage, while the United States dropped from the number 1 to the number 10 position. The reasons Iceland rose to the top of the list are described below under "Methodology", but what it means for key business decision makers around the globe is unmistakable: Iceland is the best country in the world to secure their data. What it means for the clients of companies like OrangeWebsite, located in Reykjavík, Iceland, is added reassurance that their data is safe and protected.

Why Is Remote Data Storage Important?

For companies large and small, unplanned downtime is a cost of doing business. That doesn’t mean, of course, that businesses should (or do) passively acquiesce to the eventuality of downtime. In fact, American businesses spend millions implementing strategies to avoid downtime, from moving operations to the cloud or data centres to training employees to ignore suspicious emails and documents.

What Is the Cost to Business of Downtime?

There’s a good reason businesses spend so much time and money preventing downtime episodes. Downtime means a loss of revenues during the period their systems are down, in addition to lost productivity and damage to their reputations. According to the Data Center Journal, revenue losses due to downtime episodes are increasing exponentially. The average cost per minute of downtime is $7,900, an increase of 41% over a one-year period. The average downtime episode lasts 86 minutes. Doing the math, that’s a cost, on average, of almost $700,000 for every incident of downtime.

What Systems Are Most Affected by Downtime?

Downtime can affect every aspect of business operations, but the two at the top of the list are business applications and technology services. Business applications are those operations which employees access through the company’s internal server to do their jobs. Technology services include email operations, as well as internet and intranet access. Loss of either business or technology applications impacts productivity—and costs money.

The loss of business applications can affect the productivity of every employee, from financial services to marketing to information systems. For example, downtime can bring down CRM operations, making customer communications disorganized at best, or lost entirely at worst. It can also mean the loss of ERP capabilities, eliminating the flow of business information and preventing data-driven decision making.

The loss of technology services, like email and internet access, means employees have reduced access to non-mobile phone and fax machine service. It also compromises use of a company’s intranet, which employees rely on to access and share documents.

The Pervasiveness of Remote Data Storage

Understanding the risks associated with in-house data storage, an increasing number of businesses are looking at remote data storage options, such as remote data centers and cloud computing. For example, a study by RightScale reports that 93 percent of businesses now use cloud services. In another study, Emergent Research predicted that twice as many small businesses will move all business operations to the cloud within 6 years.

Other companies, particularly those which run a wider variety of business applications and have more complex workloads, are opting to store data at remote data centres. Those data centres offer more customized solutions and greater control over their data and equipment, better meeting the needs of large, complex businesses.

The complication for business decision makers is that remote data centers are, themselves, at some risk for downtime episodes. In order to help business owners decide which data centers are at least risk, Cushman & Wakefield each year publishes its annual Data Centre Risk Index. In its 2016 report, Cushman & Wakefield describe the importance of their analysis:

“The index ranks key established and emerging locations by the most appropriate risks affecting data centre operations in today’s current climate. It has been designed primarily to support data centre due diligence and senior decision making when considering global investment and deployment activities."

Data Risk Index 2016: Methodology

Cushman & Wakefield’s analysis surveys more than 4,000 clients worldwide to rate the relative security of 37 countries along 10 key factors related to data centre risk. These include factors like ease of doing business, natural disaster, energy security and corporation tax, among others. Each factor is weighted based on its relative importance to potential risk, with natural disaster (15.38%) and political stability (12.82%) at the top of the list, and GDP per capita (5.77%) and corporation tax (6.41%) at the bottom.

The methodology employed shifts each year to reflect changing conditions. This year’s report reflects the growing concern among businesses related to political stability, natural disaster and energy security, which have surpassed concerns related to cost and connectivity. As they explain in their introduction:

“Natural disaster and a location’s coping capability ranked as the most important risk factors while political stability ranked second this year, collectively accounting for one third of overall decision making and implying a level of emotional sentiment throughout the survey following a number of major incidents over the past few years.”

Data Risk Index 2016: Key Findings

Among this year's most significant takeaways are the following:

  • Iceland was rated the world’s safest data centre location, followed by Norway and Switzerland.
  • The United States dropped from the number one to the number 10 position, scoring particularly low in “corporation tax (36th out of 37)” and “international bandwidth (15th of 37).”
  • European countries offer on average the lowest risk environment, taking the top 5 index positions because of low risk for natural disaster and strong energy security ratings.
  • Singapore, South Korea and Hong Kong rated highly based on proximity to market, ease of doing business and IT infrastructure, and despite poor ratings for risk of natural disaster.

The 10 safest countries in the report are:

  • Iceland
  • Norway
  • Switzerland
  • Finland
  • Sweden
  • Canada
  • Singapore
  • Republic of Korea
  • United Kingdom
  • United States

The top 5 riskiest markets for data centers, according to C&W, are:

  • Nigeria
  • India
  • China
  • Turkey
  • Indonesia

Conclusion

Businesses which are considering moving their data to a data centre, or moving from one data centre to another, should carefully weigh the conclusions of the most recent Data Centre Risk Index, and especially the particular factors which informed those conclusions.

Founded in 2006 and located in Reykjavík, OrangeWebsite is one of Iceland’s leading web hosting companies, a 100% green company offering top-quality and secure web hosting solutions for clients around the globe. Their servers are in Iceland, and all their data is stored and protected in Iceland. To learn more about the ways we can keep your company’s data safe and secure, contact us today.

Boost your search rankings with an SSL

How to Boost Your Search Rankings With An SSL

Why You Should Have an SSL Certificate

Have you been thinking about adding SSL security to your website? Have you been hesitating because it seems too complicated and expensive? Really, it’s neither. Half the traffic on the Web now goes over HTTPS / SSL connections, and it’s constantly growing. It’s not terribly difficult, even for a small business.

History of SSL, TLS, and HTTPS

The Web was originally designed for communication, not security. A request and its response travel through multiple routers, which aren’t necessarily trustworthy. They can read and even alter anything that passes through them. They can steal passwords, add scripts, or censor information.

As the Web grew, it became obvious that secure communication was necessary. In 1994, Netscape created the Secure Sockets Layer (SSL) to support encrypted communication on the Web. It let a browser communicate securely with a server, even if the two parties didn’t know each other. The HTTPS protocol sends requests and responses over SSL, keeping them safe from any “man in the middle.”

SSL has gone through a series of revisions over the years to improve its security. In 1999 the Internet Engineering Task Force (IETF) took over the standard, renaming it Transport Layer Security (TLS). Strictly speaking, SSL is obsolete, but the term is still widely used. The data document which lets a site transfer data over TLS is still almost always called an “SSL certificate.” We’ll stick with that usage here.

Why SSL is important

The most obvious reason for using SSL (TLS) is to protect confidential information in transit. Snoopers shouldn’t be able to intercept passwords, credit card numbers, and other data that needs to be kept secret. With widespread use of public Wi-Fi, this is more important than ever. Anyone with some simple equipment can intercept communications near a public Wi-Fi hotspot. The hotspot itself may belong to a criminal using it to collect personal information. There’s no easy way to tell a legitimate one from a malicious one.

Even owners of sites that don’t deal in personal information should consider using SSL. There are actually four benefits that it offers:

  • Authentication. It confirms that the response actually comes from the site it claims to come from (i.e., that no one else has hijacked the connection).
  • Non-repudiation. A third party can confirm that a message came from a given source without the originator’s cooperation.
  • Integrity. The information can’t be altered in transit without making the attempt obvious.
  • Confidentiality. No one else can read the information transferred.

Integrity is important even if confidentiality isn’t. An intermediary can alter data over an insecure connection. This is a concern for every site, whether it handles confidential data or not. There can be several motives for modifying data in transit:

  • Censoring information. An autocratic government may want to block unfavorable news.
  • Adding false information or other content. Someone might want to deceive the recipient, engage in “hacktivism,” or damage a site’s reputation.
  • Inserting malicious scripts. Unauthorized JavaScript can make viewers download malware or redirect them to another site.
  • Modifying links. Changing a link on a page could send the user to a malicious site or steal form data.

How it works

An SSL certificate is a small data file which establishes a site’s cryptographic identity. More formally, it’s called an X.509 certificate. It uses the Public Key Infrastructure (PKI) to set up secure communication with a browser. This approach uses two digital keys which are paired together. The private key is stored only on the website’s host. The public key is included in the certificate, which is available to anyone to view.

To get a certificate, a website’s owner has to generate a private key and a certificate signing request (CSR). From here there are two options.

The cheap option is to self-sign the certificate. This costs nothing and it allows encryption, but it provides no authentication. Someone coming in with a browser has no assurance that someone else hasn’t taken over your domain or intercepted and changed the data packets. Anyone else can create a self-signed certificate and claim it’s from your domain. It’s of little value outside of personal and test sites.

The useful option is to get a signed certificate. This requires submitting the CSR to a certificate authority (CA), which will generate a digitally signed certificate. It says that the CA has confirmed that the certificate actually belongs to your domain. A signed certificate provides authentication as well as encryption.

But wait. How do you know that the CA is who it claims to be? The answer is that the CA can have its own certificate signed. All certificates, to be generally accepted, have to follow a chain of certificates back to a trusted (root) CA. A trusted CA’s certificate is widely available, and browsers ship with a set of root certificates from them.

Setting up the server

To use the certificate, a site needs an SSL-capable server. Most modern servers, including Apache, Nginx, and IIS, support SSL. Each one has its own method of installing the certificate.

It’s vital to keep the private key strictly confidential. Anyone who grabs it can intercept all secure communications. At the same time, it needs to be safely backed up, in case it ever needs to be restored.

SSL will protect only information that’s accessed through an HTTPS URL. If a site was previously using HTTP URLs, it’s necessary to change them to use HTTPS. The old URLs should forward to the new ones, both to avoid breaking links and to help people who are too lazy to type “https://”.

The server needs to use an up-to-date version of TLS — and here, the difference between SSL and TLS is important. The old versions, designated as SSL, have known weaknesses. So does TLS 1.0, which is basically the same as SSL 3.0. An attacker with enough computing resources can break the encryption. A website needs to use TLS 1.1 or later to have good security.

Getting your certificate

Obtaining an SSL certificate isn’t complicated or expensive when you get it from us. OrangeWebsite’s options range from the simple, economical RapidSSL to strongly validated, multidomain certificates. Whether you use our domain hosting or another host, we offer installation service and stand by our certificates. You can get a validated certificate at annual prices starting from:

  • RapidSSL Standard (simple and available in minutes): €29.80 / $31.92
  • Comodo InstantSSL (business validation): €73.60 / $78.84
  • Comodo Multidomain EV (extended validation): €565.00 / $749.00
  • RapidSSL Wildcard (unlimited subdomains): €134.70 / $144.29
  • Comodo EV (single domain, extended validation, $250,000 warranty): €298.80 / $320.07

Prices may vary with currency fluctuations. Contact us if you have any questions.

Understanding the Right for Privacy on the Internet

Limiting the amount of personal information on the internet can help to minimize the possible risks.

It seems like every time you check your newsfeed, there’s another story about someone’s privacy being violated online. Whether it was the GamerGate movement handing out Felicia Day’s personal information, the NSA collecting aggregate data from people online, or the hacktivist group Anonymous handing out information users thought was secure, it seems that online privacy is an easily-breached fence.

The fact that privacy is regularly breached, however, doesn’t answer the bigger, more important question: do you have a right to privacy on the Internet?

What is Right to Privacy?

For those looking for the right to privacy in the American Constitution, stop searching because it’s not in print. The idea of the right to privacy is something that the U.S. Supreme Court has said is implied by other amendments in it, including the 4th, 5th, 6th, and 9th. The court argues that people have a right to keep their private lives private from the government. They have a right to not consent to unreasonable, warrantless searches, and to remain silent when they’re being asked questions without a representative.

What Does It Mean on the Internet?

Most western governments have some sort of privacy law, but whether they’ve caught up with modern technology is another matter. The main issue when it comes to privacy on the internet isn’t only about government spying. By and large, people’s information is not even being stolen from them; rather, most people’s personal information is already out there for anyone who knows how to find it.

Let’s take an obvious example, Facebook. When you join the social network you agree to its terms of service. This includes collecting your information, keeping records of everything that you post and keeping things you’ve deleted on file for 90 days or more in many cases. It also means that your information as a user (what you like, what you follow, your age, gender, pretty much everything including your name and other personal details) can be sold to the highest bidder. This is called data mining, and advertisers typically use it to figure out what their target audience likes, so they can create the best possible ads to entice those groups. Anyone who has ever seen an ad in their feed obviously targeted to them has probably figured this out by now.

That’s not all that is going on in a social network. For instance, you may have your privacy settings so that only friends can see your content. But if just one of your friends likes or shares a post, then the control is out of your hands and now anyone in that friend’s network can see what happened. This was a major issue for a teacher whose pictures of herself at a brewery cost her her job, even though she was certain none of her students could access her Facebook page or photos because of her privacy settings. They couldn’t, but it was a parent who found her page.

One Great Big Modern Mess

Just as British children today might not see why Brave New World is a terrifying book, since there are cameras everywhere and invasion of privacy is commonplace, it is often difficult for people to understand what they’re giving up in the age of the Internet. As soon as a picture, status or piece of personal information is put up somewhere on the web, it has actually been logged, archived and stored. If someone can legitimately find that information without violating any user agreements, that is not a violation of your privacy on the internet, because you are the one who put it out there in the first place. It is also why law enforcement can use your Facebook feed to track you down and apprehend you. The same goes for corporate data mining: nothing you put up on a social network hosted by someone else truly belongs to you anymore.

No Data Online is 100% Secure

An important thing for internet users to understand is that no data connected to the World Wide Web is 100% secure. Even if the service where the information is submitted is using the latest security software and patches, hackers may still find a way to break in, and it has happened numerous times before with well-known internet services. If you have highly classified data, including pictures or documents you don’t want ANYONE to see, keeping those on offline storage is the only completely secure solution.

So What Can I Do?

For starters, you can limit or stop putting your information out there if you don’t want the world to see it. Most of us are not willing to do that, so at the very least you should know how your information is being used and make sure you know what you’re actually agreeing to.

Finally, there are examples where invasion of privacy on the internet contributes to a real crime. For instance, finding someone’s home address by checking public records is not illegal. Indiscriminately dispersing that information along with associated threats has constituted several crimes, as with the rape and death threats faced by many online feminist activists. At a minimum, threats like this should get the user banned, and the individual may also be brought up on charges like reckless endangerment, libel, or defamation of character, depending on the circumstances.

So even if you don’t always have a right to privacy on the internet, you do still have a right to safety. Many believe that is just not enough, and numerous questions remain about digital law enforcement, but at least it’s a good awareness to start with.

To find out more about improving your privacy on the internet, please contact us. We will be happy to answer your questions and help you any way we can with this process.

Privacy on the Internet: Your Selfie is a Gold Mine for Marketers

The self-portrait you thought was private could be used without your permission for marketing purposes.

We all love selfies. You constantly see the ones your friends take in your newsfeed and you post yours on Facebook and Twitter every chance you get. You take your self-portraits anywhere: at stores, restaurants, work, school, or the gym. You even love when your kids put their photos online, so you always press the ‘Like’ button.

There’s just one small catch, says an article from the Wall Street Journal. Several companies are now using your self-portraits for marketing purposes. They look for ones where you’re holding a clearly identifiable product, such as a Starbucks cup, or wearing a noticeable logo. And they prefer photos where you’re smiling, because it implies that you feel good about the things you’re wearing, holding, or consuming. Even the background is useful, since it shows these companies where and how you like to use their products.

Basically, this pictorial information is a treasure trove for market researchers. They can base new campaigns on the context in which their products are being used, and even send targeted ads to you specifically. Your selfie isn’t just a form of self-expression — it’s a promotion.

The privacy controls on Facebook generally prevent picture mining companies from using the images you post there. Unfortunately, the same can’t be said of Twitter, Tumblr, Flickr, or Pinterest. Pictures on those sites become grist for the marketing mill.

There are no clear laws to protect you against misuse of your photos, so about all you can do is write to the offending sites to express your displeasure. In the meantime, putting your selfies only on Facebook can offer you some measure of privacy. You can also encourage your kids, friends, and relatives to do the same.

To find out more about improving your privacy on the Internet, please contact us. We will be happy to answer your questions and help you any way we can with this process.