What Can We Learn from the Cloudflare Leak?

Cloudflare Leak
Cloudflare Leak

What Can We Learn from the Cloudflare Leak?

Cloudflare calls itself the “web performance and security company,” so it was a serious blow to its reputation when researchers discovered that it had a security bug that made sites’ data visible on other sites. What was really disturbing was that supposedly secure data from HTTPS requests leaked out this way. Passwords, session cookies, credit card information, and other sensitive data simply showed up in random places.

Google researcher Tavis Ormandy discovered this problem on February 17, and tech media have attached the name “Cloudbleed” to it. Cloudflare provides services to millions of websites, and any of them could have suffered a loss of confidential data. Many of them have urged users to change their passwords. The risk to any individual is low, but the effect was so widespread that personal data could have been stolen from a significant number of people.

Cloudflare has fixed the bug, but the leaked data could still be lurking in the caches of search engines and edge servers, and data thieves now know to look for it.

Cloudflare’s incident report explains that the problem stemmed from a buffer overrun bug. For efficiency reasons, low-level system software is often written in programming languages, such as C, which don’t automatically guard against accessing memory structures outside their limits. An HTML parser had a bug of this type, resulting in its picking up data from whatever was past the end of a memory buffer. It could be anything, and sometimes it was private data from another website.

The risk in third-party services

Any website can have bugs in its software that open security holes. That’s one reason HTTPS connections aren’t 100% secure. Old versions of SSL (TLS) have problems. The “Heartbleed” bug in older versions of the widely used OpenSSL software showed it was possible to exploit the weaknesses. The latest version fixes the problem, but there’s no guarantee that it’s completely bug-free. Many websites still use old versions of OpenSSL, with known weaknesses.

When a site uses a third-party service such as a caching proxy or a content delivery network, it can gain or lose security. A top-quality CDN has better security measures than most do-it-yourself sites, and it filters requests to the sites’ servers. It can absorb DDoS attacks that would kill a one-machine server. Cloudflare features a web application firewall (WAF) that protects sites at the application level from many kinds of attacks.

This comes at a price, though.

To get the full range of services from Cloudflare, a website has to hand over its most precious secret: its private SSL key. Without that datum, Cloudflare couldn’t do anything with HTTPS requests and responses but pass them through. It wouldn’t be able to see anything except what server and port number they were going to.

The fact that the breach included HTTPS data underscores this issue. If Cloudflare didn’t have sites’ private keys, it could never have leaked passwords that were properly sent through HTTPS. By the same token, it couldn’t have provided a useful WAF to protect servers that use secure communication. Sharing a private key with a CDN creates a potential risk, even if there’s an overall gain in security.

Cloudflare Leak

Vulnerability to governments

However, giving a CDN a site’s private key opens up one serious hole, which no software can guard against. A government can demand it, compel the CDN to stay silent, and have access to all of the site’s SSL transactions. Government agents can spy on it indefinitely, and the site’s owners won’t have a clue that it’s happening.

In the United States, a National Security Letter can accomplish this. Anyone who receives one isn’t allowed to say anything about it or challenge it in an open court hearing. The Electronic Frontier Foundation has called the power to issue them “one of the most frightening and invasive” surveillance power created by the PATRIOT Act.

Cloudflare has received at least two NSLs and possibly more. The FBI could have compelled it to turn over customers’ private keys and not tell them. In a similar case, the FBI tried to compel Lavabit, a confidential email service, to turn over keys that would give it access to every user’s private mail, even though it was just after Edward Snowden. Founder Ladar Levison was under a gag order not to disclose this until recently.

Other countries have similar or worse issues. The UK’s Investigatory Powers Act gives law enforcement the authority to make telecommunication companies break their encryption. They would be under a compulsion of secrecy comparable to a National Security Letter. In the truly authoritarian states, the situation is even worse, with privacy being virtually non-existent.

How many websites do governments have access to, without their knowledge, because CDNs had to give up their private keys? There’s no way to know.

The OrangeWebsite Difference

At OrangeWebsite we take your privacy seriously. We don’t share our private keys, or yours, with third-party services. Government agencies in North America or Europe can’t demand anything from us. We maintain state-of-the-art server security, performing regular security audits and keeping system software up to date. Optional two-factor authentication is available.

Nomad Capitalist has called Iceland the best host country for data privacy. The Icelandic Modern Media Initiative, passed by our Parliament in 2010, commits the country to freedom of information and expression. We allow anonymous registration, so that even torture or telepathy wouldn’t get us to disclose your identity. Contact us to learn how to set up a secure, censorship-free website.

Data Centre Risk Index Names Iceland World’s Safest Location

The 2016 Data Centre Risk Index, published by Cushman & Wakefield (C&W), has moved Iceland to the number one position among 37 countries as the safest location for remote data storage, while the United States dropped from the number 1 to the number 10 position. The reasons Iceland rose to the top of the list are several (as described below under “Methodology”), but what it means for key business decision makers around the globe is unmistakable: Iceland is the best country in the world to secure their data. What it means for the clients of companies like OrangeWebsite, located in Reykjavík, Iceland, is added reassurance that their data is safe and protected.

Why Is Remote Data Storage Important?

For companies large and small, unplanned downtime is a cost of doing business. That doesn’t mean, of course, that businesses should (or do) passively acquiesce to the eventuality of downtime. In fact, American businesses spend millions implementing strategies to avoid downtime, from moving operations to the cloud or data centres to training employees to ignore suspicious emails and documents.

What Is the Cost to Business of Downtime?

There’s a good reason businesses spend so much time and money preventing downtime episodes. Downtime means a loss or revenues during the period their systems are down, in addition to lost productivity and damage to their reputations. According to the Data Center Journal, revenue losses due to downtime episodes are increasing exponentially. The average cost per minute of downtime is $7,900, an increase of 41% over a one-year period. The average downtime episode lasts 86 minutes. Doing the math, that’s a cost—on average—of almost $700,000 for every incident of downtime.

What Systems Are Most Affected by Downtime?

Downtime can affect every aspect of business operations, but the two at the top of the list are business applications and technology services. Business applications are those operations which employees access through the company’s internal server to do their jobs. Technology services include email operations, as well as internet and intranet access. Loss of either business or technology applications impacts productivity—and costs money.

The loss of business applications can affect the productivity of every employee, from financial services to marketing to information systems. For example, downtime can bring down CRM operations, making customer communications disorganized at best, or lost entirely at worst. It can also mean the loss of ERP capabilities, eliminating the flow of business information and preventing data-driven decision making.

The loss of technology services, like email and internet access, means employees have reduced access to non-mobile phone and fax machines service. It also compromises use of a company’s intranet, which employees rely on to access and share documents.

The Pervasiveness of Remote Data Storage

Understanding the risks associated with in-house data storage, an increasing number of businesses are looking at remote data storage options, such as remote data centers and cloud computing. For example, a study by RightScale reports that 93 percent of businesses now use cloud services. In another study, Emergent Research predicted that twice as many small businesses will move all business operations to the cloud within 6 years.

Other companies, particularly those which run a wider variety of business applications and have more complex workloads, are opting to store data at remote data centres. Those data centres offer more customized solutions and greater control over their data and equipment, better meeting the needs of large, complex businesses.

The complication for business decision makers is that remote data centers are, themselves, at some risk for downtime episodes. In order to help business owners decide which data centers are at least risk, Cushman & Wakefield each year publishes its annual Data Centre Risk Index. In its 2016 report, Cushman & Wakefield describe the importance of their analysis:

“The index ranks key established and emerging locations by the most appropriate risks affecting data centre operations in today’s current climate. It has been designed primarily to support data centre due diligence and senior decision making when considering global investment and deployment activities.”

Data Risk Index 2016: Methodology

Cushman & Wakefield’s analysis surveys more than 4,000 clients worldwide to rate the relative security of 37 countries along 10 key factors related to data centre risk. These include factors like ease of doing business, natural disaster, energy security and corporation tax, among others. Each factor is weighted based on its relative importance to potential risk, with natural disaster (15.38%) and political stability (12.82%) at the top of the list, and GDP per capital (5.77%) and corporation tax (6.41%) at the bottom.

The methodology employed shifts each year to reflect changing conditions. This year’s report reflects the growing concern among businesses related to political stability, natural disaster and energy security, which have surpassed concerns related to cost and connectivity. As they explain in their introduction:

“Natural disaster and a location’s coping capability ranked as the most important risk factors while political stability ranked second this year, collectively accounting for one third of overall decision making and implying a level of emotional sentiment throughout the survey following a number of major incidents over the past few years.”

Data Risk Index 2016: Key Findings

Among this year’s most significant takeaways are the following:

Iceland was rated the world’s safest data centre location, followed by Norway and Switzerland The United States dropped from the number one to the number 10 position, scoring particularly low in “corporation tax (36th out of 37)” and “international bandwidth (15th of 37).” European countries offer on average the lowest risk environment, taking the top 5 index positions because of low risk for natural disaster and strong energy security ratings Singapore, South Korea and Hong Kong rated highly based on proximity to market, ease of doing business and IT infrastructure, and despite poor ratings for risk of natural disaster The 10 safest countries in the report are:

  • Iceland
  • Norway
  • Switzerland
  • Finland
  • Sweden
  • Canada
  • Singapore
  • Republic of Korea
  • United Kingdom
  • United States

The top 5 riskiest markets for data centers, according to C&W, are:

  • Nigeria
  • India
  • China
  • Turkey
  • Indonesia

Conclusion Businesses which are considering moving their data to a data centre, or moving from one data centre to another, should carefully weigh the conclusions of the most recent Data Centre Risk Index, and especially the particular factors which informed those conclusions.

Founded in 2006 and located in Reykjavík, OrangeWebsite is one of Iceland’s leading web hosting companies, a 100% green company offering top-quality and secure web hosting solutions for clients around the globe. Their servers are in Iceland, and all of their data is stored and protected in Iceland. To learn more about the ways we can keep your company’s data safe and secure, contact us today.

What Is Two Factor Authentication (2FA)

two factor authentication 2fa
two factor authentication 2fa

What Is Two Factor Authentication (2FA), And How Does It Benefit Companies?

Identity theft, hacking and phishing attacks are all on the rise, and costing individuals and businesses billions each year.  A successful hacking attack typically costs the businesses which are its victims more than money.  There is the additional expense, more difficult to quantify, in damaged reputation, as customers lose confidence in the ability of the company to keep their data private and secure.

The Impact of Hacking Attacks on Business

According to a recent study by Lloyd’s of London, global hacking attacks cost businesses more than $400 billion each year.  Those costs are multiplied by the expensive measures companies take to ensure the security of their data. Each year, for example, companies spend more than $75 billion each year on cybersecurity. 

Small Businesses Are Not Safe From Hacking 

Until recently, those attacks were targeted primarily against multi-national corporations, but increasingly cybercriminals are going after small businesses.  In 2013, 44% of small businesses reported at least one hacking attack, according to the National Small Business Association.  While large corporations can absorb the losses associated with a hacking or phishing attack, for small businesses, such attacks can be devastating in terms of both financial losses and damage to their reputation.

Identity Theft Affects Millions, and Is Increasing Every Year

It’s not only businesses which are the victims of cybercrimes.  In 2014, more than 17 million individuals were victims of identity theft, according to the US Bureau of Justice, mainly through the hacking of their credit or debit card accounts.  According to Business Insider, identity theft cost individuals almost $25 billion in 2013, $10 billion more than property theft.

The increase in recent years of both hacking attacks on business and identify theft aimed at individuals has many companies wondering if there is anything they can do to protect their data.  Fortunately, there is a way for businesses to protect the privacy of their customers and the security of their personal information.

What Is Two Factor Authentication (2FA)?

Two factor authentication, the latest advancement in information security systems, makes it more difficult for thieves to access customer data.  Most security systems are based on customers verifying their identity by providing a password and User ID. 

Two factor authentication provides an added layer of security by requiring system users to enter additional information which only the user has, such as something only the user knows, like a PIN or answer to a security question; something they have in their possession, like a mobile phone or ID card; or a physical characteristic, like their fingerprint or your voice.

Experts Agree:  Two Factor Authentication Protects Data Better

Following the 2013 hacking attack on the Saudi oil giant, Saudi Aramco, on Twitter. experts agreed that it was time for Twitter to join other social media sites like Google in implementing two factor authentication.  In an article with the title, “Following breaches, experts call for two-factor authentication on Twitter,” Chester Wisniewski, a senior security adviser for the security firm, Sophos, wrote:

“It is high time Twitter implement something to augment account security. Two-factor authentication would be a great option for protecting high-profile brands, celebrities and those who simply want that extra layer of security for their online identity.”

two factor authentication 2fa

The Benefits of Two Factor Authentication

Two factor authentication is relatively inexpensive to implement and offers several important benefits to help businesses protect the security of their data.  Here are 4 of the most imporant benefits of two-factor authentication:

  1. Improved security:  passwords and user ID numbers are relatively easy for cyber thieves to access.  Many people, for example, are afraid of forgetting their passwords and write them down in one or more places which thieves can find.  Two factor authentication makes it more difficult for thieves to steal customer data with features such as one time passwords (OTPs) which are good for only one login,  information which only the user has, or personal characteristics like fingerprints which thieves can’t duplicate.
  2. Customer satisfaction:  customers are naturally attracted to businesses which are better able to secure their data.  When they see that a business requires additional security information, they feel protected, and feel more positively about that business for ensuring their information is secure. Those positive feelings add to customer trust and boost customer retention.
  3. Increased worker productivity:  because two factor authentication makes data more secure, companies are more confident about permitting their employees to work remotely.  According to the Harvard Business Review, when Chinese travel website, Ctrip, allowed its employees to work remotely from home, their productivity increased on average by more than 13% and the company was able to save almost $2,000 per employee while also increasing employee retention.
  4. Reduced operating costs:  two factor authentication makes businesses more efficient and reduces operating costs.  For example, because there are fewer password resets, customers don’t need to call help desks as frequently.  In addition, companies spend less time contacting customers about suspicious activity on their accounts.  Finally, companies spend less money on expensive fraud review systems.


Companies which fail to protect the personal information of their customers lose both money and reputation.  For smaller businesses, those losses can be catastrophic.  Fortunately, there are forward thinking web hosting providers which have developed innovative approaches to help businesses with their data and privacy concerns. 

Founded in 2006, OrangeWebsite is a recognized industry leader in providing safe and secure web hosting services. Our two factor authentication service includes a special one-time passcode, sent to users through SMS, which users submit to ensure a secure login.  The cost is an annual fee of just €94.80.

If you would like to know more about the ways we can make your website safer and more secure, or would like more information about our two factor authentication services, contact us today.

Boost your search rankings with an SSL

How to Boost Your Search Rankings With An SSL

How to Boost Your Search Rankings With An SSL

How to Boost Your Search Rankings With An SSL

Why You Should Have an SSL Certificate

Have you been thinking about adding SSL security to your website? Have you been hesitating because it seems too complicated and expensive? Really, it’s neither. Half the traffic on the Web now goes over HTTPS / SSL connections, and it’s constantly growing. It’s not terribly difficult, even for a small business.

History of SSL, TLS, and HTTPS

The Web was originally designed for communication, not security. A request and its response travel through multiple routers, which aren’t necessarily trustworthy. They can read and even alter anything that passes through them. They can steal passwords, add scripts, or censor information.

As the Web grew, it became obvious that secure communication was necessary. In 1994, Netscape created the Secure Sockets Layer (SSL) to support encrypted communication on the Web. It let a browser communicate securely with a server, even if the two parties didn’t know each other. The HTTPS protocol sends requests and responses over SSL, keeping them safe from any “man in the middle.”

SSL has gone through a series of revisions over the years to improve its security. In 1999 the Internet Engineering Task Force (IETF) took over the standard, renaming it Transport Layer Security (TLS). Strictly speaking, SSL is obsolete, but the term is still widely used. The data document which lets a site transfer data over TLS is still almost always called an “SSL certificate.” We’ll stick with that usage here.

Why SSL is important

The most obvious reason for using SSL (TLS) is to protect confidential information in transit. Snoopers shouldn’t be able to intercept passwords, credit card numbers, and other data that needs to be kept secret. With widespread use of public Wi-Fi, this is more important than ever. Anyone with some simple equipment can intercept communications near a public Wi-Fi hotspot. The hotspot itself may belong to a criminal using it to collect personal information. There’s no easy way to tell a legitimate one from a malicious one.

Even owners of sites that don’t deal in personal information should consider using SSL. There are actually four benefits that it offers:

  • Authentication. It confirms that the response actually comes from the site it claims to come from (i.e., that no one else has hijacked the connection).
  • Non-repudiation. A third party can confirm that a message came from a given source without the originator’s cooperation.
  • Integrity. The information can’t be altered in transit without making the attempt obvious.
  • Confidentiality. No one else can read the information transferred.

Integrity is important even if confidentiality isn’t. An intermediary can alter data over an insecure connection. This is a concern for every site, whether they handle confidential data or not There can be several motives for modifying data in transit:

  • Censoring information. An autocratic government may want to block unfavorable news.
  • Adding false information or other content. Someone might want to deceive the recipient, engage in “hacktivism,” or damage a site’s reputation.
  • Inserting malicious scripts. Unauthorized JavaScript can make viewers download malware or redirect them to another site.
  • Modifying links. Changing a link on a page could send the user to a malicious site or steal form data.
How to Boost Your Search Rankings With An SSL

How it works

An SSL certificate is a small data file which establishes a site’s cryptographic identity. More formally, it’s called an X.509 certificate. It uses the Public Key Infrastructure (PKI) to set up secure communication with a browser. This approach uses two digital keys which are paired together. The private key is stored only on the website’s host. The public key is included in the certificate, which is available to anyone to view.

To get a certificate, a website’s owner has to generate a private key and a certificate signing request (CSR). From here there are two options.

The cheap option is to self-sign the certificate. This costs nothing and it allows encryption, but it provides no authentication. Someone coming in with a browser has no assurance that someone else hasn’t taken over your domain or intercepted and changed the data packets. Anyone else can create a self-signed certificate and claim it’s from your domain. It’s of little value outside of personal and test sites.

The useful option is to get a signed certificate. This requires submitting the CSR to a certificate authority (CA), which will generate a digitally signed certificate. It says that the CA has confirmed that the certificate actually belongs to your domain. A signed certificate provides authentication as well as encryption.

But wait. How do you know that the CA is who it claims to be? The answer is that the CA can have its own certificate signed. All certificates, to be generally accepted, have to follow a chain of certificates back to a trusted (root) CA. A trusted CA’s certificate is widely available, and browsers ship with a set of root certificates from them.

Setting up the server

To use the certificate, a site needs an SSL-capable server. Most modern server, including Apache, Nginx, and IIS, support SSL. Each one has its own method of installing the certificate.

It’s vital to keep the private key strictly confidential. Anyone who grabs it can intercept all secure communications. At the same time, it needs to be safely backed up, in case it ever needs to be restored.

SSL will protect only information that’s accessed through an HTTPS URL. If a site was previously using HTTP URLs, it’s necessary to change them to use HTTPS. The old URLs should forward to the new ones, both to avoid breaking links and to help people who are too lazy to type “https://”.

The server needs to use an up-to-date version of TLS — and here, the difference between SSL and TLS is important. The old versions, designated as SSL, have known weaknesses. So does TLS 1.0, which is basically the same as SSL 3.0. An attacker with enough computing resources can break the encryption. A website needs to use TLS 1.1 or later to have good security.

How to Boost Your Search Rankings With An SSL

Getting your certificate

Obtaining an SSL certificate isn’t complicated or expensive when you get it from us. OrangeWebsite’s options range from the simple, economical RapidSSL to strongly validated, multidomain certificates. Whether you use our domain hosting or another host, we offer installation service and stand by our certificates. You can get a validated certificate at annual prices starting from:

  • RapidSSL Standard (simple and available in minutes): €29.80 / $31.92
  • Comodo InstantSSL (business validation): €73.60 / $78.84
  • Comodo Multidomain EV (extended validation): €565.00 / $749.00
  • RapidSSL Wildcard (unlimited subdomains): €134.70 / $144.29
  • Comodo EV (single domain, extended validation, $250,000 warranty): €298.80 / $320.07

Prices may vary with currency fluctuations. Contact us if you have any questions.

Understanding the Right for Privacy on the Internet

An image of young girl working on laptop at home covering man's face with hand.
An image of young girl working on laptop at home covering man's face with hand.

Limiting the amount of personal information on the internet can help to minimize the possible risks.

It seems like every time you check your newsfeed, there’s another story about someone’s privacy being violated online. Whether it was the GamerGate movement handing out Felicia Day’s personal information, the NSA collecting aggregate data from people online, or the hacktivist group Anonymous handing out information users thought was secure, it seems that online privacy is an easily-breached fence.

Just because privacy is regularly breached however doesn’t answer the bigger, more important question, do you have a right to privacy on the Internet?

What is Right to Privacy?

For those looking for the right to privacy in the American Constitution, stop searching because it’s not in print. The idea of the right to privacy is something that the U.S. Supreme Court has said is implied by other amendments in it, including the 4th, 5th, 6th, and 9th. The court argues that people have a right to keep their private lives private from the government. They have a right to not consent to unreasonable, warrantless searches, and to remain silent when they’re being asked questions without a representative.

What does It Mean on the Internet?

Most western governments have some sort of privacy law – but whether they’ve caught up with modern technology is another matter. The main issue when it comes to privacy on the internet isn’t only about government spying – by large, people’s information is not even being stolen from them, rather most people’s personal information is already out there for anyone who knows how to find it.

Let’s take an obvious example, Facebook. When you join the social network you agreed to its terms of service. This includes collecting your information, keeping records of everything that you post and keeping things you’ve deleted on file for 90 days or more in many cases. It also means that your information as a user – what you like, what you follow, your age, gender, pretty much of everything including your name and other personal details – can be sold to the highest bidder. This is called data mining and advertisers are typically use it to figure out what target audience likes, so they can create the best possible ads to entice those groups. Anyone who has ever seen an ad in their feed obviously targeted to them has probably figured this out by now.

That’s not all that is going on in a social network. For instance, you may have your privacy settings so that only friends can see your contents. But if just one of your friends likes or shared a post, then the control is out of your hand and now anyone in that friend’s network can see what happened. This was a major issue of a teacher whose pictures of herself at a brewery cost her job, even though she was certain none of her students could access her Facebook page or photos because of her privacy settings. They couldn’t, but it was a parent who found her page.

One Great Big Modern Mess

Just as British children today might not see why Brave New World is a terrifying book – since there are cameras everywhere and invasion of privacy is commonplace. It is often difficult for people to understand what they’re giving up in the age of the Internet. As soon as a picture, status or piece of personal information is put up somewhere on the web, it is actually been logged, archived and stored. If someone can legitimately find that information without violating any user agreements, that is not a violation of your privacy on the internet because you are the one who put it out there in the first place – it is also why law enforcement can use your Facebook feed to track you down and apprehend you. Same goes for corporate data mining – nothing you put up on a social network hosted by someone else is truly belongs to you anymore.

No Data Online is 100% Secure

An important thing for internet users is to understand that no data that is connected to world-wide-web is 100% secure. No matter if the service where the information is submitted, is using the latest security software and patches, hackers may still have their way to break in – and it has happened before numerous times with well-known internet services. If you have highly classified data, including pictures or documents you don’t want ANYONE to see, keeping those on offline storage is the only completely secure solution.

So What Can I Do?

For starters what you can do is limiting or stop putting your information out there if you don’t want the world to see it. Most of us are not willing to do that, so at the very least you should know how your information is being used and make sure you know what you’re actually agreeing to.

Finally, there are examples where invasion of privacy on the internet contributes a real crime. For instance, finding someone’s home address by checking public records is not illegal. Indiscriminately dispersing that information along with associated threat had constituted several crimes, like the rape and death threats faced by many online feminist activists. At a minimum level, threats like this should get the user banned and the individual may also be brought on charges like reckless endangerment, libel, or defamation of character, depending on the circumstances.

So even if you don’t always have a right to privacy on the internet, you do still have a right to safety. Many believed that is just not enough and numerous questions remain about digital law enforcement, at least it’s a good awareness to start with.

Find out more information about improving your privacy on the internet, please contact us. We will be happy to answer your questions and help you any way we can with this process.