{"id":382,"date":"2017-04-14T17:05:15","date_gmt":"2017-04-14T17:05:15","guid":{"rendered":"https:\/\/www.orangewebsite.com\/articles\/?p=382"},"modified":"2025-12-29T02:29:20","modified_gmt":"2025-12-29T02:29:20","slug":"can-learn-cloudflare-leak","status":"publish","type":"post","link":"https:\/\/www.orangewebsite.com\/articles\/can-learn-cloudflare-leak\/","title":{"rendered":"What Can We Learn from the Cloudflare Leak?"},"content":{"rendered":"<div class=\"et_pb_section_0 et_pb_section et_section_regular et_block_section\"><div class=\"et_pb_row_0 et_pb_row et_block_row\"><div class=\"et_pb_column_0 et_pb_column et_pb_column_4_4 et-last-child et_block_column et_pb_css_mix_blend_mode_passthrough\"><div class=\"et_pb_text_0 et_pb_text et_pb_bg_layout_light et_pb_module et_block_module\"><div class=\"et_pb_text_inner\"><h1 style=\"text-align: center;\"><strong>What Can We Learn from the Cloudflare Leak?<\/strong><\/h1>\n<p>Cloudflare calls itself the \u201cweb performance and security company,\u201d so it was a serious blow to its reputation when researchers discovered that it had a <a href=\"https:\/\/www.wired.com\/2017\/02\/crazy-cloudflare-bug-jeopardized-millions-sites\/\" target=\"_blank\" rel=\"noopener noreferrer\">security bug<\/a> that made sites' data visible on other sites. What was really disturbing was that supposedly secure data from HTTPS requests leaked out this way. Passwords, session cookies, credit card information, and other sensitive data simply showed up in random places.<\/p>\n<p>Google researcher Tavis Ormandy discovered this problem on February 17, and tech media have attached the name \u201cCloudbleed\u201d to it. Cloudflare provides services to millions of websites, and any of them could have suffered a loss of confidential data. Many of them have urged users to change their passwords. 
The risk to any individual is low, but the effect was so widespread that personal data could have been stolen from a significant number of people.<\/p>\n<p>Cloudflare has fixed the bug, but the leaked data could still be lurking in the caches of search engines and edge servers, and data thieves now know to look for it.<\/p>\n<p><a href=\"https:\/\/blog.cloudflare.com\/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug\/\" target=\"_blank\" rel=\"noopener noreferrer\">Cloudflare's incident report<\/a> explains that the problem stemmed from a buffer overrun bug. For efficiency reasons, low-level system software is often written in programming languages, such as C, which don't automatically guard against accessing memory structures outside their limits. An HTML parser had a bug of this type, resulting in its picking up data from whatever was past the end of a memory buffer. It could be anything, and sometimes it was private data from another website.<\/p>\n<p><strong>The risk in third-party services<\/strong><\/p>\n<p>Any website can have bugs in its software that open security holes. That's one reason HTTPS connections aren't 100% secure. Old versions of SSL (TLS) have problems. The <a href=\"http:\/\/heartbleed.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">\u201cHeartbleed\u201d<\/a> bug in older versions of the widely used OpenSSL software showed it was possible to exploit the weaknesses. The latest version fixes the problem, but there's no guarantee that it's completely bug-free. Many websites still use old versions of OpenSSL, with known weaknesses.<\/p>\n<p>When a site uses a third-party service such as a caching proxy or a content delivery network, it can gain or lose security. A top-quality CDN has better security measures than most do-it-yourself sites, and it filters requests to the sites' servers. It can absorb DDoS attacks that would kill a one-machine server. 
Cloudflare features a web application firewall (WAF) that protects sites at the application level from many kinds of attacks.<\/p>\n<p>This comes at a price, though.<\/p>\n<p>To get the full range of services from Cloudflare, a website has to hand over its most precious secret: its private SSL key. Without that datum, Cloudflare couldn't do anything with HTTPS requests and responses but pass them through. It wouldn't be able to see anything except what server and port number they were going to.<\/p>\n<p>The fact that the breach included HTTPS data underscores this issue. If Cloudflare didn't have sites' private keys, it could never have leaked passwords that were properly sent through HTTPS. By the same token, it couldn't have provided a useful WAF to protect servers that use secure communication. Sharing a private key with a CDN creates a potential risk, even if there's an overall gain in security.<\/p>\n<p><strong>Vulnerability to governments<\/strong><\/p>\n<p>However, giving a CDN a site's private key opens up one serious hole, which no software can guard against. A government can demand it, compel the CDN to stay silent, and have access to all of the site's SSL transactions. Government agents can spy on it indefinitely, and the site's owners won't have a clue that it's happening.<\/p>\n<p>In the United States, a National Security Letter can accomplish this. Anyone who receives one isn't allowed to say anything about it or challenge it in an open court hearing. 
The <a href=\"https:\/\/www.eff.org\/issues\/national-security-letters\" target=\"_blank\" rel=\"noopener noreferrer\">Electronic Frontier Foundation<\/a> has called the power to issue them \u201cone of the most frightening and invasive\u201d surveillance powers created by the PATRIOT Act.<\/p>\n<p><a href=\"https:\/\/techcrunch.com\/2017\/01\/13\/cloudflare-and-credo-are-still-gagged-from-talking-about-national-security-letters\/\" target=\"_blank\" rel=\"noopener noreferrer\">Cloudflare has received at least two NSLs<\/a> and possibly more. The FBI could have compelled it to turn over customers' private keys and not tell them. In a similar case, the FBI tried <a href=\"http:\/\/www.bankinfosecurity.com\/blogs\/lavabit-back-after-snowden-fbi-legal-battle-p-2377\" target=\"_blank\" rel=\"noopener noreferrer\">to compel Lavabit<\/a>, a confidential email service, to turn over keys that would give it access to every user's private mail, even though its only target was Edward Snowden. Founder Ladar Levison was under a gag order not to disclose this until recently.<\/p>\n<p>Other countries have similar or worse issues. The UK's Investigatory Powers Act gives law enforcement the authority to make telecommunication companies break their encryption. They would be under a compulsion of secrecy comparable to a National Security Letter. In the truly authoritarian states, the situation is even worse, with privacy being virtually non-existent.<\/p>\n<p>How many websites do governments have access to, without their knowledge, because CDNs had to give up their private keys? There's no way to know.<\/p>\n<p><strong>The OrangeWebsite Difference<\/strong><\/p>\n<p>At OrangeWebsite we take your privacy seriously. We don't share our private keys, or yours, with third-party services. 
Government agencies in North America or Europe can't demand anything from us. We maintain state-of-the-art server security, performing regular security audits and keeping system software up to date. Optional two-factor authentication is available.<\/p>\n<p>Nomad Capitalist has called Iceland the <a href=\"http:\/\/nomadcapitalist.com\/2013\/12\/15\/top-5-best-countries-host-website-data-privacy\/\" target=\"_blank\" rel=\"noopener noreferrer\">best host country for data privacy<\/a>. The Icelandic Modern Media Initiative, passed by our Parliament in 2010, commits the country to freedom of information and expression. We allow anonymous registration, so that even torture or telepathy wouldn't get us to disclose your identity. <a href=\"http:\/\/www.orangewebsite.com\/contact.php\">Contact us<\/a> to learn how to set up a secure, censorship-free website.<\/p>\n<\/div><\/div><\/div><\/div><\/div>","protected":false},"excerpt":{"rendered":"","protected":false},"author":5,"featured_media":384,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-382","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/posts\/382","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/comments?post=382"}],"version-history":[{"count":9,"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/posts\/382\/revisions"}],"predecessor-version":[{"id":1635,"href":"https:\
/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/posts\/382\/revisions\/1635"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/media\/384"}],"wp:attachment":[{"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/media?parent=382"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/categories?post=382"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/tags?post=382"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}