Community

PSA: change all your passwords today

stevejalim (Steve Jalim) 2017-02-24 07:50:32 UTC #1

Cloudflare has had a megabug.

CHANGE ALL YOUR PASSWORDS EVEN IF IT TAKES YOU HOURS.

Read this security write-up, it's really worth it: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

As a genuinely wise person on HN (https://news.ycombinator.com/item?id=13718752) said:

If you were behind Cloudflare and it was proxying sensitive data (the contents of HTTP POSTs, &c), they've potentially been spraying it into caches all across the Internet; it was so bad that Tavis found it by accident just looking through Google search results.

In a line: your secrets cached via cloudflare may have been leaking.

ALSO, if you use cloudflare in your own stack, please cycle (regenerate and swap) your secret keys. You should also consider what user data may have been made vulnerable and communicating this to users.

I'm off to start work on a log cabin in Greenland.

mattpointblank (Matt Andrews) 2017-02-26 09:21:01 UTC #2

Sometimes I worry that the tech we've created for the web is too complicated for it to ever be safe to use...

stevejalim (Steve Jalim) 2017-02-26 09:28:56 UTC #3

I think we're pushing the web way harder than it was intended originally. It's impressive that so much of it still stands up to that pressure, via low-level swap-outs of old tech or a pile of turtles higher up in the stack, but - fundamentally - I think a do-over would probably be better, even if that'll never happen - because shareholders/private capital.

auxbuss (Marc Cooper) 2017-02-26 13:17:09 UTC #4

I doubt the internet would have happened if the politicos and Big Biz had grasped what was happening. We should embrace the chaos, keep iterating, and stay ahead of the authoritarians who seek to control it, and by proxy, us.

That said, ubiquitous ssh auth (and its ilk) would solve a lot of issues.