Your website is most likely not affected
We learned of the Cloudflare data leak (dubbed “Cloudbleed”) late last night and have dug into the issue. Long story short, I think it’s a non-issue for almost all sites at this point. Only about 1 in every 3 million requests was affected, across a few thousand sites that run through Cloudflare, and leaked network data was actually output on a few dozen sites that were then indexed and cached by search engines. “With the help of Google, Yahoo, Bing, and others, we found 770 unique URIs that had been cached and which contained leaked memory,” said Cloudflare. “Those 770 unique URIs covered 161 unique domains.”
We’re taking the proactive, precautionary step of invalidating all WordPress login cookies by changing all authentication keys and salt values across all sites on our servers, to cover the almost impossible case that a cookie value was cached privately somewhere and could be linked back to a particular site. Users simply log back in, their cookies are recreated automatically, and they are back to normal.
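The cookie invalidation described above works because WordPress signs and salts its login cookies with the eight constants defined in wp-config.php; replacing them means no previously issued cookie validates. The script below is an added example, not code from this post or from WordPress, showing how to rotate those defines in a wp-config.php file with a CSPRNG. The sample config text and the helper names (read_wp_salts, rotate_wp_salts) are constructed for the demo.

```python
import re
import secrets
import string

# The eight constants WordPress uses to sign and salt its login cookies;
# changing them invalidates every existing login cookie for that install.
WP_SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII minus quote and backslash, safe inside a single-quoted PHP string.
_ALPHABET = "".join(c for c in string.printable[:94] if c not in "'\\")

def _define_re(key):
    # Matches define('KEY', 'value'); with either quote style and any spacing.
    return re.compile(r"define\(\s*(['\"])%s\1\s*,\s*(['\"])(.*?)\2\s*\);" % key)

def new_salt(length=64):
    """64 characters from the OS CSPRNG, the length WordPress itself uses."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))

def read_wp_salts(config_text):
    """Return {key: current value} for each salt define() found in the text."""
    found = {}
    for key in WP_SALT_KEYS:
        m = _define_re(key).search(config_text)
        if m:
            found[key] = m.group(3)
    return found

def rotate_wp_salts(config_text):
    """Return the wp-config.php text with every salt define() given a fresh value."""
    out = config_text
    for key in WP_SALT_KEYS:
        fresh = "define('%s', '%s');" % (key, new_salt())
        # A callable replacement avoids re's backslash handling on the new value.
        out, n = _define_re(key).subn(lambda _m, r=fresh: r, out, count=1)
        if n != 1:
            raise ValueError("missing define for %s in wp-config.php" % key)
    return out

# Constructed wp-config.php fragment for the demo (not any real site's file).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
"""
```

To apply it to a real install, read wp-config.php, pass the text through rotate_wp_salts, and write the result back atomically; every logged-in user is then prompted to sign in again on their next request.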
As an extra security precaution, changing your passwords for websites you have on Cloudflare can’t hurt, but we don’t think it’s needed.
If we learn of any real threat that crops up later, we’ll reach back out and take more action as needed.
We are still using and recommending Cloudflare
We are still using and recommending Cloudflare. This issue has caused them to audit their systems end to end; they have already improved security and will likely do even more in the coming days. The services Cloudflare provides help server performance, site performance, site security, site reliability, and free 15-year SSL certificates.
If you’re interested in getting your website on Cloudflare, reach out and we can help you get that set up.
Use a Password Manager
As reassurance, those using the password managers LastPass (which we use and recommend) and 1Password are safe, even though 1Password does run its site through Cloudflare:
https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/
and
https://blog.lastpass.com/2017/02/two-security-bulletins-sha-1-collision-attack-and-cloudflare-incident.html/
For those interested, technical details on the Cloudbleed data leak
Their long blog post with code-level explanations:
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Within 7 hours of being notified, they fixed the bug that caused random data from a few thousand domains to leak (for the most part over just a few days), and worked with search engines to purge from their caches any leaked data that had been indexed.
Google’s Project Zero found the problem and reported it to them; here’s their post:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
Here’s a distillation of still-affected domains showing up in caches:
http://doma.io/2017/02/24/list-of-affected-cloudbleed-domains.html
As a follow-up, here’s the email sent out to Cloudflare customers by Cloudflare’s CEO, Matthew Prince, reassuring them: “Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches.”
Dear Cloudflare Customer:
Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare’s systems. If you haven’t yet, I encourage you to read that post on the bug:
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers’ sensitive information could still be available through third party caches, such as the Google search cache.
Over the last week, we’ve worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.
In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare’s customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.
Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.
To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.
Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please don’t hesitate to reach out.
Matthew Prince
Cloudflare, Inc.
Co-founder and CEO