CloudBleed

Massive CloudFlare HTTPS leaks

>Between 2016-09-22 - 2017-02-18 encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests, and other sensitive data were leaked by Cloudflare to random requesters

>Cloudflare's network has the highest number of connections to Internet exchange points of any network worldwide

>ALL CloudFlare proxy customers have been vulnerable to having data leaked

Impacted sites include:
>Sup Forums.org
>uber.com
>thepiratebay.org
>pastebin.com
>multiple porn sites

Complete site list (millions of sites):
github.com/pirate/sites-using-cloudflare

CHANGE ALL PASSWORDS
ROTATE ALL API KEYS
ENABLE 2FA (WHERE AVAILABLE)

-

blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

bugs.chromium.org/p/project-zero/issues/detail?id=1139

techcrunch.com/2017/02/23/major-cloudflare-bug-leaked-sensitive-data-from-customers-websites/

zdnet.com/article/cloudflare-found-leaking-customer-https-sessions-for-months/

news.ycombinator.com/item?id=13718752

>If you were behind Cloudflare and it was proxying sensitive data (the contents of HTTP POSTs, &c), they've potentially been spraying it into caches all across the Internet; it was so bad that Tavis found it by accident just looking through Google search results.

>This is approximately as bad as it ever gets. A significant number of companies probably need to compose customer notifications; it's, at this point, very difficult to rule out unauthorized disclosure of anything that traversed Cloudflare.

>In case you're wondering how this could be worse than Heartbleed: Yes, apparently the allocation patterns inside Cloudflare mean TLS keys aren't exposed to this vulnerability. But Heartbleed happened at the TLS layer. To get secrets from Heartbleed, you had to make a particular TLS request that nobody normally makes.

>Cloudbleed is a bug in Cloudflare's HTML parser, and the secrets it discloses are mixed in with, apparently, HTTP response data. The modern web is designed to cache HTTP responses aggressively, so whatever secrets Cloudflare revealed could be saved in random caches indefinitely.

- Y Combinator

So much data, how are they even gonna dig through it and sort shit from not shit

>multiple porn sites
Someone needs to call the bank and block that credit card.

Aayyy

I told you about cloudflare bro

What's worse, having all your Sup Forums posts exposed or your entire porn history?

That's what you get for using a SSL botnet

Lel who cares.

It's so big the posts are like drops in an ocean.

Someone has to go through all the data and "expose" people but they won't it's just a credit card data mining operation

Most of these sites have transactions on them with names and data, that's what they are after.


Manneeyy. Nobody cares you called someone a faggot on february 19th 2017 at 17:46 pm

The same way nobody cares about your porn habits , you probably have bad taste

Be reasonable

The CIA did this to destroy Sup Forums, they're scared of our power.

So I'm not familiar with how Cloudflare works but I thought it was like a proxy server of sorts routing traffic from the clients to web server thus protecting the web server from DDoS attacks and large amounts of traffic.

If this is right how would encrypted passwords and information be in danger, the cloudflare servers don't decrypt the information right?

I think it also saves caches of said websites, whether that is decrypted or not I don't know.

gg

Wow

Old

uuuhh guys

Yeah but how does the leaked data connect, say, a Sup Forums post to a particular person's name?

it's just an IP address right? There won't be searchable database that can single out shitposters as far as I can tell.

I was on freenode through SSL on my home server shell when this happened, am I fucked?

>every cloudflare-connected site leaking client data like IP

>link IP and other client data to every other kind of cloudflare-connected site

a possible doxing of every single Sup Forums user cannot be ruled out

>ISP's dhcp keeps log of who had what ip when
>???
>PROFIT

In cases it is entire HTTP requests, which can include enough headers to reasonably uniquely identify you.

(you)ing myself

The blog at least has a mention about client SSL certificates not being leaked, wouldn't really trust them before we know more on this though.

shit nigga
gonna start using a password manager because this shit happens way too often
lastpass or dashlane?

definitely not lastpass, use keepass

>when you try to centralize the internet but don't give a shit at all about the security
>then refuse to tell anyone for 5 months you fucked up

top kek. Mega corps will never learn.

there was a thread here last weekend that showed the tweet from a google employee wanting to contact cloudflare and everyone was shitting bricks

twitter.com/taviso/status/832744397800214528

this guy

That would absolutely destroy so many people it's not even funny. that would be relationship and job ending for many thousands if all that was easily accessible to normies.

good thing I'm a neet with literally 0 friends
get rekt normies

it would be very funny

Hmmm maybe hosting all your content on third party servers wasn't a good idea after all

>Sup Forums.org
oh shit, gotta change my tripcode :^)

Cloudflare to work need the SSL private keys of the sites sitting behind its proxy.
So yes, cloudflare decrypt all the SSL traffic going through its servers.

Cloudflare isn't a server service, it's a proxy

>Fakku affected
Get fucked Jewcob

Does this affect the panda?

If this can happen, the internet was made stupid.

no, cloudflare was stupid, you stupid fuck

trust no one, not even yourself

how does it check if a website uses cloudflare if it doesn't use cloudflare?

why do people use Cloudflare as an entire loadbalancer solution and not as a CDN only?

Who is the asshole that keeps naming bugs?

So the bug has only existed since the end of September 2016? Or is that a guess?

>none of the other sites I go on uses cloudflare
so is there anything to even be worried about then? i assume the issue would be if people could cross reference your Sup Forums shitposting with a social media account but it seems like none of them use cloudflare.

...

So I don't have to worry about my credit card if I bought my GoyPass™ before September?

all cloudflare-connected sites have been compromised, so every cloudflare-connected site that has handled your cc has eventually leaked your details numerous times

so you should actually be very, very worried

this is probably going to be known as the biggest cybersecurity failure ever

Doesn't Patreon handle SSNs?

>Cloudflare to work need the SSL private keys of the sites sitting behind its proxy
Bullshit. They decrypt the content they are receiving from your server as any client would and then re-encrypt it using their own cert+key.

Who gives a fuck about patreon? Lol

It's funny because like 90 percent of the sites people are crying about being leaked have already been hacked (see: patreon)

btw if you have ever seen a doctor your ssn is likely for sale for under $10.

It's on the list newfag.

github.com/pirate/sites-using-cloudflare

I assume cached information usually lasts for an hour up to a few days after the request?

What is the timeline of the age of cached information that was leaked along with new requests?

People like this have fallen so far from reality they try to bring others down with them.

So, if I were logged into my gmail and was browsing a site that used Cloudflare, it's possible that my email account info was compromised?

I know it's on the list retard, I just want to know how fucked those furry porn artists are

If nothing you use (or have used in the past 6 months) used Cloudflare, then you're probably ok.

Some of the sites I use that use Cloudflare are humblebundle, discord, gab.ai, pokemonshowdown, hackernews, and a few others

They MITM all the traffic going through their servers, that's why they use their own SSL certificate for the sites they proxy.

Since they are fur fags they have more sex than anyone on this website, but yeah they are fucked.

Same reason web devs do other stupid shit - laziness. I only serve immutable images through CF, because their availability can be shit at times, their websocket proxy is unstable, they can cause clients to retain stale assets and they shit on my ETag scheme.
It's configurable and depends on cache headers. Anywhere between a few minutes and forever.
Yes, but they don't need your private SSL key (if you have SSL on your server), only the public one.

>aliexpress uses cloudflare

welp

I have ordered some questionable things.

Where can I find this checker?

...

What's wrong with lastpass?

I use a few of those. So what should I do? Change passwords?

Yes

I've thought about using one for a long time now but my problem is that I want to be able to use my logins on other machines that aren't necessarily mine. How do you deal with this? Do you just store your password safe on USB or somewhere online?

The URL is the one in the picture

Doesn't seem to work for me

>1 in 3.3 million chance that a HTTP request would result in random uninitialised memory being leaked

it's literally nothing unless somebody is willing to sift through the internet for cached data and hoping that you will get some useful sensitive information

There's always some russian guy willing to do that.

I think maybe it checks to see if it resolves using Cloudflare DNS, although I'm not 100% sure.

doesitusecloudflare.com/

Or you know, use a search engine that isn't removing cached information.

Why is such a large operation run so incompetently?

/thread/

for the 1/3.3 million chance to look at some random memory for the 1/whatever chance that it will be sensitive and then what? you get somebody's password? if you want that you can just look up one of those x million pw leaks LMAO

What a morbid symbol

github.com/pirate/sites-using-cloudflare
I don't think I even have an account on these sites

These kind of leaks are same type that push me closer to suicide, if I am unable to sort my information and end up compromising all that I own

>>aliexpress uses cloudflare
AHHHHHH MY BOOTLEG FIDGET CUBE, JAMMER, RFID CLONER
I'm not fussed

Originally cloudflare required the client to share both public and private SSL keys, Cloudflare keyless SSL or whatever they call it is a new option they offer.
I don't use their services and I didn't know that keyless SSL was a thing.
Still, even if they don't have the private key of the client they still decrypt and eventually re-encrypt all the traffic going through their servers.

oh no patreon is affected. now people will know i commissioned porn a few times!

at least my anime figure websites weren't affected

>tfw Sup Forums uses cloudflare
>tfw i can't change my Sup Forums pass password

S H I E T

I don't think it does actually

I hope whoever got them enjoys our anime lewds.

Testing and code reviews "waste" money and time. Unpaid interns are cheap.

So after changing passwords on affected sites, what else is there to worry about? I've never posted anything crazy on here.

Does this affect the rare Pepe market?

Large operations are run by businessmen, not engineers.

thanks for the cooldown free shitposting senpai :^)

the best lewds

>He doesn't keep all his rare pepes buried in the backyard so nobody ever sees them

You done goof'd long before this kid

>Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt.
bugs.chromium.org/p/project-zero/issues/detail?id=1139

That tells a lot desu

How many billions of requests are made though?

>Normies who make accounts (botnet cattle tags) on websites are going to get their shit slapped
Delicious schadenfreude.

2fa, API keys, also log out and log back in because cookies may have leaked

4 u

It was probably some Pajeet

Based tavis wasn't having any shit from cloudflare

$ curl -I 'boards.Sup Forums.org/g/thread/59095044'
HTTP/1.1 200 OK
Date: Fri, 24 Feb 2017 15:22:38 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: __cfduid=d5a111bea78fb5e4ced032414f963d4df1487949758; expires=Sat, 24-Feb-18 15:22:38 GMT; path=/; domain=.Sup Forums.org; HttpOnly
Last-Modified: Fri, 24 Feb 2017 15:20:59 GMT
Vary: Accept-Encoding
ETag: W/"58b04f5b-4c35"
Expires: Fri, 24 Feb 2017 15:22:40 GMT
Cache-Control: max-age=2
Server: cloudflare-nginx
CF-RAY: 3363ea06472f5996-VIE

Here's your dank meme, user.

t. pass user who logged out and back in

check for _cfuid cookies since it's impossible to remove if you're using cloudflare.
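
As an added example (not part of the original thread), the check that the header dump above performs by eye can be scripted: the function below reads `curl -I` output on stdin and reports the Cloudflare markers visible in that dump (the `Server` value, `CF-RAY`, the `__cfduid` cookie) together with the `Cache-Control` max-age. The function names, the output format and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: report Cloudflare proxy markers and the cache lifetime
# found in `curl -I` output read from stdin. Marker names are the ones
# visible in the 2017 header dump posted in the thread.

cf_report() {
    tr -d '\r' | awk '
    BEGIN { max_age = "unset" }
    {
        i = index($0, ":")                    # status and blank lines carry no header name
        if (i == 0) next
        name  = tolower(substr($0, 1, i - 1)) # header names are case-insensitive
        value = tolower(substr($0, i + 1))
        sub(/^[ \t]+/, "", value)
        if (name == "server" && index(value, "cloudflare") == 1)    seen["server"] = 1
        if (name == "cf-ray")                                       seen["cf-ray"] = 1
        if (name == "set-cookie" && index(value, "__cfduid=") == 1) seen["cfduid"] = 1
        if (name == "cache-control" && match(value, /max-age=[0-9]+/))
            max_age = substr(value, RSTART + 8, RLENGTH - 8)
    }
    END {
        markers = ""
        if ("server" in seen) markers = markers "server,"
        if ("cf-ray" in seen) markers = markers "cf-ray,"
        if ("cfduid" in seen) markers = markers "cfduid,"
        sub(/,$/, "", markers)
        if (markers == "") printf "proxied=no markers=none max_age=%s\n", max_age
        else printf "proxied=yes markers=%s max_age=%s\n", markers, max_age
    }'
}

# Constructed sample shaped like the dump in the thread (placeholder host and IDs).
sample_headers() {
    cat <<'EOF'
HTTP/1.1 200 OK
Date: Fri, 24 Feb 2017 15:22:38 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: __cfduid=0000000000000000000000000000000000000000000; path=/; domain=.example.org; HttpOnly
Cache-Control: max-age=2
Server: cloudflare-nginx
CF-RAY: 0000000000000000-VIE
EOF
}

# Live use would be: curl -sI https://example.org/ | cf_report
sample_headers | cf_report
```

These headers are set by whatever answered the request, so a match is a hint that the response passed through Cloudflare, not proof of it.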

How bad did this hit Uber?

Did they really just get their whole drivers' and customers' data thrown into the internet?

Also

>mfw motherless and pornmd aren't there. Wew lads, I'm safe from having my fetishes known.

It's cute they think exploit devs and pentesters who all make 70k at the least are going to take so much time for a t shirt

How would you get your shit linked to you unless your ISP uses the leak?

It's not like anyone else can do that, at best they find your IP and cross check but they still wouldn't have any means to contact/blackmail you.

So everything is fucked and we should just kill ourselves now?