The "Cloudbleed" issue: keeping you safe
-
@yngve: BleepingComputer's article says that the three options I mentioned had to be enabled for the issue to affect a domain protected by Cloudflare, and I don't know any security experts who are saying that you could find information from one domain in HTTP headers for another domain protected by Cloudflare. I'll have to take some time to go over the vulnerability report, the data made public by Cloudflare, and analysis of that data by other security experts to validate whether or not that is the case.
-
@yngve: So far the only things I am seeing that suggest that data from one domain could end up in the HTTP headers for a page at another domain are the following:
A statement in the Cloudflare report that said "Because Cloudflare operates a large, shared infrastructure an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site."
Google's Tavis Ormandy said "because reverse proxies are shared between customers, it would affect all Cloudflare customers" in his original report on his discovery.
The second statement could simply be the researcher saying that every website using Cloudflare could be vulnerable to this, and may not mean that he was seeing data from one domain in headers from pages at another domain. There is nothing else in his vulnerability report that indicates that he was seeing information from one domain in headers for pages at another domain, and his screenshots appear to only show information from single domains and not multiple domains.
As for the first statement, it does clearly say "an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site." Note it says could, as opposed to did. That's not to say it didn't happen (obviously it could happen), but at the same time no one is clearly saying that it did happen.
I'll continue reading to see if anyone has data showing that such a thing actually happened. Obviously in the absence of any real evidence it is safer to just assume the worst.
-
Thank you Team Vivaldi for preserving i_ri's account.
Thank you Gaelle, your recent solution has i_ri signed in. -