Three take aways to understand Cloudflare's apocalyptic-proportions mess
It turns out that Cloudflare's proxies have been dumping uninitialized memory that contains plain HTTPS content for an indeterminate amount of time. If you're not familiar with the topic, let me summarize it: this is the worst crypto news in the last 10 years.
As usual, I suggest you read the HN comments to understand the scandalous magnitude of the bug.
If you don't see this as a news-opening piece on TV it only confirms that journalists know nothing about tech.
How bad is it, really? Let's see
I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything
If the bad guys didn't find the bug before Tavis, you may be on the clear. However, as usual in crypto, you must assume that any data you submitted through a Cloudflare HTTPS proxy has been compromised.
Three take aways
A first take away, crypto may be mathematically perfect but humans err and the implementations are not. Just because something is using strong crypto doesn't mean it's immune to bugs.
A second take away, MITMing the entire Internet doesn't sound so compelling when you put it that way. Sorry to be that guy, but this only confirms that the centralization of the Internet by big companies is a bad idea.
A third take away, change all your passwords. Yep. It's really that bad. Your passwords and private requests may be stored somewhere, on a proxy or on a malicious actor's servers.
Well, at least change your banking ones, important services like email, and master passwords on password managers -- you're using one, right? RIGHT?
You can't get back any personal info that got leaked but at least you can try to minimize the aftershock.
Update: here is a provisional list of affected services.
Download the full list, export your password manager data
into a csv file, and compare both files by using grep -f sorted_unique_cf.txt your_passwords.csv
.
Afterwards, check the list of potentially affected iOS apps
Let me conclude by saying that unless you were the victim of a targeted attack it's improbable that this bug is going to affect you at all. However, that small probability is still there. Your private information may be cached somewhere or stored on a hacker's server, waiting to be organized and leaked with a flashy slogan.
I'm really sorry about the overly dramatic post, but this time it's for real.