[jkells]

My first thought was relief, thank god I'm not using Cloudflare.

Where would you even start to address this? Everything you've been serving is potentially compromised, API keys, sessions, personal information, user passwords, the works.

You've got no idea what has been leaked. Should you reset all your user passwords, cycle all or your keys, notify all your customers that there data may have been stolen?

My second thought after relief was the realization that even as a consumer I'm affected by this, my password manager has > 100 entries what percentage of them are using CloudFlare? Should I change all my passwords?

What an epic mess. This is the problem with centralization, the system is broken.

[nikisweeting]

We're compiling a list of domains using several scrapers and updating it here: https://github.com/pirate/sites-using-cloudflare

You can start by cross referencing your password manager with this list, and working your way out from there.

[AndrewKemendo]

As an aside, I found this really interesting:

ashleymadison.com

ashleyrnadison.com

I find it really interesting that they registered that particular misspelling and they both point to the same servers. I can see doing this for some obvious domains like gogle.com, but the distinction there is simply that r+n looks like m.

Probably a really obvious answer here, but my guess is that they are trying to help people throw off the scent of someone browsing a history.

[cardern]

I think it's more likely that they bought the domain to prevent scammers from trying to bait users onto a fake site and enter login info, and since they have it why not redirect traffic.

[jwcrux]

You don't have to use scrapers, just use copies of the TLD zone files looking for cloudflare nameservers.

[imperalix]

This will not cover all sites[1].

1. https://support.cloudflare.com/hc/en-us/articles/202320534-C...

[jwcrux]

Huh TIL. Good call!

[Elizzy]

Not everyone uses Cloudflare for their proxying service. I use them purely for my DNS, but don't have the MITM proxy enabled at all. His scraping is a better idea probably.

[joepie91_]

> My second thought after relief was the realization that even as a consumer I'm affected by this, my password manager has > 100 entries what percentage of them are using CloudFlare? Should I change all my passwords?

Yes. Right now. Don't wait for the vendor to notify you.

> What an epic mess. This is the problem with centralization, the system is broken.

Yep.

[SomeCallMeTim]

My password manager has > 500 entries. Changing all the passwords....isn't going to happen any time soon.

If it only took 60 seconds per site, it would still take eight hours to change them all.

Might change a few key passwords, though. Couldn't hurt. I only have a couple of bank/financial passwords at this point. And my various hosting service access passwords.

Anything else is not worth the hassle -- and mostly would have 2FA anyway.

[DINKDINK]

Your argument essentially revolves around "what are the chances I'll be compromised!?" rather than focusing on "What's the potentially affect of getting compromised" Most people with data or access rights which have several orders of magnitude of value relative to 8 hours worth of labor.

The decision to wear a seatbelt isn't driven by the probability of needing it, the decision is drive by the magnitude of exposure to an event where you would need it.

[SomeCallMeTim]

> Your argument essentially revolves around "what are the chances I'll be compromised!?" ...

You misunderstand. My argument is explicitly around "What is the potential effect?" That's why I listed changing financial passwords is on my list of things that I might do. (Though see below for why I won't.)

If I only change passwords where someone can do real damage (my primary social media accounts, my accounts that have a current, saved credit card, and any hosting-related accounts) then I've already hit the 98th percentile in damage avoidance. And as I pointed out above, most (all?) of those accounts are unaffected because they don't use CloudFlare at all.

If someone has stolen my password to the Woodworking Forums, and they ... what, post rabid alt-right spam in my name and get me banned? Oh well, either tell them that it was hacked, or if they don't believe me, let that account die and create a new one, if I ever decide to go back and post something again. No big deal. I haven't used it in years anyway, and I can create unlimited new (wildcard-based) email addresses on any of several domains I own.

Aside from the top 10-15 sites I use, I rarely have logins that are that important, anyway. So I'm totally basing this on worst-case damage assessment, not on "how likely it is I'm attacked."

AND...I just looked through all of the top sites I use, and according to the HTTP header, none of them is served using CloudFlare at all (I only checked the index page of each, but none have the telltale CF-Cache-Status headers). No financial sites, no shopping sites that have my credit card, no social media sites. So where's the fire exactly?

[SomeCallMeTim]

OK, I found ONE site that uses CloudFlare that I use regularly, and I've changed its password.

Which one is it? Hacker News.

[Aeolun]

In the case of seat belts that's probably because the cost of your life is infinity.

The same isn't quite true for my blogger account.

[chimeracoder]

> In the case of seat belts that's probably because the cost of your life is infinity.

The cost of your life is much higher than your blogger account, but it's not literally infinite, even from your own perspective.

If it were truly infinite, then it would be irrational for you ever to take any action that were not 100% motivated by the desire to protect your life. (Not just "never take any risks", but literally irrational not to actively spend every waking second solely on that goal).

[Anderkent]

Lastpass knows how to change your passwords for many popular sites, and can automate it away for you.

[SomeCallMeTim]

I have been reluctant to use a service that keeps my passwords for me in the cloud.

Instead I'm using KeePass. KeePass is open source and has its "full stack" of encryption available for review. For LastPass I need to trust they're doing everything right, and that a government actor hasn't asked for some kind of backdoor. It's so easy to screw up security that I'm more comfortable trusting two levels of security: That KeePass has its encryption done right, and that Google Drive keeps my KeePass file out of the hands of bad-guys.

LastPass would become a single point of failure compared to what I'm doing: They just need to make one mistake and suddenly any bad guy gets all of my passwords.

Nice feature for LastPass, though.

[benjaminl]

LastPass uses local encryption to enable LastPass to have Zero knowledge of users passwords. This means that user's passwords aren't passed in the clear even inside a TSL session.

So LastPass isn't the password manager mentioned in the post.

[chinathrow]

But the server might have sprayed out your login credentials while travelling through Cloudflare.

[Elizzy]

I think he's recommending it, more so than assuming it's what he uses.

[rmc]

You use 500 sites which use 2FA?

[SomeCallMeTim]

No, the ones I consider to be "important" have 2FA.

When I log into the Woodworking Forums, I have to use a password. If someone steals my Woodworking Forums authentication and posts as me there, um....Oh well. Sucks, and I'll clean up the mess.

Glancing through my password vault (kept in KeePass, for those wondering) I have some in there that I literally haven't used since before Cloudfare was founded, like the Creative Labs developer site.

[tedunangst]

Note that for sites like HN, changing your password doesn't expire other sessions. You have to go find every browser with an HN cookie and logout.

(Where I mean some other sites that are not at all HN, but might plausibly exist.)

[dang]

No, we log you out of all HN sessions when you change your password.

[tedunangst]

Oh, cool. (This was not the case last time I did a reset.)

[dang]

I'm pretty sure kogir came up with that one and he's been off working on his bug tracker for a while now.

[bubblethink]

How do you check if a website uses cloudflare ? Any scripts that do that ?

[manigandham]

Response headers will contain a "cf-ray" header or "server: cloudflare-nginx"

[cancancan]

Both should be there, as well as 'Set-Cookie: __cfduid=...'

  $ curl -I okcupid.com
  Set-Cookie: __cfduid=...
  Server: cloudflare-nginx
  CF-RAY: 335f033b77742b76-AMS

EDIT: Better yet, make that 'curl -IL domain.com' to follow redirects because it may not show in the first response.

[joepie91_]

There is no reliable way to check. The problem is that even if you verify that a site isn't using CloudFlare now, that doesn't mean that they didn't use it in the past (and you'd still be affected).

In other words: Just assume that everything has been compromised. With how much of the web CloudFlare controls nowadays, you're not going to be far off anyway.

[freakz]

Icon lights up if the current site is on Cloudflare proxy.

https://chrome.google.com/webstore/detail/claire/fgbpcgddpmj...

[the_common_man]

$ host -t NS digitalocean.com

digitalocean.com name server walt.ns.cloudflare.com.

digitalocean.com name server kim.ns.cloudflare.com.

[cancancan]

That may not necessarily work. Example:

  $ host -t NS okcupid.com
  okcupid.com name server nameserver2.okcupid.com.
  okcupid.com name server nameserver1.okcupid.com.

But if you check the response headers you'll see 'CF-RAY:...' and 'Server: cloudflare-nginx'

[ing33k]

There's this browser addon

https://chrome.google.com/webstore/detail/claire/fgbpcgddpmj...

[sparkling]

$ dig example.com

to get the A Record, then

$ whois 1.2.3.4|grep Cloudflare

Not 100% reliable, but should do the Job.

[neuland]

    whois $(dig +short yoursitehere.com) | grep -i 'Cloudflare' 1>/dev/null; if [[ $? -eq 1 ]]; then echo 'Didnt find CloudFlare'; else echo 'Found CloudFlare'; fi

Not at a terminal now, but this long one-liner should work.

Like you said, not 100% reliable though. For example, I'm pretty sure Reddit uses CloudFlare, but their whois mentions Fastly, which is a competitor.

[gooeyblob]

We moved off of CloudFlare to Fastly before this vulnerability.

[nikisweeting]

Confirmed, reddit.com was removed from the list. My mistake for not double checking this one.

[nikisweeting]

If you find any domains with this please add them to the list:

https://github.com/pirate/sites-using-cloudflare

[ing33k]

I know it's kinda late,but there is one more way to find if a site is using Cloudflare

append /cdn-cgi/trace to the URL and you will some debug info

Ex:

https://cloud.digitalocean.com/cdn-cgi/trace

https://news.ycombinator.com/cdn-cgi/trace

[mcjiggerlog]

http://www.doesitusecloudflare.com/

[adiabatty]

So it's fixed, then? (I haven't read the article yet.)

[chrisper]

No, nothing is fixed. The leak has been plugged, but the water damage (and partly the water itself) is still there.

[adiabatty]

Weird. I read the Cloudflare blog entry (<https://blog.cloudflare.com/incident-report-on-memory-leak-c...) at the bottom of the linked Chromium bug tracker page and they make it sound like it's fixed (the implication being that now would be the time to change all my passwords…)

[shadowmint]

The problem is fixed in that as far as we know no new data is being made public.

...but since this bug has been out in the wild since perhaps 2016-09-22, now is indeed, the time to go and reset your active sessions and change all your passwords.

[corobo]

> You've got no idea what has been leaked

If your site is served through Cloudflare, assume it's all out there because it might be. Standard Big Red Button(tm) procedure.

I don't run any particularly impressive sites but I'll be resetting passwords today. Also cycling things I use behind Cloudflare like DigitalOcean passwords/API keys.

It's supposed to be read-only Friday, Cloudflare :(

[a3_nm]

I won't take the initiative of changing passwords, and I will only be doing it for services that ask me to do it.

In my opinion, if my accounts get compromised because the provider uses Cloudflare and leaks my data all over, it's their fault, not mine... It's not my job to guess which services are using Cloudflare, which ones were affected... and further, if my account gets compromised, others presumably will.

(PS: Of course you may need to change passwords if you reuse passwords from one service to the other, but obviously you shouldn't be doing that in the first place.)

[sbuttgereit]

If someone runs a red light, broadsides you while you're in the intersection, and leaves you paralyzed... it is their fault both morally and legally... but it still sucks to be you since you bear the consequences regardless of fault.

While this event is orders of magnitude less severe than my example, depending on the service that could be compromised there can be sufficient repercussions that you could not be made whole or avoid on-going inconvenience through the legal system or other acts of the genuinely responsible party.

I absolutely get and sympathize with where you're coming from... but you may want to check a few of your more important accounts none-the-less :-)

[adrianN]

The damage is still yours even if its not your fault

[maskz]

I second this, and you'll be even more furious if someone used that to compromise your data/accounts.

[martinvol]

They said https never broke, so if you were doing things right way you should not be affected at all. Do not overreact.

[Justin_K]

Wrong. You need to re-read the disclosure.