Hacker News new | ask | show | jobs
by joepie91_ 3406 days ago
> My second thought after relief was the realization that even as a consumer I'm affected by this, my password manager has > 100 entries what percentage of them are using CloudFlare? Should I change all my passwords?

Yes. Right now. Don't wait for the vendor to notify you.

> What an epic mess. This is the problem with centralization, the system is broken.

Yep.
4 comments
SomeCallMeTim 3406 days ago
My password manager has > 500 entries. Changing all the passwords....isn't going to happen any time soon.

If it only took 60 seconds per site, it would still take eight hours to change them all.

Might change a few key passwords, though. Couldn't hurt. I only have a couple of bank/financial passwords at this point. And my various hosting service access passwords.

Anything else is not worth the hassle -- and mostly would have 2FA anyway.

link
DINKDINK 3406 days ago
Your argument essentially revolves around "what are the chances I'll be compromised!?" rather than focusing on "What's the potentially affect of getting compromised" Most people with data or access rights which have several orders of magnitude of value relative to 8 hours worth of labor.

The decision to wear a seatbelt isn't driven by the probability of needing it, the decision is drive by the magnitude of exposure to an event where you would need it.

link
SomeCallMeTim 3405 days ago
> Your argument essentially revolves around "what are the chances I'll be compromised!?" ...

You misunderstand. My argument is explicitly around "What is the potential effect?" That's why I listed changing financial passwords is on my list of things that I might do. (Though see below for why I won't.)

If I only change passwords where someone can do real damage (my primary social media accounts, my accounts that have a current, saved credit card, and any hosting-related accounts) then I've already hit the 98th percentile in damage avoidance. And as I pointed out above, most (all?) of those accounts are unaffected because they don't use CloudFlare at all.

If someone has stolen my password to the Woodworking Forums, and they ... what, post rabid alt-right spam in my name and get me banned? Oh well, either tell them that it was hacked, or if they don't believe me, let that account die and create a new one, if I ever decide to go back and post something again. No big deal. I haven't used it in years anyway, and I can create unlimited new (wildcard-based) email addresses on any of several domains I own.

Aside from the top 10-15 sites I use, I rarely have logins that are that important, anyway. So I'm totally basing this on worst-case damage assessment, not on "how likely it is I'm attacked."

AND...I just looked through all of the top sites I use, and according to the HTTP header, none of them is served using CloudFlare at all (I only checked the index page of each, but none have the telltale CF-Cache-Status headers). No financial sites, no shopping sites that have my credit card, no social media sites. So where's the fire exactly?

link
SomeCallMeTim 3405 days ago
OK, I found ONE site that uses CloudFlare that I use regularly, and I've changed its password.

Which one is it? Hacker News.

link
Aeolun 3405 days ago
In the case of seat belts that's probably because the cost of your life is infinity.

The same isn't quite true for my blogger account.

link
chimeracoder 3405 days ago
> In the case of seat belts that's probably because the cost of your life is infinity.

The cost of your life is much higher than your blogger account, but it's not literally infinite, even from your own perspective.

If it were truly infinite, then it would be irrational for you ever to take any action that were not 100% motivated by the desire to protect your life. (Not just "never take any risks", but literally irrational not to actively spend every waking second solely on that goal).

link
Anderkent 3406 days ago
Lastpass knows how to change your passwords for many popular sites, and can automate it away for you.
link
SomeCallMeTim 3405 days ago
I have been reluctant to use a service that keeps my passwords for me in the cloud.

Instead I'm using KeePass. KeePass is open source and has its "full stack" of encryption available for review. For LastPass I need to trust they're doing everything right, and that a government actor hasn't asked for some kind of backdoor. It's so easy to screw up security that I'm more comfortable trusting two levels of security: That KeePass has its encryption done right, and that Google Drive keeps my KeePass file out of the hands of bad-guys.

LastPass would become a single point of failure compared to what I'm doing: They just need to make one mistake and suddenly any bad guy gets all of my passwords.

Nice feature for LastPass, though.

link
benjaminl 3405 days ago
LastPass uses local encryption to enable LastPass to have Zero knowledge of users passwords. This means that user's passwords aren't passed in the clear even inside a TSL session.

So LastPass isn't the password manager mentioned in the post.

link
chinathrow 3405 days ago
But the server might have sprayed out your login credentials while travelling through Cloudflare.
link
Elizzy 3405 days ago
I think he's recommending it, more so than assuming it's what he uses.
link
rmc 3405 days ago
You use 500 sites which use 2FA?
link
SomeCallMeTim 3405 days ago
No, the ones I consider to be "important" have 2FA.

When I log into the Woodworking Forums, I have to use a password. If someone steals my Woodworking Forums authentication and posts as me there, um....Oh well. Sucks, and I'll clean up the mess.

Glancing through my password vault (kept in KeePass, for those wondering) I have some in there that I literally haven't used since before Cloudfare was founded, like the Creative Labs developer site.

link
tedunangst 3406 days ago
Note that for sites like HN, changing your password doesn't expire other sessions. You have to go find every browser with an HN cookie and logout.

(Where I mean some other sites that are not at all HN, but might plausibly exist.)

link
dang 3406 days ago
No, we log you out of all HN sessions when you change your password.
link
tedunangst 3406 days ago
Oh, cool. (This was not the case last time I did a reset.)
link
dang 3406 days ago
I'm pretty sure kogir came up with that one and he's been off working on his bug tracker for a while now.
link
bubblethink 3406 days ago
How do you check if a website uses cloudflare ? Any scripts that do that ?
link
manigandham 3406 days ago
Response headers will contain a "cf-ray" header or "server: cloudflare-nginx"
link
cancancan 3406 days ago
Both should be there, as well as 'Set-Cookie: __cfduid=...'

  $ curl -I okcupid.com
  Set-Cookie: __cfduid=...
  Server: cloudflare-nginx
  CF-RAY: 335f033b77742b76-AMS
EDIT: Better yet, make that 'curl -IL domain.com' to follow redirects because it may not show in the first response.
link
joepie91_ 3406 days ago
There is no reliable way to check. The problem is that even if you verify that a site isn't using CloudFlare now, that doesn't mean that they didn't use it in the past (and you'd still be affected).

In other words: Just assume that everything has been compromised. With how much of the web CloudFlare controls nowadays, you're not going to be far off anyway.

link
freakz 3406 days ago
Icon lights up if the current site is on Cloudflare proxy.

https://chrome.google.com/webstore/detail/claire/fgbpcgddpmj...

link
the_common_man 3406 days ago
$ host -t NS digitalocean.com

digitalocean.com name server walt.ns.cloudflare.com.

digitalocean.com name server kim.ns.cloudflare.com.

link
cancancan 3406 days ago
That may not necessarily work. Example:

  $ host -t NS okcupid.com
  okcupid.com name server nameserver2.okcupid.com.
  okcupid.com name server nameserver1.okcupid.com.
But if you check the response headers you'll see 'CF-RAY:...' and 'Server: cloudflare-nginx'
link
ing33k 3406 days ago
There's this browser addon

https://chrome.google.com/webstore/detail/claire/fgbpcgddpmj...

link
sparkling 3406 days ago
$ dig example.com

to get the A Record, then

$ whois 1.2.3.4|grep Cloudflare

Not 100% reliable, but should do the Job.

link
neuland 3406 days ago 

    whois $(dig +short yoursitehere.com) | grep -i 'Cloudflare' 1>/dev/null; if [[ $? -eq 1 ]]; then echo 'Didnt find CloudFlare'; else echo 'Found CloudFlare'; fi
Not at a terminal now, but this long one-liner should work.

Like you said, not 100% reliable though. For example, I'm pretty sure Reddit uses CloudFlare, but their whois mentions Fastly, which is a competitor.

link
gooeyblob 3405 days ago
We moved off of CloudFlare to Fastly before this vulnerability.
link
nikisweeting 3405 days ago
Confirmed, reddit.com was removed from the list. My mistake for not double checking this one.
link
nikisweeting 3406 days ago
If you find any domains with this please add them to the list:

https://github.com/pirate/sites-using-cloudflare

link
ing33k 3405 days ago
I know it's kinda late,but there is one more way to find if a site is using Cloudflare

append /cdn-cgi/trace to the URL and you will some debug info

Ex:

https://cloud.digitalocean.com/cdn-cgi/trace

https://news.ycombinator.com/cdn-cgi/trace

link
mcjiggerlog 3405 days ago
http://www.doesitusecloudflare.com/
link
adiabatty 3406 days ago
So it's fixed, then? (I haven't read the article yet.)
link
chrisper 3406 days ago
No, nothing is fixed. The leak has been plugged, but the water damage (and partly the water itself) is still there.
link
adiabatty 3406 days ago
Weird. I read the Cloudflare blog entry (<https://blog.cloudflare.com/incident-report-on-memory-leak-c...) at the bottom of the linked Chromium bug tracker page and they make it sound like it's fixed (the implication being that now would be the time to change all my passwords…)
link
shadowmint 3406 days ago
The problem is fixed in that as far as we know no new data is being made public.

...but since this bug has been out in the wild since perhaps 2016-09-22, now is indeed, the time to go and reset your active sessions and change all your passwords.

link