Ask HN: What are the implications of CloudFlare leak?
11 points by ddito 3403 days ago
I'm having a hard time understanding the implications of this CloudFlare breach. As I understand it, although only the websites who have been using the combination of features from CloudFlare have triggered the leak, the leaked information is from any website which was using the service for MitMing their https for some feature. Am I correct? There is a lot of misinformation out there about the scope of this... Also, is it ok to suppose pretty much any smaller website has been using CloudFlare? Has our payment information been leaked? Should we request new credit cards?

I'm using a few passwords with differing complexity for various websites which have my credit cards stored unfortunately. I have so far been trying to use my strongest passwords exclusively with websites which have my most sensitive info but I still reused the same password for 4-5 websites each.

This fiasco has coincided with me moving over to 1password anyways but I'm worried a bit about my credit cards.

5 comments

Without wishing to sound too melodramatic, a complex problem like this one should be the least of your concerns online. Part of my job over the past twenty years has been auditing website code, and I can tell you there are online stores that do things that would absolutely terrify people if they knew what was happening to their data - on one site everyone's credit card information was being emailed to the site owner's Hotmail account so he could put payments through the till system in his shop.

If you're worried about your credit card data, just don't put it into a website you don't know is secure. If it isn't Amazon, Stripe, PayPal, <your preferred payments provider> etc., just don't use it.

+1 for mentioning offloading CC stuff to payment providers

"...the leaked information is from any website which was using the service..."

Potentially, yes. Not just HTTPS, but those are obviously the more worrying cases.

It's not possible to know the totality of information that has been leaked, though efforts are being made to try and list affected / potentially affected sites.[1]

My advice would be: For any sites you're worried about (i.e. hosted on CF and you have an account), log out of all sessions on all devices, and reset your password. Don't share passwords between sites either; if you're using 1Password now, you can use unique and complex passwords for everything.

[1] eg https://github.com/pirate/sites-using-cloudflare
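
The comment above says to worry about sites that are "hosted on CF", which raises the practical question of how to tell. The following is an added example, not code from the thread or from the linked repository: it combines two signals, the markers Cloudflare's edge adds to proxied responses (a `CF-RAY` header, a `Server: cloudflare...` value, `__cf`-prefixed cookies) and a lookup against a locally saved domain list such as the one linked at [1]. The HTTP responses and the domain list are constructed for the example; `triage` and the other function names are this example's own. Note the caveat in the code: a site that shows no Cloudflare markers today may still have been behind Cloudflare during the leak window, so the published list is a second signal rather than a replacement for the live check.

```python
"""Check whether a site is fronted by Cloudflare, offline, from a captured
HTTP response head plus an optional local domain list.

Added example for this thread; not code from the original post or from
the sites-using-cloudflare repository. All sample data below is constructed.
"""
from typing import Dict, Iterable, List, Set

# Markers Cloudflare's edge adds to responses it proxies.
CF_HEADER_MARKERS = ("cf-ray", "cf-cache-status")
CF_SERVER_PREFIX = "cloudflare"   # matched both "cloudflare" and "cloudflare-nginx"
CF_COOKIE_PREFIX = "__cf"         # e.g. the __cfduid cookie set in 2017


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response head (status line + headers) into a lower-cased
    multi-dict. Repeated headers such as Set-Cookie are kept as a list."""
    headers: Dict[str, List[str]] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def is_cloudflare_fronted(headers: Dict[str, List[str]]) -> bool:
    """True if the response carries any Cloudflare edge marker."""
    if any(marker in headers for marker in CF_HEADER_MARKERS):
        return True
    if any(v.lower().startswith(CF_SERVER_PREFIX) for v in headers.get("server", [])):
        return True
    return any(c.lower().startswith(CF_COOKIE_PREFIX) for c in headers.get("set-cookie", []))


def domain_in_list(domain: str, listed: Iterable[str]) -> bool:
    """Match a hostname against a domain list, including parent domains
    (an entry for example.com covers shop.example.com). The bare TLD is
    never matched."""
    listed_set: Set[str] = {d.lower().rstrip(".") for d in listed}
    parts = domain.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in listed_set for i in range(len(parts) - 1))


def triage(domain: str, raw_response: str, listed: Iterable[str]) -> str:
    """Combine both signals.

    'confirmed' - the live response shows Cloudflare markers
    'listed'    - no live markers, but the domain appears in the published
                  list; the site may have moved off Cloudflare since the
                  leak, so treat it as potentially affected
    'no-signal' - neither; this does NOT prove the site was never on Cloudflare
    """
    if is_cloudflare_fronted(parse_headers(raw_response)):
        return "confirmed"
    if domain_in_list(domain, listed):
        return "listed"
    return "no-signal"


# Constructed sample responses (not real captures).
CF_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 24 Feb 2017 10:00:00 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: __cfduid=d1f0e0c4a7a6a5c2a3b8c9d0e1f2a3b4c1487930400; path=/; HttpOnly
Set-Cookie: session=abc123; path=/; Secure; HttpOnly
CF-RAY: 33a5f1c2d3e4f5a6-LHR
Server: cloudflare-nginx
"""

ORIGIN_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 24 Feb 2017 10:00:00 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: session=abc123; path=/; Secure; HttpOnly
Server: nginx/1.10.3
"""

# Constructed stand-in for a locally saved copy of the published list.
LISTED_DOMAINS = {"example.com"}


if __name__ == "__main__":
    for domain, response in (("shop.example.com", CF_RESPONSE),
                             ("shop.example.com", ORIGIN_RESPONSE),
                             ("example.org", ORIGIN_RESPONSE)):
        print(f"{domain}: {triage(domain, response, LISTED_DOMAINS)}")
```

To use it against a real account, save the response head from `curl -sI https://<site>/` and feed it to `triage` together with the domain list; a result of `confirmed` or `listed` is the cue to do what the comment recommends: log out everywhere and rotate the password.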

You don't need to preemptively change your credit cards, but keep an eye on them. Your analysis of the potential leak is correct. It's possible that one of the bits of memory contained your credit card information, but changing your card just for that is kind of silly without some indication of illicit use.

After all, people happily hand their credit card to restaurant employees, pop it into gas station devices, etc. without worrying too much. Keep an eye on it, but don't fret.

You kind of goofed with the re-used passwords, though :). Kudos for switching to a password manager!

I never trusted Cloudflare's TLS/HTTPS infrastructure. Consider any CC information that could have been in their servers as already compromised. Stuff like that should be on a dedicated payment provider, and insulated away as much as possible. Stripe and other providers are perfect for handling CC, because it's what they do as a service.

"I'm having a hard time understanding the implications of this CloudFlare breach."

The implication is that people are still not very smart trusting anything to a 3rd party.

As the saying goes, "If you want it done right, do it yourself."