Cloudflare Reverse Proxies are Dumping Uninitialized Memory
# https://bugs.chromium.org/p/project-zer ... il?id=1139
# https://blog.cloudflare.com/incident-re ... arser-bug/
# https://arstechnica.com/security/2017/0 ... omer-data/
# http://www.zdnet.com/article/cloudflare ... or-months/
Does the Pale Moon forum use Cloudflare, or not?
The bug existed for months, but is now fixed.
Should we change our login passwords?
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
I can't understand why anyone would want to use Cloudflare. In fact, they had several security and availability issues in the past.
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
And here a list of affected domains:
https://raw.githubusercontent.com/pirat ... que_cf.txt (It's a big txt file, so it may freeze your browser.)
Here the main site: https://github.com/pirate/sites-using-cloudflare
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
tuxman wrote: I can't understand why anyone would want to use Cloudflare. In fact, they had several security and availability issues in the past.
Still works as CDN. But secure connections through CDNs may as well be unencrypted. I wish it would be easier to see if a secure connection is actually to the originating server one trusts.
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
Neither the forum nor any other critical encrypted site with user data (e.g. Sync) is on Cloudflare. Only common web resources that do not store or transfer private information are.
That's been a conscious design decision on my end.
Even so, CloudFlare's security awareness is good overall. Of course opponents of it will want to play up the issue, but a few months for an unknown issue is nothing compared to KNOWN issues not going fixed for YEARS which we've seen with other companies. Their turnaround from a report a week ago to having a solution rolled out everywhere and tested is pretty quick considering the number and size of their network, and they are fully transparent about these things, too.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
Follow-up from cloudflare for my domains:
In our review of these third party caches, we discovered exposed data on approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.
Your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data.
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
I use CloudFlare and got that E-mail as well and I'm not affected.
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
tuxman wrote: I can't understand why anyone would want to use Cloudflare. In fact, they had several security and availability issues in the past.
I refuse to read news sources which use Cloudflare, and in general always try to find equivalent Web sites that don't use CloudFlare when possible, as part of my opposition to their making Tor users' lives a living hell.
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
redblade7 wrote:
tuxman wrote: I can't understand why anyone would want to use Cloudflare. In fact, they had several security and availability issues in the past.
I refuse to read news sources which use Cloudflare, and in general always try to find equivalent Web sites that don't use CloudFlare when possible, as part of my opposition to their making Tor users' lives a living hell.
Let's not start that discussion-without-end again.
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
Moonchild wrote:
redblade7 wrote:
tuxman wrote: I can't understand why anyone would want to use Cloudflare. In fact, they had several security and availability issues in the past.
I refuse to read news sources which use Cloudflare, and in general always try to find equivalent Web sites that don't use CloudFlare when possible, as part of my opposition to their making Tor users' lives a living hell.
Let's not start that discussion-without-end again.
Sorry for bringing it up, I didn't think my personal boycott was that popular.
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
redblade7 wrote:I refuse to read news sources which use Cloudflare, and in general always try to find equivalent Web sites that don't use CloudFlare when possible, as part of my opposition to their making Tor users' lives a living hell.tuxman wrote:I can't understand why anyone would want to use Cloudflare. In fact, they had several security and availability issues in the past.
Off-topic:
If only it was that easy....
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
half-moon wrote:
redblade7 wrote:
tuxman wrote: I can't understand why anyone would want to use Cloudflare. In fact, they had several security and availability issues in the past.
I refuse to read news sources which use Cloudflare, and in general always try to find equivalent Web sites that don't use CloudFlare when possible, as part of my opposition to their making Tor users' lives a living hell.
Off-topic:
If only it was that easy....
It's easy for me, only 5 sites (3 blogs, another site, and palemoon.org) I regularly visit use CloudFlare, having found replacements for everything else, and if anyone sends me something on Twitter I reply with something along the lines of "Sorry, I don't retweet #Cloudflare sites #tor #tbb #privacy #security" and look the information up somewhere else.
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
Off-topic:
redblade7 wrote: I didn't think my personal boycott was that popular.
It isn't, but the few who do are rather loud and not willing to apply reason/common sense to the argumentation, so I'd rather avoid it.
I'll state this once more:
The truth of the matter is that CF has this WAF rule in place to challenge tor users for a reason. That reason being that, no matter how you look at it, over 95% of tor users are either (1) trying to get illegal material or bypassing regulation, (2) using it to commit criminal acts, or (3) want to hide behind anonymity to be a griefer/troll. The rest of "legitimate users" will have to live with the fact that they are, from a website's point of view, coming from a "bad neighborhood" and as such need to be handled with due care.
Due to tor's nature, it's not going to be possible to determine beforehand if a user is illegitimate or legitimate when coming from an exit node, so the only way to handle these is to treat everyone the same.
That isn't CF being discriminatory, it is CF doing what they are marketing themselves as: protecting website owners from known attacks and abuse. You can respond in turn to that response to abuse by boycotting the websites, but what you're really doing then is telling the website owners that they aren't allowed to protect themselves from abuse if they want your patronage.
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
Moonchild wrote:
Off-topic:
redblade7 wrote: I didn't think my personal boycott was that popular.
It isn't, but the few who do are rather loud and not willing to apply reason/common sense to the argumentation, so I'd rather avoid it.
I'll state this once more:
The truth of the matter is that CF has this WAF rule in place to challenge tor users for a reason. That reason being that, no matter how you look at it, over 95% of tor users are either (1) trying to get illegal material or bypassing regulation, (2) using it to commit criminal acts, or (3) want to hide behind anonymity to be a griefer/troll. The rest of "legitimate users" will have to live with the fact that they are, from a website's point of view, coming from a "bad neighborhood" and as such need to be handled with due care.
Due to tor's nature, it's not going to be possible to determine beforehand if a user is illegitimate or legitimate when coming from an exit node, so the only way to handle these is to treat everyone the same.
That isn't CF being discriminatory, it is CF doing what they are marketing themselves as: protecting website owners from known attacks and abuse. You can respond in turn to that response to abuse by boycotting the websites, but what you're really doing then is telling the website owners that they aren't allowed to protect themselves from abuse if they want your patronage.
Off-topic:
Except that's not really true at all. Also, there is no valid reason for blocking Tor users as a whole. There are better CDNs that don't block Tor as a whole and can filter out the bad apples.
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
Moonchild wrote: The truth of the matter is that CF has this WAF rule in place to challenge tor users for a reason.
Well if Cloudflare's captchas worked properly the first time you filled them out (though they have gotten better at fixing this bug) it would be a lot different.
And I doubt 95% of Tor activity is illegal. Maybe 95% of hidden service use, but 95% of Tor Browser users? Ridiculous!
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
redblade7 wrote:
Moonchild wrote: The truth of the matter is that CF has this WAF rule in place to challenge tor users for a reason.
Well if Cloudflare's captchas worked properly the first time you filled them out (though they have gotten better at fixing this bug) it would be a lot different.
And I doubt 95% of Tor activity is illegal. Maybe 95% of hidden service use, but 95% of Tor Browser users? Ridiculous!
Agreed.
Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
Thread locked because it'd just turn into a "yes"/"no" game of tennis again between proponents of TOR and people using CF to protect themselves from TOR abuse.
As for the numbers...
The researchers found that a majority of Tor hidden service traffic—the traffic to the 40 most visited sites, in fact—were actually communications from “botnet” computers infected with malware seeking instructions from a hacker-controlled server running Tor. Most of those malware control servers were offline, remnants of defunct malware schemes like the Skynet botnet whose alleged operator was arrested last year.
But take out that automated malware traffic, and 83 percent of the remaining visits to Tor hidden service websites sought sites that Owen’s team classified as related to child abuse. Most of the sites were so explicit as to include the prefix “pedo” in their name. (Owen asked that WIRED not name the sites for fear of driving more visitors to them.) The researchers’ automated web crawler downloaded only text, not pictures, to avoid any illegal possession of child pornographic images or video. “It came as a huge shock to us,” Owen says of his findings. “I don’t think anyone imagined it was on this scale.”
Whistleblower sites like SecureDrop and Globaleaks, which allow anonymous users to upload sensitive documents to news organizations, accounted for 5 percent of Tor hidden service sites, but less than a tenth of a percent of site visits.
So yeah. Make of that what you will. Legitimate traffic on the TOR network is minimal compared to abusive/criminal traffic. I don't pluck these numbers out of thin air, and of course the TOR website itself is downplaying it as if it was the other way around. Being a server admin myself and having been so for many years, I know first hand the traffic that comes out of TOR exit nodes to servers, so it's just underlined by personal experience. Sticking your head in the sand doesn't make this abuse any less.