Cloudflare Reverse Proxies are Dumping Uninitialized Memory

General discussion and chat (archived)

tuxman

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by tuxman » 2017-02-24, 08:47

I can't understand why anyone would want to use Cloudflare. In fact, they had several security and availability issues in the past.

dark_moon

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by dark_moon » 2017-02-24, 10:14

And here a list of affected domains:
https://raw.githubusercontent.com/pirat ... que_cf.txt (It's a big txt file, so it may freeze your browser :!: )
Here the main site: https://github.com/pirate/sites-using-cloudflare

dave on linux

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by dave on linux » 2017-02-24, 11:44

tuxman wrote:I can't understand why anyone would want to use Cloudflare. In fact, they had several security and availability issues in the past.
Still works as CDN. But secure connections through CDNs may as well be unencrypted. I wish it would be easier to see if a secure connection is actually to the originating server one trusts.

Moonchild
Pale Moon guru
Posts: 35633
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by Moonchild » 2017-02-24, 12:35

Neither the forum nor any other critical encrypted site with user data (e.g. Sync) is on Cloudflare. Only common web resources that do not store or transfer private information are.
That's been a conscious design decision on my end.

Even so, CloudFlare's security awareness is good overall. Of course opponents of it will want to play up the issue, but a few months for an unknown issue is nothing compared to KNOWN issues not going fixed for YEARS which we've seen with other companies. Their turnaround from a report a week ago to having a solution rolled out everywhere and tested is pretty quick considering the number and size of their network, and they are fully transparent about these things, too.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Moonchild

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by Moonchild » 2017-02-24, 22:00

Follow-up from cloudflare for my domains:
In our review of these third party caches, we discovered exposed data on approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data.

John connor

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by John connor » 2017-02-25, 02:20

I use CloudFlare and got that E-mail as well and I'm not affected.

redblade7

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by redblade7 » 2017-02-25, 21:03

tuxman wrote:I can't understand why anyone would want to use Cloudflare. In fact, they had several security and availability issues in the past.
I refuse to read news sources which use Cloudflare, and in general always try to find equivalent Web sites that don't use CloudFlare when possible, as part of my opposition to their making Tor users' lives a living hell.

Moonchild

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by Moonchild » 2017-02-25, 21:24

redblade7 wrote:
tuxman wrote:I can't understand why anyone would want to use Cloudflare. In fact, they had several security and availability issues in the past.
I refuse to read news sources which use Cloudflare, and in general always try to find equivalent Web sites that don't use CloudFlare when possible, as part of my opposition to their making Tor users' lives a living hell.
Let's not start that discussion-without-end again.

redblade7

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by redblade7 » 2017-02-25, 22:16

Moonchild wrote:
redblade7 wrote:
tuxman wrote:I can't understand why anyone would want to use Cloudflare. In fact, they had several security and availability issues in the past.
I refuse to read news sources which use Cloudflare, and in general always try to find equivalent Web sites that don't use CloudFlare when possible, as part of my opposition to their making Tor users' lives a living hell.
Let's not start that discussion-without-end again.
Sorry for bringing it up, I didn't think my personal boycott was that popular.

half-moon

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by half-moon » 2017-02-25, 23:19

redblade7 wrote:
tuxman wrote:I can't understand why anyone would want to use Cloudflare. In fact, they had several security and availability issues in the past.
I refuse to read news sources which use Cloudflare, and in general always try to find equivalent Web sites that don't use CloudFlare when possible, as part of my opposition to their making Tor users' lives a living hell.
Off-topic:
If only it was that easy....

redblade7

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by redblade7 » 2017-02-26, 05:21

half-moon wrote:
redblade7 wrote:
tuxman wrote:I can't understand why anyone would want to use Cloudflare. In fact, they had several security and availability issues in the past.
I refuse to read news sources which use Cloudflare, and in general always try to find equivalent Web sites that don't use CloudFlare when possible, as part of my opposition to their making Tor users' lives a living hell.
Off-topic:
If only it was that easy....
It's easy for me, only 5 sites (3 blogs, another site, and palemoon.org) I regularly visit use CloudFlare, having found replacements for everything else, and if anyone sends me something on Twitter I reply with something along the lines of "Sorry, I don't retweet #Cloudflare sites #tor #tbb #privacy #security" and look the information up somewhere else.

Moonchild

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by Moonchild » 2017-02-26, 10:38

Off-topic:
redblade7 wrote:I didn't think my personal boycott was that popular.
It isn't, but the few who do are rather loud and not willing to apply reason/common sense to the argumentation, so I'd rather avoid it.

I'll state this once more:
The truth of the matter is that CF has this WAF rule in place to challenge tor users for a reason. That reason being that, no matter how you look at it, over 95% of tor users are either (1) trying to get illegal material or bypassing regulation, (2) using it to commit criminal acts, or (3) want to hide behind anonymity to be a griefer/troll. The rest of "legitimate users" will have to live with the fact that they are, from a website's point of view, coming from a "bad neighborhood" and as such need to be handled with due care.
Due to tor's nature, it's not going to be possible to determine beforehand if a user is illegitimate or legitimate when coming from an exit node, so the only way to handle these is to treat everyone the same.
That isn't CF being discriminatory, it is CF doing what they are marketing themselves as: protecting website owners from known attacks and abuse. You can respond in turn to that response to abuse by boycotting the websites, but what you're really doing then is telling the website owners that they aren't allowed to protect themselves from abuse if they want your patronage.

half-moon

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by half-moon » 2017-02-26, 18:12

Moonchild wrote:
Off-topic:
redblade7 wrote:I didn't think my personal boycott was that popular.
It isn't, but the few who do are rather loud and not willing to apply reason/common sense to the argumentation, so I'd rather avoid it.

I'll state this once more:
The truth of the matter is that CF has this WAF rule in place to challenge tor users for a reason. That reason being that, no matter how you look at it, over 95% of tor users are either (1) trying to get illegal material or bypassing regulation, (2) using it to commit criminal acts, or (3) want to hide behind anonymity to be a griefer/troll. The rest of "legitimate users" will have to live with the fact that they are, from a website's point of view, coming from a "bad neighborhood" and as such need to be handled with due care.
Due to tor's nature, it's not going to be possible to determine beforehand if a user is illegitimate or legitimate when coming from an exit node, so the only way to handle these is to treat everyone the same.
That isn't CF being discriminatory, it is CF doing what they are marketing themselves as: protecting website owners from known attacks and abuse. You can respond in turn to that response to abuse by boycotting the websites, but what you're really doing then is telling the website owners that they aren't allowed to protect themselves from abuse if they want your patronage.
Off-topic:
Except that's not really true at all. Also, there is no valid reason for blocking Tor users as a whole. There are better CDNs that don't block Tor as a whole and can filter out the bad apples.

redblade7

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by redblade7 » 2017-02-26, 21:26

Moonchild wrote:The truth of the matter is that CF has this WAF rule in place to challenge tor users for a reason.
Well if Cloudflare's captchas worked properly the first time you filled them out (though they have gotten better at fixing this bug) it would be a lot different.

And I doubt 95% of Tor activity is illegal. Maybe 95% of hidden service use, but 95% of Tor Browser users? Ridiculous!

half-moon

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by half-moon » 2017-02-27, 00:02

redblade7 wrote:
Moonchild wrote:The truth of the matter is that CF has this WAF rule in place to challenge tor users for a reason.
Well if Cloudflare's captchas worked properly the first time you filled them out (though they have gotten better at fixing this bug) it would be a lot different.

And I doubt 95% of Tor activity is illegal. Maybe 95% of hidden service use, but 95% of Tor Browser users? Ridiculous!
Agreed.

Moonchild

Re: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Unread post by Moonchild » 2017-02-27, 00:55

Thread locked because it'd just turn into a "yes"/"no" game of tennis again between proponents of TOR and people using CF to protect themselves from TOR abuse.

As for the numbers...
The researchers found that a majority of Tor hidden service traffic—the traffic to the 40 most visited sites, in fact—were actually communications from “botnet” computers infected with malware seeking instructions from a hacker-controlled server running Tor. Most of those malware control servers were offline, remnants of defunct malware schemes like the Skynet botnet whose alleged operator was arrested last year.

But take out that automated malware traffic, and 83 percent of the remaining visits to Tor hidden service websites sought sites that Owen’s team classified as related to child abuse. Most of the sites were so explicit as to include the prefix “pedo” in their name. (Owen asked that WIRED not name the sites for fear of driving more visitors to them.) The researchers’ automated web crawler downloaded only text, not pictures, to avoid any illegal possession of child pornographic images or video. “It came as a huge shock to us,” Owen says of his findings. “I don’t think anyone imagined it was on this scale.”
Whistleblower sites like SecureDrop and Globaleaks, which allow anonymous users to upload sensitive documents to news organizations, accounted for 5 percent of Tor hidden service sites, but less than a tenth of a percent of site visits.
So yeah. Make of that what you will. Legitimate traffic on the TOR network is minimal compared to abusive/criminal traffic. I don't pluck these numbers out of thin air, and of course the TOR website itself is downplaying it as if it was the other way around. Being a server admin myself and having been so for many years, I know first hand the traffic that comes out of TOR exit nodes to servers, so it's just underlined by personal experience. Sticking your head in the sand doesn't make this abuse any less.