Cloudflare security breach

Posted: Sun Feb 26, 2017 4:14 am
by Luc
https://github.com/pirate/sites-using-c ... /README.md

Hmmm... Should we all change our passwords?

Re: Cloudflare security breach

Posted: Sun Feb 26, 2017 1:33 pm
by Lyberta
Wouldn't hurt. Also, here's some good reading: http://cryto.net/~joepie91/blog/2016/07 ... a-problem/

Re: Cloudflare security breach

Posted: Sun Feb 26, 2017 2:50 pm
by tnovelli
Yes.

Re: Cloudflare security breach

Posted: Mon Feb 27, 2017 12:47 am
by tux99
Did I miss something? Does linuxmusicians.com use cloudflare? :?

Re: Cloudflare security breach

Posted: Mon Feb 27, 2017 8:32 am
by raboof
Yes, we use cloudflare, and yes, you should probably reset your password.

More details are at https://blog.cloudflare.com/incident-re ... arser-bug/ .

AFAIK there's no evidence this leak has been actively abused, and I've received a notification from cloudflare that no leaked data was found in caches like Google. Given the relatively low number of leaked requests and the modest volume this site gets, it's highly unlikely any linuxmusicians users have been affected - but better safe than sorry.

Re: Cloudflare security breach

Posted: Mon Feb 27, 2017 2:47 pm
by tux99
How does LM use cloudflare?

If I look up the IP of LM I get 95.143.172.223, and the authoritative nameservers seem to be:
ns1.jonaspasche.com internet address = 95.143.172.27
ns2.jonaspasche.com internet address = 82.98.82.9
ns3.jonaspasche.com internet address = 185.26.156.6

None of these seem related to cloudflare.

Re: Cloudflare security breach

Posted: Mon Feb 27, 2017 2:57 pm
by raboof
tux99 wrote: How does LM use cloudflare?

If I look up the IP of LM I get 95.143.172.223, and the authoritative nameservers seem to be:
ns1.jonaspasche.com internet address = 95.143.172.27
ns2.jonaspasche.com internet address = 82.98.82.9
ns3.jonaspasche.com internet address = 185.26.156.6

None of these seem related to cloudflare.

Ha, you're absolutely right. I'm using the CF nameservers (viewtopic.php?f=13&t=15287&p=68607&hili ... are#p68607), but indeed planned to use CF caching but never got around to it.

(you'll see "dig ns linuxmusicians.com" points to the CF DNS servers, but those simply point to the uberspace host we use; 'dig -x 95.143.172.223' will show you 'grus.uberspace.de')

In other words, we're definitely not affected by the CF breach, though updating your password every once in a while still can't hurt :)

Re: Cloudflare security breach

Posted: Mon Feb 27, 2017 3:40 pm
by Luc
$ dig linuxmusicians.com NS

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> linuxmusicians.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36316
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;linuxmusicians.com. IN NS

;; ANSWER SECTION:
linuxmusicians.com. 86400 IN NS kay.ns.cloudflare.com.
linuxmusicians.com. 86400 IN NS skip.ns.cloudflare.com.

;; ADDITIONAL SECTION:
skip.ns.cloudflare.com. 83339 IN A 173.245.59.233
skip.ns.cloudflare.com. 83118 IN AAAA 2400:cb00:2049:1::adf5:3be9
kay.ns.cloudflare.com. 81221 IN A 173.245.58.125
kay.ns.cloudflare.com. 38137 IN AAAA 2400:cb00:2049:1::adf5:3a7d

;; Query time: 189 msec
;; SERVER: 10.60.1.1#53(10.60.1.1)
;; WHEN: Mon Feb 27 12:39:12 BRT 2017
;; MSG SIZE rcvd: 186

Re: Cloudflare security breach

Posted: Mon Feb 27, 2017 4:21 pm
by raboof
Luc wrote: $ dig linuxmusicians.com NS

;; ANSWER SECTION:
linuxmusicians.com. 86400 IN NS kay.ns.cloudflare.com.
linuxmusicians.com. 86400 IN NS skip.ns.cloudflare.com.

Jup, this means we use the CF DNS, but we don't use the CF caching routers, and the breach was in the caching routers.
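
The DNS-only versus proxied distinction drawn in this thread can be checked mechanically. The following is an added example, not code from any poster: it classifies dig record lines by comparing the site's A record against a snapshot subset of Cloudflare's published IPv4 ranges. The function names, the `proxied.example` sample and the TTL on the A line are assumptions made for illustration.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 proxy ranges (cloudflare.com/ips);
# a snapshot, so refresh it before relying on the result. IPv4 only.
CF_PROXY_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "172.64.0.0/13", "131.0.72.0/22")]

# NS lines and the address are from the thread; the A line's TTL is constructed.
LM_SAMPLE = """\
;; ANSWER SECTION:
linuxmusicians.com. 86400 IN NS kay.ns.cloudflare.com.
linuxmusicians.com. 86400 IN NS skip.ns.cloudflare.com.
linuxmusicians.com. 300 IN A 95.143.172.223
"""
# Fully constructed: a hypothetical site behind the proxy.
PROXIED_SAMPLE = """\
proxied.example. 86400 IN NS kay.ns.cloudflare.com.
proxied.example. 300 IN A 104.16.1.1
"""

def parse_answers(text):
    """Yield (owner, type, rdata) from dig record lines, skipping ';' comments."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and not line.startswith(";") and parts[2] == "IN":
            yield parts[0].lower(), parts[3].upper(), parts[4]

def classify(text, domain):
    """Return 'proxied', 'dns-only', 'not-cloudflare' or 'no-address-data'."""
    owner = domain.rstrip(".").lower() + "."
    ns, addrs = [], []
    for name, rtype, rdata in parse_answers(text):
        if name != owner:
            continue  # ignore glue such as the nameservers' own A records
        if rtype == "NS":
            ns.append(rdata.lower().rstrip("."))
        elif rtype == "A":
            addrs.append(ipaddress.ip_address(rdata))
    if not addrs:
        return "no-address-data"  # NS alone cannot tell proxy from DNS-only
    if any(a in net for a in addrs for net in CF_PROXY_NETS):
        return "proxied"
    cf_dns = any(h.endswith(".ns.cloudflare.com") for h in ns)
    return "dns-only" if cf_dns else "not-cloudflare"

if __name__ == "__main__":
    print(classify(LM_SAMPLE, "linuxmusicians.com"))
    print(classify(PROXIED_SAMPLE, "proxied.example"))
```
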

Re: Cloudflare security breach

Posted: Mon Feb 27, 2017 4:39 pm
by tux99
Ok, I see, thanks.
IMHO it would be better if LM does not start using the cloudflare caching servers, I find cloudflare very concerning from a privacy point of view, especially due to the fact that so many sites use them. That gives cloudflare great snooping and data collecting powers over what people do on the web (apart from security risks as we have just seen).

Of course using only the nameservers is not a problem.

Re: Cloudflare security breach

Posted: Mon Feb 27, 2017 8:43 pm
by raboof
tux99 wrote: IMHO it would be better if LM does not start using the cloudflare caching servers, I find cloudflare very concerning from a privacy point of view, especially due to the fact that so many sites use them. That gives cloudflare great snooping and data collecting powers over what people do on the web (apart from security risks as we have just seen).

Point well taken. Also I don't really perceive big performance problems anymore (I think that has been worse in the past), so there is no real need to move to the caching service anyway.

tux99 wrote: Of course using only the nameservers is not a problem.

In theory they could still attack us (as they control the nameservers), but doing so would be technically somewhat challenging and obviously-malicious, so I guess we're relatively OK for now :).