Cloudflare security breach

Luc
Established Member
Posts: 741
Joined: Fri Mar 27, 2015 1:04 pm
Been thanked: 1 time

Cloudflare security breach

Post by Luc »

https://github.com/pirate/sites-using-c ... /README.md

Hmmm... Should we all change our passwords?
Lyberta
Established Member
Posts: 681
Joined: Sat Nov 01, 2014 8:15 pm
Location: The Internet
Been thanked: 1 time

Re: Cloudflare security breach

Post by Lyberta »

Wouldn't hurt. Also, here's some good reading: http://cryto.net/~joepie91/blog/2016/07 ... a-problem/
tnovelli
Established Member
Posts: 277
Joined: Wed Apr 20, 2011 4:52 pm

Re: Cloudflare security breach

Post by tnovelli »

Yes.
tux99
Established Member
Posts: 346
Joined: Fri Sep 28, 2012 10:42 am

Re: Cloudflare security breach

Post by tux99 »

Did I miss something? Does linuxmusicians.com use cloudflare? :?
raboof
Established Member
Posts: 1855
Joined: Tue Apr 08, 2008 11:58 am
Location: Deventer, NL
Has thanked: 50 times
Been thanked: 74 times

Re: Cloudflare security breach

Post by raboof »

Yes, we use cloudflare, and yes, you should probably reset your password.

More details are at https://blog.cloudflare.com/incident-re ... arser-bug/ .

AFAIK there's no evidence this leak has been actively abused, and I've received a notification from cloudflare that no leaked data was found in caches like Google. Given the relatively low number of leaked requests and the modest volume this site gets, it's highly unlikely any linuxmusicians users have been affected - but better safe than sorry.
tux99

Re: Cloudflare security breach

Post by tux99 »

How does LM use cloudflare?

If I look up the IP of LM I get 95.143.172.223, and the authoritative nameservers seem to be:
ns1.jonaspasche.com internet address = 95.143.172.27
ns2.jonaspasche.com internet address = 82.98.82.9
ns3.jonaspasche.com internet address = 185.26.156.6

None of these seem related to cloudflare.
raboof

Re: Cloudflare security breach

Post by raboof »

tux99 wrote:How does LM use cloudflare?

If I look up the IP of LM I get 95.143.172.223, and the authoritative nameservers seem to be:
ns1.jonaspasche.com internet address = 95.143.172.27
ns2.jonaspasche.com internet address = 82.98.82.9
ns3.jonaspasche.com internet address = 185.26.156.6

None of these seem related to cloudflare.
Ha, you're absolutely right. I'm using the CF nameservers (viewtopic.php?f=13&t=15287&p=68607&hili ... are#p68607), but indeed planned to use CF caching but never got around to it.

(you'll see "dig ns linuxmusicians.com" points to the CF DNS servers, but those simply point to the uberspace host we use ('dig -x 95.143.172.223' will show you 'grus.uberspace.de'))

In other words, we're definitely not affected by the CF breach, though updating your password every once in a while still can't hurt :)
Luc

Re: Cloudflare security breach

Post by Luc »

$ dig linuxmusicians.com NS

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> linuxmusicians.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36316
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;linuxmusicians.com. IN NS

;; ANSWER SECTION:
linuxmusicians.com. 86400 IN NS kay.ns.cloudflare.com.
linuxmusicians.com. 86400 IN NS skip.ns.cloudflare.com.

;; ADDITIONAL SECTION:
skip.ns.cloudflare.com. 83339 IN A 173.245.59.233
skip.ns.cloudflare.com. 83118 IN AAAA 2400:cb00:2049:1::adf5:3be9
kay.ns.cloudflare.com. 81221 IN A 173.245.58.125
kay.ns.cloudflare.com. 38137 IN AAAA 2400:cb00:2049:1::adf5:3a7d

;; Query time: 189 msec
;; SERVER: 10.60.1.1#53(10.60.1.1)
;; WHEN: Mon Feb 27 12:39:12 BRT 2017
;; MSG SIZE rcvd: 186
raboof

Re: Cloudflare security breach

Post by raboof »

Luc wrote:$ dig linuxmusicians.com NS

;; ANSWER SECTION:
linuxmusicians.com. 86400 IN NS kay.ns.cloudflare.com.
linuxmusicians.com. 86400 IN NS skip.ns.cloudflare.com.
Jup, this means we use the CF DNS, but we don't use the CF caching routers, and the breach was in the caching routers.
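
An added illustration of the distinction drawn in the post above (not part of the original thread): a small Python classifier that reads dig-style answer lines and reports whether a domain only has its DNS hosted at Cloudflare or also has its web traffic fronted by Cloudflare's edge. The CIDR list is an assumed snapshot of Cloudflare's published IPv4 ranges, and the sample A record is constructed from the address quoted earlier in the thread with a made-up TTL.

```python
import ipaddress

# Assumption: snapshot of Cloudflare's published IPv4 ranges
# (https://www.cloudflare.com/ips/); refresh it before relying on the result.
CF_EDGE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample: NS and ADDITIONAL lines as posted in the thread, plus an
# A record built from the IP quoted earlier (the TTL of 300 is made up).
SAMPLE = """\
;; ANSWER SECTION:
linuxmusicians.com. 86400 IN NS kay.ns.cloudflare.com.
linuxmusicians.com. 86400 IN NS skip.ns.cloudflare.com.
linuxmusicians.com. 300 IN A 95.143.172.223
;; ADDITIONAL SECTION:
skip.ns.cloudflare.com. 83339 IN A 173.245.59.233
"""

def parse_answers(dig_text):
    """Return (owner, type, rdata) for each record line; ';' comment lines are skipped."""
    records = []
    for line in dig_text.splitlines():
        f = line.split()
        if line.startswith(";") or len(f) < 5 or f[2] != "IN":
            continue
        records.append((f[0].rstrip(".").lower(), f[3], f[4].rstrip(".").lower()))
    return records

def classify(domain, dig_text):
    """'proxied', 'dns-only', 'not-cloudflare', or 'unknown' when no A record is given."""
    domain = domain.rstrip(".").lower()
    # Only records owned by the domain itself count: the nameservers' own glue
    # addresses sit inside Cloudflare ranges and must not be read as proxying.
    recs = [r for r in parse_answers(dig_text) if r[0] == domain]
    cf_dns = any(t == "NS" and d.endswith(".ns.cloudflare.com") for _, t, d in recs)
    addrs = [ipaddress.ip_address(d) for _, t, d in recs if t == "A"]
    if not addrs:
        return "unknown"
    if any(a in net for a in addrs for net in CF_EDGE_V4):
        return "proxied"   # HTTP traffic passes through Cloudflare's edge
    return "dns-only" if cf_dns else "not-cloudflare"

if __name__ == "__main__":
    print(classify("linuxmusicians.com", SAMPLE))
```
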
tux99

Re: Cloudflare security breach

Post by tux99 »

Ok, I see, thanks.
IMHO it would be better if LM does not start using the cloudflare caching servers, I find cloudflare very concerning from a privacy point of view, especially due to the fact that so many sites use them. That gives cloudflare great snooping and data collecting powers over what people do on the web (apart from security risks as we have just seen).

Of course using only the nameservers is not a problem.
raboof

Re: Cloudflare security breach

Post by raboof »

tux99 wrote:IMHO it would be better if LM does not start using the cloudflare caching servers, I find cloudflare very concerning from a privacy point of view, especially due to the fact that so many sites use them. That gives cloudflare great snooping and data collecting powers over what people do on the web (apart from security risks as we have just seen).
Point well taken. Also I don't really perceive big performance problems anymore (I think that has been worse in the past), so there is no real need to move to the caching service anyway.
tux99 wrote:Of course using only the nameservers is not a problem.
In theory they could still attack us (as they control the nameservers), but doing so would be technically somewhat challenging and obviously-malicious, so I guess we're relatively OK for now :).