archive provided by lainchan.jp

lainchan archive - /sec/ - 4386



File: 1487925654096.png (48.32 KB, 300x285, attachment.png)

No.4386

Project Zero: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
Cloudflare Blog: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Hacker News thread: https://news.ycombinator.com/item?id=13718752
Sites using Cloudflare: https://github.com/pirate/sites-using-cloudflare

General consensus on the issue (by everyone who isn't Cloudflare) seems to be that this is an exceptionally serious vulnerability that may have compromised substantial user information from almost any site that uses Cloudflare.

The current suggestion is to rotate all of your passwords for sites that may have been affected.

Examples of data that have been leaked through this vulnerability include GPS positions from Uber, authorization tokens from Fitbit mobile applications (I think?), chat messages from a popular chat client (hypothesized to be Discord), and private messages from dating sites (OKCupid).

  No.4388

>>4386
This shows just how dangerous it is for multiple websites to rely on just one service. I doubt anything will change, but it's interesting.

  No.4390

I'm kinda saddened by the branding for this vulnerability if that is what the logo looks like.

  No.4391

File: 1487935569956-0.png (401.52 KB, 118x200, 1469599643928-0.png)

Why cloudflare is cancer to the internet

-cloudflare makes it extremely difficult for Tor users and users who disable javascript. This difficulty was originally just a simple CAPTCHA, that progressed into impossible CAPTCHAs (CAPTCHAs that would reject all answers), and finally outright blocks in the case of archive.is; this effectively bans the most security and privacy-conscious users from your site.

-cloudflare arbitrarily bans whoever they want. Today, it is Tor users who disable javascript. Tomorrow, it could be all Firefox users, Linux users, VPN users, Brazilians, Germans, Snowden supporters, filesharers, anons, children, women, homosexuals, Christians. The exact criteria doesn't matter, because it is completely at the whim of cloudflare.

-cloudflare completely breaks SSL

Standard SSL handshake
User -> website's key -> website
User <- User's key <- website

Only the User and the website can read or write data transferred over the HTTPS connection. Authenticity, integrity, confidentiality guaranteed by cryptography.

cloudflare's SSLmao fuarrrk not
User -> cloudflare's key -> cloudflare -> website's key -> website
User <- User's key <- cloudflare <- cloudflare's key <- website

cloudflare outright decrypts ALL CIPHERTEXT THAT PASSES THROUGH IT. cloudflare has COMPLETE ACCESS TO ALL PLAINTEXT. In other words, cloudflare is a Man-in-the-Middle (MitM) attack.

-cloudflare (untraceably) conducts internet surveillance
-cloudflare (untraceably) steals passwords: online banking, e-voting, internet connected devices, medical implants. If you have used a web frontend for server admin such as PHPMyAdmin, then cloudflare has your server's login password.
-cloudflare (untraceably) steals data: every file uploaded through cloudflare can be read by cloudflare.
-cloudflare can (untraceably) censor content
-cloudflare can implement an Acceptable Content Policy, denying access to any site that does not conform and censor content.
-Word filter
-Copyright detection
-Deep-packet inspection
-Per-user censorship
-cloudflare can (untraceably) tamper with content
-JS exploit injection
-Altering downloaded executables
-Misattributing words
-Framing users for sending data that they did not send.

Untraceably, because unlike a standard MitM, which can always be detected by saving and comparing public keys between sessions, cloudflare is always in the middle and is always either forging a fake public key or even TAKING YOUR PRIVATE KEY.

-cloudflare centralizes the internet, creating a single point of failure. If cloudflare goes down, every server routing through them goes down.

-cloudflare does not actually protect against hacking. They can be bypassed using any proxy other than Tor, let alone nation-state botnets of hundreds of millions of compromised systems.

-cloudflare costs money. You are paying for the privilege of giving away your domain, SSL key and server traffic to a third party.

The rational conclusion to the above would be that cloudflare is attempting to consume the entire internet, like cancer.

As cloudflare is a US corporation, which appeared out of nowhere with more bandwidth and better hardware than most ISPs and has rapidly spread across the internet, it is highly likely they are an NSA front designed to completely take over the internet. Use cloudflare or be DDoS'd, that is the definition of a protection racket. Do not let them succeed, if you value the internet.
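
Added illustration, not part of the post above: the "saving and comparing public keys between sessions" check that No.4391 mentions, sketched as a trust-on-first-use pin store. The host name and key bytes are constructed placeholders, not real certificates.

```python
import hashlib

def spki_pin(spki_bytes: bytes) -> str:
    """SHA-256 fingerprint of the public key bytes the server presented."""
    return hashlib.sha256(spki_bytes).hexdigest()

class PinStore:
    """Trust-on-first-use: remember the first key seen per host, flag changes."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, spki_bytes: bytes) -> str:
        pin = spki_pin(spki_bytes)
        known = self._pins.get(host)
        if known is None:
            self._pins[host] = pin      # nothing to compare against yet
            return "pinned"
        return "match" if known == pin else "MISMATCH"

# Constructed stand-ins for the key each party would present in a handshake.
ORIGIN_KEY = b"constructed-spki:origin-server"
INTERCEPTOR_KEY = b"constructed-spki:on-path-interceptor"
EDGE_KEY = b"constructed-spki:proxy-edge"

def observe(sessions):
    """Run a fresh pin store over a sequence of (host, presented key) sessions."""
    store = PinStore()
    return [store.check(host, key) for host, key in sessions]

def direct_then_intercepted():
    # Client talks to the origin twice, then an interceptor appears on path.
    return observe([
        ("site.example", ORIGIN_KEY),
        ("site.example", ORIGIN_KEY),
        ("site.example", INTERCEPTOR_KEY),
    ])

def always_behind_proxy():
    # A TLS-terminating proxy is in the path from the first session onward,
    # so the pinned key is the proxy's and the origin's key is never seen.
    return observe([("site.example", EDGE_KEY)] * 3)

if __name__ == "__main__":
    print(direct_then_intercepted())   # key change is flagged
    print(always_behind_proxy())       # nothing to flag: the key never changes
```

The comparison only catches a key that changes after first contact; a terminating proxy that was there from the start presents a consistent key, so the client-side check passes.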

  No.4392

>>4391
>cloudflare makes it extremely difficult for Tor users and users who disable javascript
I have no problems with recaptcha on cloudflare with Tor Browser and js disabled. Surprisingly it works fine without js.

>-cloudflare can (untraceably) tamper with content

Cloudflare can effectively destroy steganography in images. Each paid user has access to an optimization option called "Polish" (coincidence?) which will recompress all images users download (and also cache them on CDN). This option applied to lainchan will instantly kill the /layer/ board.

  No.4393

File: 1487940838716.png (8.84 KB, 200x199, oh_jesus.png)

I'm with >>4391 on this one, but more carefully worded on some points. Still absolutely no sympathy from me.

Let me tell you that, on Friday the 13th January someone some houses down the road (not traveling, position by GPS) of a Hospital in a bigger city of age 21 with the gender 0 looking for the gender 1 was browsing with his/her LG-H815 via wifi on tinder. Did some swipes but also clicked buttons to look at friends of some people, one like. No super likes though.

I too saw some bits that very strongly suggested discord. I wonder how much google and bing actually had to purge from their caches. Anyone finding and farming this beforehand will have had a field day.

  No.4396

>>4391
>that progressed into impossible CAPTCHAs (CAPTCHAs that would reject all answers)
Despite how much I use Tor, I have never encountered a captcha like this that was part of Cloudflare's service.

>and finally outright blocks in the case of archive.is

I don't use archive.is, but I have seen blocks by Cloudflare unless you enable JS, which is enough to make me go elsewhere.

>-cloudflare (untraceably) conducts internet surveillance

>-cloudflare (untraceably) steals passwords: online banking, e-voting,
These should include the word "can", unless you have actual evidence.

  No.4397

>>4396
>Despite how much I use Tor, I have never encountered a captcha like this that was part of Cloudflare's service.
I get this on cloudflare sites when using a tor proxy regularly. Though I think it can go away if you refresh the page a few times till you get an unfucked captcha.

  No.4423

The CEO of Cloudflare posted on Hacker News[0] blaming Google for not cleaning their caches fast enough. The Google researcher who discovered the issue replied with links showing bing still contains caches with these leaks. It really seems Cloudflare is trying to play down this whole thing, they are only contacting customers who were discovered in these caches. Who knows who else has caches of these leaks. It's possible it has been leaking since they introduced the feature that causes this back in September.

[0]: https://news.ycombinator.com/item?id=13721644

  No.4426

>>4391
Good strong points.
>As cloudflare is a US corporation, which appeared out of nowhere with more bandwidth and better hardware than most ISPs and has rapidly spread across the internet, it is highly likely they are an NSA front designed to completely take over the internet. Use cloudflare or be DDoS'd, that is the definition of a protection racket. Do not let them succeed, if you value the internet.
I've wondered about the origins of cloudflare myself. They did seem to come out of nowhere with way too many resources. I don't trust it, all these internet centralization projects seem to lead down the path to easy censorship which I'm not fond of in any way shape or form.

  No.4452

01010101 010 10 1010 1010 10 1010 10 10 1
1
010
1 010 10 10 1010 1 010 101 0101 010 1

  No.4453

These days even security vulnerabilities need witty names, shiny logos and a sizeable marketing team.