General consensus on the issue (by everyone who isn't Cloudflare) seems to be that this is an exceptionally serious vulnerability that may have compromised substantial user information from almost any site that uses Cloudflare.
The current suggestion is to rotate all of your passwords for sites that may have been affected.
Examples of data that have been leaked through this vulnerability include GPS positions from Uber, authorization tokens from Fitbit mobile applications (I think?), chat messages from a popular chat client (hypothesized to be Discord), and private messages from dating sites (OKCupid).
-cloudflare completely breaks SSL
Standard SSL handshake User -> website's key -> website User <- User's key <- website
Only the User and the website can read or write data transferred over the HTTPS connection. Authenticity, integrity, confidentiality guarenteed by cryptography.
cloudflare's SSLmao fuarrrk not User -> cloudflare's key -> cloudflare -> website's key -> website User <- User's key <- cloudflare <- cloudflare's key <- website
cloudflare outright decrypts ALL CIPHERTEXT THAT PASSES THROUGH IT. cloudflare has COMPLETE ACCESS TO ALL PLAINTEXT. In other words, cloudflare in a Man-in-the-Middle (MitM) attack.
-cloudflare (untraceably) conducts internet surveillance -cloudflare (untraceably) steals passwords: online banking, e-voting, internet connected devices, medical implants. If you have used a web frontend for server admin such as PHPMyAdmin, then cloudflare has your server's login password. -cloudflare (untraceably) steals data: every file uploaded through cloudflare can be read by cloudflare. -cloudflare can (untraceably) censor content -cloudflare can implement an Acceptable Content Policy, denying access to any site that does not conform and censor content. -Word filter -Copyright detection -Deep-packet inspection -Per-user censorship -cloudflare can (untraceably) tamper with content -JS exploit injection -Altering downloaded executables -Misattributing words -Framing users for sending data that they did not send.
Untraceably, because unlike a standard MitM, which can always be detected by saving and comparing public keys between sessions, cloudflare is always in the middle and is always either forging a fake public key or even TAKING YOUR PRIVATE KEY.
-cloudflare centralizes the internet, creating a single point of failure. If cloudflare goes down, every server routing through them goes down.
-cloudflare does not actually protect against hacking. They can be bypassed using any proxy other than Tor, let alone nation-state botnets of hundreds of millions of compromised systems.
-cloudflare costs money. You are paying for the privilege of giving away your domain, SSL key and server traffic to a third party.
The rational conclusion to the above would be that cloudflare is attempting to consume the entire internet, like cancer.
As cloudflare is a US corporation, which appeared out of nowhere with more bandwidth and better hardware than most ISPs and has rapidly spread across the internet, it is highly likely they are an NSA front designed to completely take over the internet. Use cloudflare or be DDoS'd, that is the definition of a protection racket. Do not let them succeed, if you value the internet.
I'm with >>4391 on this one, but more carefully worded on some points. Still absolutely no sympathy from me.
Let me tell you that, on Friday the 13rd January someone some houses down the road (not traveling, position by GPS) of a Hospital in a bigger city of age 21 with the gender 0 looking for the gender 1 was browsing with his/her LG-H815 via wifi on tinder. Did some swipes but also clicked buttons to look at friends of some people, one like. No super likes though.
I too saw some bits that very strongly suggested discord. I wonder how much google and bing actually had to purge from their caches. Anyone finding and farming this beforehand will have had a field day.
>>4391 >that progressed into impossible CAPTCHAs (CAPTCHAs that would reject all answers) Despite how much I use Tor, I have never encountered a captcha like this that was part of Cloudflare's service. >and finally outright blocks in the case of archive.is I don't use archive.is, but I have seen blocks by Cloudflare unless you enable JS which is enough to make me go elsewhere. >-cloudflare (untraceably) conducts internet surveillance >-cloudflare (untraceably) steals passwords: online banking, e-voting, These should include the word "can", unless you have actual evidence.
>>4396 >Despite how much I use Tor, I have never encountered a captcha like this that was part of Cloudflare's service. I get this on cloudflare sites when using a tor proxy regularly. Though I think it can go away if you refresh the page a few times till you get an unfucked captcha.
The CEO of Cloudflare posted on Hacker News blaming Google for not cleaning their caches fast enough. The Google research who discovered the issue replied with links showing bing still contains caches with these leaks. It really seems Cloudflare is trying to play down this whole thing, they are only contacting customers who were discovered in these caches. Who knows who else has caches of these leaks. It possible it has been leaking since they introduced the feature that causes this back in September.
>>4391 Good strong points. >As cloudflare is a US corporation, which appeared out of nowhere with more bandwidth and better hardware than most ISPs and has rapidly spread across the internet, it is highly likely they are an NSA front designed to completely take over the internet. Use cloudflare or be DDoS'd, that is the definition of a protection racket. Do not let them succeed, if you value the internet. I've wondered about the orgins of cloudflare myself. They did seem to come out of nowhere with way too many resources. I don't trust it, all these internet centralization projects seem to lead to down the path to easy censorship which I'm not fond of in any way shape or form.