
CloudBleed


Thread replies: 322
Thread images: 45

File: cf.png (10KB, 585x400px)
Massive CloudFlare HTTPS leaks

>Between 2016-09-22 - 2017-02-18 encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests, and other sensitive data were leaked by Cloudflare to random requesters

>Cloudflare's network has the highest number of connections to Internet exchange points of any network worldwide

>ALL CloudFlare proxy customers have been vulnerable to having data leaked

Impacted sites include:
>4chan.org
>uber.com
>thepiratebay.org
>pastebin.com
>multiple porn sites

Complete site list (millions of sites):
https://github.com/pirate/sites-using-cloudflare

CHANGE ALL PASSWORDS
ROTATE ALL API KEYS
ENABLE 2FA (WHERE AVAILABLE)

-

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

https://techcrunch.com/2017/02/23/major-cloudflare-bug-leaked-sensitive-data-from-customers-websites/

http://www.zdnet.com/article/cloudflare-found-leaking-customer-https-sessions-for-months/

https://news.ycombinator.com/item?id=13718752
>>
>If you were behind Cloudflare and it was proxying sensitive data (the contents of HTTP POSTs, &c), they've potentially been spraying it into caches all across the Internet; it was so bad that Tavis found it by accident just looking through Google search results.

>This is approximately as bad as it ever gets. A significant number of companies probably need to compose customer notifications; it's, at this point, very difficult to rule out unauthorized disclosure of anything that traversed Cloudflare.

>In case you're wondering how this could be worse than Heartbleed: Yes, apparently the allocation patterns inside Cloudflare mean TLS keys aren't exposed to this vulnerability. But Heartbleed happened at the TLS layer. To get secrets from Heartbleed, you had to make a particular TLS request that nobody normally makes.

>Cloudbleed is a bug in Cloudflare's HTML parser, and the secrets it discloses are mixed in with, apparently, HTTP response data. The modern web is designed to cache HTTP responses aggressively, so whatever secrets Cloudflare revealed could be saved in random caches indefinitely.

- Y Combinator
>>
>>59095044
So much data, how are they even gonna dig through it and sort shit from not shit

>multiple porn sites
Someone needs to call the bank and block that credit card.

Aayyy
>>
I told you about cloudflare bro
>>
What's worse, having all your 4chan posts exposed or your entire porn history?
>>
That's what you get for using a SSL botnet
>>
>>59095440
Lel who cares.

It's so big the posts are like drops in an ocean.

Someone has to go through all the data and "expose" people but they won't it's just a credit card data mining operation

Most of these sites have transactions on them with names and data, that's what they are after.


Manneeyy. Nobody cares you called someone a faggot on february 19th 2017 at 17:46 pm

The same way nobody cares about your porn habits , you probably have bad taste

Be reasonable
>>
The CIA did this to destroy 4chan, they're scared of our power.
>>
So I'm not familiar with how Cloudflare works but I thought it was like a proxy server of sorts routing traffic from the clients to web server thus protecting the web server from DDoS attacks and large amounts of traffic.

If this is right how would encrypted passwords and information be in danger, the cloudflare servers don't decrypt the information right?
>>
>>59095573
I think it also saves caches of said websites, whether that is decrypted or not I don't know.
>>
File: 49.png (46KB, 477x702px)
gg
>>
>>59095675
Wow
>>
>>59095044
Old >>59094510
>>
File: f.png (46KB, 581x331px)
uuuhh guys
>>
Yeah but how does the leaked data connect, say, a 4chan post to a particular person's name?

it's just an IP address right? There won't be searchable database that can single out shitposters as far as I can tell.
>>
I was on freenode through SSL on my home server shell when this happened, am I fucked?
>>
>>59095831
>every cloudflare-connected site leaking client data like IP

>link IP and other client data to every other kind of cloudflare-connected site

a possible doxing of every single 4chan user cannot be ruled out
>>
>>59095831
>ISP's dhcp keeps log of who had what ip when
>???
>PROFIT
>>
>>59095831
In cases it is entire HTTP requests, which can include enough headers to reasonably uniquely identify you.
>>
>>59095850
(you)ing myself

The blog at least has a mention about client SSL certificates not being leaked, wouldn't really trust them before we know more on this though.
>>
shit nigga
gonna start using a password manager because this shit happens way too often
lastpass or dashlane?
>>
>>59095920
definitely not lastpass, use keepass
>>
File: ancap.png (545KB, 2340x1284px)
>when you try to centralize the internet but don't give a shit at all about the security
>then refuse to tell anyone for 5 months you fucked up

top kek. Mega corps will never learn.
>>
>>59095044
there was a thread here last weekend that showed the tweet from a google employee wanting to contact cloudflare and everyone was shitting bricks

https://twitter.com/taviso/status/832744397800214528

this guy
>>
>>59095863

That would absolutely destroy so many people it's not even funny. that would be relationship and job ending for many thousands if all that was easily accessible to normies.
>>
>>59096059
good thing I'm a neet with literally 0 friends
get rekt normies
>>
>>59096059
it would be very funny
>>
Hmmm maybe hosting all your content on third party servers wasn't a good idea after all
>>
>>59095044
>4chan.org
oh shit, gotta change my tripcode :^)
>>
>>59095573
>>59095595
To work, Cloudflare needs the SSL private keys of the sites sitting behind its proxy.
So yes, Cloudflare decrypts all the SSL traffic going through its servers.
>>
>>59096114
Cloudflare isn't a server service, it's a proxy
>>
>>59095044
>Fakku affected
Get fucked Jewcob
>>
Does this affect the panda?
>>
If this can happen, the internet was made stupid.
>>
>>59096264
no, cloudflare was stupid, you stupid fuck
>>
trust no one, not even yourself
>>
>>59096392
how does it check if a website uses cloudflare if it doesn't use cloudflare?
>>
why do people use Cloudflare as an entire loadbalancer solution and not as a CDN only?
>>
>>59095044
Who is the asshole that keeps naming bugs?
>>
So the bug has only existed since the end of September 2016? Or is that a guess?
>>
>>59096392
>none of the other sites I go on uses cloudflare
so is there anything to even be worried about then? i assume the issue would be if people could cross reference your 4chan shitposting with a social media account but it seems like none of them use cloudflare.
>>
File: 1487591718821.png (1MB, 1177x1560px)
>>59096479
>>
So I don't have to worry about my credit card if I bought my GoyPass™ before September?
>>
>>59096523
all cloudflare-connected sites have been compromised, so every cloudflare-connected site that has handled your cc has eventually leaked your details numerous times

so you should actually be very, very worried

this is probably going to be known as the biggest cybersecurity failure ever
>>
File: _20170223_161755.jpg (110KB, 948x964px)
Doesn't Patreon handle SSNs?
>>
>>59096181
>To work, Cloudflare needs the SSL private keys of the sites sitting behind its proxy
Bullshit. They decrypt the content they are receiving from your server as any client would and then re-encrypt it using their own cert+key.
>>
>>59096688
Who gives a fuck about patreon? Lol

It's funny because like 90 percent of the sites people are crying about being leaked have already been hacked (see: patreon)

btw if you have ever seen a doctor your ssn is likely for sale for under $10.
>>
>>59096688
It's on the list newfag.

https://github.com/pirate/sites-using-cloudflare
>>
I assume cached information usually lasts for an hour up to a few days after the request?

What is the timeline of the age of cached information that was leaked along with new requests?
>>
>>59096760
People like this have fallen so far from reality they try to bring others down with them.
>>
So, if I were logged into my gmail and was browsing a site that used Cloudflare, it's possible that my email account info was compromised?
>>
File: 1487783275925.jpg (64KB, 1280x720px)
>>59096762
I know it's on the list retard, I just want to know how fucked those furry porn artists are
>>
>>59096479
If nothing you use (or have used in the past 6 months) used Cloudflare, then you're probably ok.

Some of the sites I use that use Cloudflare are humblebundle, discord, gab.ai, pokemonshowdown, hackernews, and a few others
>>
>>59096698
They MITM all the traffic going through their servers, that's why they use their own SSL certificate for the sites they proxy.
>>
>>59096822
Since they are fur fags they have more sex than anyone on this website, but yeah they are fucked.
>>
>>59096440
Same reason web devs do other stupid shit - laziness. I only serve immutable images through CF, because their availability can be shit at times, their websocket proxy is unstable, they can cause clients to retain stale assets and they shit on my ETag scheme.
>>59096774
It's configurable and depends on cache headers. Anywhere between a few minutes and forever.
>>59096837
Yes, but they don't need your private SSL key (if you have SSL on your server), only the public one.
>>
File: succu.jpg (28KB, 290x272px)
>aliexpress uses cloudflare

welp

I have ordered some questionable things.
>>
>>59096392
Where can I find this checker?
>>
File: 1422542357075.jpg (63KB, 640x436px)
>>59096889
>>
>>59095947
What's wrong with lastpass?
>>
>>59096827
I use a few of those. So what should I do? Change passwords?
>>
>>59096916
Yes
>>
>>59095920
I've thought about using one for a long time now but my problem is that I want to be able to use my logins on other machines that aren't necessarily mine. How do you deal with this? Do you just store your password safe on USB or somewhere online?

>>59096899
The URL is the one in the picture
>>
>>59096970
Doesn't seem to work for me
>>
>1 in 3.3 million chance that a HTTP request would result in random uninitialised memory being leaked

it's literally nothing unless somebody is willing to sift through the internet for cached data and hoping that you will get some useful sensitive information
>>
>>59097070
There's always some russian guy willing to do that.
>>
>>59096407
I think maybe it checks to see if it resolves using Cloudflare DNS, although I'm not 100% sure.

>>59096899
http://www.doesitusecloudflare.com/
>>
File: yandex.webm (759KB, 1280x860px)
>>59097070

Or you know, use a search engine that isn't removing cached information.
>>
Why is such a large operation run so incompetently?
>>
>>59095675

/thread/
>>
>>59097070

for the 1/3.3 million chance to look at some random memory for the 1/whatever chance that it will be sensitive and then what? you get somebody's password? if you want that you can just look up one of those x million pw leaks LMAO
>>
>>59095675
What a morbid symbol
>>
https://github.com/pirate/sites-using-cloudflare
I don't think I even have an account on these sites
>>
File: smiling frog.jpg (34KB, 680x734px)
These kind of leaks are same type that push me closer to suicide, if I am unable to sort my information and end up compromising all that I own
>>
>>59096889
>>aliexpress uses cloudflare
AHHHHHH MY BOOTLEG FIDGET CUBE, JAMMER, RFID CLONER
I'm not fussed
>>
>>59096871
Originally cloudflare required the client to share both public and private SSL keys, Cloudflare keyless SSL or whatever they call it is a new option they offer.
I don't use their services and I didn't know that keyless SSL was a thing.
Still, even if they don't have the private key of the client they still decrypt and eventually re-encrypt all the traffic going through their servers.
>>
oh no patreon is affected. now people will know i commissioned porn a few times!

at least my anime figure websites weren't affected
>>
File: 1456062089621.jpg (28KB, 600x450px)
>tfw 4chan uses cloudflare
>tfw i can't change my 4chan pass password

S H I E T
>>
>>59096889
I don't think it does actually
>>
I hope whoever got them enjoys our anime lewds.
>>
File: youdonthatemondays.jpg (63KB, 526x526px)
>>59097168
Testing and code reviews "waste" money and time. Unpaid interns are cheap.
>>
So after changing passwords on affected sites, what else is there to worry about? I've never posted anything crazy on here.
>>
File: 1487234862234.jpg (62KB, 500x469px)
Does this affect the rare Pepe market?
>>
>>59097168
Large operations are run by businessmen, not engineers.
>>
>>59097299

thanks for the cooldown free shitposting senpai :^)

>>59097309

the best lewds
>>
>>59097337
>He doesnt keep all his rare pepes buried in the backyard so nobody ever sees them

You done goof'd long before this kid
>>
>>59097320
>Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

That tells a lot desu
>>
>>59097070
How many billions of requests are made though?
>>
>Normies who make accounts (botnet cattle tags) on websites are going to get their shit slapped
Delicious schadenfreude.
>>
>>59097330
2fa, API keys, also log out and log back in because cookies may have leaked
>>
>>59096088
4 u
>>
It was probably some Pajeet
>>
>>59097390
Based tavis wasn't having any shit from cloudflare
>>
>>59096407
$ curl -I 'http://boards.4chan.org/g/thread/59095044'
HTTP/1.1 200 OK
Date: Fri, 24 Feb 2017 15:22:38 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: __cfduid=d5a111bea78fb5e4ced032414f963d4df1487949758; expires=Sat, 24-Feb-18 15:22:38 GMT; path=/; domain=.4chan.org; HttpOnly
Last-Modified: Fri, 24 Feb 2017 15:20:59 GMT
Vary: Accept-Encoding
ETag: W/"58b04f5b-4c35"
Expires: Fri, 24 Feb 2017 15:22:40 GMT
Cache-Control: max-age=2
Server: cloudflare-nginx
CF-RAY: 3363ea06472f5996-VIE
>>
File: cloudflare_ancap.png (199KB, 600x600px)
>>59095963
Here's your dank meme, anon.

t. pass user who logged out and back in
>>
>>59096407
check for _cfuid cookies since it's impossible to remove if you're using cloudflare.
>>
File: 1475191853926.gif (508KB, 200x178px)
>>59095044

How bad did this hit Uber?

Did they really just get their whole drivers' and customers' data thrown into the internet?

Also

>mfw motherless and pornmd aren't there. Wew lads, I'm safe from having my fetishes known.
>>
>>59097390
It's cute they think exploit devs and pentesters who all make 70k at the least are going take so much time for a t shirt
>>
How would you get your shit linked to you unless your ISP uses the leak?

It's not like anyone else can do that, at best they find your IP and cross check but they still wouldn't have any means to contact/blackmail you.
>>
So everything is fucked and we should just kill ourselves now?
>>
So, how does this affect pass users
>>
>>59095044
>HTTP
Is my usage of HTTPS Everywhere of any influence on this?
>>
If I haven't used the site from September to Feb do I still have to change the password?
>>
DID DROPBOX GET HIT?

I NEED TO KNOW THIS!

>https://www.nowsecure.com/blog/2017/02/23/cloudflare-cloudbleed-bugs-impact-mobile-apps/

Indicates that their app might have been hit.
>>
>>59095675
What site is this
>>
>>59097716
No, thanks to Cloudflare fake HTTPS.
>>
>>59097723
Cuckflare.xxx
>>
>Goypass buyers can't change their passwords
Thanks ChinaMoot
>>
File: firefox_2017-02-24_12-33-25.png (42KB, 1103x728px)
>>59097718
>>
/pol/ is so fucked
>>
File: 1447144275961.jpg (17KB, 399x388px)
>porntube.com

RRRRRRRRRRRRREEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
>>
>>59097727
Pls explain in pc-illiterate lingo
>>
>>59096059
Actually, I want this to happen just because of the shitstorm it would create.
>>
>>59097747
Wouldn't only their ip addresses be leaked? If they don't have a 4chan pass they should be ok
>>
I've been checking the list of affected websites and i found a few sites i use.

They were all websites where i don't have a account so am i safe password wise?
>>
Can't affected sites just clean up, as well as all that cache shit?
>>
>>59097756
CHANGE YOUR PASSWORDS NOW
>>
>>59097390
The Treasure of Melee Island™
>>
>>59097765
plenty of people with a static IP and /pol/ has gotten the attention of every single three letter company during the elections.
>>
>>59097718
Maybe, but you should be safe.

www.dropbox.com is on their own network.
cfl.dropboxstatic.com serves sources (icons, fonts etc.) for the web frontend and is behind Cloudflare. It doesn't seem to serve any kind of user data, though.
dl.dropboxusercontent.com and other domains that are used for file transfer are directly on Amazon EC2.
>>
File: 1245125341.png (46KB, 838x623px)
>>59097746
explain
>>
>Still no 4chan statement about passes
>>
>>59097772

nope, cloudflare works as a reverse proxy. hosts can't control what cloudflare fucked up.

even though it's fixed from cloudflare's side, any leaked data in caches can't be invalidated by anyone but the holder of said cache.
>>
>>59097835
What, do you expect a refund, goyim?
>>
>>59097843
I expect a new pass with a new code at the least
>>
Alright niggers recommend me some KeePass plugins. I can't be assed to memorize a bunch of new passwords so im taking the plunge.
>>
>>59097816
reddit now uses fastly.
>>
>>59097705
I'm wondering this too. Someone please respond ;_;
>>
Should I deactivate my debit card or is that not worth worrying about?
>>
does this mean my 4channer account will get hacked? how fucked am i?
>>
>>59097835
Why are you expecting such a fast response? Hiro is probably whacking off right now and he'll post something vague about it 4 months from now, then disappear for another 6 months minimum.
>>
No there was no "big data leak" faggots.

The chances of anyone getting access to any of your information are extremely tiny.

What happened is that in some edge cases cloudflare would print possibly private information from memory due to their autocompiler using == instead of >=.

Some private data was then cached by search engines and maybe someone somehow found someone's dog's name.

This was already fixed ages ago before anyone besides cloudflare/google/etc even knew about it.
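
The end-of-buffer check the post above describes (`==` where `>=` was needed), as an added example that is not part of the original post and is not Cloudflare's code. The toy scanner, the 64-byte arena standing in for proxy memory, and all names and sample strings are constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_LEN 64   /* stands in for the proxy's heap (assumption) */

/* Constructed sample data. The page ends in '=' so that the scanner's
   two-byte step lands one byte PAST the end of the page buffer. */
static const char PAGE[]      = "<p>x</p><a href=";
static const char NEIGHBOUR[] = "SECRET-FROM-OTHER-REQUEST";
#define PAGE_LEN (sizeof PAGE - 1)

typedef struct {
    size_t emitted;   /* bytes copied to the output */
    size_t overread;  /* of those, bytes taken from past the page buffer */
} scan_result;

/* Toy scanner: copies bytes to out; on '=' it skips two bytes ('=' plus an
   expected opening quote). That step is what lets p jump over pe.
   use_ge == 0 : end test is (p == pe)  -> missed once p is already past pe
   use_ge == 1 : end test is (p >= pe)  -> still stops after the jump */
static scan_result scan(const char *p, const char *pe, const char *hard_end,
                        int use_ge, char *out, size_t out_cap)
{
    scan_result r = {0, 0};
    for (;;) {
        int at_end = use_ge ? (p >= pe) : (p == pe);
        if (at_end)
            break;
        /* Demo guard only: keeps the simulation inside the arena so the
           program stays well defined. Real memory has no such fence. */
        if (p >= hard_end || r.emitted + 1 >= out_cap)
            break;
        if (*p == '=') {
            p += 2;
            continue;
        }
        if (p >= pe)
            r.overread++;
        out[r.emitted++] = *p++;
    }
    out[r.emitted] = '\0';
    return r;
}

/* Lays out [page buffer][another request's data][zeros] in one arena and
   runs the scanner over the page buffer only. */
static scan_result run_demo(int use_ge, char *out, size_t out_cap)
{
    static char arena[ARENA_LEN];
    memset(arena, 0, sizeof arena);
    memcpy(arena, PAGE, PAGE_LEN);
    memcpy(arena + PAGE_LEN, NEIGHBOUR, sizeof NEIGHBOUR - 1);
    return scan(arena, arena + PAGE_LEN, arena + ARENA_LEN,
                use_ge, out, out_cap);
}

int main(void)
{
    char out[ARENA_LEN + 1];

    scan_result bad = run_demo(0, out, sizeof out);
    printf("==  check: emitted %zu, over-read %zu, output \"%s\"\n",
           bad.emitted, bad.overread, out);

    scan_result good = run_demo(1, out, sizeof out);
    printf(">=  check: emitted %zu, over-read %zu, output \"%s\"\n",
           good.emitted, good.overread, out);
    return 0;
}
```

With the `==` test the scanner's output contains bytes from the neighbouring buffer; with `>=` it stops at the end of the page.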
>>
>>59097899
>This was already fixed ages ago
Except the biggest period of leaks was from 13-18 of Feb.
With 1 in every 3.3M request being leaked.
>>
>>59097924
>13-18 of Feb.
Wait, that's it?

Shit, it's nothing.
>>
>>59097939
>biggest
lern 2 reed

This was an issue since September last year.
>>
>>59097939
>lol 1 in every 3.3m being leaked for 5 days is nothing for 5.4m sites worldwide
>>
>>59095044
>cloudbleed
Why not cloud burst or some weather related name
>>
>>59097968
because le heartbleed reference
>>
>>59097899
But on certain sites, this edge case occurred every single time it was computed by cloudflare. So new data got leaked any time one of these was computed.

And this has been a thing since September, so they have constantly cached data since then.

It's improbable that any one person might have their data exposed, but it's probably worth swapping out some passwords just in case.
>>
>>59097968
bleed is the new "gate" for website leaking related problems.
>>
>>59097977
Well it's similar to heartbleed in that random data on the server is accidentally accessible to anyone; the comparison isn't surprising.
>>
>>59095044
Y'all thought this shit was a joke. Nah senpai.

It's happening.
>>
>>59097705
>>59097874
>>59097882
As the pass login is valid for a whole year (i.e., you're not logging into 4chan all the time with your password), the only realistic chances are your pass cookie for sys(.)4chan (which itself is only used for posting, reporting and the janitor board) leaked after the same node processed a broken site.
That's easily fixed by logging out and logging back in.
>>
>>59095440
>implying you never clicked on loli
>implying it didn't put you on watchlists
>>
>one web service designed specifically to strip encryption from massive websites
No way the NSA is involved

>They fuck up and spew private info everywhere
This is why backdoors are dumb.
>>
The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

This is huge. I mean, seriously, this is REALLY HUGE.
>>
>>59098027
Thanks man.
>>
Cloudflare has gotten slower over the years anyway. A lot of crappy web developers also use it to "secure" their poorly coded web application.

They also want $200/month minimum if you want to use your own SSL certificate. Which is a complete ripoff as other services charge $20/month if you want to use your own cert.
>>
File: thinking-face[1].png (53KB, 256x256px)
does this mean that we can actually discover if there were CTR or Russian shills forcing memes to influence the election
>>
So what is the best Password Wallet? I'm willing to pay a bit for it

I am not manually changing and memorizing 20+ secure passwords ever again
>>
>>59098394
Keepass.
>>
>>59098394
A notebook on your desk
>>
When is it safe to change my password? Did they patch or fix it.
>>
Tfw I've paid for subs to very niche and weird (but 100% legal) porn with my real name when drunk.

Wew lad pls no. I had to use a 3rd party payment processor so maybe...
>>
>>59098394
>best Password Wallet
Master Password by far. You don't even need to backup your passwords. Just remember your name and your master password.
>>
>>59098416
This. Literally the most securest option.
>>
Why isn't there a bigger fuss about this happening? Most of the shit I've seen is contained to /g/. Haven't even gotten any emails or anything.
>>
File: 1486108473340.png (268KB, 485x416px)
>>59098638
they are trying to hide it
>>
>>59098685
Why would they? It's not like people aren't going to find out. MSM is going to dive on this right?

Right?
>>
File: firefox_2017-02-24_19-03-50.png (56KB, 744x734px)
>>59098710
I dont know
>>
File: d4761.jpg (79KB, 518x546px)
>>59098685
>they
((()))
>>
File: 1461788177739.jpg (81KB, 630x623px)
I GET ALL THESE EMAILS FROM VARIOUS SITES NOW

CLOUDFLARE SECURITY BREACH - CHANGE YOUR PASSWORD

I WANT TO KILL THE WHOLE INTERNET

>SHIT WEBSITE USES SHIT PROTECTION SERVICE CAUSE THEY PRETEND TO BE BIG DEALS THAT ARE UNDER EBIN DDOS ATTACKS

>ALL MY DATA GETS LEAKED

WOOOOOOOO
>>
>>59096905
It's proprietary.
>>
>>59095595

You can't cache gibberish so it was decrypted
>>
>>59098638
>>59098638
>Why isn't there a bigger fuss about this happening? Most of the shit I've seen is contained to /g/. Haven't even gotten any emails or anything.
It's literally on hundreds of websites
https://www.google.com/#q=cloudflare&tbm=nws&*
>>
>>59098791
so lets keep it 100, /g/

how likely is it that people will find out how disgusting of a person I am?
>>
>>59098847
>how likely is it that people will find out how disgusting of a person I am?
There's a secret Facebook group where they gossip about you and post secretly taken pictures, audio and video recordings
>>
>>59098847
How important are you? Why would Vlad care about searching for information specifically for you?

They're after your money.

Or at most your nudes.
>>
>>59098866
really?
>>
>>59098618
>>59098416
And if you're worried about it being destroyed from potential fire/water damage, get one of those tiny fire/water/etc-proof safes for cheap and you'll be good to go for a long, long time.
>>
>>59098892
It's what Normies entertain themselves with.
>>
>>59098915
well shit
>>
>>59098913
>>59098416
The most secure is Diceware method
http://world.std.com/~reinhold/diceware.html

Roll a real physical die 6 times and choose a password with it from the Diceware list or other list. Now you only need to store those 6 roll combinations on a tiny piece of paper you can carry around if you have to. After entering them numerous times into sites you use often you'll probably just remember them and not even need the paper anymore.
>>
How and when will I know if I'm in the clear? I've changed my passwords and everything. The worst part of this is not knowing if I'm hit or not.
>>
File: louis thinkpad.png (1MB, 1046x943px)
>CHANGE ALL PASSWORDS
>ROTATE ALL API KEYS
>ENABLE 2FA (WHERE AVAILABLE)

Can we add remove your site from kikeflare to the list? They couldn't prevent a fucking buffer overflow, what makes you think this won't happen again?
>>
File: IMG_5112.png (641KB, 542x598px)
>I don't have any accounts on Cloudflare websites
>>
>>59099567
Yes you do, reddit :^)
>>
Does Cloudflare use Cloudflare?
>>
>>59099567
There are over 4 million cloudflare websites, i can bet my ass that you have an account on at least one of them.
>>
DRUMPF BTFO
>>
QUICK, HOW DO I MAKE A STARTUP CACHING SERVICE OVERNIGHT NOW THAT CLOUDFLARE IS DED?
>>
>>59095963
This. Fucking lousy megacorps will be the death of us all one day
>>
Does this only affect sites that have HTTPS?
>>
>>59096820
I don't think google would submit itself to cloudflare
>>
>>59096905
Enjoy not actually knowing any of your own passwords. What are you gonna do when you need to log in on something and it isnt available for whatever reason?
>>
>>59099913

Presumably it would affect both, just that the https instances are more severe (in the sense that what made them secure in the first place is now nullified).

Keep in mind this doesn't affect SSL certs, etc. Just what is stored in cache.
>>
>>59099913
nope
>>
>>59099942
what?
>>
ipfs will save us all in the end
>>
>tfw i just got hired by cloudflare london
>tfw thinking about dropping it
>>
>>59099567
This
>>
>>59100037
Password managers are bad because you won't know your own passwords. Do you really not see a problem with that?
>>
I don't have credit cards. I might have an account in a cloudflare site but at best it has my name and some gmail address that maybe has a cellphone number.
I browse porn like everyone else though I doubt anyone's interested in that, I don't have an account in porn sites either.

Am I still fucked? what can they fuck me with? Can someone give me a quick explanation?
>>
share some cookies
>>
>>59100219
nothing significant will happen

at the height of the leaks, there was a 1 in 3.3 million chance your data might have been archived by a search engine, or some hypothetical malicious third party that knew of the bug, on top of that, the chances of the data archived being something sensitive are 1 in whatever

change your passwords if you are paranoid but tl;dr WOW LOOK NOTHING
>>
>>59095044
Is this why Google logged out so many users yesterday and notified of an account change?
>>
>>59100371
Unrelated. :^)
>>
>>59100391
whew! I was worried! :^)
>>
post yfw everyone on 4chan gets doxxed
>>
>>59100371
that happened to me on one of my three accounts, what happened there?
>>
>>59100343
Yeah I read that and it eased my worries a bit but i'm wondering in case something similar happens again.

What can these people fuck me with if I don't have credit cards or something like that around? is a cellphone number enough to do something? Is my IP(even though it changes like 2-3 times a day) enough to do something?
>>
Amusing how I still haven't gotten a single email from any site about this.
>>
>>59100413
people talked about 2fa being the issue
>>
>>59100425
no, you're good
>>
>>59100477
thanks
>>
>>59100183
Not only that, but LastPass is a proprietary password manager. You're literally handing your passwords out to a private company.
>>
>>59096114
But it saves me $5 of bandwidth every month!!
>>
I heard that some people are already planning to quit this clusterfuck of a company.
>>
>>59096760
LOL I JUST signed up on Patreon yesterday
oh nooo
>>
>>59100183
This isn't a problem when it comes to Master Password. You can just regenerate your passwords on a completely new and clean system.
>>
File: 1486028195043.png (323KB, 900x900px)
So everyone that bought a pass since September has had their card details leaked right?

>top goy
>>
>>59100766
no
>>
File: 1486527185386.png (400KB, 450x720px)
A few days ago on a different board someone mentioned there was a 4chan leak where the IPs of posters were visible. At the time I thought it was something related to 4chanX, but was it actually this?
>>
>>59099711
Oh no
>>
>>59100798
Sure thing Hiroshima
>>
>>59100814
no

can't any of you even read?
>>
>>59100825
this is an imageboard

I didn't think reading was a requirement
>>
>>59100823
there is a really low chance that any sensitive data leaked. and then it'd still have to fall into the hands of someone collecting it. So you can with high certainty say that not everyone who bought a pass since September has had their card details leaked.
Not to mention that 4chan doesn't even process the payments itself.
>>
>>59100825
It's always the animeposters who say dumb shit.
>>
>>59095044
>uber.com
Doesn't respect your freedoms. Good riddance.
>>
Oh fuck, I talk to one real life friend on Discord with my usual nickname. The idiot sends me pics of both of us over it once in a while. Now that shit is out there to aid in correlating everything. Worse, they can match the Discord IPs with 4chan ones. I've made some really fucking embarrassing posts over the years, some relatively recent /r9k/ and /jp/ ones can fuck my life up hard. And there are dedicated trolls who will waste months of their life to link 4chan posts to people.

Guess it's time to plan an emergency suicide just in case. T-thanks Cloudflare.
>>
>>59097691
You first!
>>
>>59095495
Is this what they call "Reddit formatting"?
>>
>>59100695
So any time you just happen to be somewhere and you just happen to have to do something real quick online and need to log in, you're gonna install lastpass and do the online import? You assume it'll even be possible/allowed?
>>
>>59101022
Only use generated passwords for important sites and ones that you would only log in from a personal computer.
>>
>>59101022
>import
>Master Password
What the hell is lastpass? One of those pleb tier pw managers that requires backup and shit?

http://masterpasswordapp.com
>>
>>59096903
Vintage
>>
>>59101060
This is basically what I've always done in my mind: a password pattern that uses the site itself as input. This just adds 1 more factor to differentiate between users and 1 more obfuscation factor.

Interesting find. It's been since ublock origin was revealed to me here that I've found an interesting gem on this shithole site. Thanks for breaking the spree, anon
>>
>>59101117
Find any other gems here?
privacytools.io
>>
>>59101060
I don't see the issue with password managers

>You have to keep a backup of your password database
So what? You should backup all your important data anyway. Having your PW database among it should be no issue. And with a sufficiently strong master password, it's safe enough to upload it on cloud storage providers.
>>
>>59101250
>>You have to keep a backup of your password database
>and have it available whenever you need it
>and install the password manager on whatever pc you want to use it on
Nice cherrypicking of words
>>
>>59101265
see
>>59101056
>>
>>59101265
>>and have it available whenever you need it
Yeah, just like that masterpasswordapp

>>and install the password manager on whatever pc you want to use it on
Depends on your choice. For KeePass there are Android apps. So it's enough to have it on your smartphone. Would take a while to enter complex passwords into a login form, but who cares. But it's not a big deal.

Now, personally, I don't need to login to sites/services from any device but my own. So it's not an issue for me to install it on all of them.
>>
>>59096889
>>59097274
What about the CC info you used to pay?
>>
is taviso /ourguy/?
>>
>data only leaked in about 0.00003% of requests.
And they fixed it before disclosing any information about this.
WOW, it's fucking nothing
>>
>the jewflare is perfectly safe
>theres no way a huge corp could be compromised
>youre just a paranoid freetard
>jewflare being a powderkeg? nice conspiracy theory loser

sometimes it feels good to be right
>>
>>59101451
exactly
>>
>>59101478
So about every 10^7th or 10,000,000th request contained data that it wasn't supposed to. And WHAT that data was, was still up to chance.
Sensitive data only makes up a small percentage of internet traffic, so going all paranoid about this and asking everyone to change all their passwords seems a bit overdramatic.
>>
>>59095495
>17:46 pm
That's not how that works, faggot.
>>
>>59101541
Ehh, I just noticed I was off by a factor of 3. So about every 3,300,000th request. But that's still very low.
>>
File: attachment.png (85KB, 1173x1091px)
>>59101478
>>59101541
And yet they were able to find very sensitive information.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

Don't worry though guise, it's nothing! :^)
>>
File: 1486430884555s.jpg (8KB, 183x250px)
>>59095044
See:
>>59101562
>>59101562
>>59101562
>>
it's literally fucking nothing
>>
>>59101808
see
>>59101578
>>
Test post, just reset all my passwords.
>>
>>59100913
I think you're overreacting a bit, Thomas.
>>
>>59098947
>use cracking program
>load up diceware list
>1 second later password is out
Make your own password you retarded cock sucking nigger
>>
>>59102057

>1 second later

Right, it takes a second to go over a vast number of possible combinations. Do you even think?

And if you follow the advice of the diceware password generation and include even one symbol somewhere in the combination, you'll grow old before you ever crack the password.
>>
File: 297.jpg (50KB, 800x450px)
ITT
>>
>>59097134
That's so fucking ridiculous
>>
>>59098947
Updated list: https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases
>>
>>59102292
>Right, it takes a second to go over a vast number of possible combinations
Depends if it can be parallelized. Disc/file encryption can be.
>>
>>59096889
http://www.doesitusecloudflare.com/?url=aliexpress.com

no it doesn't
>>
File: 23467.png (28KB, 200x200px)
>tfw nothing to hide
>>
>>59101022
I'll use lastpass on my phone and directly type in the password.

You being retarded on purpose or something?
>>
>>59102595
swear I saw it on some list
>>
>Paypal doesn't use Cloudflare
>Steam doesn't use Cloudflare
>Blizzard doesn't use Cloudflare

I'm safe. There's literally nothing anybody can do against me that would be harmful.
>>
So has the issue been fixed? Or is this like heartbleed where we should wait before changing passwords
>>
>>59101478
So some of my website passwords didn't get leaked?
>>
>>59103121
it has been fixed

how much has been leaked/accessed is currently unknown
>>
>>59103169
Pretty sure I managed to collect everything before it got wiped. Currently uploading on the darknet.
>>
>>59103194
Good luck with that anon I'm uploading falsified versions of the same data on the lightnet, take that!
>>
Anyone recommend last pass?
>>
>>59096059
What if it turned out that a massive percentage of the population uses 4chan? Imagine not needing to hide your powerlevel any more.
>>
I'm seriously thinking about getting one protonmail account for each website now.
>>
>>59103479
I recommend Master Password.
>>
>>59103550
How does that even fucking work?

Can I trust it?
>>
good thing I have no money and no life, thus nothing worth exploiting
>>
>>59103692
By generating passwords based upon your name, master password, and the name of whatever site you need a password for.

Since the passwords are generated, you don't need to worry about having your system wiped and shit, as long as you remember the master password.

It's excellent.
>>
>>59103765
I'm not nearly smart enough to understand the algorithm used, but since it's open source it can be trusted, right? Also, what if I need to change my password? Assuming this is the case:

>Name: John Smith
>Website: Gmail.com
>Master Password: Anusballs1

If I need a new password, won't it just generate the same one over and over again?
>>
>>59103800
You can change some options and generate more than one password per site, but the catch there is you'll have to remember the options and/or what number password it is. As far as I understand anyway.
>>
>>59103841
Sounds like a pain in the ass. I like the concept though.

Either way I need to start managing passwords properly. I have 2 secure passwords that I use for E-Mail, PayPal and very important stuff. And then I have a bunch of old passwords that I just reuse on various sites since they're not important.
>>
>>59097988
>Bill Gates will never have his personal blog's unique software vulnerability exposed leading to gatebleed
>>
>>59103895
Keep in mind that it's enough to change either the password length, the password number, or version thingy. It's easy to test out.
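
The scheme the posts above describe (one secret plus your name and the site name, with a counter to get a new password for the same site), as an added example that is not part of the thread and is not the Master Password app's own algorithm or output. The scope label, alphabet, scrypt parameters and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import string

# Hypothetical scope label for this example, not any real product's constant.
SCOPE = b"example.stateless-password"
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@"


def _field(value: str) -> bytes:
    """Length-prefix a field so ("ab", "c") and ("a", "bc") never collide."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def master_key(name: str, master_password: str) -> bytes:
    """Slow, salted stretch of the one secret; the user's name acts as the salt."""
    return hashlib.scrypt(
        master_password.encode("utf-8"),
        salt=SCOPE + _field(name),
        n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32,
    )


def site_password(key: bytes, site: str, counter: int = 1, length: int = 16) -> str:
    """Derive the password for one site; a different counter gives a new one."""
    msg = SCOPE + _field(site.lower()) + counter.to_bytes(4, "big")
    seed = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")
    chars = []
    for _ in range(length):
        # Peel characters off the 256-bit value by repeated division.
        seed, idx = divmod(seed, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed inputs: name and site as in the thread, made-up master secret.
    key = master_key("John Smith", "constructed-master-secret")
    print("counter 1:", site_password(key, "gmail.com", counter=1))
    print("counter 2:", site_password(key, "gmail.com", counter=2))
```

Replacing a password that leaked means bumping `counter` for that site only, so the counter is the one piece of state you still have to remember or store.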
>>
>>59098027
>Janitor cookie leaked
This couldn't possibly go wrong
>>
>>59098638
normies don't understand modern internet technology
>>
What is the best password manager?
It needs to work between multiple linux and android devices.
>>
>>59104028
keepass with a file synchronization service of your choice
>>
>>59104028
keepass
>>
>>59104028
Master Password. You don't even need to backup anything.
>>
>>59104028
>>59104033
>>59104037
Wouldn't file syncing be unsafe?
>>
>>59098638
I got an email from cloudflare.
>>
>>59103479
KeePass is free. Both, as in beer and as in freedom.
It also has lots of 3rd party tools. Like Browser integration. Smartphone apps.
>>
>>59104068
keepass databases are stored encrypted with the main password
>>
>>59104068
You need a password to decrypt the file. So if it's sufficiently strong, it's not unsafe.
>>
>>59104068
No. Why would it be?
>>
>>59104028
Keepass. Can be used on almost anything.

>Create database
>Create master password (make it easy to remember and never use it anywhere else)
>Create passwords for accounts, websites etc.
>Save it
>Copy it to every device you want
>>
>>59098735
Says a lot about you actually.
I have received exactly zero emails.
>>
>>59098394
Your brain
>>
>>59104239
He asked for the best not the worst. Literally nothing else is less reliable.
>>
>>59104258
Any brain that would need a password could store it
>>
>>59096905

It's basically a tradeoff. Do you trust yourself to properly sync and back up your passwords, or do you want to entrust that to a company whose job description is "properly sync and back up your passwords".

I use LastPass for personal use and KeePass for work. I would recommend LastPass.
>>
File: boats.jpg (17KB, 300x300px)
>>59104033
>>59104037
>>59104125
Thanks
>>
File: HEY YOU.png (3KB, 555x122px)
>>59097840
>cloudflare works as a reverse proxy

It's the most massive MITM operation. This very notion (MITM all traffic) was suggested years ago by some politician, well before Snowden, for the "safety of our citizens". No wonder Cloudflare were a road block to tor according to Jacob Applebaum.
>>
>>59104293
It's like Cloudflare, a disaster just waiting to happen.

We all learn about single points of failure but we never seem to care enough until shit hits the fan.

One day something big will happen, like a massive Google leak or something, and only then people will truly wisen up (I hope)
>>
>>59098394
>I am not manually changing and memorizing 20+ secure passwords ever again
Then you're gonna get fucked some day, no lube.

The only secure way is to keep your passwords on some device that isn't or can't be hooked to the net, use your memory, or write them down and put them in your safe.
>>
File: varg-vikernes.jpg (94KB, 500x750px)
STOP CREATING ACCOUNTS ON WEB SITES
>>
>>59105198
Or use Master Password.
>>
>>59098394
I use KeePass (2 and 2Android) on my computers and phone, synced with Google Drive.
>>
>>59105285
>synced
>having to sync
>>
>>59105310
What else would you do?
I want the same database on my phone and computers.
>>
>>59095044
>trusting your own computer
>trusting the own computer of other people
>>
>>59105328
>trusting anything
>>
>>59095402
I TOLD YOU DOG
>>
>>59105314
Master Password.
>>
>>59105355
>remembering usernames to use for generation
I can't even do that, fuck Master Password.
>>
>>59105328
>>59105337
>>
Let this be a lesson for all retarded pajeets here who use == instead of >= for bound checking "because it normally only increments by 1 XD"
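
The bounds check the post above is talking about, modelled in Python over a flat byte array standing in for memory. This is an added example, not code from the thread or from Cloudflare; the scanner, the buffer contents and all names are constructed.

```python
import operator

# Constructed model of memory: one request's buffer followed directly by
# bytes that belong to somebody else's request.
REQUEST = b"name=bob\\"                      # ends with a lone escape byte
NEIGHBOUR = b"Cookie: session=CONSTRUCTED-SECRET"
MEMORY = REQUEST + NEIGHBOUR
END = len(REQUEST)                           # one past the last valid byte


def scan(memory: bytes, end: int, reached_end) -> bytes:
    """Copy bytes out of memory[0:end], dropping backslash escapes.

    reached_end(p, end) is the end-of-buffer test under comparison.
    The pointer normally advances by 1, but an escape advances it by 2.
    """
    out = bytearray()
    p = 0
    while not reached_end(p, end):
        if p >= len(memory):                 # edge of the model's memory
            break
        if memory[p] == ord("\\"):
            p += 2                           # skip the backslash and the escaped byte
            continue
        out.append(memory[p])
        p += 1
    return bytes(out)


def overread(memory: bytes, end: int, reached_end) -> bytes:
    """Output bytes that were never part of the caller's own buffer."""
    own = scan(memory[:end], end, operator.ge)
    return scan(memory, end, reached_end)[len(own):]


if __name__ == "__main__":
    # `==` is stepped over when the pointer jumps from END-1 to END+1.
    print("p == end:", overread(MEMORY, END, operator.eq))
    print("p >= end:", overread(MEMORY, END, operator.ge))
    # On ordinary input both tests behave the same, which hides the defect.
    print(scan(b"a\\bc", 4, operator.eq), scan(b"a\\bc", 4, operator.ge))
```

Only input that ends on the two-byte step exposes the difference, so tests built from well-formed requests pass with either comparison.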
>>
>>59105381
Not even Cell himself
>>
>>59105368
Dafuq are you on about?
>>
File: wew.webm (2MB, 726x256px)
>>59100409
It would be amazing.
>>
>>59105400
I'm content with KeePass and syncing.

Not hating and more power to you and Master Password.
>>
Did Uber leak any cc/banking info, both on drivers and users?

Was Lyft affected?
>>
File: 1478777372914.jpg (941KB, 3793x3011px)
>>59095044

>Between 2016-09-22 - 2017-02-18

2016-09-22 First Yahoo breach announced (2014), then 1B accts in December (2013)

2016-10-21 Dyn attack cloudflare was congratulating themselves for being up

Dyn may have been a beaconized pre-emptive strike to open the breach to haul a specific target.

rabbit hole
>>
>>59095044
Shit now I have to change my 4chan password..
>>
>Everyone on 4chan is gonna get doxxed!!!
Oh no someone knows my IP address and therefore maybe the general area in which I live since my ISP provides that sort of info oh no what ever will I do?


I mean there's I guess a risk of Ledditors getting linked to things they've posted on other sites but that's about it really.
>>
>>59105229
Stop shitposting Varg.
>>
File: 1483036884797.gif (2MB, 384x216px)
Kek at the idiots who posted in those 'Confess your secrets', and 'What is the gayest thing you've ever done' threads.
>>
>>59096392
Is this site trustworthy? Or is -this- the trap!
>>
>>59096059
>implying 4chan isn't 90% NEET and 10% liars anyway
>>
>>59104718
Life is a disaster waiting to happen. So should we sit inside all day and stay out of harms way?

This is a 4chan archive - all of the content originated from that site.
This means that RandomArchive shows their content, archived.