What the Cloudbleed Leaks Tell Us About Online Security

An astounding number of websites (Reddit, for example) sit behind reverse proxies and DDoS mitigation services such as Cloudflare to shield themselves from major outages and keep the lights on consistently. These services often market themselves as providers of both security and performance.

Yet, in direct contradiction to this, on the 17th of February 2017 a major bug in Cloudflare’s software was found to have been exposing a massive amount of private data from millions of websites. Some of this data even turned up in cached copies of pages that showed up in Google’s search results. This particular event, which came to be known as Cloudbleed, has presented a valuable opportunity for a discussion on the safe use of technology.

For the uninitiated, Cloudflare is a service that acts as a middleman between your website and the wider Internet. When you go to a site that uses the service, you are actually connecting to Cloudflare, which connects to the site and relays its output to you. It caches some of the more frequently visited pages so that the site doesn’t have to respond every single time someone connects, thereby reducing the impact that large amounts of traffic have on the origin server. This also helps reduce the impact of distributed denial of service (DDoS) attacks on your site, since there’s a middleman that can absorb the brunt of these attacks, acting as a sort of traffic light that lets legitimate visitors through and stops bots in their tracks. Cloudflare and other reverse proxy services (like Incapsula and Akamai) will often market themselves as purveyors of website security.


Cloudbleed is the name given to a bug in Cloudflare’s software, discovered by a member of Google’s Project Zero team, that exposed private messages from major websites, data from an online password manager, and full HTTPS requests destined for other servers. Under certain conditions, Cloudflare’s response to a request would run past the end of its allocated buffer and return data belonging to other customers whose traffic was passing through the service at that moment. It left everything out in the open and presented a catastrophic security risk for anyone using or owning websites that rely on the service.

The bug was patched towards the end of February, although Cloudflare acknowledged that data may have been leaking as early as the introduction of its new HTML parser on 22 September 2016.
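To make that failure mode concrete, here is an added example in C (not Cloudflare’s code) of the general pattern: a toy HTML attribute scanner that trusts the page to be well-formed, beside the same scanner with a length check. The arena, the two tenants’ strings, and the constants PAGE_LEN and ATTR_START are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed arena standing in for a heap shared between customers:
 * tenant A's HTML page followed immediately by tenant B's data.
 * The parser is only supposed to see the first PAGE_LEN bytes.
 * (Assumption: an illustrative layout, not Cloudflare's real memory.) */
static const char ARENA[] =
    "<p>hi</p><img src=\"x"       /* tenant A's page: attribute never closed */
    "OTHER-TENANT-SECRET\"";      /* tenant B's data, adjacent in memory    */
#define PAGE_LEN   20             /* logical end of tenant A's page          */
#define ATTR_START 19             /* index just after the opening quote      */

/* Vulnerable: copies an attribute value into out, scanning until it sees a
 * closing quote. It never consults the page length, so an unterminated
 * attribute makes it read whatever happens to follow the page in memory. */
int attr_value_unchecked(const char *buf, size_t start, char *out, size_t out_sz)
{
    const char *p = buf + start;
    size_t n = 0;
    while (*p != '"') {
        if (n + 1 < out_sz) out[n] = *p;  /* the copy is bounded, the scan is not */
        n++; p++;
    }
    out[n < out_sz ? n : out_sz - 1] = '\0';
    return (int)n;
}

/* Hardened: the scan stops at the logical end of the page, and an
 * unterminated attribute is reported as an error (-1) instead of being
 * satisfied with bytes that lie beyond `len`. */
int attr_value_checked(const char *buf, size_t len, size_t start,
                       char *out, size_t out_sz)
{
    const char *p = buf + start, *end = buf + len;
    size_t n = 0;
    if (start > len || out_sz == 0) return -1;
    while (p < end && *p != '"') {
        if (n + 1 < out_sz) out[n] = *p;
        n++; p++;
    }
    out[n < out_sz ? n : out_sz - 1] = '\0';
    if (p == end) { out[0] = '\0'; return -1; }  /* page ended before a quote */
    return (int)n;
}

int main(void)
{
    char v[64], c[64];
    int a = attr_value_unchecked(ARENA, ATTR_START, v, sizeof v);
    int b = attr_value_checked(ARENA, PAGE_LEN, ATTR_START, c, sizeof c);
    printf("unchecked: %d bytes -> \"%s\"\n", a, v);   /* carries tenant B's secret */
    printf("checked:   %d (unterminated attribute rejected)\n", b);
    return 0;
}
```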


If you’ve been reading our stories for a while, you may remember a very similar event known as Heartbleed back in 2014, in which websites using OpenSSL were vulnerable to an exploit that could expose fragments of private data to snooping parties. Together with the more recent Cloudbleed kerfuffle, it teaches us one valuable lesson: nothing is one hundred percent reliable, not even the services whose explicit purpose is to protect you.

This is not meant to bash Cloudflare. The bug could have happened to any service. The point here is that the Internet is not a place where you should expect a guaranteed level of safety. You could do everything possible to protect yourself and still be left out in the open by a situation that you have no control over.

The truth is, as Inc.com’s Joseph Steinberg writes, “The current risk is much smaller than the price that would be paid in increased ‘cybersecurity fatigue,’ leading to much bigger problems in the future.” What he means is that the nature of the bug makes the chance that your password leaked so astronomically low that changing it will only wear you down. When a real crisis hits, you may be so exhausted by all the noise, panic and hype that you ignore a call to change your password at a crucial moment. Cloudbleed isn’t that moment. But by all means, if you really feel the need to do so, change your password.

Other than that, just remain vigilant and do not ignore emails from the services you love. The moment a crisis hits, they’ll most likely send you a friendly letter with everything you need to know about it and might even provide suggestions on what you should do to ensure you aren’t affected.

Do you think that cybersecurity fatigue exists as Steinberg suggests? Should people be in a constant state of alert even when there isn’t a strong enough justification for panic? Tell us what you think in a comment!

11 comments

  1. “Do you think that cybersecurity fatigue exists as Steinberg suggests?”
    Outside the computer world, it is called “The boy that cried wolf” and is a problem for any entity that makes potentially dire predictions. For example, earthquakes or volcano eruptions.

        • You’re right on point. There seems to be an excessive amount of panic when these kinds of things happen, which makes users across the web grow a bit tired. Of course, there is a need to be as prudent as possible when it comes to our online security, but then again, at what point are we making too much of a fuss about it?

          Perhaps this may be a bit controversial, but I am thinking there should be more discussion on this particular subject from both sides of the aisle.

          • “at what point are we making too much of a fuss about it?”
            Would you be so sanguine if burglars constantly tried to break into your house? When it comes to security, either you have it or you don’t. It’s black or white. There are no shades of gray. It’s like being pregnant, either you is or you ain’t.

        • Sorry dragonmouth, but I’m honest and tell the truth. You know your stuff and you know what you’re talking about. And unlike most people you have great points to back up anything you say. Most people don’t do this like you do.

  2. I am of the belief that society has become too lax. That the average person is willing to rely on “someone else” to protect them, the problem isn’t the bad guys, the problem is the dumbing down and condescension of the computer user. The same way that the “old codger” has a rifle to protect what’s his, and the young couple both enroll in firearms safety in order to protect their soon-to-be-family…..why can’t computer users do all THEY can do…..to protect themselves? Why is this responsibility being tossed onto the shoulders of companies who….in all actuality don’t really give a damn about you,….but who love you as long as you continue to pay for their services? I have been using computers since the early eighties, and I’ve seen them evolve from “wish-list / nice-to-have” items…..to essential items that one cannot live without. You wouldn’t expect the mechanic down the block to be responsible for the cleaning of the interior of your car….so why do you expect a CLOUD-BASED company to protect your data with everything they’ve got? At the worst?…you get little to no protection….at best?…you get something a little better than mediocre but not quite stellar. I believe it befalls every computer-using individual to do all THEY can to protect their data, and I’m not talking about Symantec or McAfee……you can do more……set a regimen where you change your password every 6 months…..or every 12……..make backups of all your data that you want to protect….for God forbid you ever get hit with ransomware and have nothing to fall back on. Maybe do a little light reading on password protocol and the various ways you can be safe when traversing the web…(VPN…password managers….encrypted files and folders etc) there’s so much more that a person can do to protect themselves besides click on an icon and wait for some other app to give you the level of security you need in order to be safe online.
     This way…..when the Heartbleeds and Cloudbleeds take place?….you won’t have to be in as much of a panic as the person who leaves their entire digital online life in the hands of someone else.

    • Unfortunately, most computer users – NO, make that most electronic device users – either don’t care or they don’t know what to do to protect themselves. Or, what’s even worse, they dismiss the threat. How many times, at the end of an article on security, have you read comments like “Anti-malware software is overrated. I’ve been using Windows since 3.1 and I’ve never encountered any malware” or “There’s nothing important on my computer”

      • Which is their own fault. But then if you REALLY delve into it, Dragonmouth? You could blame the media, society, and the tech republic for the lack of interest by the average electronics user. How many commercials have we seen of some company or manufacturer offering “bullet-proof” security. (I cannot for the life of me understand why a company like LifeLock is still in business…does NO ONE remember them getting hacked and clients having their data exposed?…..wasn’t that the ENTIRE PREMISE/SELLING POINT of their company?…that your online identity and data would remain SAFE!?) It’s companies like that…and the “false” sense of security that McAfee and Symantec give them that causes this lack of wanting to participate in their OWN safety. It’s like….I’m just waiting for the day someone SUES Microsoft….or McAfee…or Symantec for having THEIR computer locked up with ransomware…or for being infected with a virus so bad that it locks up their machine permanently……who’s to blame really for that? The company that promised you “total security”? ….or the fool that believed them?
        Listen, I understand capitalism, and the need for a Buy-And-Sell culture in order to further profits for all. But at WHAT point do the masses wake up and realize that just because a company tells you that your data is safe DOESN’T MAKE IT TRUE!?….When will people stop believing everything they hear / see / read? It’s almost annoying to a point. I guess people like you….me…and a vast majority of citizens on the planet….have enough tech skills to protect ourselves and our loved ones…but it’s just downright frustrating to hear the guy at the Starbucks complaining about getting infected so badly that he had to return the laptop and buy something else. Or it’s maddening to read about someone who had so many “problems” with a Windows / Mac machine that they had to return it and ask for their money back….and then when you do a little digging into their story, you discover they were running the OS with no anti-virus or protection whatsoever.

        • We can go back and forth on this topic till the cows come home but the reality is that people want to believe that there is a magic bullet that will fix ALL their problems. And that goes not only for computer security but everything in life.

  3. I concur. It’s just sad and disappointing. I thought Homo sapiens would have turned out smarter than that. LoL!
