An astounding amount of websites use reverse proxies and DDoS mitigation services such as Cloudflare (e.g. Reddit) to protect them from major catastrophes and keep the lights on consistently. These services often market themselves as providers of security and performance enhancement.
Yet, in direct contradiction to this, on the 17th of February 2017, a major bug in Cloudflare’s software caused a massive amount of private data from millions of websites to be accessible at any point in time. Some of this data even appeared on cached copies of websites that showed up in Google’s search results. This particular event, which came to be known as Cloudbleed, has presented a valuable opportunity for a discussion on the safe use of technology.
What Is All This?!
For the uninitiated, Cloudflare is a service that acts as a middleman between your website and the wider Internet. When you go to a site that uses the service, you are actually connecting to Cloudflare which connects to the site and relays its output to you. It will cache some of the more frequently visited pages so that the site doesn’t have to reply every single time someone connects, thereby reducing the impact that large amounts of traffic have on the local server. This also helps reduce the impact that distributed denial of service (DDoS) attacks have on your site since there’s a middleman that can thwart the brunt of these attacks, acting as a sort of traffic light that lets legitimate visitors through and stops bots in their tracks. Cloudflare and other reverse proxy services (like Incapsula and Akamai) will often market themselves as purveyors of website security.
What Is Cloudbleed?
Cloudbleed is an event in which a bug was discovered in Cloudflare’s software by a member of Google’s Project Zero team that uncovered private messages from major websites, online password manager data, and full HTTPS requests from several other servers. Cloudflare’s response to connection requests would often overrun their allocated buffer space and present data from any other customers accessing websites at that point in time. It leaves everything out in the open and presents a catastrophic security risk for anyone using or owning websites that rely on the service.
The bug was patched towards the end of February, although the service admits that data leaks may have been going on as early as the introduction of its new HTML parser on 22 September 2016.
If you’ve been reading our stories for a while, you may remember a very similar event known as Heartbleed back in 2014 in which websites using OpenSSL were vulnerable to an exploit that could expose fragments of private data to snooping parties. This together with the more recent Cloudbleed kerfuffle teaches us one valuable lesson: nothing is one hundred percent reliable, not even the services with the explicit purpose of protecting you.
This is not meant to bash Cloudflare. The bug could have happened to any service. The point here is that the Internet is not a place where you should expect a guaranteed level of safety. You could do everything possible to protect yourself and still be left out in the open by a situation that you have no control over.
What Should You Do?
The truth is, as Inc.Com’s Joseph Steinberg writes, “The current risk is much smaller than the price that would be paid in increased ‘cybersecurity fatigue,’ leading to much bigger problems in the future.” What he means to say here is that the nature of the bug makes the chances that your password leaked so astronomically low that changing it will only have the effect of wearing you down. When a real crisis hits, you may be too exhausted by all the noise, panic and hype that you may ignore a call to change your password in a crucial moment. Cloudbleed isn’t that moment. But by all means, if you really feel the need to do so, change your password.
Other than that, just remain vigilant and do not ignore emails from the services you love. The moment a crisis hits, they’ll most likely send you a friendly letter with everything you need to know about it and might even provide suggestions on what you should do to ensure you aren’t affected.
Do you think that cybersecurity fatigue exists as Steinberg suggests? Should people be in a constant state of alert even when there isn’t a strong enough justification for panic? Tell us what you think in a comment!