vmail
Open image in a new tab.
Posts: 457 
Likes: 217
|
Post by vmail on Feb 26, 2017 11:50:29 GMT
How long will it take for SS to inform investors about the Cloudbleed data breach? On the 17th February 2017 Tavis Ormandy from Google's Project Zero security team discovered a major vulnerability with Cloudflare (Ragel) that allows search engines to store session tokens, API keys, cookies and passwords. This major vulnerability has been present since 22nd September 2016.  Attachments:
|
|
cooling_dude
Bye Bye's for the PPI
Posts: 2,853
Likes: 4,298
|
Post by cooling_dude on Feb 26, 2017 11:57:59 GMT
I don't think there is anything to be concerned about, but a password change should be in order every time any news like this comes to light I've been reading about this over the past couple of days - the likelihood the SS site has been affected in minimal. Only 3,400 websites are believed to have had the Cloudbleed bug, and considering millions use the service, the chances SS are one of them is minimal So my answer is "never" because it is likely SS have nothing to announce With all due respect vmail - if you going to start a thread, where the topic is complex and likely to cause unnecessary worry amongst some you should at the very least provide a link  www.cnet.com/uk/how-to/cloudbleed-bug-everything-you-need-to-know/Edit - Noted that you have changed your thread title and added massive image |
|
cooling_dude
Bye Bye's for the PPI
Posts: 2,853
Likes: 4,298
|
Post by cooling_dude on Feb 26, 2017 12:42:53 GMT
vmail That screenshot is BS - it simply informs you that the site uses a Cloudflare server (millions of websites use the service), and then if it does gives you a "was subject to cloudbleed" warning. This is incorrect scaremongering - not every site that uses Cloudflare was infected; there were only c3000 customers that had the bad Cloudflare settings
|
|
vmail
Open image in a new tab.
Posts: 457
Likes: 217
|
Post by vmail on Feb 26, 2017 13:04:38 GMT
If SS was not affected then they should still put an announcement out to reassure investors. It would be nice to use this as scaremongering but it does not seem to have an affect on the SM. As for the large screenshot, that is the native resolution on my 1080p phone. I don't think this forum can resize images.
|
|
cooling_dude
Bye Bye's for the PPI
Posts: 2,853
Likes: 4,298
|
Post by cooling_dude on Feb 26, 2017 13:21:53 GMT
If SS was not affected then they should still put an announcement out to reassure investors. It would be nice to use this as scaremongering but it does not seem to have an affect on the SM. As for the large screenshot, that is the native resolution on my 1080p phone. I don't think this forum can resize images. I think it would be responsible for SS to examine the subject before making any announcement, and also wait for further details Cloudflare end. A simple announcement can be counterproductive and misinterpreted You say "It would be nice to use this as scaremongering"... I don't think scaremongering is nice nor appropriate in this environment You can resize the image before uploading it!
|
|
ilmoro
Member of DD Central
'Wondering which of the bu***rs to blame, and watching for pigs on the wing.' - Pink Floyd
Posts: 11,329
Likes: 11,549
|
Post by ilmoro on Feb 26, 2017 13:41:20 GMT
Would have thought you can resize it my looking at the BBcode view and changing the width %. Its an attachment so not sure if that makes a difference for OP.
I havent seen any potentially affected site communicate on the matter, except MT, so dont think you can really pick on SS specifically yet. Any comms from any banks? At least one major one appears to be on the list of users.
|
|
drgonzo
Member of DD Central
Posts: 82
Likes: 95
|
Post by drgonzo on Feb 26, 2017 15:15:14 GMT
Very slim chance, statistically speaking, that SavingStream would have been affected by this bug. If they had been, they would have been specifically informed.
I have a number of sites using Cloudflare services, and below is the notification I received from them:
|
|
twoheads
Member of DD Central
Programming
Posts: 1,089
Likes: 1,192
|
Post by twoheads on Feb 27, 2017 11:04:09 GMT
I do not think that this issue affects the Saving Stream site. For any memory leak to occur, a specific set of circumstances is required, key aspects of which are unlikely to apply to the SS website.
Blue text is from the Cloudflare blog, my comments are in green:
In order for the memory to leak the following had to be true:
The final buffer containing data had to finish with a malformed script or img tag - Cloudflare reckon 0.06% of sites have HTML ending with such broken tags; the selection of SS pages I have viewed as HTML certainly do not have these issues
The buffer had to be less than 4k in length (otherwise NGINX would crash)
The customer had to either have Email Obfuscation enabled (because it uses both the old and new parsers as we transition) - unlikely, no reason for SS to enable this,
… or Automatic HTTPS Rewrites (unlikely, not widely used)/Server Side Excludes (which use the new parser) in combination with another Cloudflare feature that uses the old parser. … and Server-Side Excludes only execute if the client IP has a poor reputation (i.e. it does not work for most visitors).
That explains why the buffer overrun resulting in a leak of memory occurred so infrequently.
Additionally, the Email Obfuscation feature (which uses both parsers and would have enabled the bug to happen on the most Cloudflare sites) was only enabled on February 13 (four days before Tavis’ report).
The three features implicated were rolled out as follows. The earliest date memory could have leaked is 2016-09-22.
2016-09-22 Automatic HTTP Rewrites enabled
2017-01-30 Server-Side Excludes migrated to new parser
2017-02-13 Email Obfuscation partially migrated to new parser
2017-02-18 Google reports problem to Cloudflare and leak is stopped
The greatest potential impact occurred for four days starting on February 13 because Automatic HTTP Rewrites wasn’t widely used and Server-Side Excludes only activate for malicious IP addresses.
Furthermore, when a memory leak occurs, it is a matter of chance what data is actually leaked; it will depend on the implementation details of the web service. Often the leaked data is of no importance. Only occasionally will the leaked data contain 'useful' information such as some detail about a user.
People often wonder if they should you change their password. This depends upon whether your password can be leaked. Most sites do not store your password and therefore cannot leak it (*). What they store is a coded form and the coding system 'one-way' so that, given the coded form, you cannot (without a lot of time) recover the original password. When you enter your password, the coding is applied and the result is checked against the stored coded form. This is why most sites will not tell you your forgotten password (they cannot because don't know it); instead they will send you a new temporary password and ask you to change it immediately to something of your own choosing.
* Of course, the password is transmitted when you enter it but this should always be done securely.
|
|
