Need further verification that sites are truly unaffected #87
Comments
|
Agreed but I will say Cloudflare are contacting those affected one-to-one and mass emailing those they have flagged as being unaffected. Namecheap may be working with Cloudflare and have realised that they weren't leaking data |
|
Seems like you could refine this a bit by scraping headers for sites on this list and ruling them out.
Example some random picks from your list that I was interested in: I'd make an educated guess the ones that return cloudflare-nginx have a much better chance of being a concern than ones that come back other servers (or without the cloudflare- prefix on nginx) |
|
@mmiller7 it's a good suggestion, but I have domains which come back with |
|
@caleuanhopkins If there's some alternative to get a better measure for any sites that have not made any statements I'd love to know about it. |
|
@mmiller7 Based upon my scenario, I probably can't submit anything better. I'm trusting the information from Cloudflare about my domains being unaffected is correct. I think your suggestion is good for those waiting to hear from Cloudflare as it at least gets the owners thinking about a plan of action in case their site has been affected. |
|
As it stands we're not trusting cloudflare's "you were not affected" emails, since it appears their only data is based on whether search engines cached leaked info or not. It's entirely possible that HTTP(s) proxy customers had data leaked that did not end up in search engine caches. |
|
Could someone provide a copy/link to a "you were not affected" notification from CloudFlare? Various companies are using this notification as confirmation that they were not affected (e.g: https://twitter.com/23andMe/status/835206141818765312, https://support.betterment.com/customer/portal/articles/2752560-was-my-information-affected-by-the-cloudflare-vulnerability-). I wonder if the notification is really only saying that they couldn't find any information in public search engine caches. I'm not sure how CloudFlare would have any idea whether a particular site's information was leaked if it didn't show up in a public search engine cache (e.g. if someone was actively exploiting this bug before it was announced). |
|
Someone on Hacker News posted a pastebin |
|
Thanks. So yeah -- it seems like all of these companies are just saying that they were not affected because CloudFlare couldn't find any of their data in public search engine caches. They actually have no idea if their data was leaked or not. |
|
The procedure of removing has been defined in #132 (comment). Therefore, this issue can be closed. |
|
I think that Cloudflare is able to tell if somebody is NOT affected because they probably have logs that tell which request was served by each proxy server. Because the leak was only triggered by 770 separate URLs they can list proxy requests that were served by the same proxy process before triggering the bug. If you were lucky enough to not being ever served by the same process that was handling one of the triggering URLs, you're not affected. (This works because the bug was triggered by serving one affected URL and caused leaking part of RAM of said process. It's not possible to leak if that process never served any of the affected URLs or if your request was served only after the bug was triggered.) There's no way anybody else but Cloudflare can tell the same thing because you would need Cloudflare's internal proxy logging to figure out if you were affected or not. |
and others
I'm referring to this statement by Namecheap: https://status.namecheap.com/archives/30660
Not sure if I'm reading this wrong, but it sounds like Namecheap did use Cloudflare as reverse proxy and therefore could be potentially affected. IMO, we need a clear message like Fastmail before we can conclude a site is unaffected.
The text was updated successfully, but these errors were encountered: