Cloudbleed, in Plain Language

High drama in the web security world, summarized by this tweet from Ryan Lackey: “essentially any traffic which passed through Cloudflare (even https) recently might be public.” — 23 Feb 2017

The public Cloudbleed show started with this tweet last week, from Tavis Ormandy: “Could someone from cloudflare security urgently contact me.” — 17 Feb 2017

Tavis works for Google’s Project Zero, and he’s a genius at finding bugs and security flaws, wherever they may be. Tavis was careful not to say what the problem was (so it couldn’t be taken advantage of by bad guys), but he really really really needed to talk to someone at Cloudflare, an Internet infrastructure company, right away. Cloudflare, to their credit, was very responsive in getting back in touch with Tavis, and worked swiftly to stop the bleeding once they knew about it.

Things had been mopped up enough by last night so that Tavis could post the details publicly: “Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://bugs.chromium.org/p/project-zero/issues/detail?id=1139” — 23 Feb 2017

In practice, the amount of data exposed is relatively small, so I believe the matter doesn’t have to rise to the level of general alarm. But it’s a good reminder, for everybody, that given the depth of infrastructure we depend on, there’s always a small chance some part of it will break, and even things that are “known to be safe” may not be.

In this case, the primary problem would be that the lock icon in your web browser, which you depend on to make sure your information (passwords, credit card numbers, etc.) is protected, may have effectively been unlocked by Cloudflare, if the site you were posting to uses Cloudflare. That information could then have been picked up by web search engine spiders and made available in public search results.

Again, although the data has been leaking for months, the relative amount of data exposed is very small.

What should you do?

The very paranoid — er, prudent :-) — will change passwords on all of their medium- and high-value sites.

The generally prudent will know that even though their potential exposure is small, it would still not be a bad thing to take the opportunity to change passwords on their really high-value sites, especially if they’re on this list: “List of Sites possibly affected by Cloudflare’s #Cloudbleed HTTPS Traffic Leak”. Look at the “Notable Sites” section, and also scan through the “Alexa Top 10,000 affected sites” section.

For systems geeks, the Cloudflare incident report and Tavis’ vulnerability report both make for great reading.

And why the name “Cloudbleed”? It’s a combination of the name of the company, Cloudflare, and “Heartbleed”, the name of another high-profile security flaw that also exposed the same kind of supposedly secured data.