/jeɪ/ one!

Cloudflare, that wünderkind of website security, has been leaking https session data. Probably for months.

What kind of risk is this? If you use or have used a web-based service which uses Cloudflare to provide them with security, your passwords, credit card numbers, etc. may have been leaked. Even if they were leaked, someone had to be actively attempting to slurp up this data, so it is likely that your actual risk is quite low.

That said, go out now and change your passwords on pretty much everything online: FitBit, OKCupid, Uber, 1Password, Change.org… and millions of other sites and services are affected.

The weakness in Cloudflare’s system, which they are describing as a “parser bug” and the rest of the interverse have dubbed “Cloudbleed”, was discovered by Google employee Tavis Ormandy. He was able to access passwords and encryption keys which were supposed to be private but found embedded in the html of pages.

Cloudflare did the right thing. They fixed the problem, then they told everybody what it was. For all intents and purposes it was a typo – someone typed ‘>’ instead of ‘=’. This meant Cloudflare’s program occasionally accidentally overwrote some adjacent memory, a classic ‘buffer overflow’ bug.

But let us get back to what this means for you: you have no idea if any of your data was leaked. There is no single thing to point to and say “change that password” and you will be protected. You need to look at everything as potentially compromised.

Used your credit card online in the past year or so? ask for a new card with a new ccv. Used your debit card as a credit card? ditto.

Web-mail? yep, change your e-mail passwords. Email via an android app? that could be web-mail, change ’em all. Moved a private key or security certificate to an online cloud service/dropbox? make new ones. Used an online password safe? Oh my goodness do I feel sorry for you, because EVERYTHING in that safe may have been compromised.

Heartbleed was worse, it really was, as far as your personal risk. But this, this is really bad if you have much or any digital life. Cloudflare is quite ubiquitous in the network infrastructure.

But <extremely smug grin, leans back in chair comfortably> I self-host most of my online services. I got no worries.

This time.