Cloudflare Vulnerability

Administrator
By Rooks 2017-02-24 08:04:35  
Yesterday, Cloudflare, a popular caching and proxy service, was revealed to have had a major vulnerability that leaked user session information, even over HTTPS. FFXIAH uses Cloudflare (as does bg-wiki I believe, but I could be wrong). The exact nature of what could be discovered with the vulnerability was fairly random, so any individual piece of data is likely safe; but as with anything along these lines, it is better to be safe than sorry, especially given how long this vulnerability was in the field.

Taviso's announcement: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
Partial list of sites affected: https://github.com/pirate/sites-using-cloudflare/blob/master/README.md
More reading: https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165

tl;dr: you should strongly consider changing your password, pretty much everywhere
Guide Maker
By Valefor.Sehachan 2017-02-24 17:36:15  
Think it's worth bumping.
By Ragnarok.Hevans 2017-02-24 18:02:29  
My password here is password... you're saying I'm now vulnerable?
By Fenrir.Celdwn 2017-02-24 18:26:15  
Since day one, SE has warned about the unsafe nature of third party software and unauthorized websites. Isn't this really just that warning finally coming to fruition? But thanks for repeating the heads up from 2004.
By Jetackuu 2017-02-24 18:37:11  
Fenrir.Celdwn said: »
Since day one, SE has warned about the unsafe nature of third party software and unauthorized websites. Isn't this really just that warning finally coming to fruition? But thanks for repeating the heads up from 2004.

No.
Guide Master
By Valefor.Prothescar 2017-02-24 18:53:03  
I mean I guess if you make all your passwords the same and thus your XI password is the same as your XIAH/BG/Reddit/etc. password..
By Siren.Mosin 2017-02-24 19:02:23  
Even a desperate Russian teenager would give my identity back if it was stolen
MSPaint Winner
By Phoenix.Dabackpack 2017-02-24 19:09:31  
Thanks for spreading the message. This is the biggest security vulnerability since Heartbleed (perhaps even worse), so please take it seriously everyone
MSPaint Winner
By Phoenix.Dabackpack 2017-02-24 19:10:03  
Fenrir.Celdwn said: »
Since day one, SE has warned about the unsafe nature of third party software and unauthorized websites. Isn't this really just that warning finally coming to fruition? But thanks for repeating the heads up from 2004.

This literally has nothing to do with FFXI.
By Bismarck.Patrik 2017-02-24 19:15:18  
Transferwise uses cloudflare... I use that to send money to US bank account. I hope someone hacks it and sends me money...
Administrator
By Rooks 2017-02-24 20:01:07  
Phoenix.Dabackpack said: »
Thanks for spreading the message. This is the biggest security vulnerability since Heartbleed (perhaps even worse), so please take it seriously everyone

Yeah. FFXIAH's window of vulnerability is actually so small as to basically be non-existent - we don't use it for anything other than a glorified CDN for static assets. But this is widespread enough that I felt it merited a post.
By Sidiov 2017-02-24 22:51:38  
Web needs more 2FA.
Guide Maker
By Valefor.Sehachan 2017-02-25 12:19:09  
If you're not sure if a website you use is affected you can use this useful tool: http://www.doesitusecloudflare.com/
By Jetackuu 2017-02-25 13:19:30  
Valefor.Sehachan said: »
If you're not sure if a website you use is affected you can use this useful tool: http://www.doesitusecloudflare.com/
notsureifthatworkssowell.
VIP
By Asura.Chiaia 2017-02-25 13:41:38  
idiot boy said: »
(as does bg-wiki I believe, but I could be wrong)
We do! The server admin has already contacted Cloudflare; neither the BG forums nor BG-Wiki were hit.

Official post by him here.

Edit: I'd still recommend changing your password if you were using the same one on another site. Won't get into why that is already a horrible idea to start with though.
 
By Nadleeh Sakurai 2017-02-25 15:18:32  
oh noes. my msp pixels!

All seriousness, thanks for the warning.
Administrator
By Rooks 2017-02-25 15:48:59  
Jetackuu said: »
notsureifthatworkssowell.

Nah, it works fine. Like I said, FFXIAH itself is not vulnerable in any real way - we only use it for the CDN servers (cdn.ffxipro.com), which aren't under ffxiah.com/ffxivpro.com to begin with. All login/forum/sales traffic is free and clear.

The only reason I posted at all is 1) it affects sites in our community and 2) it's big enough that it probably merited a post on its own, since not everyone follows computer security news ;)
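Added example, not code from the thread, FFXIAH or Cloudflare: a scripted version of the "does this site use Cloudflare" check Sehachan linked, with the distinction Rooks draws above built in. It decides whether a given hostname is proxied through Cloudflare from two signals: the resolved address falls inside Cloudflare's published IPv4 prefixes, or the response carries the edge's CF-RAY / Server: cloudflare headers. The prefix list is a snapshot of https://www.cloudflare.com/ips-v4 and must be refreshed before you rely on it; the hostnames, addresses and responses in SAMPLES are constructed. The point of checking per hostname rather than per site is the one Rooks makes: a site whose static-asset host is proxied but whose login host talks straight to the origin never had its session cookies pass through Cloudflare's memory, so check the host your login form actually posts to, not just the front page.

```python
"""Decide whether a hostname is proxied through Cloudflare.

Added example for this thread; not code from FFXIAH or Cloudflare.
Assumptions: CLOUDFLARE_IPV4 is a snapshot of https://www.cloudflare.com/ips-v4
(refresh before relying on a result); everything in SAMPLES is constructed.
"""
import ipaddress
import socket
from typing import Dict, List, Mapping
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Snapshot of Cloudflare's published IPv4 prefixes (assumption: re-fetch in real use).
CLOUDFLARE_IPV4 = [ipaddress.ip_network(p) for p in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def ip_is_cloudflare(ip: str) -> bool:
    """True if the address falls inside a known Cloudflare prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def headers_look_cloudflare(headers: Mapping[str, str]) -> bool:
    """True if the response carries Cloudflare's edge markers.

    Responses that passed through the proxy get a CF-RAY header and the
    Server header is rewritten to 'cloudflare'; header names are case-insensitive.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    return "cf-ray" in lower or lower.get("server", "").strip().lower() == "cloudflare"


def classify(host: str, ip: str, headers: Mapping[str, str]) -> Dict[str, object]:
    """Combine both signals and say which ones fired."""
    by_ip = ip_is_cloudflare(ip)
    by_hdr = headers_look_cloudflare(headers)
    return {
        "host": host,
        "proxied": by_ip or by_hdr,
        "evidence": [name for name, hit in (("ip-range", by_ip), ("headers", by_hdr)) if hit],
    }


def probe(host: str, timeout: float = 5.0) -> Dict[str, object]:
    """Live check (needs network): resolve the host and fetch its response headers.

    A 403/405 on HEAD still comes back through the edge, so its headers are
    just as informative as a 200's.
    """
    ip = socket.gethostbyname(host)
    req = Request(f"https://{host}/", method="HEAD",
                  headers={"User-Agent": "cf-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            hdrs = dict(resp.headers)
    except HTTPError as err:
        hdrs = dict(err.headers)
    return classify(host, ip, hdrs)


# Constructed sample data (documentation/test-net addresses, reserved .test TLD):
# a login host served directly by the origin, and a static-asset host behind the proxy.
SAMPLES = [
    ("login.example.test", "203.0.113.10",
     {"Server": "nginx/1.10", "Set-Cookie": "sid=abc; Secure; HttpOnly"}),
    ("cdn.example.test", "104.16.1.2",
     {"Server": "cloudflare", "CF-RAY": "3367d5b0c6f28a3b-SJC"}),
]


def run_samples() -> List[Dict[str, object]]:
    """Classify the constructed samples offline."""
    return [classify(host, ip, hdrs) for host, ip, hdrs in SAMPLES]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

For a real site, call probe("the-host-your-login-form-posts-to") and then probe the asset hosts separately; a hostname that shows no evidence from either signal never transited Cloudflare's proxy, while one that does is the kind of host whose traffic could have ended up in the leaked memory the Project Zero report describes.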
By Lakshmi.Zerowone 2017-02-25 15:58:32  
idiot boy said: »
Jetackuu said: »
notsureifthatworkssowell.

Nah, it works fine. Like I said, FFXIAH itself is not vulnerable in any real way - we only use it for the cdn servers (cdn.ffxipro.com), which aren't under ffxiah.com/ffxivpro.com to begin with. All login/forum/sales traffic is free and clear.

The only reason I posted at all is 1) it affects sites in our community and 2) it's big enough that it probably merited a post on its own, since not everyone follows computer security news ;)

Is there reason you're not outright saying sites/apps like TeamSpeak, Discord, Fedoraland (Reddit, though I think they changed their CDN before this), Uber etc. use it in some capacity?

Since chances are people on this site use those sites/services.
Administrator
By Rooks 2017-02-25 16:05:57  
Lakshmi.Zerowone said: »
idiot boy said: »
Jetackuu said: »
notsureifthatworkssowell.

Nah, it works fine. Like I said, FFXIAH itself is not vulnerable in any real way - we only use it for the cdn servers (cdn.ffxipro.com), which aren't under ffxiah.com/ffxivpro.com to begin with. All login/forum/sales traffic is free and clear.

The only reason I posted at all is 1) it affects sites in our community and 2) it's big enough that it probably merited a post on its own, since not everyone follows computer security news ;)

Is there reason you're not outright saying TeamSpeak, Discord, Fedoraland (Reddit, though I think they changed their CDN before this), Uber use it in some capacity?

Since chances are people on this site use those sites/services.

I linked to a fairly complete list (and now there's a tool to check a site, that's handy). My concern with my Admin hat on is for this site (we're fine) and the sites we're closely aligned with (BG being the big one). But I guess I thought I had made the warning dire enough that people would investigate it a little more on their own and not need a full list from me.