Post by _Windows on Feb 24, 2017 12:43:22 GMT
Post by _xBarkPuppy1_ on Feb 24, 2017 15:42:09 GMT
I got mentioned like on 10 Discord servers about this. This is like getting all the attention of Discord.
Post by Polaris Seltzeris on Feb 24, 2017 17:31:35 GMT
Lmfao, that's why you don't use shitty Cloudflare. They've always been a shitty company.
Post by Lucas on Feb 24, 2017 18:03:50 GMT
I've never liked CloudFlare, it's godawful and useless.
Post by Polaris Seltzeris on Feb 24, 2017 18:09:07 GMT
CloudFlare is also normally used to hide the IP address of the server, but a 6 year old could social engineer Cloudflare out of the IP address. It's the easiest thing in the world.
Post by StevenNL2000 on Feb 24, 2017 21:10:44 GMT
Any website using CloudFlare could theoretically be affected (download for all 4.2+ million domain names), but data has only been found lingering around on the internet for a few of them so far, none directly related to this server. ProBoards is also not affected: support.proboards.com/post/6930611/thread. Note that it was not possible to target specific things even if you knew how the exploit worked, so there are no expected mass breaches. I'll also put the word Cloudbleed in this post for future forum searches.
Post by mibbzz on Feb 25, 2017 5:39:57 GMT
> Any website using CloudFlare could theoretically be affected (download for all 4.2+ million domain names), but data has only been found lingering around on the internet for a few of them so far, none directly related to this server. ProBoards is also not affected: support.proboards.com/post/6930611/thread. Note that it was not possible to target specific things even if you knew how the exploit worked, so there are no expected mass breaches. I'll also put the word Cloudbleed in this post for future forum searches.

To your first point, that's probably because "The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests)". I doubt there was a ton out there in the first place, let alone with search engines working with them to help remove it.
Post by blackedout on Feb 25, 2017 9:42:39 GMT
When I go to totalfreedom.boards.net it does say protected by cloudflare
Post by _xBarkPuppy1_ on Feb 25, 2017 16:14:21 GMT
> When I go to totalfreedom.boards.net it does say protected by cloudflare

because of proboards
Post by WioZ on Feb 25, 2017 16:15:58 GMT
Post by Polaris Seltzeris on Mar 5, 2017 19:43:57 GMT
> Cloudflare is an essential utility for thwarting off high bandwidth intensive robots and preventing small businesses and enthusiasts from being subjected to excessive surplus charges from their providers. Although I do host two websites which implemented CloudFlare long ago, I have no intention of changing away from CloudFlare. It's not economical-- I cannot afford to switch away from CloudFlare. Both of my services are unaffected. The first service, an academic portfolio, does not request, use, or store any information in regards to passwords or HTTP POSTs (think kaboom.pw)-- it did, however, store a "__cfduid" cookie which is used for CloudFlare Analytics. The second service, an academic blogging platform for an organization I assist with, does not appear to be compromised due to its usage of HSTS SSL[1] and using Google Sign-In[2] rather than conventional database storing. However, the use of cookies is apparent with Google Analytics, Google Sign-In, and lastly CloudFlare Analytics. Regardless, I have contacted all bloggers and requested for them to change their Google password for enhanced security and good security practice.
>
> [1] - "For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug." blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
> [2] - "Enable Google Sign-In with only a few lines of code" developers.google.com/identity/sign-in/web/

Why would you trust a third party with all of your customer's information?
Post by Polaris Seltzeris on Mar 5, 2017 19:52:14 GMT
>> Why would you trust a third party with all of your customer's information?
>
> "customer's information" -- no. We don't sell, period. We're an informational website. Similar to depts.washington.edu/engl/askbetty/ (except not from the 90s) -- I'd share the actual link, but it'd leak my actual information and it's already 'high' traffic.

I'm talking about Google Sign-In
Post by Polaris Seltzeris on Mar 5, 2017 20:33:36 GMT
>> I'm talking about Google Sign-In
>
> Something I learned long ago, don't create your own database as it will be obsolete and insecure within a couple of years. I thought about using OpenID, don't doubt that. However, I decided to use Google Sign-In due to the semi-inability for users to change their information (i.e. name) without going through the university first and I figured the university would do a somewhat decent job at checking to see if the user actually changed their name to "Very Fake News" or they just want to call themselves "Very Fake News". At the same time, it allows for easier implementation to their name. Rather than forcing users to modify every single entry if they change the name, they just contact the university and provide the legal documentation and, as their Google account is modified, all posts are modified too. The reason why I even care about if a person changes their name is due to marriage. People get married, and typically people change their names when they get married. It also weeds out potential fakes and allows for easier, impersonal, verification that the person is who they say they are. The service itself is only accessible to my own university at the moment (for publishing, not reading), and my own university provides an academic Google account. In the future, the service may expand to publishing with any '.edu' address (or possibly 'elite' edu addresses-- no community colleges), but, I'm probably going to be gone before then... My university provides a Google account for life, which is why this works.

It's extremely easy to create your own database, the only security you ever have to worry about is what type of database, SQL injection if it's SQL (bad), and password hashing. All of those are extremely easy to resolve, use MariaDB instead of SQL and avoid PHP and its bad practices, and just use SHA3-512 for hashing and it can never be cracked.