Should you be worried about CloudBleed?

You might have noticed a security bug called "CloudBleed" on news services or social media over the weekend. What exactly is it? Does it affect you or your website visitors? What do you do about it?

What happened?

The issue concerns a service called CloudFlare which provides a "content distribution" service to many websites. This gives them better performance, reliability and security by essentially distributing copies of the site across CloudFlare's global network. When things go well, website users never notice CloudFlare is even there – the internet just works better.

Unfortunately, over the last week, things have not gone well. According to CloudFlare, Tavis Ormandy from Google’s Project Zero contacted them around Friday 17 February to let them know of a security vulnerability in the servers. This so-called "CloudBleed" vulnerability has allowed (as Adam Clark Estes at Gizmodo puts it) "an unknown quantity of data — including passwords, personal information, messages, cookies, and more — to leak all over the internet."

The vulnerability arose from a tiny typo – a single, incorrect character – in one library CloudFlare use to do the job they do. This tiny problem allows hackers to break CloudFlare software in a such a way that it exposes confidential information as a side effect.

Are you at risk?

CloudFlare have done a great job, they patched the issue very quickly and they've been notifying all their clients whether or not they're likely to have been affected. The trouble is that they have no real idea what data may have been leaked. Because of how many large websites use CloudFlare, sites like "Patreon.com, Medium.com, 4chan.com, Yelp.com, Zendesk.com, Uber.com, thePirateBay.org, pastebin.com, petapixel.com, feedly.com and change.org" (Cult of Mac) … may all be vulnerable.

But that's all maybes. It's going to take a while for the full consequences of this issue to be known.

Bottom Line: If your site doesn't use CloudFlare, your users aren't at risk. If it does and you got an "all clear" email from CloudFlare, you're still good.

What do I do?

If you have heard from CloudFlare that your site may be at risk, and you haven't already contacted us, get in touch and we'll help you work out how to fix it.

Also, it's time to update your passwords. Many of the websites you use rely on CloudFlare's infrastructure (you can check specific sites here) and you should change your passwords on those sites as soon as possible.

There are also Firefox and Chrome extensions that will search your browser history and report sites you have visited which use Cloudflare.

Because of issues like this, it's good practice to change your passwords on most sites every few months regardless. At The IC, we use a tool called 1Password which saves all your passwords, helps create more secure ones and keeps track of what's due for an update. 1Password also has a feature (called "watchtower"), which checks the sites you have passwords on for security alerts. We've got no connection – we're just happy customers.

Issues like CloudBleed are hard to understand – even for some technically-minded folk – and the consequences are potentially catastrophic for you and your users. If you lose sleep over stuff like this and you want to make sure your website is kept up to date and safe, consider whether our SiteCare product makes sense for your organisation.

We've already been working with our SiteCare clients who use CloudFlare on the websites we manage to minimise their exposure. This could be you!