Cloudflare Reverse Proxies Are Dumping Uninitialized Memory

Discussion in 'privacy general' started by mirimir, Feb 23, 2017.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

    So tptacek's comment summarizes it well:
    https://news.ycombinator.com/item?id=13718752
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I just hate all the cloudflare I get hit with daily. I generally won't type credentials if cloudflare is involved. I have to pass cloudflare just to read articles so I am not too exposed on such "reads".
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    From pulls on HN:
    https://news.ycombinator.com/item?id=13721452
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Predictable :(
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,883
    Location:
    Texas
    Cloudflare Finds No Evidence of "Cloudbleed" Exploitation
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    The sentiment on HN seemed generally pretty cynical about Cloudflare's initial reassurances. Also, I think that it's too early to relax. There are just so many places that web content gets cached. And I'm sure that jerks are busily collecting caches, and mining for credentials and other salable stuff.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, it was a huge blunder, and it lasted for about six months. And because Cloudflare handles so much of the web, in one way or another, impact was pervasive.

    But really, Cloudflare is just fundamentally broken, from a security perspective. You have sites that pretend to be highly secure HTTPS. But the backend can be totally insecure, with secure HTTPS just between Cloudflare and browsers.
     
  10. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Most everybody on these security forums focuses completely upon local host security - and I suppose that is to be expected.

    However, just about everyone on these forums is also blind to the fact that virtually the entire backbone of the web - servers - is misconfigured in one form or another and inherently insecure.

    I keep saying it: your biggest worry should not be the security of your PC, but instead all your personal data that you've put out there that now resides on 2nd, 3rd, 4th,... party systems. This is where the identity theft occurs, this is where the larger money losses happen, and so on, and so on.

    As a hacker or malc0der I'm not going to waste my time targeting your personal home system, but instead your doctor's system, the coffee shop that you visit's system, the local community college that you attend's system, your place of employment's system, your insurance company's system,... and a lot of them will let me right in... or, as in the case of Cloudflare, essentially hand it out to anyone who bothers to look.
     
    Last edited: Mar 4, 2017
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Those are good points.

    It'd be interesting to see a breakout of pwnage by mechanism. Ransomware pwnage, for example. What percentage got pwned via email, porn sites, pwned sites, Google ads, other ads, etc, etc?
     
  12. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Those kinds of statistics are very difficult to come by. Some reports are out there - and I've seen them priced as high as $5,000 - and I'm not even sure exactly what the data reports, as they won't even give a snippet out for free so you can determine if it contains the statistics that you are looking for.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Right. Like, who would have those statistics ;) Bot herders probably do, I'm guessing. Or maybe surveys by AV firms?
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    That's true. But members on this forum can't do much about security of servers and whole net. So worrying about it wouldn't be really productive.
    All a user can do is to control what data is shared with whom - to some extent - and not use 123456 as a password to access an online service.
     
  15. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Consumers should be demanding better data protections that are mandated by regulations. In the digital economy there are just tiny islands where better than "reasonable efforts" are required. For the most part, if you haven't noticed, required data protections are so weak that it has been open season on consumer data for over two decades. It's like the digital wild-wild west.

    SONY, for example, got the case against it by employees who had their identities stolen because it had applied "reasonable efforts" to protect those employees' data - despite the fact that SONY's "reasonable efforts" were wholly negligent by any IT security standards. SONY was insulated from most negligence in that its "reasonable efforts" met the letter of the (bogus) legal requirements. In the end, SONY settled for millions but it was probably a huge amount less than in the case where the court would have found it completely negligent - which, in terms of IT security standards, it should have been.

    There's stuff consumers can do. They just don't do it. And so it is like leading the sheep to the slaughter.

    Anyone can open a server farm - and pretty much configure and protect them as they see fit. Significant data losses might result in lawsuits or they might not - and even if it does happen, there's a good chance the suits will be dismissed or greatly minimized. Only when you get into healthcare and financial data covered by the SEC and such does one face any requirements - and those standards are low.

    I'm a cheap operator, so as far as I'm concerned Windows Defender is good enough. Oh wait, can't use that --- don't worry about it --- don't need it anyway. Plus, I'll hire the cheapest people to configure and maintain my systems. In fact there will be no maintenance unless a unit goes down completely. Security audit - what's that ? That's nonsense - never heard of such a thing. Network security ? - meh, just get the things online and start sending out the invoices.

    If you don't think it is this bad, think again - it is, and worse, especially at small and medium sized businesses. As for most any of the small businesses we all do business with on a regular basis, on average it is beyond comprehension. There basically are no minimum consumer data protection standards that must be met by all businesses that utilize digital devices and media - so just about every business in operation today.

    Huge problem with no easy answers due to the complexities, but mostly the bottom line is that it comes down to one thing and one thing only - money. And as long as the industry lobbyists have greater influence than consumers - change will never come to pass.

    Generally, what most people are interested in on these forums is "Which is best AV ?," fanboyism and flaky back-and-forth inaccurate debates.
     
    Last edited: Mar 5, 2017
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Lockdown You make some incredibly solid points here with regard to protection of our online data (which is stored quite literally everywhere) on servers that are not as well protected or encrypted as should be the standard. The reality here is that the organizations involved in these massive breaches (e.g., Target, health insurance firms, etc.) need to be held accountable at much higher levels. They need to take the security and privacy of data stored on these servers and PoS systems more seriously and put more money and knowledgeable experts on the job to protect against these breaches (or blunders, in this case).
     