The big news this morning is #cloudbleed, a bug in Cloudflare’s web (reverse proxy) service that a Google researcher discovered was leaking sensitive data from memory into web responses, including authentication credentials in plaintext.
Due to the size of the Cloudflare user base, this affects a huge swath of the internet, including many easyDNS customers.
There are three main takeaways as this relates to easyDNS, and it is important to understand the differences between each one:
#1) easyDNS *does* use Cloudflare’s Virtual DNS enterprise product for DDoS mitigation across our dns1.easydns.com and dns2.easydns.net anycast constellations. We are *not* affected by this bug because we do not use Cloudflare’s web product at all.
#2) any easyDNS customer who uses Cloudflare for web mitigation, reverse proxying, etc. is theoretically at risk. If they are affected, they should have received (or will receive) an email directly from Cloudflare advising them of their exposure. An excerpt from the email we received from Cloudflare this morning:
“Your domain is not one of the domains where we have discovered exposed data in any third party caches….If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.”
And finally,
#3) easyDNS, and any of our customers who have vendors who use Cloudflare’s web services should reset their passwords with those vendors. (A URL to a list of popular sites possibly affected follows in “Further Reading” section).
One way to find out whether somebody is using Cloudflare is a Whois lookup on their domain: if the nameservers are hostnames under the cloudflare.com domain, they are a Cloudflare customer and you should reset your passwords with that entity, e.g.
Name Server: SUE.NS.CLOUDFLARE.COM
Name Server: TODD.NS.CLOUDFLARE.COM
Most Cloudflare customers use this method. However, it is also possible that some customers remain on third-party nameservers (like ours 😉 ) and deploy out to Cloudflare using a CNAME, which you would see via a “dig” or “host” lookup:
$ host www.example.com
www.example.com is an alias for www.example.com.cdn.cloudflare.net.
www.example.com.cdn.cloudflare.net has address 104.20.83.232
www.example.com.cdn.cloudflare.net has address 104.20.82.232
In either case, you should reset your creds with any vendors or other websites found to be using them. Note that the nameserver check only tells you that Cloudflare hosts the zone; what the parser bug exposed was traffic passing through Cloudflare’s HTTP proxy, so a CNAME into cdn.cloudflare.net or a web address inside Cloudflare’s published IP ranges is the more direct indicator. When in doubt, reset anyway.
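To make the two checks above repeatable across a long vendor list, here is an added example (ours for this post, not part of Cloudflare’s or anyone else’s tooling) that parses the text `whois` and `host` print and applies the signals described: Cloudflare nameservers, a CNAME into cdn.cloudflare.net, and an A record inside Cloudflare’s published IPv4 ranges. The sample `whois` and `host` outputs are constructed (the 203.0.113.10 address is documentation space, not a real vendor), and the range list is a snapshot of Cloudflare’s published list that should be refreshed before you rely on it.

```python
"""Classify whether a hostname's web traffic is fronted by Cloudflare,
using only the text that `whois` and `host` already print.

Added example; not easyDNS or Cloudflare code.
"""
import ipaddress
import re

# Snapshot of Cloudflare's published IPv4 edge ranges
# (https://www.cloudflare.com/ips-v4). Assumption: refresh before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]

# Constructed sample inputs, shaped like real whois/host output.
WHOIS_CLOUDFLARE_NS = (
    "Domain Name: EXAMPLE.COM\n"
    "Name Server: SUE.NS.CLOUDFLARE.COM\n"
    "Name Server: TODD.NS.CLOUDFLARE.COM\n"
)
WHOIS_THIRD_PARTY_NS = (
    "Domain Name: EXAMPLE.COM\n"
    "Name Server: DNS1.EASYDNS.COM\n"
    "Name Server: DNS2.EASYDNS.NET\n"
)
# The CNAME case from the post: third-party nameservers, record deployed to Cloudflare.
HOST_CNAME_TO_CLOUDFLARE = (
    "www.example.com is an alias for www.example.com.cdn.cloudflare.net.\n"
    "www.example.com.cdn.cloudflare.net has address 104.20.83.232\n"
    "www.example.com.cdn.cloudflare.net has address 104.20.82.232\n"
)
# A "DNS only" record: Cloudflare hosts the zone but the web host is not proxied.
HOST_DNS_ONLY = "www.example.com has address 203.0.113.10\n"


def parse_whois_nameservers(whois_text):
    """Return lowercased nameserver hostnames from `Name Server:` lines."""
    return [m.group(1).lower().rstrip(".")
            for m in re.finditer(r"^\s*Name Server:\s*(\S+)", whois_text, re.M | re.I)]


def parse_host_output(host_text):
    """Return (cname_targets, addresses) parsed from `host` output lines."""
    aliases, addrs = [], []
    for line in host_text.splitlines():
        line = line.strip()
        m = re.match(r"^(\S+) is an alias for (\S+)$", line)
        if m:
            aliases.append(m.group(2).rstrip(".").lower())
            continue
        m = re.match(r"^(\S+) has (?:IPv6 )?address (\S+)$", line)
        if m:
            addrs.append(m.group(2))
    return aliases, addrs


def uses_cloudflare(whois_text="", host_text=""):
    """Return a dict of signals.

    'proxied' is True when web traffic actually traverses Cloudflare's edge
    (the path the parser bug exposed): a CNAME into cdn.cloudflare.net or an
    address inside Cloudflare's ranges. Cloudflare nameservers alone only
    prove the zone is hosted there.
    """
    ns = parse_whois_nameservers(whois_text)
    aliases, addrs = parse_host_output(host_text)
    signals = {
        "cloudflare_ns": any(n.endswith(".ns.cloudflare.com") for n in ns),
        "cloudflare_cname": any(a.endswith(".cdn.cloudflare.net") for a in aliases),
        "cloudflare_ip": False,
    }
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            continue  # skip anything that is not a literal address
        if ip.version == 4 and any(ip in net for net in CLOUDFLARE_V4):
            signals["cloudflare_ip"] = True
    signals["proxied"] = signals["cloudflare_cname"] or signals["cloudflare_ip"]
    return signals


if __name__ == "__main__":
    print("CNAME case:", uses_cloudflare(WHOIS_THIRD_PARTY_NS, HOST_CNAME_TO_CLOUDFLARE))
    print("DNS-only case:", uses_cloudflare(WHOIS_CLOUDFLARE_NS, HOST_DNS_ONLY))
```

Feed it the real `whois example.com` and `host www.example.com` output for each vendor you care about; a `proxied` result means the site’s HTTP traffic went through Cloudflare’s edge and the password reset is warranted, while a nameserver hit with no proxied signal means Cloudflare hosts their DNS but the web host may have been DNS-only (reset anyway if unsure).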
In general, we never miss an opportunity to remind people that they can vastly raise the bar on the security of their easyDNS accounts by doing the following in their account security settings.
- enable 2-factor authentication
- enable country level restrictions
- turn on all account event notifications
Overall we find Cloudflare’s response to this has been swift and communicative.
Further Reading
- https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
- https://techcrunch.com/2017/02/23/major-cloudflare-bug-leaked-sensitive-data-from-customers-websites/
- List of popular sites possibly affected