pirate / sites-using-cloudflare

:broken_heart: Archived list of domains using Cloudflare DNS at the time of the CloudBleed announcement.

Edit to README on teespring.com #138

Closed ledwards closed 7 years ago

ledwards commented 7 years ago

I'm the VP of Engineering at Teespring. This is a statement I wrote for our social media and PR team about how the Cloudflare issue impacts our customers.

ddymko commented 7 years ago

@ledwards could you please send an email from a teespring email to verifydomain@sweeting.me to verify this

youngj commented 7 years ago

Even if a site's data was not found in search engine caches according to CloudFlare's notification, it doesn't mean the site was not affected. Data could have been leaked to other places without CloudFlare having any idea, for example if someone discovered the bug and exploited it before it was discovered by Project Zero.

See https://github.com/pirate/sites-using-cloudflare/issues/87

pirate commented 7 years ago

@ledwards confirmed I received the DKIM signed email from le****@teespring.com. @youngj is correct, I'm on the fence about removing this one, since it looks like you guys were proxy customers during the affected period.

youngj commented 7 years ago

I'm thinking for cases like this (and namecheap.com) we could add a link to their post that says something like "no evidence of compromised data" instead of "unaffected". Thoughts?

pirate commented 7 years ago

@youngj that seems like a good compromise, @ledwards would you be ok with that?

ledwards commented 7 years ago

Absolutely. You're correct, what we know so far is Teespring and Cloudflare's security teams haven't found any evidence of leaked information. If we find any, we'll update here as well as our social/PR channels.

ledwards commented 7 years ago

@Dorian Thanks for the report, reaching out to you via email to get more information so we can investigate.

Zenexer commented 7 years ago

Re: https://github.com/pirate/sites-using-cloudflare/pull/138#issuecomment-282456327 Ping: @abalabahaha @coderobe @ddymko @pathmissing @Phineas @pirate @tonyztan @youngj

Allegedly: Cloudflare told Teespring they weren't able to find any evidence of leaks for Teespring
Verifiably: data-api.teespring.com leak appears in DuckDuckGo cache

Here's what I take away from that:

  1. Cloudflare is probably only checking one or two search engine caches. I thought I heard they were only checking Google for this purpose, but I can't recall where I heard that. (Unrelated to clearing caches.)
  2. When Cloudflare says they have no evidence a site has been compromised, they mean exactly that: they have no evidence. That should be taken at face value.

abalabahaha commented 7 years ago

Based on the Reddit post in this PR, they were going off of the blanket email sent in the morning. This just shows how misleading that email can be, and how "not found on popular search engines" does not mean "not affected".

We were also notified this morning by Cloudflare that we are not in the list of affected customers

Zenexer commented 7 years ago

Based on this, #153/#155 might not have been a significant enough change.