pirate / sites-using-cloudflare

:broken_heart: Archived list of domains using Cloudflare DNS at the time of the CloudBleed announcement.

Need further verification that sites are truly unaffected #87

Closed jasondinh closed 7 years ago

jasondinh commented 7 years ago

I'm referring to this statement by Namecheap: https://status.namecheap.com/archives/30660

Not sure if I'm reading this wrong, but it sounds like Namecheap did use Cloudflare as reverse proxy and therefore could be potentially affected. IMO, we need a clear message like Fastmail before we can conclude a site is unaffected.

caleuanhopkins commented 7 years ago

Agreed, but I will say Cloudflare are contacting those affected one-to-one and mass emailing those they have flagged as being unaffected. Namecheap may be working with Cloudflare and have realised that they weren't leaking data.

mmiller7 commented 7 years ago

Seems like you could refine this a bit by scraping headers for sites on this list and ruling them out.

```
curl -s -D - SomeHostHere.com -o /dev/null >&1 | grep Server
```

Example: some random picks from your list that I was interested in:

```
$ curl -s -D - authy.com -o /dev/null >&1 | grep Server
Server: cloudflare-nginx
$ curl -s -D - namecheap.com -o /dev/null >&1 | grep Server
Server: nginx
$ curl -s -D - fitbit.com -o /dev/null >&1 | grep Server
Server: AmazonS3
```

I'd make an educated guess that the ones that return cloudflare-nginx have a much better chance of being a concern than ones that come back with other servers (or without the cloudflare- prefix on nginx).
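The header check described above, written out as an added example (not code from the thread or the repository): it parses a `curl -s -D -` style header block, buckets each host by its Server header (and by the CF-RAY header Cloudflare adds, which is an assumption beyond what the thread mentions), and can run live or against the constructed sample responses embedded below; a cloudflare-fronted result only marks a host for follow-up, it is not evidence that data leaked.

```python
import urllib.error
import urllib.request

# Constructed sample responses (not real captures), shaped like `curl -s -D -` output.
SAMPLE_RESPONSES = {
    "cf-fronted.example": "HTTP/1.1 200 OK\r\nServer: cloudflare-nginx\r\nCF-RAY: 0000000000000000-SJC\r\n\r\n",
    "plain-nginx.example": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
    "s3-hosted.example": "HTTP/1.1 301 Moved Permanently\r\nServer: AmazonS3\r\nLocation: /index.html\r\n\r\n",
    "no-server.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

def parse_headers(raw):
    """Turn a raw HTTP header block into a dict with lower-cased names."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def classify(headers):
    """Rough bucket: Cloudflare-fronted, some other named server, or unknown."""
    server = headers.get("server", "").lower()
    if server.startswith("cloudflare") or "cf-ray" in headers:
        return "cloudflare-fronted"
    return "other:" + server if server else "unknown"

def fetch_headers(host, timeout=10):
    """Live equivalent of `curl -s -D - host`; returns the response headers."""
    req = urllib.request.Request("http://" + host, headers={"User-Agent": "header-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:   # 4xx/5xx responses still carry a Server header
        return {k.lower(): v for k, v in err.headers.items()}

def triage(hosts, fetcher=fetch_headers):
    """Map each host to its bucket; 'error:<Type>' if the fetch fails."""
    result = {}
    for host in hosts:
        try:
            result[host] = classify(fetcher(host))
        except Exception as exc:            # DNS failure, timeout, unknown host, etc.
            result[host] = "error:" + type(exc).__name__
    return result
```

Call `triage(hosts)` for live checks against a list of domains, or `triage(SAMPLE_RESPONSES, lambda h: parse_headers(SAMPLE_RESPONSES[h]))` to exercise it offline.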

caleuanhopkins commented 7 years ago

@mmiller7 it's a good suggestion, but I have domains which come back with Server: cloudflare-nginx and I've been informed that my domains were not leaking secure information. So it's good for those who are yet to hear, but it doesn't mean all domains that return with Server: cloudflare-nginx have leaked. Also, are you suggesting the code as a rule of thumb for whether you should look to roll new APIs etc., or as a rule of thumb for whether your site has leaked data?

mmiller7 commented 7 years ago

@caleuanhopkins So far that's about the only thing I've come up with to make any educated guess for sites that haven't released any information. Certainly it's not the be-all end-all, but lacking any other information at this point it may help to get some degree of confidence one way or another.

If there's some alternative to get a better measure for any sites that have not made any statements I'd love to know about it.

caleuanhopkins commented 7 years ago

@mmiller7 Based upon my scenario, I probably can't submit anything better. I'm trusting the information from Cloudflare about my domains being unaffected is correct. I think your suggestion is good for those waiting to hear from Cloudflare as it at least gets the owners thinking about a plan of action in case their site has been affected.

pirate commented 7 years ago

As it stands we're not trusting cloudflare's "you were not affected" emails, since it appears their only data is based on whether search engines cached leaked info or not. It's entirely possible that HTTP(s) proxy customers had data leaked that did not end up in search engine caches.

youngj commented 7 years ago

Could someone provide a copy/link to a "you were not affected" notification from CloudFlare? Various companies are using this notification as confirmation that they were not affected (e.g: https://twitter.com/23andMe/status/835206141818765312, https://support.betterment.com/customer/portal/articles/2752560-was-my-information-affected-by-the-cloudflare-vulnerability-). I wonder if the notification is really only saying that they couldn't find any information in public search engine caches. I'm not sure how CloudFlare would have any idea whether a particular site's information was leaked if it didn't show up in a public search engine cache (e.g. if someone was actively exploiting this bug before it was announced).

abalabahaha commented 7 years ago

Someone on Hacker News posted a pastebin

http://pastebin.com/pUnKJE3J

youngj commented 7 years ago

Thanks. So yeah -- it seems like all of these companies are just saying that they were not affected because CloudFlare couldn't find any of their data in public search engine caches. They actually have no idea if their data was leaked or not.

pathmissing commented 7 years ago

The procedure of removing has been defined in #132 (comment). Therefore, this issue can be closed.

mikkorantalainen commented 7 years ago

I think that Cloudflare is able to tell if somebody is NOT affected because they probably have logs that tell which request was served by each proxy server. Because the leak was only triggered by 770 separate URLs, they can list proxy requests that were served by the same proxy process before triggering the bug. If you were lucky enough to never have been served by the same process that was handling one of the triggering URLs, you're not affected. (This works because the bug was triggered by serving one affected URL and caused part of the RAM of that process to leak. It's not possible to leak if that process never served any of the affected URLs or if your request was served only after the bug was triggered.)

There's no way anybody else but Cloudflare can tell the same thing because you would need Cloudflare's internal proxy logging to figure out if you were affected or not.