
Cloudbleed and Varnish




Have you heard? A tiny bug in Cloudflare’s code has led an unknown quantity of data—including passwords, personal information, messages, cookies, and more—to leak all over the internet. If you haven’t heard of the so-called Cloudbleed vulnerability, keep reading. This is a scary big deal.

Let’s start with the good news. Cloudflare, one of the world’s largest internet security companies, acted fast when security researcher Tavis Ormandy of Google’s Project Zero identified the vulnerability.

The bad news is that the Cloudflare-backed websites had been leaking data for months before Ormandy noticed the bug.

Isn’t this whole Cloudflare concept flawed by design? Who hands out HTTPS certificates to a central honeypot?

It turned out that in some circumstances, Cloudflare edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.

More concerning was the fact that chunks of in-flight HTTP requests for Cloudflare customers were present in the dumped memory. That meant that information that should have been private could be disclosed.

Because Cloudflare operates a large, shared infrastructure, an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated Cloudflare site.
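As an added illustration (not code from the original post or from Cloudflare), the following C program models the pattern the paragraphs above describe: a scanner whose loop only stops when its pointer lands exactly on the end of its buffer, so a two-byte step from the last byte carries it past the end and into a neighbouring tenant's data in the same process. The memory layout, the escape rule and the tenant strings are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Constructed arena standing in for one process's memory: tenant A's
 * buffer sits directly in front of tenant B's in-flight request.
 * Hypothetical layout for the demo, not Cloudflare's code or data. */
static const char tenant_a[] = "GET /page?q=a\\";   /* ends in a lone escape byte */
static const char arena[]    = "GET /page?q=a\\"
                               "POST /login Cookie: session=TENANT_B_SECRET_TOKEN; user=bob";
#define A_LEN (sizeof(tenant_a) - 1)

/* Copy [p, pe) into out, treating '\\' plus the next byte as a two-byte escape.
 * hardened == 0 reproduces the off-by-one pattern: the loop only stops when p
 * is exactly pe, so a two-byte step from the last byte jumps over pe and the
 * scan carries on into whatever memory follows the buffer.
 * hard_stop is a harness guard so the demo never reads outside the arena. */
static size_t scan(const char *p, const char *pe, const char *hard_stop,
                   char *out, size_t outsz, int hardened)
{
    size_t n = 0;
    while (hardened ? (p < pe) : (p != pe)) {
        if (n + 1 >= outsz || p >= hard_stop) break;
        if (*p == '\\') {                          /* escape: consume backslash + escaped byte */
            if (hardened && p + 1 >= pe) break;    /* incomplete escape at end of buffer */
            out[n++] = p[1];
            p += 2;
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Returns 1 if scanning tenant A's buffer exposed tenant B's token. */
int leaks_tenant_b(int hardened)
{
    char out[96];
    scan(arena, arena + A_LEN, arena + sizeof(arena) - 1, out, sizeof out, hardened);
    return strstr(out, "TENANT_B_SECRET_TOKEN") != NULL;
}

int main(void)
{
    printf("off-by-one scanner leaks tenant B: %s\n", leaks_tenant_b(0) ? "yes" : "no");
    printf("bounded scanner leaks tenant B:    %s\n", leaks_tenant_b(1) ? "yes" : "no");
    return 0;
}
```

The hardened variant differs only in comparing with `<` instead of `!=` and refusing an escape that has no second byte; that is the kind of check a bounds-checking review or fuzzing of the parser should catch before deployment.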

Now tell me, do you use LastPass? It relies partially on Cloudflare infrastructure:

From a Google employee:

We’ve discovered (and purged) cached pages that contain private messages from well-known services, PII from major sites that use cloudflare, and even plaintext API requests from a popular password manager that were sent over https (!!).

Conclusions? Just as our standard advice is not to use a shared hosting plan, the same applies to not using a shared cache. Want your website to be speedy? Use Varnish, you guys!
