
Namepros Uses Cloudflare (status: resolved)

Status
Not open for further replies.

WalletControl

Hi,

Please Namepros staff report back to your users. Namepros.com is listed on a list of sites which use Cloudflare:

https://github.com/pirate/sites-using-cloudflare

In view of the news:

Everything You Need to Know About Cloudbleed, the Latest Internet Security Disaster
http://gizmodo.com/everything-you-need-to-know-about-cloudbleed-the-lates-1792710616

Cloudbleed bug: Everything you need to know
The internet has a new security bug called Cloudbleed and it's pretty bad. We explain what it is, how it affects you and what you can do.
https://www.cnet.com/how-to/cloudbleed-bug-everything-you-need-to-know/

It is time for Namepros to make an announcement.

Thank you.
 
2
•••
A site has been created where you can search the 7 million or so sites that use Cloudflare, to see which ones are affected:

DoesItUseCloudflare.com

NameprosUsesCloudflare02252017.jpg
 
0
•••
I am personally a maintainer of the link you provided. I have been working closely with the other maintainers to gather as much data as possible and to determine the best course of action. I haven't had a chance to make an announcement yet because I've been so busy contributing to that list and performing research (look for posts by Zenexer). Right now, we're still trying to quantify the risk--it's likely very low, but still worth discussing for peace of mind. As soon as we have an accurate estimate of how this affects members, we'll make an announcement.

Here's what we've been able to determine so far:
  • There isn't actually any definitive proof that this directly impacted NamePros. We're in the set of potentially affected domains, but there's no trace of anything bad actually occurring. This is mostly precautionary.
  • Millions of other sites were potentially affected. There are sites using the Cloudflare CDN who are claiming there is proof they weren't affected, but this has been proven false.
  • A lot of big sites were affected--very big sites. Because of how the bug worked, this decreased the risk for someone using NamePros.
  • This doesn't actually affect internal NamePros data because the bug wasn't with NamePros. There was an issue with the service provider we use to deliver content to people around the world.
  • Most of the "leaks" that occurred for other sites immediately vanished and had no impact. We can't be sure any even happened for NamePros, but if they did, this was also the case.
  • Because the overwhelming majority of requests that NamePros handles carry no sensitive information, the risk was decreased even further.
  • The most sensitive information likely to have escaped would be something called a session cookie. This is trivial, as we can easily reset those on our end. To be safe, we're assuming that such an incident could've occurred, although it's quite likely that it didn't.
  • When all the factors are taken into account, we estimate that the possibility of something as sensitive as a password having been leaked by Cloudflare is so small as to be negligible.
Through the link mentioned in the first post, I've mostly been advising companies to reset session cookies but not passwords--that's what NamePros did. Because of the specific circumstances surrounding this incident, most affected websites don't need to worry too much about what happened. However, they should review the facts and decide whether a different course of action makes sense for their specific website. Some websites were more affected than others due to search engine caches, and as such need to be more cautious; NamePros doesn't fall into this category. As always, websites should offer 2FA and have a system in place to detect unusual activity.
 
9
•••
Correction:

I'm afraid there is a discrepancy between info on the github link, and info on the DoesItUseCloudflare.com link.

HugeDomains.com uses Cloudflare, according to the github link.

Someone registered, DoesItUseCloudflare on NameCheap, which itself is implicated in using Cloudflare.

NameCheapUsesCloudflare02252017.jpg


> I am personally a maintainer of the link you provided. I have been working closely with the other maintainers to gather as much data as possible and to determine the best course of action. I haven't had a chance to make an announcement yet because I've been so busy contributing to that list and performing research (look for posts by Zenexer). Right now, we're still trying to quantify the risk--it's likely very low, but still worth discussing for peace of mind. As soon as we have an accurate estimate of how this affects members, we'll make an announcement.

Thank you for replying!

We'll wait for your announcement!

Paul, you are the contributor of github link?
 
1
•••
> Correction:
>
> I'm afraid there is a discrepancy between info on the github link, and info on the DoesItUseCloudflare.com link.
>
> HugeDomains.com uses Cloudflare, according to the github link.
>
> Someone registered, DoesItUseCloudflare on NameCheap, which itself is implicated in using Cloudflare.
>
> NameCheapUsesCloudflare02252017.jpg

There are several complications when determining whether a site uses Cloudflare, especially when attempting to compile a list of all affected sites. The list is still a work in progress; we're working on more advanced techniques to accurately scan everything.

> Paul, you are the contributor of github link?

There are three levels of contributors:
  1. Owner: the person who started the list; has ultimate say
  2. Collaborators: a small number of people who work together to verify that proposed changes are accurate and actively work to improve the list; there are about 10 of these
  3. Contributors: people who have formally proposed at least one change to the list that's been accepted; there are 65 of these as of writing
I'm a collaborator.

I've also updated my initial response with more details.
 
6
•••
BuySellAds.com <== uses cloudflare.

I'll create a list here, and update it.
 
1
•••
> BuySellAds.com <== uses cloudflare.
>
> I'll create a list here, and update it.

Let's not create a list here. There's already an organized utility dedicated to that purpose with professionals working around the clock to maintain it.
 
4
•••
> Let's not create a list here. There's already an organized utility dedicated to that purpose with professionals working around the clock to maintain it.

Should I sign up at Github, and post in the comments?
DonaldJTrump.com - hehe.

Edited to say, never mind. I see your work is comprehensive, with levels of exposure per list, not just who uses cloudflare servers!

Thanks for updating your info in your opening comment. I followed the links.
 
1
•••
> Should I sign up at Github, and post in the comments?
> DonaldJTrump.com - hehe.

You can, but they're probably already in the master list. The user-friendly lists only show domains that are also in the top 10k Alexa list or that are otherwise very notable.
 
3
•••
I rewrote the code behind the "Remember Me" login option to "harden" it (increase its security), as I wasn't fond of how XenForo implemented it; forcing cookie invalidation was too cumbersome, among other issues. I've reset the session cookies again accordingly. If you weren't logged out before, you should have been logged out this time.
 
2
•••
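The session-cookie reset and "Remember Me" hardening discussed in the staff posts above, sketched as an added example; this is not NamePros or XenForo code. The class name, the selector/validator cookie layout and the epoch counter are assumptions chosen to show a design where a site-wide cookie reset is a single operation.

```python
import hashlib
import hmac
import secrets
import time

class RememberMeStore:
    """Server-side 'remember me' tokens (hypothetical design, in-memory for the demo)."""

    def __init__(self, ttl_seconds=30 * 24 * 3600):
        self.ttl = ttl_seconds
        self.epoch = 0     # bumped to invalidate every outstanding cookie at once
        self.tokens = {}   # selector -> (user_id, validator_hash, epoch, expires_at)

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)   # lookup key, not secret
        validator = secrets.token_urlsafe(32)  # secret half; only its hash is stored
        digest = hashlib.sha256(validator.encode()).digest()
        self.tokens[selector] = (user_id, digest, self.epoch, now + self.ttl)
        return f"{selector}:{validator}"

    def verify(self, cookie, now=None):
        """Return the user id for a valid cookie, else None."""
        now = time.time() if now is None else now
        selector, sep, validator = cookie.partition(":")
        record = self.tokens.get(selector)
        if not sep or record is None:
            return None
        user_id, digest, epoch, expires_at = record
        presented = hashlib.sha256(validator.encode()).digest()
        ok = hmac.compare_digest(presented, digest)  # constant-time comparison
        if not ok or epoch != self.epoch or now >= expires_at:
            self.tokens.pop(selector, None)  # burn failed, stale or expired entries
            return None
        return user_id

    def revoke_user(self, user_id):
        """Log one account out everywhere (e.g. after a password change)."""
        self.tokens = {s: r for s, r in self.tokens.items() if r[0] != user_id}

    def reset_all(self):
        """Site-wide reset after a suspected cookie leak; stale rows are purged lazily."""
        self.epoch += 1
```

Because only the validator's hash is stored, a copy of the token table does not yield usable cookies, and a leaked cookie stops working as soon as `reset_all()` runs.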