
Why is Cloudflare underplaying this issue? All data that transited through Cloudflare from 2016-09-22 to 2017-02-18 should be considered compromised and companies should act accordingly.


>Why is Cloudflare underplaying the issue?

I suspect the random nature of the overflow plaintext spewed out into caches will be difficult to leverage into a statistically significant attack against any particular customer. If CF's bottom line is unlikely to be impacted, why not downplay the issue and refer to it in the past tense?

There may be significant long lasting damage to CF's reputation amongst vulnerability researchers, but that's a tiny subset of the population and statistically insignificant to a company that ~10% of internet traffic flows through.


This all is assuming that no-one has found the vulnerability before. My understanding is that, once you figure out what kind of request causes the overflow, you can pretty much just spam CF with it, getting new garbage data every time. If someone was deliberately doing that, they could have more data than all the indexes combined. And the worst part is that we'll never know.


Does CF redirect all non-HTTPS traffic to HTTPS? If not, NSA could have passively intercepted tons of leaked data, and all it would take is for one of their analysts - people paid to find stuff like this - to notice a single out-of-place leaked secret and trace it back to CF.


The way I see it, it's not "chances that this individual is compromised are too low to worry about", it's "chances are this individual is compromised because even though everybody wasn't compromised, anybody was, and we don't know who or to what extent."

We are all familiar with "better safe than sorry", but another no-brainer when it comes to security is "remove all uncertainties".

Not only do Cloudflare's CEO and CTO not seem to operate by these golden rules, but they are spreading misinformation to others about the importance of respecting these basic tenets of security. That shows that they place their profit margin over the customers who give them that margin in the first place.

They do not consider routine corporate security, potential legal backlash to their customers, or the safety of their customers' customers to be the most important thing and that is unacceptable for a company that is basically trying to MITM the internet.


On the other hand, the random nature of the overflow plaintext also means it's perfectly possible for one or several keys to various kingdoms to have fallen into unsuspecting laps. Whether that happened, or how much of it will be discovered by bad actors and to what effect, we cannot really know for sure, but it already says not so great things about those who downplay it.


> There may be significant long lasting damage to CF's reputation amongst vulnerability researchers, but that's a tiny subset of the population and statistically insignificant to a company that ~10% of internet traffic flows through.

Yes, security researchers boycotting CF isn't going to hit their user metrics directly. But what happens when security researchers advise people not to use CF because of their poor security/handling of security?


Their whole business model is basically "funnel all your secure stuff through our servers. We won't compromise it, we promise". It'd be pretty surprising if they didn't try to underplay it.


Their business model also seems to be "get DDOS protection from us by hiding your real IP behind our proxy (while we also hide the IP of the DDOS services to protect against in the first place)".

Aren't they held liable for taking money from those conducting DDOS attacks in the US?


A closely held company with a multibillion dollar valuation underplays a serious threat to their business... Hard to believe!


What do you expect them to do? They're essentially a parasite of the Internet, and always have been.



