I'd say it shouldn't be their responsibility to fix it at all - this is on CloudFlare. CloudFlare shouldn't be downplaying the issue to their customers.
They should be telling them to reset passwords and get users to do similar. And I say this as a generally very happy CloudFlare customer.
A few Bitcoin exchanges have realized the seriousness and have already contacted me and told me to just go ahead and enable 2FA, which I did even on empty accounts. One of them is going so far as to revoke and change their SSL certificates even though there's no reason to believe they were at risk.
> They should be telling them to reset passwords and get users to do similar.
Someone correct me if I'm wrong, but:
This isn't just about passwords. Any memory from those proxy servers could have been dumped into these responses, meaning plaintext content of all kinds. The data needs to be purged in addition to telling customers that everything they did in these months has a chance of being out there in plaintext in the hands of random people.
I was just saying passwords because they're something that could have leaked which could be used to actively compromise accounts and result in further attacks now. And probably the only thing most sites can do anything about at this point.
Of course, if you were sending private keys, API keys, etc. over an SSL connection - those all now need to be treated as exposed.
Some sites may also have special concerns - btc-e, for example, a fairly large bitcoin exchange, allows users to withdraw to a "btc-e code" which can be deposited by another user of the site. It'd be a serious mess if any of that kind of thing leaked.