Cloudflare recently announced a security incident that potentially impacts anyone who visited various wireshark.org and winpcap.org sites during the past six months.
Cloudflare is a popular service that provides content delivery, DDoS protection and DNS services for web sites.
A software bug in Cloudflare’s servers leaked potentially sensitive information. Some of that information ended up in caches all over the Internet: at Google, Microsoft, your ISP, your company’s or university’s proxy servers, and elsewhere. Due to the randomness and distributed nature of the bug, it’s difficult to know what the full impact is. Cloudflare provides the following estimate:
“The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).”
The bug was introduced on September 22, 2016 and fixed on February 18th, 2017.
The Google Project Zero bug describing the issue in detail can be found at https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
Cloudflare’s incident report can be found at https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
The initial Hacker News discussion can be found at https://news.ycombinator.com/item?id=13718752
Was Wireshark affected?
The following wireshark.org and winpcap.org sites were behind Cloudflare proxies during the period in question:
Wireshark’s download servers (*.dl.wireshark.org), buildbot.wireshark.org and code.wireshark.org were not behind Cloudflare.
I browsed to one of the sites listed above between September 22nd, 2016 and February 18th, 2017. Am I affected?
The chances are slim, but those chances are not zero.
Most of the content that we serve is “static” and “public.” That is, it’s the same for everyone and doesn’t contain any sensitive information. The risk exposed by Cloudflare is from dynamic content that contains sensitive information such as the login page on ask, bugs, wiki, etc. Our web sites get frequent requests for static content, but dynamic requests are relatively infrequent.
In a world where everyone has infinite free time I would have no qualms about recommending that everyone with a wireshark.org account change his or her passwords. However, this is the real world and your time is valuable. If you logged in to one of our sites and used a unique password it might not be worth your time to change it. On the other hand, if your professional reputation depends on your ask.wireshark.org score you probably should. If you have any sort of administrative access you definitely should. Most of our users fall into the first category.
If you’re wondering why it looks like I’m downplaying the importance of changing your wireshark.org passwords, see the next question.
I used a web browser, smart phone, or an internet-connected wearable doohickey between September 22nd, 2016 and February 18th, 2017. Am I affected?
I honestly don’t know. The chances are almost certainly not zero.
Cloudflare is a very popular service. At the time of this writing an unofficial list of affected sites stands at more than four million entries and counting. It includes many of the world’s most popular web sites.
If you’re going to spend time changing passwords, doing so for sites that deal with finance, email, DNA testing, dating, and other parts of your personal life probably ranks higher than that for, say, the Wireshark wiki.
Isn’t a vague answer like “the chances are slim but not zero” a frustratingly craptastic one compared to a definitive “yes” or “no”?
Yes, but it’s also the honest and correct one.
Update: March 2, 2017
Yesterday Cloudflare posted an update on the issue at https://blog.cloudflare.com/quantifying-the-impact-of-cloudbleed/. In it they posted the following leak estimates:
Requests per Month    Anticipated Leaks
------------------    -----------------
200B – 300B           22,356 – 33,534
100B – 200B           11,427 – 22,356
50B – 100B            5,962 – 11,427
10B – 50B             1,118 – 5,926
1B – 10B              112 – 1,118
500M – 1B             56 – 112
250M – 500M           25 – 56
100M – 250M           11 – 25
50M – 100M            6 – 11
10M – 50M             1 – 6
< 10M                 < 1
The affected wireshark.org web sites get just over 10M requests per month combined. Private traffic is substantially less than that.