{"id":791,"date":"2017-02-24T12:46:56","date_gmt":"2017-02-24T12:46:56","guid":{"rendered":"https:\/\/hostinguk.net\/blog\/?p=791"},"modified":"2017-02-24T14:13:47","modified_gmt":"2017-02-24T14:13:47","slug":"pass-the-salt","status":"publish","type":"post","link":"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/","title":{"rendered":"Pass the Salt"},"content":{"rendered":"

CDN’s are great. Seriously. They are a wonder of the modern age. You get your heavy lifting done by someone else, and they have offices around the globe. What is not to like? Oh – okay – so maybe if they start over sharing you find yourself with an issue. A very ugly issue.<\/p>\n

It has recently transpired that one of the most accessible CDN services CloudFlare have experienced an issue with some of their customers and users. While the number of sites was relatively small – they were able to to deliver content from just about all of the other sites they host.<\/p>\n

The content appeared as junk. Junk however that the more eagle eyed would have noted was IP addresses to and from, as well as fragments that would allow someone to possibly gain access through session data, keys, or just plain raw output.<\/p>\n

So why is this important…. well… if you use CloudFlare, then you need to take this into account.<\/p>\n

Most importantly possibly after securing yourself DISCLOSURE to any possibly effected parties if you are storing information about others depending on your compliance needs – for example Data Protection Act, and PCI Compliance.<\/p>\n

Here is a great article on the CloudFlare data leak<\/a> from one of the primary WordPress plugin vendors WordFence<\/a>.<\/p>\n

What they are outlining is change your Salt lines in your wp-config.php<\/a> , disclosure, and closer log analysis.<\/p>\n

Others have plenty to say on this too:<\/p>\n

ArsTechnica<\/em><\/a> reports that the leaks were spotted by\u00a0Google security researcher Tavis Ormandy.<\/p>\n

\n

We observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.<\/span><\/em><\/p>\n<\/blockquote>\n

A Cloudflare blog post<\/a> acknowledges that the issue was serious, but says there is no evidence of it having been exploited.<\/p>\n

\n

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.<\/span><\/em><\/p>\n<\/blockquote>\n

Ormandy responded by writing<\/a>:<\/p>\n

\n

[The company\u2019s blog post]\u00a0contains an excellent postmortem, but severely downplays the risk to customers.<\/span><\/em><\/p>\n<\/blockquote>\n

Security researcher Ryan Lackey agrees<\/a>, saying that while the likelihood\u00a0of passwords being exposed is\u00a0low, that risk does exist and that users are advised to change them.<\/p>\n

\n

While Cloudflare\u2019s service was rapidly patched to eliminate this bug, data was leaking constantly before this point\u200a\u2014\u200afor months. Some of this data was cached publicly in search engines such as Google, and is being removed. Other data might exist in other caches and services throughout the Internet [\u2026]<\/span><\/em><\/p>\n

The most sensitive information leaked is authentication information and credentials. A compromise of this data can have lasting and ongoing consequences until credentials are revoked and replaced.\u00a0<\/span>From an individual perspective, this is straightforward \u2014the most effective mitigation is to change your passwords.<\/span><\/em><\/p>\n<\/blockquote>\n

Next up you may wish to consider who their customers are… Uber, Fitbit, OKcupid – the list goes on. There is an outside chance your accounts\u00a0may have been compromised.<\/p>\n

This is by no means an end of days (in the same way as today came the inevitable two different documents with an SHA-1 signature that matched<\/a> – researched\u00a0again by Google)… but it both important, relevant, and food for thought. For me it is all about the follow up, the transparency, the how it is announced, and dealt with… the lack of cover up… things do go wrong, and bad things to good people.<\/p>\n

Go change that salt (to log out existing users getting in with session data or encrypted passwords) if\u00a0you use\u00a0WP with CloudFlare, or any CDN for that matter (as they are simply the ones in the spotlight and open about it) … and stop for a while and think about what you would leak, or lose, if your site were compromised, defaced, or deleted in it’s entirety.<\/p>\n

Patch. Backup. Compliance.<\/em><\/p>\n

Then go make a brew and rejoice – for it is Friday, and what is done… is done. It’s now time to make good.<\/p>\n

If you want to discuss the implications of this, or any other service we provide – get in touch.<\/em><\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

CDN’s are great. Seriously. They are a wonder of the modern age. You get your heavy lifting done by someone else, and they have offices around the globe. What is not to like? Oh – okay – so maybe if they start over sharing you find yourself with an issue. A very ugly issue. It… Keep Reading<\/a><\/p>\n","protected":false},"author":6,"featured_media":794,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[13],"tags":[137,138,39],"class_list":["post-791","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-support","tag-cdn","tag-cloudflare","tag-security"],"yoast_head":"\nPass the Salt - Hosting UK<\/title>\n<meta name=\"robots\" content=\"noindex, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Pass the Salt - Hosting UK\" \/>\n<meta property=\"og:description\" content=\"CDN’s are great. Seriously. They are a wonder of the modern age. You get your heavy lifting done by someone else, and they have offices around the globe. What is not to like? Oh – okay – so maybe if they start over sharing you find yourself with an issue. A very ugly issue. It... Keep Reading\" \/>\n<meta property=\"og:url\" content=\"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/\" \/>\n<meta property=\"og:site_name\" content=\"Hosting UK\" \/>\n<meta property=\"article:published_time\" content=\"2017-02-24T12:46:56+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-02-24T14:13:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/i0.wp.com\/hostinguk.net\/blog\/wp-content\/uploads\/2017\/02\/https-image.jpg?fit=1100%2C663&ssl=1\" \/>\n\t<meta property=\"og:image:width\" content=\"1100\" \/>\n\t<meta property=\"og:image:height\" content=\"663\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Anthony Hogbin\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Anthony Hogbin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/\"},\"author\":{\"name\":\"Anthony Hogbin\",\"@id\":\"https:\/\/staging.hostinguk.net\/blog\/#\/schema\/person\/e7707cd2857ef38b31f396b1bf878707\"},\"headline\":\"Pass the Salt\",\"datePublished\":\"2017-02-24T12:46:56+00:00\",\"dateModified\":\"2017-02-24T14:13:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/\"},\"wordCount\":720,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/staging.hostinguk.net\/blog\/wp-content\/uploads\/2017\/02\/https-image.jpg\",\"keywords\":[\"cdn\",\"cloudflare\",\"security\"],\"articleSection\":[\"Support\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/\",\"url\":\"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/\",\"name\":\"Pass the Salt - Hosting UK\",\"isPartOf\":{\"@id\":\"https:\/\/staging.hostinguk.net\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/staging.hostinguk.net\/blog\/wp-content\/uploads\/2017\/02\/https-image.jpg\",\"datePublished\":\"2017-02-24T12:46:56+00:00\",\"dateModified\":\"2017-02-24T14:13:47+00:00\",\"author\":{\"@id\":\"https:\/\/staging.hostinguk.net\/blog\/#\/schema\/person\/e7707cd2857ef38b31f396b1bf878707\"},\"breadcrumb\":{\"@id\":\"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#primaryimage\",\"url\":\"https:\/\/staging.hostinguk.net\/blog\/wp-content\/uploads\/2017\/02\/https-image.jpg\",\"contentUrl\":\"https:\/\/staging.hostinguk.net\/blog\/wp-content\/uploads\/2017\/02\/https-image.jpg\",\"width\":1100,\"height\":663,\"caption\":\"Secure website.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/staging.hostinguk.net\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Pass the Salt\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/staging.hostinguk.net\/blog\/#website\",\"url\":\"https:\/\/staging.hostinguk.net\/blog\/\",\"name\":\"Hosting UK\",\"description\":\"Hosting UK | Domain names | Web hosting | Dedicated Servers\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/staging.hostinguk.net\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/staging.hostinguk.net\/blog\/#\/schema\/person\/e7707cd2857ef38b31f396b1bf878707\",\"name\":\"Anthony Hogbin\",\"url\":\"https:\/\/staging.hostinguk.net\/blog\/author\/huk-ant\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Pass the Salt - Hosting UK","robots":{"index":"noindex","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_GB","og_type":"article","og_title":"Pass the Salt - Hosting UK","og_description":"CDN’s are great. Seriously. They are a wonder of the modern age. You get your heavy lifting done by someone else, and they have offices around the globe. What is not to like? Oh – okay – so maybe if they start over sharing you find yourself with an issue. A very ugly issue. It... Keep Reading","og_url":"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/","og_site_name":"Hosting UK","article_published_time":"2017-02-24T12:46:56+00:00","article_modified_time":"2017-02-24T14:13:47+00:00","og_image":[{"width":1100,"height":663,"url":"https:\/\/i0.wp.com\/hostinguk.net\/blog\/wp-content\/uploads\/2017\/02\/https-image.jpg?fit=1100%2C663&ssl=1","type":"image\/jpeg"}],"author":"Anthony Hogbin","twitter_misc":{"Written by":"Anthony Hogbin","Estimated reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#article","isPartOf":{"@id":"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/"},"author":{"name":"Anthony Hogbin","@id":"https:\/\/staging.hostinguk.net\/blog\/#\/schema\/person\/e7707cd2857ef38b31f396b1bf878707"},"headline":"Pass the Salt","datePublished":"2017-02-24T12:46:56+00:00","dateModified":"2017-02-24T14:13:47+00:00","mainEntityOfPage":{"@id":"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/"},"wordCount":720,"commentCount":0,"image":{"@id":"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#primaryimage"},"thumbnailUrl":"https:\/\/staging.hostinguk.net\/blog\/wp-content\/uploads\/2017\/02\/https-image.jpg","keywords":["cdn","cloudflare","security"],"articleSection":["Support"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/","url":"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/","name":"Pass the Salt - Hosting UK","isPartOf":{"@id":"https:\/\/staging.hostinguk.net\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#primaryimage"},"image":{"@id":"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#primaryimage"},"thumbnailUrl":"https:\/\/staging.hostinguk.net\/blog\/wp-content\/uploads\/2017\/02\/https-image.jpg","datePublished":"2017-02-24T12:46:56+00:00","dateModified":"2017-02-24T14:13:47+00:00","author":{"@id":"https:\/\/staging.hostinguk.net\/blog\/#\/schema\/person\/e7707cd2857ef38b31f396b1bf878707"},"breadcrumb":{"@id":"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#primaryimage","url":"https:\/\/staging.hostinguk.net\/blog\/wp-content\/uploads\/2017\/02\/https-image.jpg","contentUrl":"https:\/\/staging.hostinguk.net\/blog\/wp-content\/uploads\/2017\/02\/https-image.jpg","width":1100,"height":663,"caption":"Secure website."},{"@type":"BreadcrumbList","@id":"https:\/\/staging.hostinguk.net\/blog\/pass-the-salt\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/staging.hostinguk.net\/blog\/"},{"@type":"ListItem","position":2,"name":"Pass the Salt"}]},{"@type":"WebSite","@id":"https:\/\/staging.hostinguk.net\/blog\/#website","url":"https:\/\/staging.hostinguk.net\/blog\/","name":"Hosting UK","description":"Hosting UK | Domain names | Web hosting | Dedicated Servers","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/staging.hostinguk.net\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/staging.hostinguk.net\/blog\/#\/schema\/person\/e7707cd2857ef38b31f396b1bf878707","name":"Anthony Hogbin","url":"https:\/\/staging.hostinguk.net\/blog\/author\/huk-ant\/"}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/staging.hostinguk.net\/blog\/wp-content\/uploads\/2017\/02\/https-image.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p63y3g-cL","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/staging.hostinguk.net\/blog\/wp-json\/wp\/v2\/posts\/791","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.hostinguk.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.hostinguk.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.hostinguk.net\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.hostinguk.net\/blog\/wp-json\/wp\/v2\/comments?post=791"}],"version-history":[{"count":4,"href":"https:\/\/staging.hostinguk.net\/blog\/wp-json\/wp\/v2\/posts\/791\/revisions"}],"predecessor-version":[{"id":803,"href":"https:\/\/staging.hostinguk.net\/blog\/wp-json\/wp\/v2\/posts\/791\/revisions\/803"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.hostinguk.net\/blog\/wp-json\/wp\/v2\/media\/794"}],"wp:attachment":[{"href":"https:\/\/staging.hostinguk.net\/blog\/wp-json\/wp\/v2\/media?parent=791"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.hostinguk.net\/blog\/wp-json\/wp\/v2\/categories?post=791"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.hostinguk.net\/blog\/wp-json\/wp\/v2\/tags?post=791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}