The so called Cloudbleed bug is much worse than its little brother called Heartbleed as it not only affected millions of websites, in addition, it sent personal information like login data (even for banking websites) as well as private chat sessions from dating websites to any other browser accessing a website that uses Cloudflare.
The list of all affected websites is terribly long, so here are some important ones:
It is possible that you have recently visited one of these websites thinking you were safe as the lock for the SSL-connection was showing up green. But visiting these sites was like going to a cash machine to withdraw money. Everything seemed normal, except that the machine would still show all details of the previous user including his PIN and a copy of the used card, making it possible for you to withdraw money from his account. And it gets even worse: After you used this machine, your information might be shown to the next customer and so on and so forth.
This information exchange was hidden within the browsers so it hugely went unnoticed. However, it is very likely that it was noticed by some. The traffic was cached automatically by search engines like Google and Bing, which made it easily accessible to anybody who accidentally found out about the leak, thus knowing what he was looking for. In addition, this information was visible to bots trawling the web so it might have already fallen into the hands of people with bad intentions.
Google engineer Tavis Omady discovered the bug and it was fixed as well as search engine data scrubbed manually within a couple of days. However as the bug was probably active since September 2016, we advise you to change all passwords from affected websites. In addition if you are using your Tutanota password for anything else, please change it as well, just to be sure.
According to the official statement of Cloudflare, the problem was in the code of a new HTML parser, which suffered from a buffer overflow vulnerability triggered by unbalanced HTML tags on pages. The biggest amount of leakage took place between February 13 and February 18, which is also when Omady noticed the leakage.
Now imagine what malicious people with the leaked Cloudflare information can do: They can monitor the data flows of these websites - user names, passwords, communications, cookies and authentication tokens.
Cloudflare is a service which protects websites from DDoS attacks. In order to be capable to protect HTTPS sessions, Cloudflare pretends to need access to the private keys of the SSL certificates of the "protected" websites, which by itself means that customers completely need to trust Cloudflare.
A SSL certificate gives you visual approval that you are currently viewing the website you intended to visit, and that it is safe to enter payment details and passwords.
If an attacker had a private key of an SSL certificate at his disposal, he could duplicate a website, let's say, of your bank, and you wouldn't even notice. He pretends that this is the original website, a classical Man-in-the-middle attack. Now you want to transfer money online and go to your bank's website. You check whether the connection is secure, because you are a prudent person. Everything seems to be alright, so you enter your credit card details and hit the send button.
And now? Your payment details are sent directly to the attacker - you did not visit your bank's website as you thought, you have just been to the malicious duplicate. Fortunately, this is not what happened with Cloudbleed, but this is exactly the reason why we at Tutanota would never use Cloudflare or any similar service.
In a nutshell, the real danger of any service like Cloudflare is that they collect the private keys of millions of SSL certificates, which makes them an extremely attractive target not only for attackers, but also for secret services. With the private keys, the NSA would be able to decrypt everything - yes, every little bit of data you generated through these affected websites.
Change your passwords. The people in charge may communicate that the data has disappeared from the internet now, but no-one knows who already had access to the data. For instance, no-one knows whether Omady was the first or the only one to notice this data leakage. Even if your information has not been leaked, it is always a good idea to change your passwords every once in a while.
As Tutanota does not use Cloudlfare - we would never hand the private keys of our SSL certificates to anyone - you can be sure that your secure mailbox is not affected.
In case you were using the same passwords for Tutanota and other services, please also change your Tutanota password. And make it unique - plus write it down somewhere safe as we cannot reset it.
Although attackers may have recorded a lot of your online traffic, we have good news for you: Your data in Tutanota is encrypted. Your Tutanota emails are not accessible to anyone apart from yourself.
No comments available