Cloudflare
Latest
Tor accuses CloudFlare of blocking its anonymizing network
Not long ago, the content delivery provider CloudFlare claimed that a whopping 94 percent of the requests it gets from people using the Tor anonymizing network are malicious. It needs strict, Tor-specific security measures (such as demanding that visitors see CAPTCHAs) to protect its website customers against attacks, the company says. Well, the Tor team isn't having any of it -- it's accusing CloudFlare of both mischaracterizing Tor users and blocking innocents in the name of overzealous security.
CloudFlare donates tech to stop politically-sensitive sites from being knocked offline
If protecting yourself from hackers wasn't tough enough, there's another crippling internet attack that knocks websites completely offline while you're a target: a denial of service attack. That's why a company called CloudFare has launched Project Galileo, a free service that helps "protect politically and artistically important organizations and journalists against attacks that would otherwise censor their work." CloudFlare has been in the business of protecting sites for quite some time, operating as a content delivery network that offers DDoS protection, but only to paid customers.
What is Heartbleed, anyway?
If you're an IT professional, gadget blogger or token geek in your circle of friends, chances are, you've been hounded relentlessly over the past couple of days about "this Heartbleed thing." "Do I need to update my antivirus?" "Can I login to my bank account now?" "Google already fixed it, right?" We've heard them all, but the answers aren't all that clear or simple. In an attempt to take the pressure off -- it is the weekend after all -- we've put together a primer that should answer all of those questions and a few more. Next time someone asks you about that "Heartbleed thing," just shoot them in our direction.
Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible
Many already thought that the "Heartbleed" security flaw in OpenSSL could be used to steal SSL keys from a server, but now there's proof. This is important because if someone stole the private decryption key to servers used by any of the many web services that used OpenSSL, then they could spy on or alter (supposedly secure) traffic in or out until the key is changed. The Cloudflare Challenge asked any and all comers to prove it could be done by stealing the keys to one of their NGINX servers using the vulnerable version of OpenSSL, and it was completed this afternoon by a pair of researchers according to CEO Matthew Prince. Fedor Indutny tweeted that he'd done it earlier this evening, which the Cloudflare team later verified, crediting Indutny and another participant Illkka Mattila. Indutny has promised not to publish his method for a week so affected servers can still implement fixes, but according to Cloudflare his Node.js script generated more than 2.5 million requests for data over the span of the challenge. Confused by all the programming and security terms and just need to know how this affects you? It means that while you definitely need to change your passwords, but wait until affected services announce they've not only fixed their OpenSSL, but also swapped out (potentially compromised) security certificates for new ones. Update: If you're wondering how he did it, Indutny has posted more details and the script on his blog. Image credit: snoopsmaus/Flickr
