
Monzo’s Response to Cloudbleed - obeattie
https://monzo.com/blog/2017/02/24/cloudbleed/
======
libeclipse
Even though they weren't affected much and no one would have called them out
if they didn't do this, the fact that they did such a nice job of dissecting
the situation and deploying the appropriate measures is really, really good.

Love monzo. <3

~~~
lumisota
While it should be applauded that they responded promptly, it needs to be
remembered that this is a regulated, licensed bank that proxied sensitive
customer information via a (now compromised) third-party. We should expect
this kind of disclosure from such organisations, not be surprised by it.

~~~
mintplant
My thoughts exactly. As a bank, allowing Cloudflare to MITM their customers'
financial data, presumably so they can save on bandwidth, seems inappropriate.

~~~
shawabawa3
Did you read the post?

They don't use cloudflare to MITM customer data.

~~~
grzm
Please don't imply that someone hasn't read the article. From the guidelines:

_"Did you even read the article? It mentions that" can be shortened to "The article mentions that."_

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
deckiedan
Great that they respond so clearly and quickly.

One question - does anyone else feel that having NGINX as the only link in the
summary kind of suggests that it's an nginx problem? I could imagine my
previous boss reading the article, and 3 months later saying, "Wait what,
we're using nginx??? Isn't that that shit that made cloudbleed happen?"

~~~
zzzcpan
While they are not being precise in their response, you cannot consider nginx
more secure. Nginx is still part of the problem, it had many CVEs too, even
very similar memory disclosure vulnerabilities.

~~~
Filligree
It's written in C, which is part of the problem. I'd be very interested in a
similarly-featured webserver (reverse proxy, mostly) which is written in a
memory-safe language.

~~~
atmosx
Caddy[1] is written in Go and has a nicer, simpler syntax. I'm sure NGINX has
many more features though.

[1] [https://github.com/mholt/caddy](https://github.com/mholt/caddy)

~~~
fortytw2
Caddy has less than half the performance of Nginx - not really a viable
replacement at any sort of scale.
[https://hackernoon.com/caddy-a-modern-web-server-vs-nginx-e9e4abc443e#.wps7udz6x](https://hackernoon.com/caddy-a-modern-web-server-vs-nginx-e9e4abc443e#.wps7udz6x)

~~~
Filligree
Depends on what you're doing. If it's fronting an expensive web-app, then the
couple hundred CPU-microseconds needed to proxy a request isn't going to be
noticeable...

Caddy can serve 5,000 requests per second per core. I would flip your
statement on its head, and say that a minority of people need anything close
to that. The few companies that do, can probably afford to keep on top of CVEs
for their frontends as well.

------
mseebach
Honest question, this is far from my area of expertise: I get why you would
put Cloudflare on a public website -- but what is the benefit of wrapping the
authenticated, dynamic parts of a website/service in Cloudflare? These are
things you would want to never get cached, and, I suppose, you would want end-
to-end TLS'd into your own network?

~~~
otabdeveloper
Because the "HTTPS everywhere or you're a dinosaur and you don't deserve to
live" hysteria forced everyone to put HTTPS even in places where it doesn't
belong.

~~~
jon-wood
I'm pretty sure "in front of the API for people's bank account" is exactly the
place HTTPS belongs.

------
rodionos
Monzo's response is much more reassuring compared to Cloudflare's:

> "We've seen absolutely no evidence that this has been exploited," he told Reuters by phone.
> "It's very unlikely that someone has got this information."

[http://www.reuters.com/article/us-cyber-cloudflare-idUSKBN1630RT](http://www.reuters.com/article/us-cyber-cloudflare-idUSKBN1630RT)

~~~
sverige
I agree. Cloudflare's public statements have not inspired confidence. When you
get publicly called out by Google's security chief, you need to bring your A
game in damage control.

------
_pmf_
> A bug in an NGINX module used by Cloudflare’s edge proxies

More precise: a bug in a proprietary closed source module for NGINX used in-
house at Cloudflare.

~~~
nailer
Not sure why the parent post is being downmodded: it's entirely accurate. From
what Google wrote [1], the module is part of a CloudFlare ScrapeShield, which
is a proprietary nginx module that does DOM manipulation to obfuscate pages to
fight scrapers. Mismatched tags were causing arbitrary bits of memory to leak
into responses.

[1] [https://bugs.chromium.org/p/project-zero/issues/detail?id=1139](https://bugs.chromium.org/p/project-zero/issues/detail?id=1139)

------
overcast
What the heck is Monzo? I read the About, is this another Paypal 20 years
later?

~~~
aembleton
It's a prepaid credit card that immediately notifies your phone every time you
make a transaction with the amount and location.

It is particularly useful overseas. I was in Belgium at the weekend and all my
€ spend was immediately translated into £ so I could clearly see how much I
was spending. I could also find the café that I went to for breakfast the
previous day because its location is right there in the Monzo app.

The other useful feature is when I'm out drinking. If I lose the card, I can
freeze the card from inside the app. Also it means that the next morning I can
see how much I spent.

~~~
mintplant
> It's a prepaid credit card that immediately notifies your phone every time
> you make a transaction with the amount and location.

All of my regular financial accounts (bank, credit cards) can do this. There's
typically a page in the account center with settings for sending SMS and email
alerts when various types of transactions exceed a certain monetary threshold.
I set them all to $0 and get notified of everything as it happens.

~~~
aembleton
That's really good to hear. Unfortunately that doesn't seem to be the case in
the UK, at least for my accounts (Barclaycard and Halifax).

I think our banking system is a bit antiquated. Monzo have built a tech stack
that is far more advanced than any of our incumbent banks.

------
anc84
If I understood the issue correctly, then "Transaction information" and
"Customers’ personally identifiable information" via the Developer's API
_were_ potentially affected.

------
brad0
Great response from Monzo. I live in Scotland and it's amazing the difference
companies like Monzo have compared to regular banks (see the Tesco Bank
fiasco).

~~~
pidg
Without meaning to sound rude, why does it make a difference where you live? I
feel like I'm missing something.

~~~
cesarb
The place where someone lives changes the set of "regular banks" one's exposed
to.

~~~
pidg
Ah. I live in Scotland too and wondered if Monzo had some connection (Tesco
Bank is based here but operates UK-wide)

~~~
OJFord
Monzo is also UK-wide, but only UK-wide.

Anecdotally, it seems Scots are more likely to say Scot* vs UK than are
Welsh/English to offer the equivalent. I certainly grew up (in England) with
the feeling that one had to be careful to say 'UK' if one really meant UK, for
fear of similar reprimand to that when using a gendered pronoun that may or
may not be correct.

------
mdekkers
excellent response