Protection against critical Windows vulnerability (CVE-2015-1635) - jgrahamc
https://blog.cloudflare.com/cloudflare-is-protected-against-cve-2015-1635/

======
thrownaway122
Interesting. I guess the question is, for something as big as this, should
companies like Cloudflare have an obligation to protect everyone using their
service (rather than just those on a certain support level)?

~~~
ianlevesque
Obligation? No. Why would they?

Microsoft released a patch, patch your stuff.

~~~
thrownaway122
> Microsoft released a patch, patch your stuff.

I have nothing to patch so no worries there!

> Obligation? No. Why would they?

I certainly lean towards this view myself.

I agree that Cloudflare are a company that is trying to make money and if they
can allow big corp X to not have to rapidly push through a patch without
testing then clearly they are providing a service to big corp X (we all know
that enterprise doesn't like to upgrade anything fast).

The alternative view could be that your and my e.g. bank and credit card
details are almost certainly exposed somewhere right now. Cloudflare
apparently have the ability to prevent this, so it could be seen that not doing
so is allowing crime to take place when they could stop it.

I'm not sure about this myself hence why I posted a question rather than an
opinion...

Maybe they could offer to block for say 48 hours and then thereafter only
those that pay get the service?

~~~
emn13
In general, protecting an unpatched server takes work - perhaps manual
configuration, perhaps extra server load on your proxies, perhaps
retrospective damage control when it turns out your proxy rules are buggy -
but it's clearly not reasonable to require them to do that work for free.

~~~
thrownaway122
As a counterpoint, let's use a simple analogy. Me calling the police if I see
someone breaking into my neighbour's house takes effort as well. In this
situation no one would expect that I should have my neighbour pay me a
retainer first.

~~~
thrownaway122
Too late to edit this, and it came out a little further to one side of the
argument than I was going for.

A better analogy would be what one would expect from a private security
company which is contracted to protect certain houses or businesses. They might
phone the police if a house they are not contracted to protect is broken into,
as a matter of public duty, but they would not attempt to intervene themselves.
I guess one could draw a similar line somewhere (I'm not sure where) for
Cloudflare, who are effectively the digital equivalent.

------
stephengillie
Main thread:
[https://news.ycombinator.com/item?id=9380468](https://news.ycombinator.com/item?id=9380468)

