
Ask HN: What are the implications of CloudFlare leak? - ddito
I'm having a hard time understanding the implications of this CloudFlare breach. As I understand it, although only the websites who have been using the combination of features from CloudFlare have triggered the leak, the leaked information is from any website which was using the service for MitMing their https for some feature. Am I correct? There is a lot of misinformation out there about the scope of this... Also, is it ok to suppose pretty much any smaller website has been using CloudFlare? Has our payment information been leaked? Should we request new credit cards?

I'm using a few passwords with differing complexity for various websites which have my credit cards stored unfortunately. I have so far been trying to use my strongest passwords exclusively with websites which have my most sensitive info but I still reused the same password for 4-5 websites each.

This fiasco has coincided with me moving over to 1password anyways but I'm worried a bit about my credit cards.
======
onion2k
Without wishing to sound too melodramatic, a complex problem like this one
should be the least of your concerns online. Part of my job over the past
twenty years has been auditing website code, and I can tell you there are
online stores that do things that would absolutely terrify people if they knew
what was happening to their data - on one site everyone's credit card
information was being emailed to the site owner's Hotmail account so he could
put payments through the till system in his shop.

If you're worried about your credit card data just don't put it into a
website you don't _know_ is secure. If it isn't Amazon, Stripe, Paypal, <your
preferred payments provider> etc, just don't use it.

~~~
remx
+1 for mentioning offloading CC stuff to payment providers

------
andyjh
"...the leaked information is from any website which was using the service..."

Potentially, yes. Not _just_ HTTPS, but those are obviously the more worrying
cases.

It's not possible to know the totality of information that has been leaked,
though efforts are being made to try and list affected / potentially affected
sites.[1]

My advice would be: For any sites you're worried about (ie hosted on CF and
you have an account), log out of all sessions on all devices, and reset your
password. Don't share passwords between sites either; if you're using
1password now, you can use unique & complex passwords for everything.

[1] eg [https://github.com/pirate/sites-using-cloudflare](https://github.com/pirate/sites-using-cloudflare)

------
fsf
You don't need to preemptively change your credit cards, but keep an eye on
them. Your analysis of the potential leak is correct. It's possible that one
of the bits of memory contained your credit card information, but changing
your card just for that is kind of silly without some indication of illicit
use.

After all, people happily hand their credit card to restaurant employees, pop
it into gas station devices, etc. without worrying too much. Keep an eye on
it, but don't fret.

You kind of goofed with the re-used passwords, though :). Kudos for switching
to a password manager!

------
remx
I never trusted Cloudflare's TLS/HTTPS infrastructure. Consider any CC
information that _could_ have been in their servers as already compromised.
Stuff like that should be on a dedicated payment provider, and insulated away
as much as possible. Stripe and other providers are perfect for handling CC,
because it's _what they do_ as a service.

------
lightedman
"I'm having a hard time understanding the implications of this CloudFlare
breach."

The implication is that people are still not very smart trusting anything to a
3rd party.

As the saying goes, "If you want it done right, do it yourself."

