
I assumed this was a reset from Google due to the Cloudflare stuff, but seems like it wasn't?

Well, he said that it wasn't. But then refused to say more, and disabled comments.


It's not strange at all?

Imagine you walked into a group of people, talking about one thing. You started talking about something completely random and different. They want to continue their conversation, you keep interjecting with questions about your random thing.

If they could, they'd probably turn you off so you couldn't talk, or go to another place to talk about it.

That's precisely what happened here.

I would imagine that was because the comments are intended for discussion about that particular issue, not for random users to jump in with wild conjecture on its impacts. Honestly not that strange.

He was nice enough to answer the off-topic question, and the person who asked decided not to believe him and continued to take the discussion further off topic. The only good way to handle that sort of thing is to lock the thread.

> But then refused to say more

What more is there to say?

A link to an announcement on the issue?

Not in a random unrelated bug that people hijacked to discuss a different problem, no.

I think there's nothing special about refusing to discuss stuff there and disabling comments.

That's true, if it is "a random unrelated bug".

I suspect that there will be many such reports in coming weeks. And lots of denial, and refusal to comment.

That would have been the best outcome. As it is, I'm left with concerns. Maybe it is related, but he's been instructed to not comment. Maybe it's a National Security Letter. Or whatever.

And yes, maybe he was just stressed out, and didn't want to be pestered with conspiracy theory ;)

I would be surprised if Gmail sent any tokens or credentials via Cloudflare

Third-party sites where the Google account was used for authorization could have transmitted data through Cloudflare. (Think "Log in with Google" button on millions of sites.)

Fear might be shared email/passwords since that's really common.

What's the fear? Aren't all passwords encrypted on the server side?

But if an in-transit plaintext password is leaked by CloudFlare, server-side encryption is irrelevant.

(... that said, it's not like revoking sessions would impede a password-holding adversary...)

It would for users that have 2FA enabled.

Perhaps they are worried about active OAuth tokens having leaked?

That was my first thought. Maybe accounts with Google credentials exposed in some way had a forced logout to invalidate exposed auth token?

Does Google use Cloudflare? Don't they do everything themselves?

Yes. They integrate as a proxy for Google's cloud stuff.


Not quite. CloudFlare is available to users of Google Cloud, but Google services don't use CloudFlare.

The only exception I could imagine would be some service that was brought in as part of an acquisition but has not yet been migrated to Google's internal platform. Obviously not applicable to products like Gmail or other core G Suite apps.
