October 2014 Summaries
8 posts from Cloudflare
Filter
Month:
Year:
Post Summaries
Back to Blog
On October 30, 2014, John Graham-Cumming spoke at dotGo 2014 conference in Paris while his colleague Yichun Zhang presented at the first NGINX conference in San Francisco. The talk by Yichun Zhang focused on the latest features and tools of the ngx_lua module, which embeds Lua dynamic language into the NGINX core, transforming it into a highly scriptable proxy server. This module is also used as a non-blocking full-stack web application server known as OpenResty. The session covered new features such as light threads, websockets, timers, SSL/TLS cosockets, and more. Additionally, advanced tools for troubleshooting and profiling ngx_lua-based systems were discussed.
Oct 30, 2014
237 words in the original blog post.
On October 16, 2014, the Drupal Security Team released a critical security patch for Drupal 7 addressing a severe SQL injection vulnerability. Cloudflare also updated its Web Application Firewall (WAF) rules to mitigate this issue. Customers using Cloudflare's WAF with the Drupal ruleset enabled received automatic protection. Rule D0002 provides specific protection against this vulnerability, and users can enable it by clicking the ON button next to "CloudFlare Drupal" in the WAF Settings. While Cloudflare's WAF can help mitigate such vulnerabilities, it is crucial that Drupal 7 users upgrade to the safe version of Drupal immediately. On October 29, 2014, the Drupal Security Team issued a PSA stating that every Drupal 7 website was likely compromised unless updated or patched before Oct 15th, 11 pm UTC. Users who did not update their Drupal 7 installation should read the PSA and follow instructions on cleaning up their site. Updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website. If a site appears patched without user action, it may indicate that the site was compromised, as some attacks have applied the patch to gain control of the site.
Oct 16, 2014
278 words in the original blog post.
A new vulnerability in SSL called POODLE has been discovered, which targets the SSLv3 protocol and allows an attacker to compromise encryption. CloudFlare has disabled SSLv3 across its network by default for all customers, impacting some older browsers like Internet Explorer 6 on Windows XP or older. The company is working with partners to ensure support for HTTPS over other protocols than SSLv3. An option to enable SSLv3 is available for Business and Enterprise customers who prioritize broad browser support over the risk posed by this vulnerability, but it's recommended to leave it disabled unless there's a specific reason to enable it. Google's BoringSSL fork of OpenSSL may provide protection against downgrading SSL connections, mitigating the largest risk posed by this vulnerability.
Oct 14, 2014
582 words in the original blog post.
CloudFlare Pro or above customers benefit from the CloudFlare Web Application Firewall (WAF). For users of popular web platforms like WordPress, Drupal, Plone, WHMCS, and Joomla, it's advisable to check if the relevant WAF ruleset is enabled. The firewall automatically updates these rules when new vulnerabilities are discovered. Enabling a specific ruleset for your technology ensures immediate protection upon release of new rules. To enable a ruleset, simply toggle the ON/OFF button in the WAF Settings. For widespread issues like Heartbleed and Shellshock, CloudFlare provides automatic protection, but for technology-specific updates, enabling the appropriate ruleset is recommended.
Oct 14, 2014
199 words in the original blog post.
The Domain Name System (DNS) is one of the oldest and most fundamental components of the modern internet, used to translate domain names into numeric IP addresses. However, DNS was designed without strong security mechanisms in place, making it vulnerable to attacks such as cache poisoning and on-path attacker attacks. To address these issues, a set of security extensions called Domain Name System Security Extensions (DNSSEC) were developed. These extensions provide authentication for DNS records, allowing resolvers and applications to trust the data received. While adoption of DNSSEC is still relatively low, it has significant potential to improve the trustworthiness and integrity of the internet.
Oct 07, 2014
3,137 words in the original blog post.
On October 6th, 2014, John Graham-Cumming announced the launch of CloudFlare's Universal SSL plan, which provides free SSL certificates to all sites running on their platform and automatically secures them over HTTPS. This not only enhances security but also improves site speed by enabling the SPDY protocol, which requires SSL support. As part of this launch, CloudFlare has also made SPDY available for everyone using its services. The company's mission is to bring internet giants' tools to everyone, focusing on both security and performance improvements.
Oct 06, 2014
256 words in the original blog post.
On October 2, 2014, at 5:44 PM, CloudFlare experienced a downtime that caused inaccessibility of its customers' websites in certain parts of the world. The cause was a BGP route leak by Internexa, an ISP in Latin America, which directed traffic meant for CloudFlare data centers globally to a single data center in MedellĂn, Colombia. This resulted in a 49-minute disruption from 15:08 UTC to 15:57 UTC. The impact varied geographically, with North American traffic dropping by 50% and European traffic decreasing by 12%. Route leakage is a significant problem within the Internet's core routing system, as seen in previous high-profile incidents involving other ISPs. CloudFlare worked directly with Internexa to resolve the issue and has taken steps to prevent future occurrences. Service credits will be issued to affected accounts covered by SLAs.
Oct 02, 2014
472 words in the original blog post.
CloudFlare's Universal SSL enables HTTPS for all websites using its Free plan, increasing the number of sites served over HTTPS from tens of thousands to millions. The company achieved this by leveraging modern hardware and software configurations that significantly reduce the cost of SSL on web servers. By utilizing Intel CPUs with specialized cryptographic instructions, prioritizing AES-based ciphers, and implementing elliptic curve cryptography for private key operations and key establishment, CloudFlare minimized the computational burden of TLS handshakes. Additionally, session sharing techniques and lazy loading of certificates further optimized server resources. This approach demonstrates that SSL can be deployed on a large scale with minimal impact on web server performance.
Oct 01, 2014
1,104 words in the original blog post.