Impact of the "CloudBleed" bug on www.ietf.org

IETF Chair <chair@ietf.org> Sat, 25 February 2017 20:43 UTC

From: IETF Chair <chair@ietf.org>
Subject: Impact of the "CloudBleed" bug on www.ietf.org
Date: Sat, 25 Feb 2017 22:43:50 +0200
Message-Id: <EBDE9228-B232-47B0-BFE1-3AC524ADBED8@ietf.org>
To: IETF Announcement List <ietf-announce@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/zbOxFIeEYj9dH6DQyUuzSEZx00s>
Cc: IETF <ietf@ietf.org>

As you may have seen, there was a recent and widely publicised bug
in the Cloudflare service. You can read more about the bug here:

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
https://github.com/pirate/sites-using-cloudflare

Since the IETF uses Cloudflare for our public-facing website, you may
be wondering whether there are IETF effects.

I wanted to let people know that we performed an initial analysis
of the possible impacts on Friday. The site www.ietf.org is primarily
static and the more interesting content is at datatracker.ietf.org
and various wikis that are not hosted at Cloudflare. However,
we realised that there are a few groups of users (such as
the ADs) who use IETF credentials on www.ietf.org.

Consequently, it is possible that some of these credentials were
compromised. We’ve taken the precaution of changing the
potentially affected passwords. As the analysis continues in
the starting week, if we identify further groups that may be
affected, we may be asking you to reset your passwords;
if you get such a request, please take action as soon as
possible.

For your information, datatracker passwords can always
be changed here:

https://datatracker.ietf.org/accounts/password/

Jari Arkko, IETF Chair