Same DNS to newly added domains on Cloudflare


#1

Hi,

A few days ago our company got blackmailed and we refused to pay. Today we woke up and about 180 websites that we host were exploited with the same bug. All 180 websites went offline (we use Cloudflare on all of them). At that moment we didn't know the bug, and out of despair we ended up paying the “hacker” R$ 20.000,00 (about 5000 US dollars) to tell us how to fix the problem. In his answer he told us the bug/exploit that he found, and we have already provided a fix for that.

BUT that alone wouldn't have created much of a problem for us. What created lots of problems for us is that this hacker said he got all the websites we host using the DNS provided by Cloudflare. This is a serious problem with Cloudflare: any domain that we add to our panel gets exactly the same DNS as our entire account. This started happening 2 or 3 years ago. Before that, the DNS provided by Cloudflare was “random”.

I know that with only the DNS this “hacker” should have discovered millions of domains that have no relation to us. But he said that what he did was narrow the list of websites that used the same DNS, filtering first for the ones that use “.com.br” (90% of the websites we host are “.com.br”), and he said he used other things to narrow the list, and after that he automated a tool to exploit the bug on all the domains left on his list (some were ours, others were not), and surely all the domains that were ours got the bug exploited and the websites went offline.

So I ask you: is it possible for you to start assigning random DNS to newly added domains on our Cloudflare account? This way it would be much harder to narrow down all the domains that are hosted with us.


#2

Sorry to hear that your websites were exploited, but all Cloudflare domains on an account getting the same pair of nameservers isn’t really an issue or “exploit”. Security through obscurity isn’t security.


#3

Well said @Judge :slight_smile:


#4

Respectfully I TOTALLY DISAGREE WITH YOU @JUDGE.

“Security through obscurity isn’t security”. Well, so why are you using Cloudflare in the first place? Isn't a big reason to use Cloudflare being able to hide your server? I know LOTS of other things Cloudflare provides and most of them are really great. But the core business, mainly at the beginning of Cloudflare, was to protect servers from attacks or compromises? After a while Cloudflare also started being used to improve performance (as a CDN should do) and so on.

Obscurity IS SECURITY most of the time. We can start a huge debate here, but why do you think most of the macOS code is obscured? Security. There are $$$ reasons for Apple, but obscurity helps a lot because you can avoid people looking at your code and finding bugs - it’s way harder.

I have to totally disagree with you. Also, my company hosts many websites and applications. We use a totally custom CMS on all of our projects. LET'S JUST ASSUME some hacker finds a bug in one of our applications/websites. If Cloudflare approaches that hacker and says “HEY YOU FOUND A BUG! Here is a list of 300 other websites that have this same bug. Feel free to exploit.”

What would you say??? Wouldn't it be better to have your other websites hidden from the hacker and have only one website exploited? So you can fix that problem and spread the solution to all of the other websites.


#5

Obscurity can help in protecting websites, however I am with @judge on this. It should not be the main part of the security.


#6

Who here said it should be the “main part of the security”? I am doing my part, I am helping to protect most of the websites we host. We use many techniques to detect bugs, to prevent problems… but sh*t happens and if you can prevent problems, you should.

There is no benefit in using the same DNS across hundreds of domains. There are many more benefits in using different DNS than identical. If obscurity is not considered a benefit, in your opinion, I will add another benefit: in the current state, if the DNS that Cloudflare provides to all of our 200 domains starts to have problems, ALL the 200 domains will be offline. On the other hand, if multiple DNS were used, some websites would have problems, but not all of them.


#7

I never said that it wouldn’t be a benefit, I just said that it shouldn’t be the main part.

Great! This security is really important too.


#8

:slight_smile: @domjh


closed #9

This topic was automatically closed after 30 days. New replies are no longer allowed.