Cloudbleed: When Hidden Trusted Parties Leak your Data


#1

Yesterday, it was revealed by Google’s Project Zero that Cloudflare (a popular Content Delivery Network) was leaking sensitive information between websites. For example, if Alice signed into OKCupid.com (which uses Cloudflare), Bob can see Alice’s password, her private messages, her full profile, and her credit card number by exploiting a bug in Cloudflare (by requesting a specially-crafted HTML page). This bug affects every site that uses Cloudflare, which number in the millions.

The fundamental problem is that Cloudflare is a trusted middle-man between the site and the user. In most configurations, Cloudflare is the TLS endpoint for the site (TLS provides communications security over the Internet using cryptography). What this means is that when you log into the site behind Cloudflare via HTTPS, you’re really connecting to a Cloudflare proxy via HTTPS. The proxy then connects to the back-end site via a separate HTTPS connection. This means that by using Cloudflare, the site allows it to Man-in-the-Middle attack all of its users’ connections without the user’s knowledge.

This is obviously a huge breach of trust. When you sign into your favorite sites, you rightfully expect that only you and the site ever see your usernames, passwords, credit card numbers, and so on. But Cloudflare also sees this data, and due to this bug, so does everyone else.

How Blockstack Would Have Prevented This

Blockstack apps have no trusted middlemen. The design simply does not admit them into the trusted computing base. It does so in three ways:

  • Your authentication credentials never leave your computer. There are no passwords in Blockstack; you sign into apps with Blockstack using a private key known only to you. Since you never send your password to the app, there’s nothing to compromise.

  • Blockstack enforces the Trust-to-Trust Principle. The only trust link Blockstack allows is between you and the application developer’s code. It doesn’t matter where the application’s code is hosted, where your data is hosted, what underlying network you use, and which CDNs are involved in your connection; all these are outside the trusted zone. If an app wants to do something potentially evil like send funds from your Blockstack wallet or transfer your names, the only way for it to do so is to ask for your explicit permission using your locally-running Blockstack node. Since only your local node can spend your money or modify your identity, there’s nothing a leaky middleman can do to hurt you.

  • Your data is signed and encrypted end-to-end. With Blockstack, your application-specific data is signed with your private key, and encrypted before it leaves your device. You choose who may decrypt it. Your storage providers (and leaky CDNs) will only see ciphertext, so there’s no security lost by using them.

The Way Forward

If you used any of the Cloudflare-affected sites, you should rotate your passwords and other sensitive information. In the future, we should design our applications to use CDNs for availability, but not correctness. Blockstack applications can still use CDNs to accelerate data delivery, but the CDN would only see ciphertext. Blockstack app developers cannot betray your trust by using a man-in-the-middle, since by design you don’t trust any devices that you don’t own.
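An added example, not part of the original post or of Blockstack's own code, showing the third design point above in working form: the user signs and encrypts data on their own device before it goes to any CDN or storage provider, so a middleman holds only ciphertext and any alteration it makes is detected on the way back. It uses only the Go standard library (AES-256-GCM for encryption, Ed25519 for signing); the names `Seal`, `Open`, `Envelope`, `MiddlemanView` and `Tamper` and the sample message are constructed here for illustration and do not correspond to any real Blockstack API.

```go
package main

// Added example (not from the original post): sign-then-encrypt so that a
// CDN, storage provider or TLS proxy only ever handles ciphertext.
// Names and the "leaky middleman" below are constructed for illustration.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is all a middleman ever sees: nonce, AES-GCM ciphertext, and an
// Ed25519 signature over nonce||ciphertext.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

// NewIdentity makes a signing keypair that never leaves the user's device.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewDataKey makes a 256-bit key shared only with the readers the user chooses.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Seal encrypts with AES-256-GCM, then signs nonce||ciphertext so a reader
// can check both who wrote the blob and that nothing changed it in transit.
func Seal(plaintext, dataKey []byte, signer ed25519.PrivateKey) (Envelope, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	sig := ed25519.Sign(signer, append(append([]byte{}, nonce...), ct...))
	return Envelope{Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open verifies the signature first, then decrypts; tampering by the
// middleman fails one of the two checks and no plaintext is returned.
func Open(env Envelope, dataKey []byte, author ed25519.PublicKey) ([]byte, error) {
	signed := append(append([]byte{}, env.Nonce...), env.Ciphertext...)
	if !ed25519.Verify(author, signed, env.Signature) {
		return nil, errors.New("signature does not verify: wrong author or modified in transit")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication tag mismatch: ciphertext modified or wrong key")
	}
	return pt, nil
}

// MiddlemanView is everything a leaky CDN could disclose: it holds neither
// the data key nor the signing key, so the most it can leak is these bytes.
func MiddlemanView(env Envelope) string {
	return fmt.Sprintf("nonce=%x ct=%x sig=%x", env.Nonce, env.Ciphertext, env.Signature)
}

// Tamper simulates a middleman that flips one bit of the stored ciphertext.
func Tamper(env Envelope) Envelope {
	out := env
	out.Ciphertext = append([]byte{}, env.Ciphertext...)
	out.Ciphertext[0] ^= 0x01
	return out
}

func main() {
	pub, priv, _ := NewIdentity()
	key, _ := NewDataKey()
	env, _ := Seal([]byte("alice's private message"), key, priv) // constructed sample
	fmt.Println("CDN sees:", MiddlemanView(env))
	pt, err := Open(env, key, pub)
	fmt.Println("reader gets:", string(pt), err)
	_, err = Open(Tamper(env), key, pub)
	fmt.Println("tampered copy:", err)
}
```

The signature is checked before decryption so that a forged or replaced blob is rejected without ever touching the data key, and the GCM tag independently catches any byte the middleman changes; with this layout a Cloudbleed-style leak from the proxy exposes only the hex in `MiddlemanView`, never the message.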


#2

Perils of centralization! I love Cloudflare and think they’ve done a great job at democratizing access to CDNs and bringing down the cost of these services. The issue here is not with any specific company, like Cloudflare, but the overall model of having a centralized proxy service.


#3

Agreed. I use Cloudflare heavily and am a long-term enthusiastic customer. It’s important to understand why people use Cloudflare. In my case, I use it for speed and DDoS protection. Cloudflare is a vast improvement upon what came before, both in terms of cost, quality, and accessibility.

The downside is that these benefits delivered through Cloudflare come at the cost of centralization and trust in a 3rd party, and create a single point of failure.

We can (and will!) deliver many of the same benefits as Cloudflare (and many more) by decentralizing the internet and removing single points of failure.


#4

They can provide the speed benefits by delivering ciphertext over their CDN and denying requests from hosts that they think are part of a DDoS attack. There is certainly a place for CDNs in a new decentralized web.


#5

I really love this type of article, pointing out a problem and seeing how Blockstack would have prevented it.