Today, the internet is awash with two major security concerns: SHA-1 and ‘Cloudbleed’.
Yesterday, Cloudflare and Google’s Project Zero announced details of a months-old, undetected security leak affecting websites and apps that use Cloudflare. Reminiscent of the ‘Heartbleed’ bug, this threat has been nicknamed ‘Cloudbleed.’
The bug has been leaking approximately 1 out of every 3.3 million requests from Cloudflare. This memory can (and is likely to) include sensitive information from any site using Cloudflare. You can even see some of the affected data through web search, which is how this leak was accidentally discovered in the first place.
This is a big thing. Close to 10% of all internet traffic is routed through Cloudflare, which optimises content loading speeds and mitigates attacks. Big names such as Uber, Medium, TransferWise, and StackOverflow all use Cloudflare services. The list of affected websites is long.
A little while before the Cloudbleed announcement another security announcement came, this time about authentication.
It seems SHA-1, one of the oldest ways of securely validating the authenticity of files, has been successfully broken for the first time in a real-world scenario.
Even though SHA-1 has been known to be vulnerable to theoretical attacks since 2005 - and many security-conscious organizations have stopped using it over the last few years - this is the first time the vulnerability has appeared in the real-world.
Despite efforts to phase out SHA-1 the security algorithm is still widely used to validate credit card transactions, electronic documents, open-source software, repositories, software updates, and backups.
In a blog from Google, one of the two parties exposing this weakness, the search giant states:
“Moving forward, it’s more urgent than ever for security practitioners to migrate to safer cryptographic hashes such as SHA-256 and SHA-3.”
While it’s true this vulnerability currently takes the capability of a nation state to take advantage of, it’s worrying for future security everywhere on the internet. This is especially true as we create more data and increasingly rely on the insights and capabilities data afford us.
Protecting yourself with backups
For both the Cloudbleed and SHA-1 issues, secure and current backups provide a level of security afforded by no other means.
In a worst case scenario, no matter how bad a breach or hack due to third-party vulnerabilities, if you have recent database backups (secured by two-factor authentication) you can recover very quickly.
Many of us know we should backup on a regular basis but very few of us actually do. This is a combination of limited secure, automated database backup services (AWS excluded) and human nature.
What usually ends up happening is adhoc backups when we remember or when something like ‘Cloudbleed’ or SHA-1 jolts us into action.
In the future, automated backups will help protect us all from security issues like these.
What you should do now
- Change all your passwords and enable two-factor authentication
- Stop using SHA-1
- Incorporate database backups into the very fabric of your online activities