Yet Another Padding Oracle in OpenSSL CBC Ciphersuites

Published on by Filippo Valsorda.

Yesterday a new vulnerability was announced in OpenSSL/LibreSSL. A padding oracle in CBC mode decryption, to be precise. Just like Lucky13. Actually, it’s in the code that fixes Lucky13. It was found by Juraj Somorovsky using a tool he developed called TLS-Attacker. Like in the “old days”, it has no name except CVE-2016-2107. (I call it LuckyNegative20.) It’s a wonderful example of a padding…

Introducing CloudFlare Origin CA

Published on by Patrick R. Donahue.

Free and performant encryption to the origin for CloudFlare customers. In the fall of 2014 CloudFlare launched Universal SSL and doubled the number of sites on the Internet accessible via HTTPS. In just a few days we issued certificates protecting millions of our customers’ domains and became the easiest way to secure your website with SSL/TLS. At the time, we "strongly recommend[ed] that site owners install…

Stronger protection and more control over security settings with CloudFlare’s new cPanel plugin

Published on by Rahul Mahajan.

CloudFlare has released a new version of our plugin for cPanel with two new features and more control over the security settings of your website. The new plugin (v6.0) uses the latest cPanel PHP-based APIs, and is completely re-architected to make adding new features easier, allowing for more frequent updates. We’ve always focused on making integration with CloudFlare as easy as possible. As a customer of…

Bangkok, Thailand: CloudFlare’s 79th Data Center

Published on by Nitin Rao.

CloudFlare just turned up our newest data center in Bangkok, the capital of Thailand and a very popular destination with travelers in Southeast Asia. This expands our network to span 32 cities across Asia, and 79 cities globally. [Photo: The floating market at Damnoen Saduak, just outside Bangkok. Photo source: CloudFlare's very own Martin Levy.] Thailand, with a population of 65 million, is the fourth largest country in Southeast…

Lizard Squad Ransom Threats: New Name, Same Faux Armada Collective M.O.

Published on by Justin Paine.

CloudFlare recently wrote about the group of cyber criminals claiming to be the "Armada Collective." In that article, we stressed that this group had not followed through on any of the ransom threats they had made. Quite simply, this copycat group of cyber criminals had not actually carried out a single DDoS attack—they were only trying to make easy money through fear by using the name…