CloudFlare sites protected from httpoxy

Published on by Ben Cartwright-Cox.

CC BY 2.0 image by Joe Seggiola. We have rolled out automatic protection for all customers for the newly announced vulnerability called httpoxy. This vulnerability affects applications that use “classic” CGI execution models, and could lead to API token disclosure of the services that your application may talk

OpenSSL Security Advisory of 19 March 2015

Published on by Ryan Lackey.

Today there were multiple vulnerabilities released in OpenSSL, a cryptographic library used by CloudFlare (and most sites on the Internet). There has been advance notice that an announcement would be forthcoming, although the contents of the vulnerabilities were kept closely controlled and shared only with major operating system vendors until

No upgrade needed: CloudFlare sites already protected from FREAK

Published on by John Graham-Cumming.

The newly announced FREAK vulnerability is not a concern for CloudFlare's SSL customers. We do not support 'export grade' cryptography (which, by its nature, is weak) and we upgraded to the non-vulnerable version of OpenSSL the day it was released in early January. CC BY 2.0 image by Stuart

SSLv3 Support Disabled By Default Due to POODLE Vulnerability

Published on by Matthew Prince.

For the last week we've been tracking rumors about a new vulnerability in SSL. This specific vulnerability, which was just announced, targets SSLv3. The vulnerability allows an attacker to add padding to a request in order to then calculate the plaintext of encryption using the SSLv3 protocol. Effectively, this allows