mTLS client certificate revocation vulnerability with TLS Session Resumption
2023-04-03
This blog post outlines the root cause analysis and solution for a bug found in Cloudflare’s mTLS implementation...
Continue reading »
However improbable: The story of a processor bug
2018-01-18
Processor problems have been in the news lately, due to the Meltdown and Spectre vulnerabilities. But generally, engineers writing software assume that computer hardware operates in a reliable, well-understood fashion, and that any problems lie on the software side of the software-hardware divide....
An Explanation of the Meltdown/Spectre Bugs for a Non-Technical Audience
2018-01-08
Last week the news of two significant computer bugs was announced. They've been dubbed Meltdown and Spectre and they take advantage of very technical systems that modern CPUs have implemented to make computers extremely fast. ...
Quantifying the Impact of "Cloudbleed"
2017-03-01
Last Thursday we released details on a bug in Cloudflare's parser impacting our customers. It was an extremely serious bug that caused data flowing through Cloudflare's network to be leaked onto the Internet....
Incident report on memory leak caused by Cloudflare parser bug
2017-02-23
Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare....
MORE POSTS
January 01, 2017 10:40 PM
How and why the leap second affected Cloudflare DNS
At midnight UTC on New Year’s Day, deep inside Cloudflare’s custom RRDNS software, a number went negative when it should always have been, at worst, zero. A little later this negative value caused RRDNS to panic. ...
- By
July 18, 2016 3:26 PM
CloudFlare sites protected from httpoxy
We have rolled out automatic protection for all customers for the the newly announced vulnerability called httpoxy....
- By
October 29, 2015 9:26 PM
Creative foot-shooting with Go RWMutex
Hi, I'm Filippo and today I managed to surprise myself! (And not in a good way.) I'm developing a new module ("filter" as we call them) for RRDNS, CloudFlare's Go DNS server. ...
- By
September 08, 2015 9:55 AM
Weird bug of the day: Twitter in-app browser can't visit site
We keep a close eye on tweets that mention CloudFlare because sometimes we get early warning about odd errors that we are not seeing ourselves through our monitoring systems. Towards the end of August we saw a small number of tweets like this one:...
- By
March 19, 2015 3:15 PM
OpenSSL Security Advisory of 19 March 2015
Today there were multiple vulnerabilities released in OpenSSL, a cryptographic library used by CloudFlare (and most sites on the Internet)....
- By
September 30, 2014 10:38 PM
Inside Shellshock: How hackers are using it to exploit systems
On Wednesday of last week, details of the Shellshock bash bug emerged. This bug started a scramble to patch computers, servers, routers, firewalls, and other computing appliances using vulnerable versions of bash....
- By
April 11, 2014 2:27 AM
Answering the Critical Question: Can You Get Private SSL Keys Using Heartbleed?
Below is what we thought as of 12:27pm UTC. To verify our belief we crowd sourced the investigation. It turns out we were wrong. While it takes effort, it is possible to extract private SSL keys....
- By
April 07, 2014 9:00 AM
Staying ahead of OpenSSL vulnerabilities
Today a new vulnerability was announced in OpenSSL 1.0.1 that allows an attacker to reveal up to 64kB of memory to a connected client or server (CVE-2014-0160). We fixed this vulnerability last week before it was made public. ...
- By
November 18, 2011 11:08 PM
Cloudflare Tips: Troubleshooting Common Problems
Debugging technical issues online can be tricky. There are many moving pieces; it can be an isolated network connection with the ISP, an issue with your server or one of CloudFlare's data centers could be temporarily having a problem....
- By