Posted February 24, 2017 (edited)

I am hearing particularly serious news going around now that Cloudflare has had a serious security leak due to a bug in their code regarding proxy info, and said info (including passwords) was cached by any site that uses web crawlers or other common functionality. Everyone is strongly recommending that people change their passwords on any site that uses Cloudflare (millions do, including DC DC does not, TJ confirmed below.) and to enable two-factor authentication on any accounts critical to you.

Should there be an official announcement about this, since it affects all DC users and could potentially affect their security?

Here's a preliminary site list on GitHub: https://github.com/pirate/sites-using-cloudflare

This is the official Cloudflare report: https://blog.cloudflare.com/incident-report...are-parser-bug/

Stay safe, everyone, and I'd say change passwords just in case!

Edited February 24, 2017 by Sapphire Ryu

Posted February 24, 2017 (edited)

There are some big sites on that list, but I downloaded the full list and didn't see DC on there. In any case, it is good to periodically change your passwords, and this could be a good prompting to do so.

~Moved to GD as this isn't really a discussion of the site~

Edited February 24, 2017 by SockPuppet Strangler

Posted February 24, 2017

> There are some big sites on that list, but I downloaded the full list and didn't see DC on there.

Well, I don't know if the forums or Invision Power Boards use Cloudflare, but I do know for sure that Dragon Cave itself does:

That's a screenshot of my NoScript dropdown showing scripts currently allowed. So, yeah

Posted February 24, 2017

Dragon Cave does not use Cloudflare for either the site or forums, so you're safe with regards to that.

Regardless of this leak or any other security issues, the best practice is to make sure that you use a unique password per site and that you change passwords every so often. A password manager such as LastPass can help with this.

Posted February 24, 2017 (edited)

> Well, I don't know if the forums or Invision Power Boards use Cloudflare, but I do know for sure that Dragon Cave itself does: That's a screenshot of my NoScript dropdown showing scripts currently allowed. So, yeah

I'm guessing that's for an ad or something in a sig? My ads are blocked and NoScript doesn't show up Cloudflare on the forums or the cave.

Edited February 24, 2017 by fuzzbucket

Posted February 24, 2017

crrrimeny so many friggin password leaks and whatnot these days. uhg. eventually I bet I'll just be changing my password every day at this rate in a few years. I just can't keep up with all this nonsense I can't even keep track of all the sites I have accounts online how in the world am I going to be able to have unique passwords for everything =_=

Maybe I should make up some physical notebook at this point, seems much safer than a password manager imo... Don't have to worry about anyone cracking into /that/ database or some sort of magical virus that logs all your passwords or something. But that might just seem best since I live alone in the middle of the woods. Guess people who live with others don't have that luxury sometimes.

Posted February 24, 2017

Yeah, at this point your best bet is to use complex variations of passwords/phrases such as "Ilike7kitties" and just change things about it, then document the changes in shorthand in a Google Doc. (Ex. actually write down "il7k" in the doc.) That's what I do these days, it's the only way I can remember everything. I personally would never trust a password manager, those can be hacked like anything else.

> I'm guessing that's for an ad or something in a sig? My ads are blocked and NoScript doesn't show up Cloudflare on the forums or the cave.

Perhaps so. I remember not allowing the script in the past, but DC acted strange in some ways without it, so I allowed it. I also do not see ads, so maybe it's something related to them in the background.

Posted February 24, 2017 (edited)

Curse is on the list... Looks like I'm changing my passy, wouldn't want some haxxor gettin' a hold of my beautiful maps.

If "discordapp.com" is on the list, does that apply to the program's sign-in itself or is that just like a forum or something?

Edited February 24, 2017 by Toodles

Posted February 24, 2017 (edited)

> eventually I bet I'll just be changing my password every day at this rate in a few years. I just can't keep up with all this nonsense I can't even keep track of all the sites I have accounts online how in the world am I going to be able to have unique passwords for everything =_=

Pick one secure password, download a password manager (e.g. KeePass), set up a password database with that one secure password, and use long, randomly generated passwords for all sites that you save in the password manager. Back up your password manager database (which is password protected) periodically, e.g. by copying it onto a thumbdrive once a week or, heck, even by dropping it into some cloud storage that you think has sufficient security.

I would not suggest using an online password manager. (Regardless of whether you trust those directly or not - they are delicious hacking targets, and the potential damage is intense.)

Do not use password variations that you can keep in mind. If you can keep track of your pattern, so can almost anyone else that sees two of your passwords that puts their mind to it. With the number of password leaks that happen these days, unfortunately one basically has to assume "two of your passwords" have been leaked at some point. It's an unfortunate situation.

A physical notebook is also totally fine if you can secure that! Though the nice thing about a password manager is the ability to just copy and paste passwords. (That said, if someone has a virus on your computer, you can also just get keylogged, and a physical notebook unfortunately wouldn't help mitigate that any more than a digital password manager would.)

Edited February 24, 2017 by pinkgothic

Posted February 25, 2017

Thanks for posting this! I'm part of a small community hosted by one of the affected sites, so now I can go warn everyone just in case.

...but why are there so many leaks these days? It's going to make me paranoid.

Posted February 25, 2017

Oh man, that sucks. What kind of program do I need to be able to read MD files?

And from what sites I can see, I don't have an account on most of the sites, or it's been so long I am not sure if I actually have an account there (anymore? I dunno lol). I try to usually write my password in a notebook I have near my computer but I have forgotten some before.

Posted February 25, 2017 (edited)

> Oh man, that sucks. What kind of program do I need to be able to read MD files?

Any text editor should be able to open an MD file. Notepad, WordPad - the formatting may not show - but you want the contents, right?

Edited February 25, 2017 by fuzzbucket

Posted February 25, 2017

> Any text editor should be able to open an MD file. Notepad, WordPad - the formatting may not show - but you want the contents, right?

Yeah, I just wanna see the sites, and so thank you!

Posted February 25, 2017 (edited)

I do not by any means want to enforce a discussion on this - but I do indeed need to allow cloudflare.com to do any custom sorting, as well as to be able to have the scrolling background in the cave. Is this the same for anyone else, or is there any short idea how I can get that part working if the reason it is not working isn't actually the blocked cloudflare.com script?

Edit: Thanks for any answers in advance, of course!

Edited February 25, 2017 by NightEagle

Posted February 26, 2017 (edited)

> Curse is on the list... Looks like I'm changing my passy, wouldn't want some haxxor gettin' a hold of my beautiful maps. If "discordapp.com" is on the list, does that apply to the program's sign-in itself or is that just like a forum or something?

It's Discord entirely. I was informed of this through Discord, the Monstercat forum actually. The mods are great. Amino, Wattpad, Patreon, and 4chan (ironically) are affected too.

Edited February 26, 2017 by Jsward322

Posted February 28, 2017

I found some information that may be useful. If you want to see whether a site uses Cloudflare, attach /cdn-cgi/trace after its domain. For example, if you want to see whether curse.com uses CF, you should type curse.com/cdn-cgi/trace in the address bar in your browser. If it doesn't use CF, they will say they can't find the page. If it uses CF, it will show some text that starts with "fl=".

I thought my password is complicated enough... *sigh*

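Added example (not part of the original post): the /cdn-cgi/trace check described above as a small Python script that also rejects sites answering every path with an HTML page. The function names and the sample response bodies are constructed for illustration.

```python
import urllib.error
import urllib.request

# Constructed sample bodies (not captured from any real site).
SAMPLE_TRACE = (
    "fl=000f000\nh=example.com\nip=203.0.113.7\nts=1488240000.123\n"
    "visit_scheme=https\nuag=Mozilla/5.0 (X11; Linux x86_64)\ncolo=AMS\n"
)
SAMPLE_SOFT_404 = "<html><body><h1>Page not found</h1></body></html>"


def parse_trace(body):
    """Parse key=value lines; return {} if any line is not key=value."""
    fields = {}
    for line in body.strip().splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep or not key or " " in key or "<" in key:
            return {}
        fields[key] = value
    return fields


def uses_cloudflare(status, body):
    """True only for a 200 reply whose body is a trace that starts with fl=."""
    if status != 200:
        return False
    fields = parse_trace(body)
    return bool(fields) and next(iter(fields)) == "fl"


def fetch_trace(domain, timeout=5):
    """Fetch https://<domain>/cdn-cgi/trace; return (status, body)."""
    url = "https://%s/cdn-cgi/trace" % domain
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except OSError:  # DNS failure, refused connection, timeout
        return 0, ""


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, uses_cloudflare(*fetch_trace(name)))
```

Run it with one or more domains as arguments; the result only says whether the domain answers through Cloudflare at the moment of the check.
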
Posted February 28, 2017

This really is an impressive issue. It even made national news, it looks like.