Why Cloudbleed is Good for Cloudflare

I went to college in New York City, which is famous for tall buildings, big dreams, delicious bagels and aggressive rats. Sometimes those latter two get a little close for comfort and we get a “health scare.” It happens all the time in New York, and the city food inspector shuts down a local bagel shop on account of vermin or lack of sanitation. The infamous orange letter grade goes up in the window -- “C” or, god forbid, “F” -- and passers-by cringe like they found the old Chinese food container stinking up the refrigerator.

This happened to a bagel shop on the Upper West Side that I absolutely love. They made the best bagel I have ever eaten, and I was distraught when I heard the news. The location shut down. I waited. I wondered how many cockroach legs I had eaten. I feared for the future of the bagel shop.

And then one day the shop reopened, and my roommate excitedly asked if I wanted to go.

“Gross,” I said, “of course not. Haven’t you seen the big letter ‘C’ up in the window?”

“It’s an ‘A’ now,” he said.

But I simply couldn’t stomach the idea. My roommate proceeded to explain the absurdity of my position. I had gone to this bagel shop for years without hesitation. Now, with their fancy new “A” in the window, the place had never been cleaner. The food inspector is sure to pass far more scrutiny on this location given their failing grade, right? The owners, because their doors are shuttered, have all the time and resources in the world to clean up their act, pun intended.

“You’ll never have a more sanitary bagel in your life,” my roommate told me. And so we went. I got an everything bagel with chive cream cheese. And it was incredible; free of cockroach legs. They say New York bagels are better than anywhere on earth because the water in New York is so delicious. I buy it.

Today, CloudFlare got a poor letter “C” stuffed up in their window by researchers at Google’s Project Zero security initiative. Faulty code was leaking data once every roughly 3 million HTTP requests, which is a huge problem for a service that runs at the scale of Cloudflare. It’s been dubbed “cloudbleed.”

The Google researcher who first found the problem, Tavis Ormandy, was able to access huge amount of sensitive data, from dating site private chats to password management files to PII of nearly every kind. As Ormandy said himself, “I’m surprised how much of the internet is behind Cloudflare.”

Ok, so we had another embarrassing breach. How can we trust a security company to secure our business when they have had issues themselves? We were asking the same questions of password manager LastPass when they were breached in 2015. It is time to jump ship?

No!

The bagel shop analogy should be obvious at this point. For all those web security teams out there who are nervous about using Cloudflare, know that Cloudflare is on the cusp of being new, improved and cockroach-leg-free. Ormandy reports with admiration that Cloudflare engineers made three urgent patches to their code in just 7 hours. Wow that was fast recovery and that's what you want from a security vendor!

Believe me when I say Cloudflare’s work won’t stop there. They may not be talking about it to the media, but there’s nothing like a breach to kick an organization into high gear. They’ll be reviewing security practices, testing code, hiring pen testers and vuln finders and adding new layers to their defense. They may have an “C” now, but their rapid reponse is an "A+".

And so the lesson is that we should not fret over breaches. Rather we should take the glass-half-full approach and see them as opportunities to move forward stronger and more secure than before. Only organizations who get attacked will build out the proper security procedures to protect themselves. Those who do not have a one way ticket to breach-ville; it’s just matter of waiting long enough. As is always the case in security, we change our passwords and move on, hopefully savvier and more secure than before.

Thus, cyber attacks are not the arch nemesis of security -- complacency is. It’s not the alerts that should scare us but the silence. I promise that the New York city bagel shop that’s been skating by with low “B’s”  is far less sanitary than the bagel shop reopening after getting a bad grade. Their shop has never been cleaner. Likewise, Cloudflare has never been safer.