A quick guide on how to act on last week’s news from the field of security.
First and foremost, an important vulnerability was discovered in Cloudflare which affects everyone using it. Extensive details on this vulnerability can be found on the Project Zero page about it and Cloudflare’s Announcement.
The gist of it is that due to an HTML parser bug, Cloudflare reverse proxies ended-up dumping data coming from other sessions in arbitrary responses. This means that if you are running services on Exoscale behind Cloudflare, sensitive information that transited there may very well be present in browser caches and search engines.
Our recommendation would thus be, if you use Cloudflare in any capacity in front of Exoscale services to inform your customers and re-roll any credentials that may have been leaked.
Exoscale obviously does not use Cloudflare for any of its services and thus your Exoscale credentials are safe and do not need to be re-rolled.
The second important piece of news from last week is that SHA-1 has been broken in practice. While planned collisions this requires one year on 110 GPUs to generate, this event marks the end of the viability of SHA-1 for strong cryptographic algorithms. More information can be found here.
This also should serve as a reminder that you should never use fast hash functions like MD5, SHA1, or even SHA256 for password storage. For this, we recommend using either BCrypt or PBKDF2 with a large number of rounds. These approaches are better because comparisons are very slow and expensive, which makes dictionnary attacks unfeasible.
While on the topic of security, we would also like to take this opportunity to encourage you to review your organization settings and ensure all members are using 2-Factor authentication for added protection.