Bash vulnerability CVE-2014-6271 patched
September 24, 2014 5:12 PM
This morning, Stephane Chazelas [disclosed](http://seclists.org/oss-sec/2014/q3/649) a vulnerability in the program bash, the GNU Bourne-Again-Shell. ...
August 18, 2014 11:00 AM
We’re pleased to introduce a new CloudFlare App: Tinfoil Security. Tinfoil Security is a service designed to find possible web application vulnerabilities....
June 05, 2014 4:00 AM
The OpenSSL team announced seven vulnerabilities covering OpenSSL 0.9.8, 1.0.0, 1.0.1 and 1.0.2 (i.e. all versions) earlier today....
April 27, 2014 10:00 PM
Within a few hours of CloudFlare launching its Heartbleed Challenge the truth was out. Not only did Heartbleed leak private session information (such as cookies and other data that SSL should have been protecting), but the crown jewels of an HTTPS web server were also vulnerable....
April 17, 2014 10:00 AM
A quick follow-up to our last blog post on our decision to reissue and revoke all of CloudFlare's customers' SSL certificates. One question we've received is why we didn't just reissue and revoke all SSL certificates as soon as we got word about the Heartbleed vulnerability?...
April 12, 2014 9:52 AM
As you may have noticed, the CloudFlare Heartbleed Challenge has been solved. The private key for the site cloudflarechallenge.com has been obtained by several authorized attackers via the Heartbleed exploit....
April 11, 2014 7:00 PM
Earlier today we announced the Heartbleed Challenge. We set up an nginx server with a vulnerable version of OpenSSL and challenged the community to steal its private key....
April 11, 2014 2:27 AM
Below is what we thought as of 12:27pm UTC. To verify our belief we crowdsourced the investigation. It turns out we were wrong. While it takes effort, it is possible to extract private SSL keys....
April 10, 2014 1:59 AM
As we've said before, lots of our users run WordPress on their websites and its popularity makes it a big target. So when a new vulnerability is discovered, acting quickly is prudent....
April 07, 2014 9:00 AM
Today a new vulnerability was announced in OpenSSL 1.0.1 that allows an attacker to reveal up to 64kB of memory to a connected client or server (CVE-2014-0160). We fixed this vulnerability last week before it was made public. ...
January 29, 2014 12:00 PM
Back in 2011, the BEAST attack on the cipher block chaining (CBC) encryption mode used in TLS v1.0 was demonstrated. At the time the advice of experts (including our own) was to prioritize the use of RC4-based cipher suites....
October 03, 2013 11:00 AM
A critical zero-day vulnerability was published today affecting any hosting provider using WHMCS. As part of building a safer web, CloudFlare has added a ruleset to our Web Application Firewall (WAF) ...
April 24, 2013 10:36 PM
The team at the research firm Sucuri announced a serious vulnerability to W3TC and WP Super Cache this afternoon. (Update: it appears the vulnerability was first reported on WordPress.org about a month ago.)...
February 04, 2013 2:26 PM
CloudFlare often gets early word of new vulnerabilities before they are released. Last week we got word that today (Monday, February 4, 2013) there would be a new SSL vulnerability announced. ...