Talk:Cloudflare

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Request Edit 2022[edit]

Hi, I have a few more suggestions for this article, including correcting several significant accuracy and NPOV problems . As noted previously, I have a COI as a Cloudflare employee, so I cannot make these changes myself. Thanks very much.

1. In Controversy, sub-section Reaction to 2022 Russian invasion of Ukraine

Please replace:

During the 2022 Russian invasion of Ukraine, Cloudflare refused to join the international community and withdraw from the Russian market. Research from Yale University updated on April 28, 2022 identifying how companies were reacting to Russia's invasion identified Cloudflare in the worst category of "Digging In", meaning Defying Demands for Exit: companies defying demands for exit/reduction of activities. [1]

With:

After Russia invaded Ukraine in late February 2022 Ukrainian Vice Prime Minister Mykhailo Fedorov[2] and others[3] called on Cloudflare to stop providing its services in the Russian market amidst reports that Russia-linked websites spreading disinformation were using the company’s content delivery network services.[4] Cloudflare CEO Matthew Prince responded that “[i]ndiscriminately terminating service would do little to harm the Russian government but would both limit [Russian citizens’] access to information outside the country and make significantly more vulnerable those who have used us to shield themselves as they have criticized the government.”[5] The company later said it had minimal sales and commercial activity in Russia and had "terminated any customers we have identified as tied to sanctioned entities."[6]

Explanation: replaces WP: Primary with WP:RS; corrects NPOV issues; corrects factual errors ; includes WP:DUE.


2. The first paragraph in the Intrusions subsection of the Security and Privacy Issues section is a highly inaccurate accounting of the event (including a doctored quote), concerning an attack of the website 4chan by a hacker group called UGNazi via accessing Cloudflare’s back-end. The paragraph is sourced to two blog posts.

Here is the current version of the first paragraph]:

The hacker group UGNazi attacked Cloudflare in June 2012 by gaining control over Cloudflare CEO Matthew Prince's voicemail and email accounts, which were hosted on Google. From there, they gained administrative control over Cloudflare's customers and used that to deface 4chan. Prince later acknowledged, "The attack was the result of a compromise that allowed the hacker to eventually access my Cloudflare.com email addresses" and as the media pointed out at the time, "the keys to his business were available to anyone with access to his voicemail."[7][8]

And here is a version that is actually accurate,:

On June 1, 2012, the hacker group UGNazi redirected visitors to the website 4chan to a Twitter account belonging to UGNazi by “hijacking” 4chan’s domain via Cloudflare. After initiating a password recovery for the Google Apps’ hosted email account of Cloudflare CEO Matthew Prince, UGNazi then allegedly tricked AT&T support staff into giving them access to his voicemail. Exploiting a bug in Google App’s two-factor authentication security procedures, the hackers allegedly used the voicemail-recovered password to access Prince’s email account without a second layer of authentication. Once in control of Prince’s email account, they were able to do a redirect of the 4chan domain through Cloudflare’s database.[9][10]

Explanation: The current Wikipedia paragraph inaccurately says this was an attack on Cloudflare, rather than 4chan and it severely doctors a quote to omit text saying that the security “compromise” was with Google Apps – in order to imply it was a Cloudflare “compromise”:

Here is the actual quote from Maclean’s

“The attack was the result of a compromise of Google’s account security procedures that allowed the hacker to eventually access to [sic] my CloudFlare.com email addresses, which runs on Google Apps,” wrote CloudFlare’s CEO Matthew Prince.

And here is how it has been doctored on Wikipedia, to omit mention of Google:

“The attack was the result of a compromise that allowed the hacker to eventually access my Cloudflare.com email addresses” 

Either an accurate version of the event should replace the current version or the paragraph should just be omitted because it was only covered by two niche blogs and is not relevant to the history of the company. WP:NOTEVERYTHING, and WP:NOTNEWS).

3. In the Security and Privacy Issues section, Data leaks subsection, the first paragraph should be replaced because it is inaccurate, poorly sourced and violates WP:NPOV. Here’s the current version:

From September 2016 until February 2017, a major Cloudflare bug leaked sensitive data, including passwords and authentication tokens, from customer websites by sending extra data in response to web requests.[11] The leaks resulted from a buffer overflow which occurred, according to numbers provided by Cloudflare at the time, more than 18,000,000 times before the problem was corrected.[12][13][14][15]

Here is a suggested replacement:

In February 2017, a bug within Cloudflare's services was discovered by a Google engineer. According to USA Today, “When Cloudflare encountered a website with poorly-constructed HTML, data from other websites using Cloudflare's programs could leak onto those sites, making the data easy to read.” Cloudflare reported that there was no evidence that any sensitive information was leaked as a result of the Cloudbleed bug. It was fixed within a week.[13]

Explanation: The current Wikipedia paragraph definitively states there was a bug that resulted in customer data being leaked, In fact, the USA Today source cited explicitly says that Cloudbleed "may have leaked" data, and Cloudflare was quoted in the USA Today piece saying that “there’s no sign the bug was exploited” by anyone. In the second sentence of the paragraph, three of the four sources are primary (all blog posts), and the fourth, USA Today, does not state “more than 18,000,000 times before the problem was corrected.” Without press coverage, cherry-picking details from company blog posts fails to establish encyclopedic relevancy. Instead it’s WP:OR.

4. In the [Cloudflare#Service outages|Service outages subsection] of the Security and Privacy Issues section, the first sentence is WP:CRYSTAL and should be removed. It reads:

Cloudflare outages can bring down large chunks of the web.[16]  

This is speculation about what may happen (and the source speculates about multiple CDNs, not just Cloudflare). The following two sentences are actual events.

Thanks again for considering these requests. Ryanknight24 (talk) 19:45, 23 March 2022 (UTC)Reply[reply]

Partially Accepted[edit]

I accepted edits 1, 2, & 4 with minor modifications. Your suggested edit for issue 3 discussing Cloudbleed need some additional work, as your edit request appears to downplay the issue and leave out information. Other sources specifically note that there was leakage of "passwords, cookies, authentication tokens".[17]

The current text could use still use improvement, so please discuss here if you think there are still edits required.

Jttx76 (talk) 18:39, 30 June 2022 (UTC)Reply[reply]

@Jttx76: Hi, thanks very much for your comments and for implementing Proposals 1, 2, and 4 above. Regarding #3, It was certainly not my intention to downplay things, but while it’s true that the Today source I worked from does say that there is no evidence the exploit was used, TechCrunch article, as you noted in your reply, does say that Cloudbleed vulnerabilities were exploited. Strictly speaking, an argument could be made that USA Today is a more “prominent” source (as per WP:BALANCE) and therefore takes precedence over TechCrunch here. (There have also been questions over the years about the reliability of TechCrunch. WP:TechCrunch) But since at least one reputable source says that information was leaked, it seems to me that a more reasonable way to deal with the issue is to provide the information from both sources, as opposed to cherry-picking one of the two.
With that being the case, here’s my revised suggestion #3 above, which now includes both sources and attributes the reporting to each one as per WP:BALANCE:

In February 2017, a bug within Cloudflare's services was discovered by a Google engineer. According to USA Today, “When Cloudflare encountered a website with poorly-constructed HTML, data from other websites using Cloudflare's programs could leak onto those sites, making the data easy to read.”[13] USA Today also reported that Cloudflare had said there was no evidence that any sensitive information was leaked as a result of the Cloudbleed bug,[13] but TechCrunch reported that at least some sensitive information, including passwords, had in fact been leaked.[18] After its discovery, the Cloudbleed bug was fixed within a week.[13]

What do you think? Ryanknight24 (talk) 17:33, 14 July 2022 (UTC)Reply[reply]


References

  1. ^ "Over 750 Companies Have Curtailed Operations in Russia—But Some Remain". Yale School of Management. Retrieved 28 April 2022.
  2. ^ Timberg, Craig; Zakrzewski, Cat; Menn, Joseph (4 March 2022). "A new iron curtain is descending across Russia's Internet". Washington Post. Retrieved 11 May 2022.
  3. ^ Moore, Logan; Vanjani, Karishma (25 March 2022). "These Companies Haven't Left Russia. Behind Their Decisions to Stay". Barrons. Retrieved 17 May 2022.
  4. ^ Stone, Jeff; Gallagher, Ryan (8 March 2022). "Cloudflare Rebuffs Ukraine Requests to Stop Working With Russia". Bloomberg. Retrieved 11 May 2022.
  5. ^ Brodkin, Jon (8 March 2022). "Cloudflare refuses to pull out of Russia, says Putin would celebrate shutoff". Ars Technica. Retrieved 19 April 2022.
  6. ^ Morrow, Allison (26 May 2022). "Crypto is dead. Long live crypto: Davos Dispatch". CNN. Retrieved 26 May 2022.
  7. ^ Simcoe, Luke (June 14, 2012). "The 4chan breach: How hackers got a password through voicemail". Maclean's. Archived from the original on January 15, 2014. Retrieved August 22, 2019. What makes the 4chan hack interesting is how it was done. UGNazi got to 4chan by attacking the site's host – a company called Cloudflare. 'The attack was the result of a compromise that allowed the hacker to access my Cloudflare.com email addresses, which runs on Google Apps,' wrote Cloudflare's CEO Matthew Prince. In Prince's case, the keys to his business were available to anyone with access to his voicemail.
  8. ^ Smith, Ms. (June 3, 2012). "Hacktivists UGNazi attack 4chan, Cloudflare and Wounded Warrior Project". Privacy and Security Fanatic. NetworkWorld. Archived from the original on November 12, 2013. Retrieved August 22, 2019.
  9. ^ Simcoe, Luke (June 14, 2012). "The 4chan breach: How hackers got a password through voicemail". Maclean's. Archived from the original on January 15, 2014. Retrieved August 22, 2019.
  10. ^ Smith, Ms. (June 3, 2012). "Hacktivists UGNazi attack 4chan, Cloudflare and Wounded Warrior Project". Privacy and Security Fanatic. NetworkWorld. Archived from the original on November 12, 2013. Retrieved August 22, 2019.
  11. ^ Conger, Kate (February 23, 2017). "Major Cloudflare bug leaked sensitive data from customers' websites". TechCrunch. Retrieved August 22, 2019.
  12. ^ Steinberg, Joseph (February 24, 2017). "Why You Can Ignore Calls To Change Your Passwords After Today's Massive Password Leak Announcement". Inc. Retrieved February 24, 2017.
  13. ^ a b c d e Molina, Brett (February 28, 2017). "Cloudfare bug: Yes, you should change your passwords". USA Today. Retrieved March 1, 2017. Cite error: The named reference "USA Today" was defined multiple times with different content (see the help page). Cite error: The named reference "USA Today" was defined multiple times with different content (see the help page).
  14. ^ "About Cloudflare". Cloudflare. Archived from the original on March 4, 2017. Retrieved 16 June 2021. Every week, the average Internet user touches us more than 500 times.
  15. ^ "Incident report on memory leak caused by Cloudflare parser bug". Cloudflare. February 23, 2017. Archived from the original on February 23, 2017. Retrieved 16 June 2021. 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulted in memory leakage.
  16. ^ Dodds, Io (12 June 2021). "Why the internet is just one domino away from collapse". The Telegraph. Archived from the original on January 12, 2022. Retrieved 13 August 2021.
  17. ^ Conger, Kate (February 23, 2017). "Major Cloudflare bug leaked sensitive data from customers' websites". TechCrunch. Retrieved June 30, 2022.
  18. ^ Conger, Kate (February 23, 2017). "Major Cloudflare bug leaked sensitive data from customers' websites". TechCrunch. Retrieved June 30, 2022.

Founded year[edit]

Sidebar and article introduction disagree whether it's founded in 2009 or 10. --RubenKelevra (talk) 07:01, 1 August 2022 (UTC)Reply[reply]