CloudFlare/Cloudbleed and Airbitz

'

As you may have heard, there was was recently a major flaw discovered within CloudFlare, a service used on many websites to improve web performance and protect against denial of service attacks.

Airbitz does not utilize any of Cloudflare’s services and hence no Airbitz user info or data were compromised.

The cause of the Cloudflare bug has been identified, and has now been fixed. However, there was a small percentage (<.0001%) of HTTP requests that may have leaked sensitive user information including unencrypted usernames and passwords.

The Airbitz Edge-Security architecture *assumes* that network connectivity has been compromised and ensures all sensitive info is client-side encrypted so that only end-users can unlock their data. Airbitz user data, bitcoin private keys, usernames, and passwords were not compromised.

However, if you use an Airbitz password that is similar to one used by other services, we recommend changing your Airbitz password as soon as possible to prevent passwords acquired from other compromised services from being used on your Airbitz account.

Most of all we recommend all Airbitz users enable One-Touch 2 Factor Authentication on their account which protects them against attackers which might have acquired their username and password. We’ve designed our One-Touch 2FA to make it as seamless and invisible for users. No need to install 3rd party apps like Google Authenticator and no need to copy and paste 6 digit codes. Simply enable it and forget it.

Screen Shot 2017-02-27 at 3.52.15 PM

This incident is an important reminder that there are major flaws with the security model internet in its current form. Relying on centralized services such as CloudFlare with millions of users’ unencrypted data is begging for compromise in the same manner that relying on centralized, hosted services to secure our digital currency has created the largest losses of bitcoin.

CTOs and IT managers, should take inspiration from bitcoin/blockchain technology and utilize decentralization to protect their infrastructure. A peer-to-peer designed server architecture is inherently more robust against denial of service attacks while decentralized security solutions like Airbitz Edge Security protects against compromised networks or servers. Compromised passwords from the Cloudflare leak could have been prevented using public/private key authentication (see BitID) much like how wallets authenticate to the bitcoin blockchain. We applaud our partner Glidera (acquired by Kraken) for implementing BitID and protecting many accounts from any compromised passwords.

Additional info on the CloudFlare bug

https://www.wired.com/2017/02/crazy-cloudflare-bug-jeopardized-millions-sites/

List of websites affected

https://www.wired.com/2017/02/crazy-cloudflare-bug-jeopardized-millions-sites/

BitID information

https://www.wired.com/2017/02/crazy-cloudflare-bug-jeopardized-millions-sites/

Leave a Reply

Your email address will not be published. Required fields are marked *