This repository has been archived by the owner on Jan 18, 2018. It is now read-only.

Add vultr.com to list #130

Closed
koitsu opened this issue Feb 24, 2017 · 2 comments

Comments


koitsu commented Feb 24, 2017

As a Vultr (VPS provider) customer, I just received the below Email. The main vultr.com domain does not appear to utilise NS records that point to CF, nor does Vultr disclose what FQDNs/hosts they have which do utilise CF. I did manually find one -- https://my.vultr.com . And for posterity, http://my.vultr.com (non-SSL) redirects to the SSL version.

As such, I feel vultr.com should be added to the list.

From: "[email protected]" [email protected]
To: {removed}
Date: Fri, 24 Feb 2017 14:28:43 -0500
Subject: Vultr.com - Important Security Notice

Dear Valued Client,

As you may know, Vultr utilizes Cloudflare's CDN product to enhance the speed of our website around the globe and protect against various malicious attacks on our site.

Cloudflare recently revealed a security vulnerability that may have resulted in private data from sites whose data is behind the Cloudflare CDN. According to Cloudflare’s security team, the greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage. While Cloudflare patched the discovered issue quickly, it was possible sensitive data was leaked to third party search engines that cache data such as Google.com.

Cloudflare has worked with the security team from Google to search cached data for any relevant Vultr links and has confirmed no data was found. Based on this we have no reason to believe any Vultr customer information has been compromised via this Cloudflare bug.

This is a good opportunity to remind you of best security practices to secure your account:

  • Enable 2 factor authentication for your main vultr.com account login.
  • Change your control panel password every 90 days (or less).
  • Always change your Instance’s default password after initial deploy.
  • If you utilize the API service, ensure your API IP ACLs are configured correctly.
  • Routinely scan your computer for malware, spyware, browser extensions, and Virii that could compromise or leak private information.

We will continue to closely monitor the situation and stay in close contact with Cloudflare should there be any change in the facts we have received thus far. Your account security is our top priority here at Vultr.

Additional Background Information:

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

Regards,

The Vultr Team

Contributor

ddymko commented Feb 24, 2017

👍

Contributor

youngj commented Feb 24, 2017

Done - 279977c

youngj closed this as completed Feb 24, 2017