Web Cache Deception Hacks

Web Cache Deception Hacks

Web cache deception hacks are a fairly recent threat, first described by Omer Gil in February 2017. In certain situations a hacker could leverage a misconfiguration between a web server and a proxy cache like Cloudflare to reveal sensitive information that could help the hacker takeover my account. To be honest, this seems like a very unlikely threat. The situations that could cause it seem complex and obscure, and large scale attacks of this sort have not been observed in the wild.

But, I never know when a brilliant bad guy or gal could find a way to expand a tiny, obscure threat into a great big nasty one. So, it makes sense to do what I can to prevent it. Cloudflare initially recommended that each and every Cloudflare user carefully check his or her server and Cloudflare configurations, and fix anything amiss. Kinda wishful thinking there on Cloudflare’s part. This is sure to be over the head of most users, and even those tech-savy enough to do it probably won’t get the word, this being an obscure threat.

Fortunately Cloudflare introduced a more practical solution about a few months later, in January 2018. The Cache Deception Armor page rule promises protection from Web Cache Deception hacks while still allowing static assets to be cached. It makes sense to include this new rule with my ‘Cache Everything’ rule.

WPPOV supports freedom from Net Neutrality and the GDPR. The Internet of the people, by the people, for the people, shall not perish from the Earth.