User talk:MikeMol: Difference between revisions

(→‎cloudflare issue: expiry, not reset.)


: Good point; I should only need to expire passwords for accounts touched during the affected period. However, understand that RC didn't need to have those features enabled to be affected. Those features resulted in the client being sent data that was resident in memory on Cloudflare's systems; they didn't have control over whether data would be in that memory in the first place. If someone logged into RC, their credentials would be in memory for a time. Then someone else makes a request from some other site with those features enabled, and they would get some chunk of Cloudflare's server's memory sent to them. This is a very, very common misunderstanding from people who've only read Cloudflare's blog post on the subject, and Cloudflare has unfortunately downplayed the severity and scope of the issue. --[[User:Short Circuit|Michael Mol]] ([[User talk:Short Circuit|talk]]) 04:33, 25 February 2017 (UTC)

:: Yes, I didn't read that out of the report. Will have to read again. The way you explain it makes sense of course. Thanks. Not good on Cloudflare's part to not make that clear. :-( [[User:EMBee|eMBee]] ([[User talk:EMBee|talk]]) 04:50, 25 February 2017 (UTC)


: The expiry process *should* allow one login using the old password, requiring the user to set a new password before proceeding. It's not a reset, but an expiry. I chose that approach because not everyone even has their email address loaded in... --[[User:Short Circuit|Michael Mol]] ([[User talk:Short Circuit|talk]]) 04:34, 25 February 2017 (UTC)