The CloudFlare data leak is serious but needs to be looked at in context

The CloudFlare data leak is serious, but it needs to be seen in context. According to the company, around one in every 3,300,000 HTTP requests potentially led to memory leakage, or about 0.00003 percent of requests. That is a fairly small leak.

The amount of data that CloudFlare leaked is very small and essentially random. There isn’t much value in partial IP addresses, passwords and cookies. Plus, whatever data was stored in the caches of Google, Yahoo, Bing and other search engines is being, or already has been, scrubbed.

So, yes, this leak is interesting, but not for the usual reason of how much damage it caused. The bigger question is what can be done to prevent bugs like this from making it into the final product. Is it more QA? Is it accepting that these kinds of leaks are inevitable given the massive amount of Internet traffic these sites handle?

Another point worth mentioning is that anything that stands between you and your users carries a security risk. These products, while meant to keep you safe, have the potential to become a weakness.

CloudFlare and other services like it are designed to provide extra protection. CloudFlare attributed the leak to a “buffer overrun” caused by a bug in its code that had been present for years but didn’t surface until the company began using a new HTML parser for its edge servers. In other words, efforts to do security right don’t matter if something is implemented incorrectly.

More layers also increase the attack surface. Instead of hacking a website, an attacker could hack the proxy, for example. Of course, these services are supposed to make it harder for the bad guys to breach an organization. But there's a rule in security that any additional layer always adds a potential weakness. The more integrated this service or product is, the more risk it can potentially pose. There's an inherent assumption that adding more layers of isolation makes you more secure. In reality, it's another device, another stack of software, another potentially exploitable system.

Fred O'Connor
About the Author

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.