# CEO/Founder of CloudFlare thinks HTTPS is over UDP



## Exelion (Apr 14, 2014)

http://i.imgur.com/3gQIDqx.png

https://twitter.com/eastdakota/statu...82082380611584

"Want more terrible #heartbleed news? Probably can be used as a massive DDoS application vector. Yay!"

"it's just a UDP request."

"let's not talk about this over a public channel and hope that I'm wrong."


----------



## kaniini (Apr 14, 2014)

Doesn't really surprise me given what else we've seen out of Cloudflare... they are in many ways the scummiest of the anti-DDoS scum.


----------



## KuJoe (Apr 14, 2014)

I understand that CEOs are supposed to be experts about everything but sometimes they aren't. I know, it sucks to hear.

I'm surprised his Harvard Business School degree didn't teach him basic networking protocols.

[/sarcasm]


----------



## iWF-Jacob (Apr 14, 2014)

Eh, he got it wrong but honestly it doesn't get me in a tizzy. People make mistakes, I know I for certain have made plenty of them. Just learn and move on.

For all the good CloudFlare has done (and seriously, they do some pretty cool stuff) I don't think it's worth it to bash them on such a small comment.


----------



## dano (Apr 14, 2014)

After reading the bio of Matt Prince of Cloudflare, I'm seriously thinking his previous positions as Lawyer or Ski Instructor were more down his alley. In all honesty though, he really should know what he is talking about 100% before he shoots off technical tweets for the world (that knows better) to laugh at.


----------



## D. Strout (Apr 14, 2014)

No no no, he's right! HTTPS stands for HyperText TCP Protocol (Secure) - the only mistake he made was that he should have referred to HTUPS: HyperText UDP Protocol (Secure).

On a related note, visit my website: htups://www.dstrout.net/


----------



## raidz (Apr 14, 2014)

iWF-Jacob said:


> Eh, he got it wrong but honestly it doesn't get me in a tizzy. People make mistakes, I know I for certain have made plenty of them. Just learn and move on.
> 
> For all the good CloudFlare has done (and seriously, they do some pretty cool stuff) I don't think it's worth it to bash them on such a small comment.


Luckily it's just the CEO and not an engineer. People should expect CEOs to say stupid things like this.


----------



## wlanboy (Apr 14, 2014)

Well he is a CEO, not a CTO, so it is ok.


----------



## Hxxx (Apr 14, 2014)

Honest mistake.


----------



## WebSearchingPro (Apr 14, 2014)

Fear mongering I suppose, he was probably like "Hey we should say X to see if we can get some people to buy our product"


----------



## drmike (Apr 14, 2014)

Heheh, happens to the best of us.  Question is if he is typically making these sorts of off comments..


----------



## Dylan (Apr 14, 2014)

DTLS uses UDP.


----------



## tchen (Apr 14, 2014)

Refers to this probably..


"Don't forget to patch DTLS against #heartbleed, reachable pre-handshake (amplification). Congrats to @CodenomiconLTD as well btw!"


- Neel Mehta


https://mobile.twitter.com/neelmehta/status/453542518584381440


----------



## Dylan (Apr 14, 2014)

Definitely referring to that.

1. Neel Mehta (the Google Security researcher who discovered Heartbleed in the first place) sends out that tweet.

2. One of the CloudFlare guys (Nick Sullivan) replies to it.

3. Matthew Prince sends out the tweet in the OP just a couple hours after Nick's reply.

It's kind of depressing how people are so eager to pile on about how someone is wrong and must not know anything because he's "just a CEO" without taking 30 seconds to look into things.


----------



## Hxxx (Apr 14, 2014)

> I'm CEO bitch!


If you guys get the reference to the movie...


----------



## GIANT_CRAB (Apr 14, 2014)

Guys, be careful, he has enough money to lobby HTTPS into a UDP protocol!


----------



## Wintereise (Apr 14, 2014)

The amount of mongs who like ripping people a new one without understanding shit is way too high.

Hurr hurr.


----------



## yomero (Apr 15, 2014)

He is right if the software using TLS is also using UDP. For example, OpenVPN.

Anyway, I don't think you can find enough instances of UDP software to run a big attack.


----------



## maounique (Apr 15, 2014)

I think a CEO must know the basics about his products. However, he must not be judged on that, but on how well the company does, because, even if he does not know, he can get around people that can give advice on the technical side.

In the end, CEO is about choosing the right people and giving the right instructions as well as securing resources for those instructions to be carried out in good conditions.


----------



## Tom_WebhostingUK LTD (Apr 15, 2014)

According to me, he is the company's CEO and not the CTO, so we can understand it.


----------



## Exelion (Apr 15, 2014)

May I ask why so many people are jumping to defend him?


----------



## tchen (Apr 15, 2014)

Exelion said:


> May I ask why so many people are jumping to defend him?


I can't talk for the others, but the display of hubris was leaving too foul a stench.


----------



## KuJoe (Apr 15, 2014)

Originally I was defending him because his non-technical background entitles him to make mistakes in a field he is not familiar with. Now I'm defending him because he was repeating something about the Heartbleed bug from the person who discovered the Heartbleed bug, so the people attacking somebody for repeating something somebody else said are illogical.


----------



## Exelion (Apr 15, 2014)

KuJoe said:


> Originally I was defending him because his non-technical background entitles him to make mistakes in a field he is not familiar with. Now I'm defending him because he was repeating something about the Heartbleed bug from the person who discovered the Heartbleed bug, so the people attacking somebody for repeating something somebody else said are illogical.


If he did repeat it, he repeated it in a way that showed he didn't completely understand it.


----------



## tchen (Apr 15, 2014)

Prince actually repeated it quite concisely, albeit bluntly, to someone who assumed wrongly that heartbleed was strictly a TCP/HTTPS vulnerability.  Lyon's refusal to admit his own mistake and then subsequently bark up/redirect the discussion to the certificate amp protection in DTLS (the cookie bit) is a bit sad.  RFC 6347 adds that security feature for handshaking, but sadly RFC 6520 is slightly orthogonal to it, with only a passing mention of 6347.  As it currently is, OpenSSL's implementation of heartbeat is outside the handshake, as the original patch mentions: "Heartbeats can be sent any time when *no handshake* is in progress to check the availability of the peer".

In fact, most network IDS setups right now purporting to monitor for heartbleed attacks rely on the fact that most malware implementations right now bypass the handshake altogether and go directly for the jugular (hence why you can 'detect' it unencrypted).

In the end, Mr. Mehta is right.  Fix your DTLS apps too.

Please.
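
The detection point tchen makes above, that a heartbeat arriving before any handshake is still in the clear and can be parsed by an IDS, turns into a small record checker. This is an added example, not code from the thread, from OpenSSL, or from any IDS product, and the sample records below are constructed here for illustration rather than captured traffic. It goes slightly beyond the post by handling both the TLS and the DTLS record header (DTLS, per RFC 6347, carries an extra epoch and sequence number), and it flags a heartbeat whose declared payload_length cannot fit in the record together with the 16 bytes of padding RFC 6520 requires:

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEARTBEAT_CONTENT_TYPE = 24   # RFC 6520 content type for heartbeat records
MIN_PADDING = 16              # RFC 6520: padding must be at least 16 bytes


@dataclass
class HeartbeatFinding:
    transport: str           # "tls" or "dtls"
    record_len: int          # length field from the record header
    declared_payload: int    # payload_length claimed inside the heartbeat
    suspicious: bool         # True when the claim cannot fit in the record
    reason: str


def parse_record(data: bytes, transport: str) -> Optional[HeartbeatFinding]:
    """Inspect one plaintext TLS or DTLS record. Returns None for non-heartbeat
    records, otherwise a finding that says whether the length fields are sane."""
    # Record headers differ (RFC 5246 vs RFC 6347):
    #   TLS : type(1) version(2) length(2)                      -> 5 bytes
    #   DTLS: type(1) version(2) epoch(2) sequence(6) length(2) -> 13 bytes
    hdr_len = 5 if transport == "tls" else 13
    if len(data) < hdr_len or data[0] != HEARTBEAT_CONTENT_TYPE:
        return None
    record_len = struct.unpack("!H", data[hdr_len - 2:hdr_len])[0]
    body = data[hdr_len:hdr_len + record_len]
    if len(body) < 3:
        return HeartbeatFinding(transport, record_len, 0, True,
                                "heartbeat body shorter than type + payload_length")
    # Heartbeat message (RFC 6520): type(1) payload_length(2) payload padding(>=16)
    declared = struct.unpack("!H", body[1:3])[0]
    if 3 + declared + MIN_PADDING > record_len:
        return HeartbeatFinding(transport, record_len, declared, True,
                                "payload_length exceeds what the record can carry")
    return HeartbeatFinding(transport, record_len, declared, False, "well-formed")


def scan(records: List[Tuple[str, bytes]]) -> List[HeartbeatFinding]:
    """Return only the suspicious heartbeat findings from a batch of records."""
    out = []
    for transport, data in records:
        finding = parse_record(data, transport)
        if finding is not None and finding.suspicious:
            out.append(finding)
    return out


def _heartbeat_body(declared_len: int, payload: bytes, padding: int) -> bytes:
    # Helper for building the constructed samples below (type 1 = request).
    return b"\x01" + struct.pack("!H", declared_len) + payload + b"\x00" * padding


# Constructed sample records (not captured traffic).
# 1) Benign TLS 1.1 heartbeat request: 4-byte payload, 16 bytes padding, lengths agree.
BENIGN_TLS = (b"\x18\x03\x02" + struct.pack("!H", 23)
              + _heartbeat_body(4, b"ping", 16))
# 2) DTLS 1.2 heartbeat whose payload_length claims far more than the record holds:
#    the mismatch an IDS rule for this bug keys on, readable because no handshake
#    has taken place and the record is still unencrypted.
MALFORMED_DTLS = (b"\x18\xfe\xfd" + b"\x00\x00" + b"\x00" * 6 + struct.pack("!H", 19)
                  + _heartbeat_body(0x4000, b"", 16))
# 3) A handshake record (content type 22), which the checker ignores.
HANDSHAKE_TLS = b"\x16\x03\x01" + struct.pack("!H", 5) + b"hello"

if __name__ == "__main__":
    for f in scan([("tls", BENIGN_TLS), ("dtls", MALFORMED_DTLS), ("tls", HANDSHAKE_TLS)]):
        print(f"{f.transport}: record_len={f.record_len} "
              f"declared_payload={f.declared_payload} -> {f.reason}")
```

The check deliberately uses the record-layer length rather than the number of bytes actually received, so it works on a single datagram or a reassembled TCP segment alike; once a handshake has completed and records are encrypted, this kind of inspection no longer applies, which is exactly why the pre-handshake case matters for DTLS monitoring.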


----------



## Exelion (Apr 15, 2014)

tchen said:


> Prince actually repeated it quite concisely, albeit bluntly, to someone who assumed wrongly that heartbleed was strictly a TCP/HTTPS vulnerability.  Lyon's refusal to admit his own mistake and then subsequently bark up/redirect the discussion to the certificate amp protection in DTLS (the cookie bit) is a bit sad.  RFC 6347 adds that security feature for handshaking, but sadly RFC 6520 is slightly orthogonal to it, with only a passing mention of 6347.  As it currently is, OpenSSL's implementation of heartbeat is outside the handshake, as the original patch mentions: "Heartbeats can be sent any time when *no handshake* is in progress to check the availability of the peer".
> 
> In fact, most network IDS setups right now purporting to monitor for heartbleed attacks rely on the fact that most malware implementations right now bypass the handshake altogether and go directly for the jugular (hence why you can 'detect' it unencrypted).
> 
> ...


Maybe the twitter conversation is out of context, but I don't see him actually saying this is DTLS related, which yes, DTLS is affected by this since afaict it also allows heartbeat and thus has to be fixed too. That is a correct analysis. But from the twitter conversation I see, I see no indication this was about DTLS.


----------



## xxdesmus (Apr 16, 2014)

I'm just going to leave this here:

He was even remotely wrong actually, just folks misunderstanding an intentionally vague comment: http://www.networkworld.com/news/tech/2014/041614-heartbleed-ddos-attacks-280741.html


----------



## Lanarchy (Apr 16, 2014)

Who gives a shit? He's a CEO, not a network engineer.


----------

