
Clef, The Popular Two-Factor Authentication Service, Is Shutting Down

Clef, a popular two-factor authentication service used by Magento eCommerce stores and WordPress sites, has announced that its service will cease operation on June 6th 2017. It’s not clear why Clef is shutting down, but the company’s announcement states its employees will be moving to another company. It seems Clef – in spite of its popularity – failed to find a business model that could support its continued existence.

eCommerce merchants and site owners who use Clef should prepare to move to a different TFA provider as soon as possible.

Although there is no shortage of TFA plugins and services, Clef put the user experience front and center, offering an intuitive solution to the perennial problem of poor password management. Clef’s WordPress plugin has been installed over a million times, and its Magento extension has five stars on Magento Connect. The WordPress plugin has already been removed from the WordPress Plugin repository, and other integrations and mobile apps will be withdrawn in the lead-up to the service’s shutdown in three months.

Two-factor authentication is a key security measure for sites and stores that need authentication more robust than a simple username and password combination can offer. Brute force attacks are a constant threat to any online business, and sites with many users struggle to ensure they choose passwords intelligently.

Two-factor authentication services – including Clef – add an extra factor of authentication, often a one-time code generated by a mobile application. Without access to the secrets used to generate these codes, brute-force attacks can’t succeed. Sites are also protected against other password-based vulnerabilities, including leaked password databases and careless users who don’t keep their passwords safe.

It’s advisable for all sites and eCommerce stores to implement two-factor authentication. Those who used Clef have several options to choose from.

Users of Magento 1.X can move to Hostdedi’s Sentry extension, which, once installed, will require two-factor authentication for all administrative logins. Sentry integrates with many of the most popular two-factor authentication services, including Duo and Google Authenticator.

WordPress hosting clients who use the WordPress security plugin Wordfence might consider its built-in 2FA functionality or a dedicated plugin.

  • Two Factor Authentication is a comprehensive TFA solution for WordPress. It can be used with Google Authenticator, Authy, and a number of other TFA services. Two Factor Authentication is thoughtfully designed and includes several features to simplify logging in for WordPress users, including graphical QR codes that can be scanned by mobile devices.
  • The Duo Two-Factor Authentication plugin works with the popular Duo TFA service and offers one-tap authentication and one-time passwords delivered by SMS.

If you don’t use two-factor authentication, you’re missing out on a low-friction strategy that significantly reduces the chances that your site will be compromised.

Posted in:
Security


What You Need To Know

Towards the end of last month, it was revealed that Cloudflare, a popular CDN provider, suffered a vulnerability that caused its edge servers to leak private data. The vulnerability – discovered by Google researcher Tavis Ormandy – was swiftly mitigated, but because the problem may have existed since September 2016, it’s worth taking some time to understand the potential implications for eCommerce merchants, site owners, and their users.

Cloudflare is a service that – among other things – helps websites achieve better performance. It takes the contents of a website and uploads it to edge servers around the world. When a user requests a page, the request is redirected to the nearest edge server, significantly reducing the latency introduced when server and client are far apart. Because the site’s HTML and other assets travel through Cloudflare, they can be processed in various ways before being passed on to the requester.

To process the HTML, Cloudflare runs pages through an HTML parser. A bug in that parser is what caused private information to be leaked. You can read the full technical details in Cloudflare’s post-mortem, but, in short, a buffer overrun error caused the parser to access parts of the server’s memory that should have been private. In a specific combination of circumstances, the parser would not stop with the HTML it was parsing, but would continue to read data from memory. That data sometimes included sensitive information like login details, keys, and private messages.
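As an added illustration (not Cloudflare's parser or any code from its post-mortem), here is a toy tag scanner with the shape of the bug class described above: its end-of-buffer check is an equality test, so once an unterminated tag at the end of the page pushes the read position past the end, the scanner keeps copying whatever sits next in memory. The page bytes and the neighbouring data are constructed samples, and the equality-check shape is this model's assumption.

```python
# Constructed sample memory: the page being served, immediately followed by a
# fragment belonging to a different request (data that must never be read).
PAGE = b"<html><body>hello</body><scr"            # ends in an unterminated tag
NEIGHBOUR = b"<p>Cookie: session=SECRET123</p>"   # adjacent memory, not ours
MEMORY = PAGE + NEIGHBOUR


def strip_tags_unsafe(memory: bytes, length: int) -> bytes:
    """Tag stripper in the shape of the bug: the outer loop ends only when the
    position p is exactly equal to the end offset pe, and the tag sub-scanner
    trusts that a '>' exists. An unterminated tag at the end of the page pushes
    p past pe, equality never holds again, and the loop copies adjacent memory.
    In C this is an out-of-bounds read; the len() guards exist only so the
    Python model terminates instead of raising IndexError."""
    p, pe, out = 0, length, bytearray()
    while p != pe and p < len(memory):
        if memory[p] == ord("<"):
            while p < len(memory) and memory[p] != ord(">"):   # never compares with pe
                p += 1
            p += 1
        else:
            out.append(memory[p])
            p += 1
    return bytes(out)


def strip_tags_safe(memory: bytes, length: int) -> bytes:
    """Same scanner with every advance bounded by the end offset: the loop
    condition is p < pe (stop as soon as p >= pe), so an overshoot caused by
    an unterminated tag still terminates inside the page's own buffer."""
    p, pe, out = 0, length, bytearray()
    while p < pe:
        if memory[p] == ord("<"):
            while p < pe and memory[p] != ord(">"):
                p += 1
            p += 1
        else:
            out.append(memory[p])
            p += 1
    return bytes(out)


if __name__ == "__main__":
    print("unsafe:", strip_tags_unsafe(MEMORY, len(PAGE)))   # leaks the neighbour's cookie
    print("safe:  ", strip_tags_safe(MEMORY, len(PAGE)))     # b'hello'
```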

When someone requested the page, the private data was sent along with it. Even worse, the private data was also sent when web crawlers made page requests, including search engine crawlers, which resulted in some private data being made available in search engine results.

That all sounds very bad indeed, but it should be understood that the buffer overrun could only happen in a very specific set of circumstances. It’s not the case that every request routed through Cloudflare leaked private data. According to the company:

“The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (thatʼs about 0.00003% of requests).”

Cloudflare is huge, so even 0.00003% is a lot of requests, but there’s no evidence that any criminals were actively exploiting the vulnerability, and the problem was fixed less than 8 hours after it was discovered. For large sites using Cloudflare, it’s likely that some user data was leaked, but for each individual user the risk is minuscule. Google and other search engines have attempted to scrub their search indexes of any private data that may have been cached.

Should You Reset Passwords?

At this point, the risks are minimal. If you use Cloudflare with your site or eCommerce store, you may choose to advise users to reset their passwords out of an abundance of caution. Given the extensive publicity the leak received, it may well be wise to communicate with users about the nature of the vulnerability and the risk to their privacy. Some security experts advise that passwords should be reset, but because the risk to individual users is small, some prominent security writers advise against password resets, arguing it will do little to protect users and is likely to add to the security fatigue that causes users to ignore security best practices.

Posted in:
Security
