This week saw two scary but interesting internet security incidents. First, there is Cloudbleed.

Cloudbleed […] is a security bug discovered on February 17, 2017 affecting Cloudflare’s reverse proxies, which caused their edge servers to run past the end of a buffer and return memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. Some of this data was cached by search engines. (wikipedia)

In other words: data that should have been encrypted in transit and seen only by the two endpoints of the communication (e.g. browser and server) was handed out in plaintext to unrelated clients, and some of it was then cached by search engines. This is possible because Cloudflare terminates TLS at its edge, so the memory of those proxies holds the decrypted traffic of every site behind them, and an over-read in one request can return fragments of other customers' requests. Or, put into more drastic words:

Many major news outlets have advised consumers of sites using Cloudflare to change their passwords, even for accounts protected by 2-factor authentication as they could be at risk. Passwords of mobile apps too could have been impacted. Researchers at Arbor Networks, in an alert, suggested that “For most of us, the only truly safe response to this large-scale information leak is to update our passwords for the Web sites and app-related services we use every day…Pretty much all of them.” (wikipedia)

The other news was Google's successful creation of a SHA-1 collision: two different inputs that hash to the same SHA-1 digest. But what is a cryptographic hash function like SHA-1?

A cryptographic hash function is a special class of hash function that has certain properties which make it suitable for use in cryptography. It is a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size (a hash function) which is designed to also be a one-way function, that is, a function which is infeasible to invert. The only way to recreate the input data from an ideal cryptographic hash function’s output is to attempt a brute-force search of possible inputs to see if they produce a match, or use a “rainbow table” of matched hashes. Bruce Schneier has called one-way hash functions “the workhorses of modern cryptography”.

SHA-1 has been considered unsafe for some time now, but some applications (e.g. git, which uses it to name objects) still rely on it. Note what the attack does and does not give you: Google produced a collision, two attacker-crafted inputs with the same hash, not a preimage for an existing hash, so an attacker cannot simply compute a replacement for an honest file whose SHA-1 is already known. The answer to the question “What are the implications of a SHA-1 collision being found?” is also helpful for understanding the topic.
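As an added example (not code from the original post), the following Python script demonstrates the properties described in the quote above and the difference between the collision Google found and a preimage: the fixed-size output, the avalanche effect, and a brute-force preimage search next to a birthday collision search. Both searches run against a truncated SHA-1 (a toy of my own choosing, as are the sample messages) so they finish in well under a second while keeping the same cost ratio as the full function.

```python
import hashlib
import itertools


def digest_hex(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data. The output length depends only on the algorithm,
    never on the size of the input."""
    return hashlib.new(algo, data).hexdigest()


def bit_difference(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length byte strings."""
    assert len(a) == len(b)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def truncated_hash(data: bytes, bits: int, algo: str = "sha1") -> int:
    """The first `bits` bits of the digest as an integer. This is a toy hash
    (an assumption of this demo): shrinking the output space lets the searches
    below finish quickly while keeping the same preimage/collision cost ratio."""
    h = hashlib.new(algo, data).digest()
    return int.from_bytes(h, "big") >> (len(h) * 8 - bits)


def preimage_search(target: int, bits: int, algo: str = "sha1"):
    """Brute-force a message whose truncated hash equals `target`.
    Candidates are 8-byte big-endian counters. Returns (message, attempts);
    the expected number of attempts is about 2**bits."""
    for n in itertools.count():
        m = n.to_bytes(8, "big")
        if truncated_hash(m, bits, algo) == target:
            return m, n + 1


def collision_search(bits: int, algo: str = "sha1"):
    """Birthday search for two distinct messages with the same truncated hash.
    Returns (m1, m2, attempts); the expected number of attempts is about
    2**(bits / 2), the square root of the preimage cost."""
    seen = {}
    for n in itertools.count():
        m = n.to_bytes(8, "big")
        h = truncated_hash(m, bits, algo)
        if h in seen:
            return seen[h], m, n + 1
        seen[h] = m


if __name__ == "__main__":
    # Fixed size: one byte and one megabyte both give a 160-bit SHA-1.
    print(digest_hex(b"a", "sha1"))
    print(digest_hex(b"a" * 2**20, "sha1"))
    # Avalanche: a single flipped input bit changes about half of the output bits.
    d1, d2 = hashlib.sha256(b"abc").digest(), hashlib.sha256(b"abb").digest()
    print("differing bits:", bit_difference(d1, d2), "of", len(d1) * 8)
    # Preimage vs. collision cost on an 18-bit truncation of SHA-1.
    bits = 18
    target = truncated_hash(b"the real file", bits)
    _, pre_tries = preimage_search(target, bits)
    _, _, col_tries = collision_search(bits)
    print(f"{bits}-bit preimage: {pre_tries} tries, collision: {col_tries} tries")
    # SHAttered found a full 160-bit SHA-1 collision with about 2**63 work,
    # below the 2**80 birthday bound and far below the 2**160 cost of a preimage.
```

The two searches are the practical content of the distinction made above: a collision is cheap relative to a preimage, which is why git's use of SHA-1 for object names is weakened by the attack without giving an attacker a way to forge a replacement for a commit whose hash is already pinned.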