Important: Tyk Cloud exposure to Cloudflare proxy bleed

Context

If you haven’t read the announcement already, there has been a significant security issue raised regarding sites secured via SSL by Cloudflare, in particular sites that use Cloudflare’s universal SSL termination and related transformation services.

For more information on the issue please visit:

Tyk Cloud Exposure

All Tyk-Cloud managed APIs are terminated by Amazon-provided SSL certificates at our load-balancer level; this includes all *.cloud.tyk.io endpoints. They are not affected by this issue, and your proxied traffic is not affected.

There are three Tyk websites that are potentially affected by this issue:

1. Our marketing site (https://tyk.io) utilises Cloudflare SSL; however, it carries no sensitive information, billing, or login information for service users and is not directly connected to any of our SaaS offerings (it is in a different DC with a different hosting provider altogether).

2. The other site that utilises Cloudflare SSL is https://cloud.tyk.io (the Tyk Cloud account management application). We are actively investigating whether we are affected by the issue for this website. However, this application is completely separate to our SaaS offering and carries no sensitive billing information; it is also not possible to affect a SaaS account from this system, as the two user bases are stored and managed separately. We deem the risk to users as minimal.

3. This community forum: While this forum does contain sensitive information regarding usernames and passwords, we do not believe it has been affected. Again, this site is not attached in any way to active services in our Cloud (different hosting provider).

While managed cloud endpoints are not affected at all by the Cloudflare memory leaks, customers that utilise custom domains and have used back-to-back SSL with Cloudflare to provide their own SSL protection may be exposed and should take appropriate action to ensure that their services are not affected.

We are monitoring the situation and will keep this topic updated as we find out more. If you have any questions, feel free to highlight them here or get in touch with us directly.

Martin Buhr
CEO & Founder, Tyk Technologies.


Update 04:47 UTC

  • None of the Tyk properties use the services that were affected by the Cloudflare leak; these were: email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites. However, we cannot guarantee this for customers that use custom domains with us that utilise these services.
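A small inventory audit for customers on custom domains, as an added example that is not part of this announcement or of Tyk's own code: it flags which endpoints have their TLS terminated by Cloudflare's proxy (and so fall within the scope described above) rather than at a *.cloud.tyk.io load balancer. The hostnames, addresses and CIDR ranges are constructed samples; in practice the ranges are replaced by Cloudflare's published edge list.

```python
"""Audit which custom-domain API endpoints are fronted by Cloudflare's proxy.

An endpoint is judged in scope if its resolved address sits in Cloudflare's
edge ranges or its responses carry Cloudflare's proxy headers.
"""
import ipaddress

# Constructed sample ranges for this example. The authoritative list of
# Cloudflare edge addresses is published at https://www.cloudflare.com/ips-v4
# and https://www.cloudflare.com/ips-v6 and should be substituted in practice.
CLOUDFLARE_RANGES_SAMPLE = ["198.51.100.0/24", "2001:db8:cf::/48"]


def is_cloudflare_ip(ip: str, ranges) -> bool:
    """True if the resolved address lies inside one of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def served_via_cloudflare(headers: dict) -> bool:
    """Cloudflare's reverse proxy adds a CF-RAY header to every response it
    handles and identifies itself as Server: cloudflare."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    return "cf-ray" in lowered or lowered.get("server") == "cloudflare"


def endpoints_in_scope(inventory, ranges):
    """Return hostnames whose traffic passes through Cloudflare's proxy,
    judged by either the resolved address or the response headers."""
    hits = []
    for entry in inventory:
        if is_cloudflare_ip(entry["ip"], ranges) or served_via_cloudflare(entry["headers"]):
            hits.append(entry["host"])
    return hits


# Constructed inventory (hypothetical hostnames and addresses, not real customers).
SAMPLE_INVENTORY = [
    {"host": "api.example.com", "ip": "198.51.100.7",
     "headers": {"Server": "cloudflare", "CF-RAY": "0123456789abcdef-LHR"}},
    {"host": "legacy.example.net", "ip": "192.0.2.10",
     "headers": {"Server": "cloudflare"}},   # proxied, but address outside the sample ranges
    {"host": "direct.example.org", "ip": "192.0.2.20",
     "headers": {"Server": "awselb/2.0"}},    # terminated at an AWS load balancer
]

if __name__ == "__main__":
    for host in endpoints_in_scope(SAMPLE_INVENTORY, CLOUDFLARE_RANGES_SAMPLE):
        print(host)
```

Endpoints the audit flags are the ones whose plaintext passed through Cloudflare's proxy memory and therefore warrant the "appropriate action" the post refers to; endpoints terminated at the Tyk load balancer are not flagged.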