So, turns out the SHA1 collision was not what P0 people were ominously hinting at last night.

like, wowwwwww

A buffer overrun in C is not news.

On second thought, I think that the memory problems in C are, in this case, more the proximate cause than the root cause, at least in terms of the dispersal of private information.

The root cause being that sensitive information even existed in clear-text on the machines in the first place.

The intermediate servers that your data passes through can’t inadvertently disperse clear-text that you don’t give them.

So, credit where it’s due, addressing the lack of end-to-end encryption is a big part of Cloudflare’s thing, so at least it’s not like they aren’t working on the mess we’ve inherited.

Many of Cloudflare’s services depend on having access to the cleartext, though.
