@0xF21D

@0xF21D So, CloudFlare, IS the Mos Eisley of the internet providers.

@0xF21D I may have a suggested edit for them, for brevity's sake:

Keeping user accounts safe with Cloudflare

FUCKING BLOCK IT

@0xF21D good reminder that I still need to move a couple of things away from there…

@0xF21D When you employ a middleman, he will be the mitm.

@0xF21D
So cloudflare is the man in the middle attack we have always been warned about

@0xF21D

👀

What with the WHO THE FUCK NOW ??

:: sheesh ::

@0xF21D why are websites still using custom login forms with plaintext credentials? Should all be using browser-computed SCRAM in standard http authentication.

@0xF21D I will assume that this is only on the cloudflare WAF feature where they automatically check against known leaked credentials. The website owner can request this feature to be able to inform the user they should use a different password. If they would analyse all traffic without explicit consent from the site owner it would be dubious at best.

@0xF21D it's long known that the cloudflare proxy in the free tier will terminate SSL at their servers and re-encrypt it on the way to your host. They can basically analyze everything sent through the proxy.

So I'm honestly not surprised at all that they do, in fact, analyze the data users willingly throw at them.

Personally I am using* CF for my domain and DNS as well, but without proxy because of that.

*Because sadly, they are the only ones having a proper API to get letsencrypt certs via DNS auth.

@0xF21D Your one stop compromise shop! Four out of five police states recommend their victims use it.

@0xF21D "Are you afraid of MitM between you and our website? Don't worry, we paid an enterprise to do it for us the best way 👍​"

@0xF21D

So cloudflare knows everyone's passwords and what sites they visit?

@0xF21D
yes 🧐

@0xF21D wtf, carl! Damn pirates.

@0xF21D if i understand the docs, it's an optional feature you can enable.
not sure if that is using the monitoring, or enabling the monitoring

@0xF21D HTTP only, opt-in.
You can (should) do this at home.

“Once enabled, leaked credentials detection will scan incoming HTTP requests for known authentication patterns…”

@0xF21D all your data belong to US big tech companies for profit you dumb europeans

@0xF21D come again? 😂

@0xF21D
Thank you for pointing this out.

@0xF21D to be clear, the blog post states they got their data from a feature you need to enable and configure. So this shouldn't be a surprise to most cloudflare customers.

https://developers.cloudflare.com/waf/detections/leaked-credentials/

https://developers.cloudflare.com/waf/managed-rules/check-for-exposed-credentials/

@0xF21D all your kiwifarms passwords belong to us

@0xF21D As bad as the optics are on this one, they're doing the moral equivalent of https://github.com/DivineOmega/password_exposed

They aren't storing people's passwords for their analysis, they queried the HIBP API with the first 5 hexits from the SHA1 hash of the user's password then check if the full SHA1 hash is returned. If it is, they report that it's compromised. If it isn't, they report that it isn't.

Is it alarming that they're in a position to do this for all the websites they protect? Oh, absolutely.

But CloudFlare was always MitM as a Service (the Service being "DDoS mitigation"). That's one reason why it's so actively distrusted.

@0xF21D my iPhone does this and it’s creepy AF. It will tell me if other people use similar passwords or if mine would be easy to guess. But it will also tell me if my password has been in a data breach which has been helpful because half of these data breaches I only find out about by seeing the notation in my iPhone password area.

Then google tries to force me to set up a “passkey” which won’t help me login to Google Voice on my computer to do two factor authentication if I ever lose my phone, so I’m not real sure how I would get back to any of these things if I misplaced my phone. I can’t transfer the phone number attached to my phone to a new phone if I can’t get into the email, and I can’t get into the email if I can’t give them a code from the phone, which is why I wanted to use a Google Voice number for that stuff, but if I lose my phone I can’t get into the Google Voice.

It all just feels like a huge scam. Yesterday I tried to file a Small Claims Court case and it only gave me two court options so I chose the one closest to me. This morning they told me my filing was rejected because I chose the wrong jurisdiction, when I got someone on the phone they told me the right one should be there, and low and behold it was today.

But as I was going through refiling this morning all I could think about was this is how they lock us out of this stuff. You can only e-file small claims cases, and if I don’t have the option to choose the correct court when I e-file I can’t file. And when it gets to the point that no one is there to answer the phone to help us there will be no help to be had.

And at this point I think I have drifted far off topic and I apologize, but it’s possible I have circled right back around to the topic at hand because this is all the same problem at its core.

@0xF21D this toot is a bit misleading imo.

Saying it like like you did sounds like CloudFlare keeps a database of passwords people use on websites in order to conpare them. However cloudflare only compares them to previously leaked password (through haveibeenpwned and other sources). This could theoretically be done without cloudflare ever having the password. I don't know how they do it though.

It doesn't change the fact that CloudFlare is an actual MitM and therefore a huge security risk.

@0xF21D In addition, remember that Cloudflare offers DNS resolvers at the 1.1.1.1 IPv4 anycast address.

Being in the position of the a users DNS resolver opens up all kinds of possibilities for manipulation of the returned resource records. (It's been a many years since I played with DNSSEC, so I am not sure whether DNSSEC could provide protection.)

I wonder why anyone thinks they are the good guys?
They run half the internet all for free....
¯\(ツ)/¯

(Medien: 1)

Let me put further important words in uppercase:
One more reason why it's a REALLY GOOD IDEA to REALLY #UNPLUGTRUMP ASAP!

@0xF21D wrote:
So, Cloudflare analyzed passwords people are using to log in to sites they protect and discovered lots of re-use.

Let me put the important words in uppercase.

So, CLOUDFLARE ANALYZED PASSWORDS PEOPLE ARE USING to LOG IN to sites THEY PROTECT and DISCOVERED lots of re-use.

https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/

@0xF21D It's almost like Cloudflare is in fact this huge vulnerability that is in a position to intercept and analyze a huge percentage of the web's overall traffic...and we're just trusting them not to be evil.

@0xF21D

Cloudflare + MITM = Bullshit

Still any questions? Don't usw this shit!

@0xF21D One day I would love to have the balls to do that and then write a blog with the headline "Keeping user accounts safe with Cloudflare"

@0xF21D

(Medien: 1)

@0xF21D What software is that guy using? It looks like people are repyling from mastodon. Is this a write.as? I didn't think it had that feature actually.

Anyway, this is nuts, and one person there saying he's fine with it because it's free: said the same thing when I joined gmail what, two decades ago? Really regret that now. We should care more about privacy. _I_ didn't sign up for this.

I'm American though. Used to it.

@0xF21D global MITM machine MITMs *sigh*

@0xF21D and?

@0xF21D Documented here: https://developers.cloudflare.com/waf/detections/leaked-credentials/

@0xF21D So if you give your private key and certificate to a third party to MITM you, or you let them request their own certificate, they can MITM you?!

Who saw that coming?!

@0xF21D @bsi Hey #BSI evtl. Auch interessant für euch und ob es dem Datenschutz etwas weh tut :)

@0xF21D@infosec.exchange that moment when your supply chain risk is the largest protection service in the world, and they just do crimes without being arrested because they're a company and wrote a cute blog to call it "data analysis" when they sniff login credentials lol

@0xF21D @GossiTheDog

@0xF21D@infosec.exchange you are implying they are MitMing plaintext passwords and thats just actively spreading misinfo at that point.

@0xF21D netwatch

@0xF21D I'm surprised that anyone is surprised by this. CDNs are an awful idea. Putting way too many eggs in way too few baskets. Trusting a bunch of oversized corps to do The Right Thing.

@0xF21D@infosec.exchange
Oh, they store passwords in clear text? Now that's ridiculous.

@0xF21D WTAF!