hhmx.de

Federation EN Mon 17.03.2025 18:03:03

@0xF21D

So cloudflare knows everyone's passwords and what sites they visit?

Federation EN Mon 17.03.2025 18:07:09

@BuckRogers1965 at this point I think it is safe to assume the answer has been "yes, for sites that transit through cloudflare (cloudflare's customers)."

Federation EN Mon 17.03.2025 18:21:22

@0xF21D @BuckRogers1965 how Does cloudstrike use their CA key for this purpose? Can any government or doge-like IT just ask a CA to snoop SSL?

Federation EN Mon 17.03.2025 18:31:09

@clusterfcku @0xF21D @BuckRogers1965 How would they know what cached URL you requested if they didn't? They need to be able to read the request, both for providing caching and for many DoS preventions.

(To be clear, I think this is a TERRIBLE tradeoff... but it's not new or anything. Every CDN can do this too, which is part of why you often see CDN resources under a different domain, but not everyone does that.)

Federation EN Mon 17.03.2025 18:49:40

@groxx @clusterfcku @0xF21D

But the web site could be designed to not use the CDN for the authentication portion of the web site. So this is also a web design issue.

Federation EN Mon 17.03.2025 18:51:22

@clusterfcku @0xF21D

Yes, they can just ask with a letter that says the CA can never speak about the request. Then DOGE will have the password to all your accounts.

Federation EN Mon 17.03.2025 19:13:49

@clusterfcku @0xF21D @BuckRogers1965 If you want to use a proxy like CF you need to upload your cert's private key to the proxy. They don't need a special key; site owners send their own.

Federation EN Mon 17.03.2025 22:53:31

@scott @clusterfcku @0xF21D

Yeah, I get that, but you can put the authentication page on your own servers so the proxy service can't see the passwords in the web requests. The authentication page, the login page, could be on the company's own servers, and that would stop the CDN from reading passwords and other identifying information.

Federation EN Mon 17.03.2025 19:45:18

@clusterfcku @0xF21D @BuckRogers1965
Most governments have their own CA. Maybe not officially, but then via e.g. the telephone monopoly or similar.

And browsers just trust all of them.

Which is why I have for years considered the http encryption to be more secure than https. At least the "rot-zero" of http doesn't give a false sense of security.