So, Cloudflare analyzed passwords people are using to log in to sites they protect and discovered lots of re-use.
Let me put the important words in uppercase.
So, CLOUDFLARE ANALYZED PASSWORDS PEOPLE ARE USING to LOG IN to sites THEY PROTECT and DISCOVERED lots of re-use.
[Edit with H/T: https://benjojo.co.uk/u/benjojo/h/cR4dJWj3KZltPv3rqX]
https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/
@0xF21D to be clear, the blog post states they got their data from a feature you need to enable and configure. So this shouldn't be a surprise to most cloudflare customers.
https://developers.cloudflare.com/waf/detections/leaked-credentials/
https://developers.cloudflare.com/waf/managed-rules/check-for-exposed-credentials/
@adamsaidsomething @0xF21D I spoke with a few people on the CloudFlare discord about this. Bear in mind this is a community manager, not necessarily a cloudflare employee!
"if you use Cloudflare and proxy traffic, they can read your traffic because they're doing TLS termination"
They said it's well defined in the privacy policy since you generally are using them as a proxy and/or firewall so they'd be able to read your traffic.
But they agreed that the docs could add some additional clarification about the feature's reach.
@adamsaidsomething @soviut @0xF21D speaking as a cloudflare customer, I can confirm that you have to opt in to this, as I do _not_ opt into it.
That doesn't stop them from looking, because they're providing all of my TLS. (I don't even encrypt from my tunnel, because I tunnel directly to the box that has the service running on it.)
Fortunately(?) for me, I don't care one way or the other because I use it to host stupid personal projects with no sensitive data. I don't know that I would use it for anything with sensitive data or on behalf of an employer.
@jcr @0xF21D yeah fair. Still, any service like that which is acting as a firewall is going to need to do this. They do TLS termination at their point of ingress (meaning they decrypt) and then act like a proxy, routing traffic according to rules that need to be able to see that data. The people administering those rules definitely know at what point their traffic is no longer encrypted.
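To make the point in the last two posts concrete, here is an added example (not code from the thread, from Cloudflare, or from its docs) of what a TLS-terminating proxy holds between decrypting the client session and re-encrypting toward the origin, and the kind of rule it can run over it. The request bytes, the "leaked" password set, the form field names `username`/`password`, and the 5-hex-character prefix lookup are all assumptions constructed for the example; they stand in for the general design of a leaked-credential check, not any vendor's implementation.

```python
import hashlib
from urllib.parse import parse_qs

# Constructed stand-in for a leaked-credential corpus: SHA-1 digests of two
# passwords that commonly appear in public breach dumps. Not Cloudflare data.
LEAKED_SHA1 = {
    hashlib.sha1(b"password123").hexdigest().upper(),
    hashlib.sha1(b"letmein").hexdigest().upper(),
}

# Index the corpus by the first five hex characters of each digest so the
# lookup can be answered as a k-anonymity "range" query: only the prefix is
# sent, the suffix comparison happens locally. (Assumed design, not a vendor's.)
RANGE_INDEX: dict[str, set[str]] = {}
for digest in LEAKED_SHA1:
    RANGE_INDEX.setdefault(digest[:5], set()).add(digest[5:])


def parse_request(raw: bytes):
    """Split a plaintext HTTP/1.1 request, i.e. what exists after TLS termination."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request: no header terminator")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def extract_credentials(raw: bytes):
    """Return (username, password) for a form-encoded login POST, else None."""
    method, _path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    # Assumed field names; a real rule would be configured per login form.
    fields = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    if "username" not in fields or "password" not in fields:
        return None
    return fields["username"][0], fields["password"][0]


def password_is_leaked(password: str) -> bool:
    """k-anonymity lookup: only the 5-character digest prefix leaves this function."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in RANGE_INDEX.get(prefix, set())


def inspect_login(raw: bytes) -> dict:
    """What a proxy-side rule can decide from one decrypted request."""
    creds = extract_credentials(raw)
    if creds is None:
        return {"credentials_seen": False, "leaked": False, "action": "pass"}
    username, password = creds
    leaked = password_is_leaked(password)
    return {
        "credentials_seen": True,
        "username": username,
        "leaked": leaked,
        # A real rule might tag the request for the origin, challenge, or block.
        "action": "flag" if leaked else "pass",
    }


# Constructed sample requests as the proxy sees them in plaintext.
LOGIN_WITH_LEAKED = (
    b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 35\r\n\r\n"
    b"username=alice&password=password123"
)
LOGIN_WITH_FRESH = (
    b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 33\r\n\r\n"
    b"username=bob&password=x7!Qm9zLwT2"
)
PLAIN_GET = b"GET /login HTTP/1.1\r\nHost: app.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("leaked", LOGIN_WITH_LEAKED), ("fresh", LOGIN_WITH_FRESH), ("get", PLAIN_GET)]:
        print(name, inspect_login(req))
```

The thing to notice is that `password_is_leaked` never needs the plaintext stored or forwarded anywhere, but `extract_credentials` only works because the proxy already holds the decrypted body. That is the trade-off the thread describes: whether the check is enabled or not, the operator terminating TLS is in a position to read the request, and an origin-side check would have to run at the origin instead.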