 |
Post AsBI2dCfJ2JxBKBfRA by [email protected] |
 |
More posts by [email protected] |
|
Post #As9PhPUbUuN7tX39hQ by [email protected] |
|
0 likes, 4 repeats |
|
|
|
So, Cloudflare analyzed passwords people are using to log in to sites they prot… |
|
|
|
Post #As9PzHpUj9R9LBLU5g by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@0xF21D |
|
|
|
Post #As9QB3ePGmJwqBlw9o by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@malanalysis it makes sense since they function as a global reverse proxy and d… |
|
|
|
Post #As9Rex0iccE4t91hNQ by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D I will assume that this is only on the cloudflare WAF feature where the… |
|
|
|
Post #As9Rex76EtKXCw0nK4 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@Erwinvb sites using cloudflare's free plan. Looks like it's a feature … |
|
|
|
Post #As9TufMsBUkwiE0hUm by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@0xF21D wrote: "[...] something we technically knew was going on before bu… |
|
|
|
Post #As9UShbiMgLxVHBLZQ by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D why are websites still using custom login forms with plaintext credenti… |
|
|
|
Post #As9UShhk0HApny09xo by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@hyc with cloudflare, anything is possible. :( |
|
|
|
Post #As9ezgZkDlFvOwcvj6 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D It's almost like Cloudflare is in fact this huge vulnerability that… |
|
|
|
Post #As9ezgflrM4nhdRk7U by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@Infoseepage or pretending like they can’t be compelled to turn over informat… |
|
|
|
Post #As9fZsmQK2k9g5ok2C by [email protected] |
|
0 likes, 1 repeats |
|
|
|
But it's okay because it's just our Cloudflare free accounts!As usual, … |
|
|
|
Post #As9hINV1ZNDFeFSa8m by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@0xF21D Documented here: https://developers.cloudflare.com/waf/detections/leake… |
|
|
|
Post #As9ikEXoYcdRwAbyRE by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@0xF21D : Cloudflare is evil anyway.Cloudflare reverse-proxies (or -proxied):-c… |
|
|
|
Post #As9m2mPpfBfm3uPfhQ by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@0xF21D @GossiTheDog |
|
|
|
Post #As9njaCj2aBcayFxQ0 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@0xF21D netwatch |
|
|
|
Post #As9swnSBagNPDsbl7w by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@ErikvanStratenIf your adblock is good enough you always see the captchas, so y… |
|
|
|
Post #As9swnZd90Kbay5hjM by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@EndlessMason : thanks for responding!You wrote:"Every site is a sea of sp… |
|
|
|
Post #As9z9E5H0LO912CW2a by [email protected] |
|
0 likes, 1 repeats |
|
|
|
Here's a followup of this post: https://infosec.exchange/@0xF21D/1141802048… |
|
|
|
Post #As9zztpx0tjRZI9Oam by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@ErikvanStraten @malanalysis its safe to assume that any US corporation is alig… |
|
|
|
Post #AsA3bsYOX46KSHjxj6 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D As an American who uses Cloudflare DNS, WTF should I use now? |
|
|
|
Post #AsA3bseQAevCkyYm7U by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@DarthAstrius I use Cloudflare 1.1.1.1 for DNS as well. It's good DNS. I wo… |
|
|
|
Post #AsA3wVRBfnIMqJClYu by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D Did they do this study using actual passwords or just hashes? |
|
|
|
Post #AsA3wVXDJO7F901ZxI by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@slashdottir I'm not sure. Though I suspect a little from columns A and B i… |
|
|
|
Post #AsA4i0rEfgzztv2eX2 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@0xF21D If you pay Cloudflare* to handle your website traffic encryption for yo… |
|
|
|
Post #AsACNgooGYglamj9Ga by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D all your kiwifarms passwords belong to us |
|
|
|
Post #AsACO03Kkmb1FKfW2i by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D if i understand the docs, it's an optional feature you can enable.n… |
|
|
|
Post #AsACPBbvGcdhNkPfai by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D it's long known that the cloudflare proxy in the free tier will ter… |
|
|
|
Post #AsACPBiera1jidZ35c by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@hannsr DNS verification for Let's Encrypt can be hard to automate for sure… |
|
|
|
Post #AsACPBpkRDhM4csi8m by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D @hannsr My traefik instance does DNS Auth with INWX just fine? Also the… |
|
|
|
Post #AsACPR1dxH7tBrYvGS by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D wtf, carl! Damn pirates. |
|
|
|
Post #AsACPnPqhxYodJ3Z32 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D Your one stop compromise shop! Four out of five police states recommen… |
|
|
|
Post #AsACWf3aBYs4jbunU8 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D So cloudflare knows everyone's passwords and what sites they visit? |
|
|
|
Post #AsACWf9xnpyX3OttQm by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@BuckRogers1965 at this point I think it is safe to assume the answer has been … |
|
|
|
Post #AsACWfH3NTe9PODYTw by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D @BuckRogers1965 how Does cloudstrike use their CA key for this purpose… |
|
|
|
Post #AsACWfO8x7JllNXDX6 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@clusterfcku @0xF21D @BuckRogers1965 If you want to use a proxy like CF you nee… |
|
|
|
Post #AsACX0ac7wlrW8WyO0 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D yes 🧐 |
|
|
|
Post #AsACYkNDOCDznr5nUm by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D to be clear, the blog post states they got their data from a feature yo… |
|
|
|
Post #AsACYkTF1n2s6XubtA by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@soviut @0xF21DThey're blog post refers to a "built in" feature a… |
|
|
|
Post #AsACYkZce49KQKthpo by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@adamsaidsomething @soviut @0xF21D speaking as a cloudflare customer, I can con… |
|
|
|
Post #AsACZJ0Od1lhDDgZHs by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@scatty_hannah @hannsr thnaks! I'll check that out. |
|
|
|
Post #AsACiIlos7f75b9o2K by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@clusterfcku @0xF21D @BuckRogers1965 how would they know what cached URL you re… |
|
|
|
Post #AsACkGPibWTQMNksWe by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@hannsr I thought people already know all about that. To be fair, I find it rea… |
|
|
|
Post #AsACw7IiJOavZV8A9Q by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D Thank you for pointing this out. |
|
|
|
Post #AsAD0reVv4iqUFaiwq by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@EndlessMason that sounds more like you might be signing up to the wrong places… |
|
|
|
Post #AsAD3e5OocQZHRUcjY by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@JessTheUnstill @0xF21D @malanalysis you're still the product even if you p… |
|
|
|
Post #AsAD4JL5RCKzDy9ENU by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D When you employ a middleman, he will be the mitm. |
|
|
|
Post #AsAD4RxfNdx1xwG9ce by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@clusterfcku @0xF21D @BuckRogers1965Most governments have their own CA. Maybe n… |
|
|
|
Post #AsAD6T5SANS82Hrdc8 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@0xF21D So, CloudFlare, IS the Mos Eisley of the internet providers. |
|
|
|
Post #AsAD6TBTnyH0KygS0W by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@krypt3ia @0xF21D I'm glad I never used any cloud storage. Avoiding 'sc… |
|
|
|
Post #AsAD7djK567rKn4Ukq by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@hannsr @0xF21D I also used cf only for DNS but recently I noticed they create … |
|
|
|
Post #AsADBZMkFV2uxQNuRE by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@adamsaidsomething @0xF21D I spoke with a few people on the CloudFlare discord … |
|
|
|
Post #AsADHYpz7tsR3Xv01Q by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@malanalysis @0xF21D |
|
|
|
Post #AsADN2xsXcDHwUE6Wu by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@scott @clusterfcku @0xF21D Yeah, I get that, but you can put the authenticatio… |
|
|
|
Post #AsADVvtKD2xubvKkQi by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D I may have a suggested edit for them, for brevity's sake:Keeping us… |
|
|
|
Post #AsADWzAxU2gz5R5FRI by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D 👀 What with the WHO THE FUCK NOW ??:: sheesh :: |
|
|
|
Post #AsADX15iMVgb1ke5Xk by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@hannsr, you might want to check out https://desec.io/. According to https://de… |
|
|
|
Post #AsADX4FkbeUqpkMe6S by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D HTTP only, opt-in.You can (should) do this at home. “Once enabled, le… |
|
|
|
Post #AsADX4NY8ejdDw0sG8 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@juddy @0xF21D Lowkey hate how nobody read the article and noticed that it'… |
|
|
|
Post #AsADZDM3jlZLdpL3tw by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D So cloudflare is the man in the middle attack we have always been warne… |
|
|
|
Post #AsADZDTVI5WY0up0VM by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@pgreer @0xF21D the "man in the middle" who also happens to be a ̶n… |
|
|
|
Post #AsADc4WT20457MZNCK by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D good reminder that I still need to move a couple of things away from th… |
|
|
|
Post #AsADf9ka3FqKCRdqDI by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D all your data belong to US big tech companies for profit you dumb europ… |
|
|
|
Post #AsADlCXQbD8maFN8HA by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@groxx @clusterfcku @0xF21D But the web site could be designed to not use the c… |
|
|
|
Post #AsADnwe29BR49xloAq by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D As bad as the optics are on this one, they're doing the moral equiv… |
|
|
|
Post #AsAE0O1mADXeYro9iq by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D "Are you afraid of MitM between you and our website? Don't wor… |
|
|
|
Post #AsAE0mTbGQ3iO70iQK by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@nightoo Sure, this site looks sketchy, but this is the platform the vendor dec… |
|
|
|
Post #AsAE0o973YrLZ9RNlg by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@pgreer @0xF21DYes, Cloudflare "protecting" sites again with they'… |
|
|
|
Post #AsAE30xUOHxrsm3XAe by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@cygnathreadbare @pgreer @0xF21DAre they tho? I thought they had a very inconsi… |
|
|
|
Post #AsAE40NU2G0EN3geem by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@ErikvanStraten @0xF21D @malanalysis This is not an exclusive-or choice. In fac… |
|
|
|
Post #AsAE4oX7YhQ9vQa3cW by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@clusterfcku @0xF21D Yes, they can just ask with a letter that says the CA can … |
|
|
|
Post #AsB0IzpJA93anxuqBs by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@pgreer we should have known that earlier. |
|
|
|
Post #AsB0QlkhNHlXTFSxvM by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D @malanalysisThis is wild because I *always* knew they were a problem, f… |
|
|
|
Post #AsB0vFMxp5mk0wthKK by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@JessTheUnstill @0xF21D @malanalysis > which includes leaked credentials det… |
|
|
|
Post #AsB0z9QXrGRSk8QyVU by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@EndlessMason hm maybe the problem is more pronounced wherever you're livin… |
|
|
|
Post #AsBHXd4Nkjfzn3Wuga by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D this toot is a bit misleading imo.Saying it like like you did sounds li… |
|
|
|
Post #AsBHXdBpJ3dCA90rI0 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@qz I posted a second toot as a response: https://infosec.exchange/@0xF21D/1141… |
|
|
|
Post #AsBHrSuJFKSo40HEki by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@alexlunaview https://infosec.exchange/@0xF21D/114180204895647789 |
|
|
|
Post #AsBHtd3UUFQc7HbSfQ by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@BenAveling see my followup https://infosec.exchange/@0xF21D/114180204895647789 |
|
|
|
Post #AsBHvQfbVQryHdHxz6 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D So if you give your private key and certificate to a third party to MIT… |
|
|
|
Post #AsBHvQlHALPGZDwUpE by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@dascandy see my followup https://infosec.exchange/@0xF21D/114180204895647789 |
|
|
|
Post #AsBHzLHZTl22jSuhlI by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@[email protected] you are implying they are MitMing plaintext passwords … |
|
|
|
Post #AsBHzLNx628V3Ftnhw by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@m https://infosec.exchange/@0xF21D/114180204895647789 |
|
|
|
Post #AsBI2dCfJ2JxBKBfRA by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D this seems to be a little overacting. M$ stores your passwords for thir… |
|
|
|
Post #AsBI2dIgwd8pU10TpY by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@CriticalSilence Please see my followup: https://infosec.exchange/@0xF21D/11418… |
|
|
|
Post #AsBI9ea6a4XXTzV1rk by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D is there something we can do against this from an end user perspective?… |
|
|
|
Post #AsBI9eg8DfMPmgJqG8 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@smartphone I think calling attention to the fact that Cloudflare is a US compa… |
|
|
|
Post #AsBIEV8t6OcLek52jQ by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D Are you aware that this is a feature that you need to enable? In other … |
|
|
|
Post #AsBIEVEujzRDxQtr7o by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@sbeyer please see my followup: https://infosec.exchange/@0xF21D/11418020489564… |
|
|
|
Post #AsBacU0Wlt9gGGkruC by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@dt @juddy @0xF21D "Opt in" is relative. Did the users opt into the r… |
|
|
|
Post #AsBj9uOYU1ozI4RXTE by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@tychotithonus @dt @0xF21D What part of "For other purposes for which we o… |
|
|
|
Post #AsBj9uVe3fUbe3lCWO by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@juddy @dt @0xF21DOh, I understand. The question is whether ordinary users shou… |
|
|
|
Post #AsBpcIC8Bpryw9Y8XY by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@RTP ehhh |
|
|
|
Post #AsBpcIJDlTXbI8rnai by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@schnur Wow. We knew this was possible and huge reason for all the anti cloudfl… |
|
|
|
Post #AsBpcIOtQO4tZjWKQq by [email protected] |
|
0 likes, 2 repeats |
|
|
|
@RTP @schnur This is why I call it "clownflare" .. That US company ow… |
|
|
|
Post #AsDTyz1hoUNDTO0Xaa by [email protected] |
|
0 likes, 0 repeats |
|
|
|
I wonder why anyone thinks they are the good guys?They run half the internet al… |
|
|
|
Post #AsDTyzT0B0Cwq2mL8S by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@menel it sounds like communism and everyone knows that communism is a good thi… |
|
|
|
Post #AsHMqYMf8UQPQ1gPFw by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D Any more reason to switch to FIDO2 with hardware tokens or #Passkeys.Th… |
|
|
|
Post #AsHMqYUoeAwlpJUuxs by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@publicvoit @0xF21D passkeys can be saved to both security keys and credential … |
|
|
|
Post #AsNxqdILfQIPxkKGEy by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@0xF21D What software is that guy using? It looks like people are repyling fro… |
|
|
|
Post #AsNxqdONJ17IGR94dM by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@crazyeddie I'm not sure, but it is quite nice. |
