blog.cloudflare.com/password-r…
the only way for cloudflare to have this data is if it is inside the ssl channel, analyzing traffic to their customers who are logging in.
ssssoooooooo i guess this makes the cloudflare logs a massive target for nation states now?
Password reuse is rampant: nearly half of observed user logins are compromised
Nearly half of observed login attempts across websites protected by Cloudflare involved leaked credentials. The pervasive issue of password reuse is enabling automated bot attacks and account takeovers on a massive scale.
The Cloudflare Blog
Viss, in reply to Viss:
okay so several people have responded to this thread, pointing at me and figuratively waving this off as "well, duh. cloudflare terminates ssl. there's no surprise here"
so i feel like i have to point this out to the non-security folks.
the part where they, without consent, intercept the traffic (ESPECIALLY FUCKING AUTHENTICATION), imbibe it into a research context, and perform password analysis on it?
That's a crime
it's the same as MITMing someone from their corp workstation and stealing creds
Viss, in reply to Viss:
i would further argue that if that in and of itself doesn't straight up smack, to you, of 'crimes' or 'gross violations of privacy', then perhaps it's time for you to revisit your moral compass.
because on this planet, when you steal fucking credentials from people who haven't given you authorization to have those credentials
that's CFAA.
That's a felony.
That's crimes. Lots of them.
the fact they blogged about it is icing on the cake, and an admission of guilt/complicity.
Cirio, in reply to Viss:
There was even an entire website devoted to it, crimeflare or something like that. All I have when I look it up now is a research tool...
BasieP, in reply to Viss:
Sorry about being toxic, but if SSL is terminated by anyone other than you, you are compromised!
Duncan Blair, in reply to Viss:
I don't see this as particularly egregious in isolation - it's basically a WAF tool being implemented by the site owner.
**However**, AFAICT it's on by default and there doesn't seem to be a way to turn it off with the free plan, which is gross. Having to pay to opt out of this is quite icky.
Mike P, in reply to Viss:
"Cloudflare's free plan, which includes leaked credentials detection as a built-in feature..."
Presumably "non-leaked credentials detection" is a paid extra?
Kevin Karhan, in reply to Viss:
#CloudFlare is a #RogueISP known to offer Services in #Russia and to #CyberCriminals...
#ClownFlare is also a #ValueRemoving #rentseeker whose core product / service is essentially a #Racketeering Scheme and should not exist as any competent hoster offers #DDoS protection free of charge...
tyil, in reply to Viss:
It always has been. A service like #Cloudflare has always been a massive security and privacy issue. Just because it's more obvious now doesn't mean it hasn't always been true.
If you care even the tiniest bit about your users, stop using Cloudflare.