Tell me I'm reading this blog post wrong. It reads as if Cloudflare is admitting to reading the login credentials of users of sites that use Cloudflare.
"Our data reveals that 52% of all detected authentication requests contain leaked passwords found in our database of over 15 billion records, including the Have I Been Pwned (HIBP) leaked password dataset."
h/t: @0xF21D
blog.cloudflare.com/password-r…
#infosec #security #cloudflare
Password reuse is rampant: nearly half of observed user logins are compromised
Nearly half of observed login attempts across websites protected by Cloudflare involved leaked credentials. The pervasive issue of password reuse is enabling automated bot attacks and account takeovers on a massive scale.
jonathankoren™
in reply to steve mookie kong
I read it looking for some methodology that was not what all the hot takes are saying, and I got nothing.
It does appear that they MITMed it.
This makes me even more uncomfortable with cloudflare existing.
steve mookie kong
in reply to jonathankoren™
@jonathankoren
I too was looking for a methodology, but they clearly are matching passwords to a list of leaked passwords from what they wrote.
Cloudflare is a MITM for all traffic that passes through their network though. TLS traffic is terminated at their edge nodes first and then re-encrypted (or not, depending on the origin setup) before it heads to the origin.
Antifa-gravity boots
in reply to steve mookie kong
@jonathankoren OTOH: "To understand human behavior, we focus on successful login attempts (those returning a 200 OK status code), as this provides the clearest indication of user activity and real account risk."
I wonder if they considered how many poorly architected systems are out there that will return a 200 "Login Failed" page?
🆘Bill Cole 🇺🇦
in reply to steve mookie kong
@jonathankoren They are comparing *hashes* of the passwords (which they have in the clear because they handle the TLS layer for customers) to the dumps of password hashes associated with various breaches, such as the HaveIBeenPwned data.
Details (linked to in their post) at blog.cloudflare.com/helping-ke…
It is a feature site owners can choose to not use.
Helping keep customers safe with leaked password notification
Paul Chambers🚧
in reply to steve mookie kong
I think website owners are required to enable leak protection detection. I don't know if it is enabled by default for free plans, or not, though. It is built into the free plans.
However, I'm not sure if the end user of a website knows their credentials are being sniffed by Cloudflare. Really is something that should be in a website's privacy policy, if so.
developers.cloudflare.com/waf/…
Leaked credentials detection · Cloudflare Web Application Firewall (WAF) docs
Brian Vastag
in reply to steve mookie kong
steve mookie kong
in reply to Brian Vastag
@brianvastag
It does, but it is still a bit concerning that not only does Cloudflare have access to user credentials, but they are also utilizing it.
🆘Bill Cole 🇺🇦
in reply to steve mookie kong
@brianvastag It is intrinsic to their service that they have access to credentials in the clear, because they are providing the TLS layer for end users.
It is one of the reasons that many people have had forever for not using Cloudflare or similar services.
Asta [AMP]
in reply to steve mookie kong
steve mookie kong
in reply to Asta [AMP]
@aud
Rainbow tables technically shouldn't work if websites are salting their passwords.
Traffic does not pass through Cloudflare encrypted. Cloudflare terminates TLS at the edge and then re-encrypts (if the origin owner chooses to) when it sends to the origin. So technically, there is a moment when Cloudflare has the data unencrypted.
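The mechanism Bill Cole describes (hash the plaintext seen at the TLS-terminating edge, look it up in a leaked-hash set such as HIBP) and steve's point about salting, as an added example that is not Cloudflare's code: the leaked set and its breach counts are constructed for the example, and the 5-character prefix matching mirrors HIBP's published Pwned Passwords range format.

```python
import hashlib
import os

# Constructed sample of a leaked-password dataset in the format HIBP's
# Pwned Passwords uses: uppercase SHA-1 hex of the plaintext -> breach count.
# Entries are made up for this example; a real check would load the HIBP dump.
LEAKED_SHA1 = {
    hashlib.sha1(b"password123").hexdigest().upper(): 12345,
    hashlib.sha1(b"letmein").hexdigest().upper(): 9876,
    hashlib.sha1(b"Summer2024!").hexdigest().upper(): 3,
}


def sha1_hex(plaintext: str) -> str:
    return hashlib.sha1(plaintext.encode("utf-8")).hexdigest().upper()


def edge_leak_check(plaintext: str) -> int:
    """What a TLS-terminating proxy can do with a login it decrypted: hash the
    submitted plaintext with the dataset's own unsalted algorithm and look it
    up. Returns the breach count, or 0 if the password is not in the set."""
    return LEAKED_SHA1.get(sha1_hex(plaintext), 0)


def k_anonymous_check(plaintext: str) -> tuple[str, int]:
    """Same lookup, HIBP range-search style: only the first 5 hex characters
    of the SHA-1 select the candidates; the remaining suffix is matched
    locally. Returns (prefix that would be sent, breach count)."""
    digest = sha1_hex(plaintext)
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:]: n for h, n in LEAKED_SHA1.items() if h.startswith(prefix)}
    return prefix, candidates.get(suffix, 0)


def origin_stored_hash(plaintext: str, salt: bytes) -> str:
    """What a well-built origin stores: a salted hash (SHA-1 here only so the
    output is comparable with the leak set; use a password KDF in practice)."""
    return hashlib.sha1(salt + plaintext.encode("utf-8")).hexdigest().upper()


def salted_hash_in_leak_set(plaintext: str) -> bool:
    """Salting protects the *stored* hash from precomputed tables: the salted
    digest never matches the unsalted leak set. It does nothing about the
    plaintext the edge already saw, which is why edge_leak_check still works."""
    return origin_stored_hash(plaintext, os.urandom(16)) in LEAKED_SHA1
```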
Asta [AMP]
in reply to steve mookie kong
arrghhhh. Shortly after posting this, I remembered that cloudflare “helpfully” serves up its own certificate and wondered if indeed that’s what that meant. I guess the idea of them MITMing a metric fuckton of servers was… just did not occur to me.
Great.