Cl6mRPYs9QrpTcb2fy.png

@troyhunt @dangoodin sure, I use "snooping" very much on purpose, I'm also really aware of what a WAF is given I wrote a very high % of the whole Cloudflare WAF from 2014 to 2017 :P

https://blog.cloudflare.com/author/ben-cartwright-cox/

I am working in a different industry now though.

There’s no explicit “consent” involved in people sending that data

I'm not talking about the consent of the users, my larger problem is cloudflare enabling features that handles arguably some of the most sensitive data on free customers without asking them, and then publishing metrics on it, It just has a bad vibe.

It’s also up to the site owner to enable leaked credential check

This is verifiably not true for free users.

Here is what I did to confirm that.

1) I take a domain that is on the free plan, that I have not touched the cloudflare settings for years, check the security tab, 0 "Password leaked" hits

2) Make a subdomain test.<domain> to point to a test instance

3) Write a "hello world" test web server that dumps headers

4) fire a mimic login that wordpress would use:

$ curl -X POST -d 'log=username&pwd=password&wp-submit=Log+In' https://test.xxxxx.com/wp-login.php

5) There is no header to confirm it was a compromised password, but if we reload the cloudflare dashboard, it detected the password.

This is the crux of my problem. I don't think it's ethical to have this kind of feature enabled by default with no consent. The product as a concept is fine, as long as people opt into it.

Public

Notices where this attachment appears