Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/dangoodin/statuses/114184514710797895">Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 19-Mar-2025 06:17:32 JST</a><a href="https://infosec.exchange/@dangoodin" title="dangoodin@infosec.exchange"><img src="https://gnusocial.jp/avatar/92418-48-20240105201020.webp" width="48" height="48" alt="Dan Goodin" style="position: absolute; left: 0; top: 0;">Dan Goodin</a><div><ul><li><li><a href="https://gnusocial.jp/user/36255" title="matthew_d_green@ioc.exchange">Matthew Green</a></li><li><a href="https://gnusocial.jp/user/89867" title="troyhunt@infosec.exchange">Troy Hunt</a></li><li><a href="https://gnusocial.jp/user/104832" title="benjojo@benjojo.co.uk">benjojo</a></li><li><a href="https://gnusocial.jp/user/161036" title="cr0w@infosec.exchange">cR0w :cascadia:</a></li></ul></div></section><article><p>To follow up on yesterday's discussions about privacy implications of Cloudflare detecting the use of reused passwords in traffic passing through its infrastructure, Cloudflare has disclosed this practice previously. The protocol behind this check, known as Might I Get Pwned (in a nod to <a href="https://infosec.exchange/@troyhunt">@troyhunt</a>), was described in a 2022 Usenix paper called Might I Get Pwned:<br>A Second Generation Compromised Credential Checking Service. It devises what it claims is a privacy-preserving way to check for credential reuse. It involves comparing hashes. Cloudflare says passwords are never logged.</p><p>I'm home recovering from a Covid infection, so I don't have the energy to dig into this any deeper right now. I am interested in responses from people qualified to evaluate the privacy-preservation claims, including <a href="https://benjojo.co.uk/u/benjojo" rel="nofollow">@benjojo</a> <a href="https://infosec.exchange/@cR0w">@cR0w</a> <a href="https://mastodon.social/@Viss" rel="nofollow">@Viss</a> and <a href="https://ioc.exchange/@matthew_d_green" rel="nofollow">@matthew_d_green</a> </p><p>Relevant links:</p><p><a href="https://arxiv.org/pdf/2109.14490" rel="nofollow">https://arxiv.org/pdf/2109.14490</a></p><p><a href="https://blog.cloudflare.com/helping-keep-customers-safe-with-leaked-password-notification/" rel="nofollow">https://blog.cloudflare.com/helping-keep-customers-safe-with-leaked-password-notification/</a></p><p><a href="https://blog.cloudflare.com/privacy-preserving-compromised-credential-checking/" rel="nofollow">https://blog.cloudflare.com/privacy-preserving-compromised-credential-checking/</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4754654#notice-9313085">In conversation</a><time datetime="2025-03-19T06:17:32+09:00" title="Wednesday, 19-Mar-2025 06:17:32 JST">about 9 days ago</time> <span>from <span><a href="https://infosec.exchange/@dangoodin/114184514710797895" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@dangoodin/114184514710797895">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 19-Mar-2025 06:17:32 JSTDan Goodin
To follow up on yesterday's discussions about privacy implications of Cloudflare detecting the use of reused passwords in traffic passing through its infrastructure, Cloudflare has disclosed this practice previously. The protocol behind this check, known as Might I Get Pwned (in a nod to @troyhunt), was described in a 2022 Usenix paper called Might I Get Pwned:
A Second Generation Compromised Credential Checking Service. It devises what it claims is a privacy-preserving way to check for credential reuse. It involves comparing hashes. Cloudflare says passwords are never logged.
I'm home recovering from a Covid infection, so I don't have the energy to dig into this any deeper right now. I am interested in responses from people qualified to evaluate the privacy-preservation claims, including @benjojo @cR0w @Viss and @matthew_d_green
Relevant links:
https://arxiv.org/pdf/2109.14490
https://blog.cloudflare.com/helping-keep-customers-safe-with-leaked-password-notification/
https://blog.cloudflare.com/privacy-preserving-compromised-credential-checking/
In conversationabout 9 days ago from infosec.exchangepermalink

Public

Embed Notice

HTML Code

Corresponding Notice