Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/troyhunt/statuses/114185201005562624">Troy Hunt (troyhunt@infosec.exchange)'s status on Wednesday, 19-Mar-2025 06:17:31 JST</a><a href="https://infosec.exchange/@troyhunt" title="troyhunt@infosec.exchange"><img src="https://gnusocial.jp/avatar/89867-48-20230209101725.webp" width="48" height="48" alt="Troy Hunt" style="position: absolute; left: 0; top: 0;">Troy Hunt</a><div><a href="https://benjojo.co.uk/u/benjojo/h/fGpc3SfYQL75r3v1RF" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/36255" title="matthew_d_green@ioc.exchange">Matthew Green</a></li><li><a href="https://gnusocial.jp/user/92418" title="dangoodin@infosec.exchange">Dan Goodin</a></li><li><a href="https://gnusocial.jp/user/104832" title="benjojo@benjojo.co.uk">benjojo</a></li><li><a href="https://gnusocial.jp/user/161036" title="cr0w@infosec.exchange">sp00ky cR0w 🏴</a></li></ul></div></section><article><p><a href="https://benjojo.co.uk/u/benjojo">@benjojo</a> <a href="https://infosec.exchange/@dangoodin">@dangoodin</a> <a href="https://infosec.exchange/@cR0w">@cR0w</a> <a href="https://mastodon.social/@Viss">@Viss</a> <a href="https://ioc.exchange/@matthew_d_green">@matthew_d_green</a> I suggest the term “snooping” is the problem here. A huge part of the value proposition of any reverse proxy with WAF features (not just Cloudflare) is the ability to inspect traffic. By design, a service like this sits in a position where they can inspect traffic, and that’s a decision the site operator makes. Inspecting traffic then also provides the ability to report on it; I can pull back traffic stats based on the UA string, for example. There’s no explicit “consent” involved in people sending that data, just like there’s no explicit consent in them submitting a form with PII in it; it’s implied. It’s also up to the site owner to enable leaked credential check, who already has the ability to decide what happens to passwords submitted to their service whether CF exists or not: <a href="https://developers.cloudflare.com/waf/detections/leaked-credentials/" rel="nofollow">https://developers.cloudflare.com/waf/detections/leaked-credentials/</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4754654#notice-9313089">In conversation</a><time datetime="2025-03-19T06:17:31+09:00" title="Wednesday, 19-Mar-2025 06:17:31 JST">about 7 months ago</time> <span>from <span><a href="https://gnusocial.jp/notice/9313089" rel="external" title="Sent from gnusocial.jp via ActivityPub">gnusocial.jp</a></span></span><a href="https://gnusocial.jp/notice/9313089">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: developers.cloudflare.com</div><h5><a href="https://developers.cloudflare.com/waf/detections/leaked-credentials/">Leaked credentials detection · Cloudflare Web Application Firewall (WAF) docs</a></h5><div></div></header><div>The leaked credentials traffic detection scans incoming requests for credentials (usernames and passwords) previously leaked from data breaches.</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Troy Hunt (troyhunt@infosec.exchange)'s status on Wednesday, 19-Mar-2025 06:17:31 JSTTroy Hunt
in reply to
@benjojo @dangoodin @cR0w @Viss @matthew_d_green I suggest the term “snooping” is the problem here. A huge part of the value proposition of any reverse proxy with WAF features (not just Cloudflare) is the ability to inspect traffic. By design, a service like this sits in a position where they can inspect traffic, and that’s a decision the site operator makes. Inspecting traffic then also provides the ability to report on it; I can pull back traffic stats based on the UA string, for example. There’s no explicit “consent” involved in people sending that data, just like there’s no explicit consent in them submitting a form with PII in it; it’s implied. It’s also up to the site owner to enable leaked credential check, who already has the ability to decide what happens to passwords submitted to their service whether CF exists or not: https://developers.cloudflare.com/waf/detections/leaked-credentials/
In conversationabout 7 months ago from gnusocial.jppermalink
Attachments
1. Domain not in remote thumbnail source whitelist: developers.cloudflare.com
  Leaked credentials detection · Cloudflare Web Application Firewall (WAF) docs
  The leaked credentials traffic detection scans incoming requests for credentials (usernames and passwords) previously leaked from data breaches.

Public

Embed Notice

HTML Code

Corresponding Notice