Troy Hunt (troyhunt@infosec.exchange)'s status on Wednesday, 19-Mar-2025 06:17:31 JST

@benjojo @dangoodin @cR0w @Viss @matthew_d_green I suggest the term “snooping” is the problem here. A huge part of the value proposition of any reverse proxy with WAF features (not just Cloudflare) is the ability to inspect traffic. By design, a service like this sits in a position where they can inspect traffic, and that’s a decision the site operator makes. Inspecting traffic then also provides the ability to report on it; I can pull back traffic stats based on the UA string, for example. There’s no explicit “consent” involved in people sending that data, just like there’s no explicit consent in them submitting a form with PII in it; it’s implied. It’s also up to the site owner to enable leaked credential check, who already has the ability to decide what happens to passwords submitted to their service whether CF exists or not: https://developers.cloudflare.com/waf/detections/leaked-credentials/