Question for people willing to visit Cloudflare sites:

How do you determine whether to trust a login page on a CF site? A sloppy or naïve admin would simply take the basic steps to putting their site on Cloudflare, in which case the authentication traffic traverses CF. Diligent admins setup a separate non-CF host for authentication.

Doing a view-source on the login page and inspecting the code seems like a lot of effort. The source for the lemmy.world login page is not humanly readable. It looks as if they obfuscated the URLs to make them less readable. Is there a reasonably convenient way to check where the creds go? Do you supply bogus login info and then check the httpput headers?

  • slazer2au@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    8 months ago

    You don’t. Assume the password is hashed server side and are sent unhashed via the TLS session that CF mitm.

    • coffeeClean@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      edit-2
      8 months ago

      What if I am reporting a GDPR offender who (e.g.) neglected my article 15 request? If I make the assumption you are suggesting and add to my Article 77 complaint that the data controller also needlessly exposes passwords to Cloudflare and it turns out to be untrue for that particular service, then my report loses credibility and puts a DPA on a run around.

      • slazer2au@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        8 months ago

        You seem to make the assumption that CF is storing that level of your data. In all likelihood CF are inspecting the traffic for malicious intent and if there is nothing malicious the non metadata is dropped.

        • coffeeClean@infosec.pubOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          8 months ago

          You seem to make the assumption that CF is storing that level of your data.

          What have I said that would imply a presumption of retention?