Replying to Avatar Anhern Sarsalor [IQ: 102]

They have access to the plaintext password. They are MITMing all websites using their services.
Avatar
JackTheMimic 4mo ago

"When we perform these checks, Cloudflare does not access or store plaintext end user passwords."

I mean they could be lying but the article says the opposite.

Reply to this note

Please Login to reply.

Discussion

Avatar
Anhern Sarsalor [IQ: 102] 4mo ago

WHEN THEY PERFORM THE CHECK. But by design cloudflare routes "proxied" your traffic through their servers before. Their certificates. They have 5 levels:

- Off (no SSL)

- flexible (MITM and the server gets no SSL request)

- full (MITM, your server gets SSL requests)

- full strict (MITM and they enforce the MITM)

- strict (MITM)

Avatar
Anhern Sarsalor [IQ: 102] 4mo ago

"I have all this data, but don't worry when I check the passwords I only look at the hashed data!"

Avatar
JackTheMimic 4mo ago

Lol, yeesh, I need to research them more. I just self-host so much of my shit I almost forget how much people trust nameless faceless orgs with their data.