Replying to Avatar Anhern Sarsalor [IQ: 102]

You misunderstand the article
Avatar
JackTheMimic 4mo ago

Wait, how? Array of password hashes on pwnd lists are compared to an array of password hashes in current use. 41% are the same hash. Meaning even after exposure people use the same passwords. What did they misunderstand? That's what I gleaned from it.

Reply to this note

Please Login to reply.

Discussion

Avatar
Anhern Sarsalor [IQ: 102] 4mo ago

They have access to the plaintext password. They are MITMing all websites using their services.

Avatar
JackTheMimic 4mo ago

"When we perform these checks, Cloudflare does not access or store plaintext end user passwords."

I mean they could be lying but the article says the opposite.

Avatar
Anhern Sarsalor [IQ: 102] 4mo ago

WHEN THEY PERFORM THE CHECK. But by design cloudflare routes "proxied" your traffic through their servers before. Their certificates. They have 5 levels:

- Off (no SSL)

- flexible (MITM and the server gets no SSL request)

- full (MITM, your server gets SSL requests)

- full strict (MITM and they enforce the MITM)

- strict (MITM)

Avatar
Anhern Sarsalor [IQ: 102] 4mo ago

"I have all this data, but don't worry when I check the passwords I only look at the hashed data!"

Avatar
JackTheMimic 4mo ago

Lol, yeesh, I need to research them more. I just self-host so much of my shit I almost forget how much people trust nameless faceless orgs with their data.