Comment on knowing when to trust a login page on a Cloudflare site
Dave@lemmy.nz 7 months ago
I think you can assume that your credentials go via Cloudflare.
But the only thing you can do on Lemmy is post stuff publicly, and presumably you are using randomised passwords, so what’s the cyber security risk?
coffeeClean@infosec.pub 7 months ago
That would be my natural assumption until the contrary is verified.
I would not register on a CF site for anything AFAICT, and most certainly not a Lemmy site amid non-CF Lemmy sites. Lemmy.world is just a good example for my question because the code is obfuscated. My problem is often that I register on a non-CF service then it becomes CF and it’s not always social media. Indeed I use unique unguessable passwords for each site. But that’s not what the masses do. I’m trying to work out what diligent users do. I’m not sure how many people will evade my question. So I’ll try an example to overcome that. Suppose my bank becomes Cloudflared, without announcement (thus no time to pull my money out before it happens), and they charge a high fee for paper statements? The customer may choose good unique passwords, but this does not mean that password does not need to be protected. Most banks’ terms of service make customers liable for sharing creds with a 3rd party, and the ToS also includes a disclaimer for that bank. So if creds are compromised via CF the ToS is written to make the customer liable.
That’s just an example. Examples aside, I’m asking how a diligent user checks whether their creds are shared with CF.
glowie@h4x0r.host 7 months ago
Yes, CF can view your login creds as the reverse-proxy effectively acts as a MitM handling the encryption and decryption.
coffeeClean@infosec.pub 7 months ago
It’s not always the case though. If you look at vivaldi.net, the creds take a CF-free path.
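Added example, not part of the thread or written by any commenter: one way to check which host a login form sends the password to, and whether responses from that host carry Cloudflare's edge headers (`CF-RAY`, `Server: cloudflare`). The page HTML, hostnames and header values below are constructed; in practice the headers would be copied from the browser's developer tools.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PasswordForms(HTMLParser):
    """Collect the action attribute of each <form> holding a password input."""
    def __init__(self):
        super().__init__()
        self.open_action = None          # action of the form being parsed, else None
        self.actions = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.open_action = a.get("action") or ""   # empty action posts to the page URL
        elif (tag == "input" and self.open_action is not None
              and (a.get("type") or "").lower() == "password"
              and self.open_action not in self.actions):
            self.actions.append(self.open_action)
    def handle_endtag(self, tag):
        if tag == "form":
            self.open_action = None

def credential_hosts(page_url, html):
    """Hosts that receive the password when the form is submitted without script."""
    parser = PasswordForms()
    parser.feed(html)
    return [urlsplit(urljoin(page_url, a)).hostname for a in parser.actions]

def served_by_cloudflare(headers):
    """True if response headers carry Cloudflare's edge markers (CF-RAY, Server: cloudflare)."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    return "cf-ray" in h or h.get("server") == "cloudflare"

def creds_path_report(page_url, html, headers_by_host):
    """Host -> True (Cloudflare), False (no marker seen), None (no response observed)."""
    report = {}
    for host in credential_hosts(page_url, html):
        seen = headers_by_host.get(host)
        report[host] = None if seen is None else served_by_cloudflare(seen)
    return report

# Constructed sample: login page on a Cloudflare-fronted host, form posting elsewhere.
SAMPLE_URL = "https://www.example.org/login"
SAMPLE_HTML = """<form method="post" action="https://login.example.org/auth">
<input name="user"><input type="password" name="pw"></form>"""
SAMPLE_HEADERS = {  # constructed response headers, as copied from browser dev tools
    "www.example.org": {"Server": "cloudflare", "CF-RAY": "0000000000000000-XXX"},
    "login.example.org": {"Server": "nginx"},
}

if __name__ == "__main__":
    print(creds_path_report(SAMPLE_URL, SAMPLE_HTML, SAMPLE_HEADERS))
```

A `False` result only means no Cloudflare marker appeared in the observed response, not proof that the path avoids it. Logins submitted by script rather than by a plain form do not show up in the HTML, so the destination host has to be read from the request in the browser's network panel.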