Ditch Cloudflare - Broken HTTPS/MiTM
#1
http://cryto.net/~joepie91/blog/2016/07/...a-problem/

So for those of you who don't know, Cloudflare is fundamentally broken and at this point is literally a MiTM attack for sites that employ it (including HTTPS).

When using CF everything between the user and CF is encrypted, but because of its flexible certificates everything between CF and the site is plaintext (including CF's ISP). Recently the CF ISP was intercepting traffic and blocking sites that they saw fit, like Pirate Bay.

Needless to say this article is a great overview and a good lesson on not using services like this. And personally I have first-hand experience with complaining about loose HTTPS standards on Cloudflare. I figured it was possible to sign up with CF with a domain you don't own and then use a DNS spoof attack, resulting in a page with the same domain AND valid HTTPS. They said it wasn't a vulnerability and worked as intended.
Reply
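As an added illustration of the origin-side half of the problem described in the post above (this is not from the linked article or from any poster in this thread): in Cloudflare's "Flexible" mode the origin listens on plain HTTP, so the hop from the CDN to the origin is cleartext. The nginx fragment below shows that weak origin configuration beside a hardened one that serves TLS only (so the "Full (strict)" mode can be used instead) and additionally requires the connecting proxy to present a client certificate (Cloudflare's "Authenticated Origin Pulls" feature). The server name, file paths, CA bundle location and IP range are assumed placeholders.

```nginx
# --- Weak: what "Flexible" mode requires. Plaintext on port 80, so anything
# on the path between the CDN and this box (its ISP included) can read or
# modify the traffic.
server {
    listen 80;
    server_name example.com;            # placeholder
    root /var/www/example;              # placeholder
}

# --- Hardened: never serve content in the clear; redirect to HTTPS.
# (Only switch to this after the dashboard is on Full (strict); under
# Flexible the CDN fetches over HTTP and this redirect becomes a loop.)
server {
    listen 80;
    server_name example.com;            # placeholder
    return 301 https://$host$request_uri;
}

# --- Hardened: TLS only, with a certificate the CDN can validate, plus a
# client-certificate check so that only a proxy holding the matching
# origin-pull certificate can talk to the origin at all.
server {
    listen 443 ssl;
    server_name example.com;            # placeholder

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;     # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authenticated origin pulls: require a client certificate issued by the
    # CDN's origin-pull CA. The bundle path is a placeholder for wherever the
    # CA certificate is stored on this host.
    ssl_client_certificate /etc/ssl/cdn-origin-pull-ca.pem;
    ssl_verify_client      on;

    # Belt and braces: accept connections only from the CDN's published
    # egress ranges. The range here is a placeholder; use the real list.
    allow 203.0.113.0/24;
    deny  all;

    root /var/www/example;              # placeholder
}
```

With the client-certificate check in place, a direct connection to the origin that does not present a certificate signed by that CA is rejected at the TLS handshake, and with Full (strict) the CDN verifies the origin certificate on its side, so neither hop is cleartext and neither end is talking to an unauthenticated peer.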
#2
Quote: at this point is literally a MiTM attack for sites that employ it

This seems like fear mongering to me, every CDN, Load-balancer, really anything that uses a reverse proxy is literally a MiTM setup. Sometimes, MiTM is good and useful.

That isn't to say there are not legitimate and serious problems, as you've pointed out there most certainly are.

Edit: Just read the actual article, I had more issues but I realize the article covers them sufficiently.
Reply
#3
(08-31-2016, 09:20 PM)dropzone Wrote:
Quote: at this point is literally a MiTM attack for sites that employ it

This seems like fear mongering to me, every CDN, Load-balancer, really anything that uses a reverse proxy is literally a MiTM setup. Sometimes, MiTM is good and useful.

That isn't to say there are not legitimate and serious problems, as you've pointed out there most certainly are.

Edit: Just read the actual article, I had more issues but I realize the article covers them sufficiently.

I recognize the fear mongering comment, but at the same time a lot of security forums use Cloudflare for HTTPS and as a CDN. If people had their own certificates it would be different, because then they would actually have some protection, but they don't because of how CF acts. I think it's a great point for monitoring information over the internet with or without CF's compliance.
Reply
#4
Not like I didn't already know about this problem before, one of the reasons I've always been hesitant about letting GreySec rely on Cloudflare. I remember the times of Hacksociety, which relied on CF way too much, which in those terms left the site very unstable with constant downtimes... However, reading this article, I realize how big the scope of this problem is. I never really thought about it that way, but they do control a significant amount of the internet.

Interesting article, thanks for sharing! Admittedly I have been considering relying on CF recently for DNS servers since they offer free anycast. But I think I'm going to think it over once more.
Reply