
> Have I Been Pwned

You are. HN sits behind Cloudflare. Your SSL connection terminates at Cloudflare to plaintext, and a new SSL connection to HN is created.

Your login and password, IP and User-Agent and who knows what else, are in clear view to Cloudflare - you've been pwned :))



That's such an amazing thing about them.

I know a few places that... would pretty much die for such a global "MITM" service, so I wonder if it's five corners financing it.


I need a browser extension (for Safari) to warn me if the site is behind Cloudflare. I'll pay money :) I'm kinda protected by using a VPN, IP is not my ISP IP. But the rest, plus browser fingerprinting, is busted.

Use this: www.cloudflare.com/ips/ and HTTP headers like CF-RAY
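Added example, not part of any comment in this thread: the two signals named above (the `CF-RAY` response header and membership in the published IP list) combined into one check. How an extension obtains the response headers and the remote IP is assumed and left out; `SAMPLE_RANGES` is constructed, and all function names are hypothetical.

```javascript
// Constructed sample (RFC 5737 documentation ranges), standing in for the
// one-CIDR-per-line list published at www.cloudflare.com/ips/.
const SAMPLE_RANGES = "198.51.100.0/24\n203.0.113.0/25\n";

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Parse the list text into [{base, mask}]; blank, IPv6 and malformed lines are skipped.
function parseRanges(text) {
  const out = [];
  for (const line of text.split(/\r?\n/)) {
    const [addr, len] = line.trim().split("/");
    const base = ipv4ToInt(addr);
    if (base === null || !/^\d{1,2}$/.test(len || "") || Number(len) > 32) continue;
    const bits = Number(len);
    // JS shifts are modulo 32, so /0 needs its own case.
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    out.push({ base: (base & mask) >>> 0, mask });
  }
  return out;
}

function ipInRanges(ip, ranges) {
  const n = ipv4ToInt(ip);
  return n !== null && ranges.some((r) => ((n & r.mask) >>> 0) === r.base);
}

// headers: response headers as a plain object; remoteIp: address connected to.
// Either signal alone is a hint: the header can be stripped or forged by an origin.
function classify(headers, remoteIp, ranges) {
  const names = Object.keys(headers).map((h) => h.toLowerCase());
  const signals = [];
  if (names.includes("cf-ray")) signals.push("cf-ray header");
  if (ipInRanges(remoteIp, ranges)) signals.push("ip in published range");
  return { viaCloudflare: signals.length > 0, signals };
}
```
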


You could also just use the ASN of the network, which is always Cloudflare for CF IPs.


That's not easy to retrieve from a browser extension without using an external service, right?


You're on, hired. Presentation with demo is at 4 July 10:00am GMT. Congrats :))


Same as with any other CDN, the load-balancer frontend of any cloud provider (e.g. if HIBP weren't behind Cloudflare, would you post the same about Azure, where its backend lives?), ...

I get why people are critical of SSL termination that talks to the backend over public channels unencrypted (which Cloudflare offers too), but for the HTTPS-to-HTTPS case they behave exactly like many other companies.


What is your point? Mine is - Cloudflare reads in plaintext all data you think is SSL 'protected' between me and the website.


That I find it weird that people appear to single out Cloudflare (e.g. asking for a Cloudflare-detection extension) when there's nothing materially different about them from many other companies serving large parts of the web. Traffic is protected between you and an agent the site you are visiting trusts, just like in nearly every other hosting scenario. You're almost by definition not "pwned" if your traffic is seen by someone who is supposed to see it, as long as they treat it appropriately.


> You're almost by definition not "pwned" if your traffic is seen by someone who is supposed to see it,

Well ... No one, repeat, no one is supposed to see my traffic except the site owner. I just don't buy the 'trusted' CDN provider idea. 'treat it appropriately' - I'm past that.


Do you buy the idea of trusted hosting providers? Or does everyone need to own their hardware? Or are rented VMs ok? (where traffic isn't exposed by design, unlike with traditional hosting or ingress services by cloud providers, but could be accessed by the provider if it really wanted to)


Nothing is wrong about CNN terminating SSL on CNN CDN nodes, it is part of CNN's infrastructure. In house.

Cloudflare is bad because it terminates ~10% of global traffic. How would I know that my HN login/password is known to Cloudflare? Did you know?


> Nothing is wrong about CNN terminating SSL on CNN CDN nodes, it is part of CNN's infrastructure. In house.

But they don't, they use Fastly, at least that's where cnn.com points. Are they better than CF?

I did know that HN uses Cloudflare, yes, and if I distrusted Cloudflare specifically I'd maybe want something making sure I always know, but I kind of expect nowadays that sites use CDNs or cloud infrastructure and have no strong reason to distrust any of the many providers more than the others.



