this post was submitted on 27 Mar 2024
11 points (76.2% liked)

cybersecurity

3262 readers
8 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 1 year ago
MODERATORS
 

Question for people willing to visit Cloudflare sites:

How do you determine whether to trust a login page on a CF site? A sloppy or naïve admin would simply take the basic steps to putting their site on Cloudflare, in which case the authentication traffic traverses CF. Diligent admins setup a separate non-CF host for authentication.

Doing a view-source on the login page and inspecting the code seems like a lot of effort. The source for the lemmy.world login page is not humanly readable. It looks as if they obfuscated the URLs to make them less readable. Is there a reasonably convenient way to check where the creds go? Do you supply bogus login info and then check the httpput headers?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 4 points 7 months ago (1 children)

Yes, CF can view your login creds as the reverse-proxy effectively acts as a MitM handling the encryption and decryption.

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago)

It’s not always the case though. If you look at vivaldi.net and stackexchange, the creds take a CF-free path.