this post was submitted on 27 Mar 2024
11 points (76.2% liked)
cybersecurity
3262 readers
8 users here now
An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!
Community Rules
- Be kind
- Limit promotional activities
- Non-cybersecurity posts should be redirected to other communities within infosec.pub.
Enjoy!
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
You don't. Assume the password is hashed server side and are sent unhashed via the TLS session that CF mitm.
What if I am reporting a GDPR offender who (e.g.) neglected my article 15 request? If I make the assumption you are suggesting and add to my Article 77 complaint that the data controller also needlessly exposes passwords to Cloudflare and it turns out to be untrue for that particular service, then my report loses credibility and puts a DPA on a run around.
You seem to make the assumption that CF is storing that level of your data. In all likelihood CF are inspecting the traffic for malicious intent and if there is nothing malicious the non metadata is dropped.
What have I said that would imply a presumption of retention?