Cloudbleed Surface Area #175
Comments
|
Meh, i'd like a source on that other than "i was able to find more domains!" |
|
Actually, we have a bunch that were collected via a different method that haven't been added to the main list yet. We don't want to mix them because it will make further verification and maintenance more complicated. We're in the process of developing a solution. In the meantime, you can find the domains I've collected so far via this method in #141. |
|
@sahal2080 Would you be comfortable calling this a duplicate of #141? I don't want aim for the exact number in that post, because the wording isn't particularly reassuring--"potentially in scope" isn't really what we're aiming for. We're trying to narrow it down to domains that were almost certainly using the Cloudflare proxy service at the time. |
|
@coderobe I'm with you if this guy was a just a random person but he was quoted in a well-known site specializing in cyber security: http://www.darkreading.com/attacks-breaches/cloudflare-leaked-web-customer-data-for-months/d/d-id/1328266?print=yes @Zenexer I wouldn't know. My suggestion is to have a strategy:
If your priority is to initially filter the data in chunks and release something of quality so be it as long as you believe it's the way to go. You never know when the next source of data will pop up. |
|
You can connect with openssl s_client and dump all combined domains in the certificate bundle. Eg. Everything in the name, SAN, etc cert fields. This will be more representative than trying to tie via DNS. The bundling more applies to lower tier services though and the larger enterprise customers on alexa top domains may still need to be manually correlated. But you could find test domains of large companies which is an indicator they once used the free services as a trial or still use it for testing. Is this already being done? Yes, no? |
|
@DtpEJsaYXDU4GDH8dE4MyI9VrieF0UZpPZ0K76K That would yield inaccurate results. Cloudflare keeps and renews certificates for your domain even if you use them only as a DNS, providing you were routing at least one (sub)domain through their proxy at any point in time, even if that was years ago (Which is very questionable). See one of my domains for example: https://crt.sh/?q=broda.me |
|
@coderobe then what is the proposed best method? Lookup all Alexa / top interesting root domains, find / brute force all subdomains, and check for DNS record pointing to cloudflare IP blocks? |
|
@DtpEJsaYXDU4GDH8dE4MyI9VrieF0UZpPZ0K76K This is one of the only options, yeah. CURLing the headers and checking for |
|
@coderobe @DtpEJsaYXDU4GDH8dE4MyI9VrieF0UZpPZ0K76K at this point it's too late to trust header/dns data to reflect proxy customers during the 6 month window, too many people have turned off Cloudflare in the last two days. IF we do a header scrape, we could tag domains with [currently using cloudflare proxy] to the list, but I wouldn't want to remove any from the list that aren't using it. |
|
Right. That's yet another problem. |
|
Did anyone do a Shodan search for the Server: header? |
|
@TobiX I did, but there's too much data for it to be useful. |
|
Since all major govs would have this historical DNS data, has anyone just kindly asked cloudflare to publish all the affected domains? |
|
@DtpEJsaYXDU4GDH8dE4MyI9VrieF0UZpPZ0K76K No & they're not going to - it'd be a bit stupid if they did in terms of client security. There still might be data available from those leaked domains. |
According to this post, there are 1,030,501 sites are missing from your list. Just wanted to bring this to your attention.
The text was updated successfully, but these errors were encountered: