Question for people willing to visit Cloudflare sites:

How do you determine whether to trust a login page on a CF site? A sloppy or naïve admin would simply take the basic steps to putting their site on Cloudflare, in which case the authentication traffic traverses CF. Diligent admins setup a separate non-CF host for authentication.

Doing a view-source on the login page and inspecting the code seems like a lot of effort. The source for the lemmy.world login page is not humanly readable. It looks as if they obfuscated the URLs to make them less readable. Is there a reasonably convenient way to check where the creds go? Do you supply bogus login info and then check the httpput headers?

  • coffeeClean@infosec.pubOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    8 months ago

    You seem to make the assumption that CF is storing that level of your data.

    What have I said that would imply a presumption of retention?