This repository has been archived by the owner on Jan 18, 2018. It is now read-only.

Cloudbleed Surface Area #175

Open
SandNerd opened this issue Feb 25, 2017 · 14 comments

Comments

@SandNerd

According to this post, 1,030,501 sites are missing from your list. Just wanted to bring this to your attention.

@coderobe (Contributor)

Meh, I'd like a source on that other than "I was able to find more domains!"

@Zenexer (Contributor) commented Feb 25, 2017

Actually, we have a bunch that were collected via a different method that haven't been added to the main list yet. We don't want to mix them because it will make further verification and maintenance more complicated. We're in the process of developing a solution. In the meantime, you can find the domains I've collected so far via this method in #141.

@Zenexer (Contributor) commented Feb 25, 2017

@sahal2080 Would you be comfortable calling this a duplicate of #141? I don't want to aim for the exact number in that post, because the wording isn't particularly reassuring: "potentially in scope" isn't really what we're aiming for. We're trying to narrow it down to domains that were almost certainly using the Cloudflare proxy service at the time.

@SandNerd (Author)

@coderobe I'm with you if this guy was just a random person, but he was quoted on a well-known site specializing in cyber security: http://www.darkreading.com/attacks-breaches/cloudflare-leaked-web-customer-data-for-months/d/d-id/1328266?print=yes

@Zenexer I wouldn't know. My suggestion is to have a strategy:

  • Have clear goals that would translate to clear prioritization criteria
  • Add the data on this blog as a source to mine through. Also assign an importance grade to it
  • Go through sources according to your priorities

If your priority is to initially filter the data in chunks and release something of quality, so be it, as long as you believe it's the way to go. You never know when the next source of data will pop up.

@gripedthumbtacks

You can connect with openssl s_client and dump all combined domains in the certificate bundle, e.g. everything in the name, SAN, etc. cert fields. This will be more representative than trying to tie via DNS. The bundling applies more to lower-tier services, though, and the larger enterprise customers on Alexa top domains may still need to be manually correlated. But you could find test domains of large companies, which is an indicator they once used the free services as a trial or still use it for testing. Is this already being done? Yes, no?

@coderobe (Contributor) commented Feb 26, 2017

@DtpEJsaYXDU4GDH8dE4MyI9VrieF0UZpPZ0K76K That would yield inaccurate results. Cloudflare keeps and renews certificates for your domain even if you use them only as DNS, provided you were routing at least one (sub)domain through their proxy at any point in time, even if that was years ago (which is very questionable). See one of my domains for example: https://crt.sh/?q=broda.me

@gripedthumbtacks

@coderobe then what is the proposed best method? Lookup all Alexa / top interesting root domains, find / brute force all subdomains, and check for DNS record pointing to cloudflare IP blocks?

@coderobe (Contributor)

@DtpEJsaYXDU4GDH8dE4MyI9VrieF0UZpPZ0K76K This is one of the only options, yeah. CURLing the headers and checking for CF-* or Server: cloudflare-nginx is another method, but I think (ab)using DNS and comparing IPs is the best and most accurate option we have.

@pirate (Owner) commented Feb 26, 2017

@coderobe @DtpEJsaYXDU4GDH8dE4MyI9VrieF0UZpPZ0K76K at this point it's too late to trust header/DNS data to reflect proxy customers during the 6-month window; too many people have turned off Cloudflare in the last two days. If we do a header scrape, we could tag domains with [currently using cloudflare proxy] in the list, but I wouldn't want to remove any from the list that aren't using it.
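As an added example (not code from this repository or any commenter), here is a small Python classifier that applies the two checks discussed in the last few comments, DNS answers compared against Cloudflare's proxy IP ranges and CF-*/Server response headers, and emits the tag proposed above instead of removing anything from the list. The IP ranges are a constructed subset that must be refreshed from Cloudflare's published list, and the domain/IP/header samples are constructed inline so it runs offline.

```python
import ipaddress

# Constructed subset of Cloudflare's published proxy ranges (assumption:
# refresh from Cloudflare's own published list before relying on it).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14", "108.162.192.0/18",
    "141.101.64.0/18", "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20",
    "188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]

TAG_CURRENT = "currently using cloudflare proxy"
TAG_PARTIAL = "possibly using cloudflare proxy (one signal)"
TAG_NONE = "no current cloudflare signal (may have disabled proxy since)"


def ip_on_cloudflare(ip: str) -> bool:
    """True if the resolved address falls in a known Cloudflare proxy range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def headers_indicate_cloudflare(headers: dict) -> bool:
    """True if the response carries any CF-* header or a cloudflare Server value."""
    lower = {k.lower(): str(v).lower() for k, v in headers.items()}
    if lower.get("server", "").startswith("cloudflare"):
        return True
    return any(k.startswith("cf-") for k in lower)


def tag_domain(ips, headers) -> str:
    """Combine both signals into a list tag; never decides removal."""
    dns_hit = any(ip_on_cloudflare(ip) for ip in ips)
    hdr_hit = headers_indicate_cloudflare(headers)
    if dns_hit and hdr_hit:
        return TAG_CURRENT
    if dns_hit or hdr_hit:
        return TAG_PARTIAL
    return TAG_NONE


# Constructed sample data: (resolved A records, response headers) per domain.
SAMPLES = {
    "example.com": (["104.16.12.34"], {"Server": "cloudflare-nginx", "CF-RAY": "constructed"}),
    "example.org": (["93.184.216.34"], {"Server": "ECS (constructed)"}),
    "example.net": (["173.245.48.9"], {"Server": "nginx"}),
}


def tag_all(samples=SAMPLES) -> dict:
    return {d: tag_domain(ips, hdrs) for d, (ips, hdrs) in samples.items()}


if __name__ == "__main__":
    for domain, tag in tag_all().items():
        print(f"{domain}: [{tag}]")
```

Feed it live resolver answers and a HEAD request's headers per domain and the tag can be appended to the existing list entry, which keeps entries that switched the proxy off after the incident.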

@coderobe (Contributor)

Right. That's yet another problem.

@TobiX commented Feb 26, 2017

Did anyone do a Shodan search for the Server: header?

@Zenexer (Contributor) commented Feb 26, 2017

@TobiX I did, but there's too much data for it to be useful.

@gripedthumbtacks

Since all major govs would have this historical DNS data, has anyone just kindly asked cloudflare to publish all the affected domains?

@Phineas (Contributor) commented Feb 26, 2017

@DtpEJsaYXDU4GDH8dE4MyI9VrieF0UZpPZ0K76K No, and they're not going to; it'd be a bit stupid if they did in terms of client security. There still might be data available from those leaked domains.
