detect-cloudflare-plus's People

Contributors

claustromaniac

Forkers

monessem alex-rng

detect-cloudflare-plus's Issues

[feature suggestion] detect CF certificate for heightened MitM awareness

Suppose there is a difference in CF (edge server) TLS traffic if the (shared) certificate is issued by CF (like the link you stated https://www.troyhunt.com/cloudflare-ssl-and-unhealthy-security-absolutism/) or issued by another CA like mozilla.org being hosted on CF but using their own (even EV) certificate.

Whilst in the former case it is rather likely that the TLS traffic terminates at the CF edge server and thus insinuates a higher MitM risk whilst in the latter case it is less likely that Mozilla is sharing its EV certificate key (and thus governing TLS traffic) at the CF edge server with CF, though there is no guarantee to it either.

What I am trying to point out is that it perhaps makes sense for the user awareness to differ whether a site hosted on CF is utilising a CF certificate and thus presenting the lowest security level with regard to potential MitM.

N.B. If sites would deploy DNSSEC + TLSA (and clients to support same natively) the TLS traffic with any cloud provider would be way more transparent, but that is for another day..

apply detection on cached resources too

The OnCompleted event makes detection more accurate, but at the same time prevents the extension from detecting loaded cached resources as having been served by Cloudflare. Doing a two-step detection using a separate OnResponseStarted listener in addition to the current OnCompleted one should work.
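
The two-step detection proposed in this issue, written out as an added example (not the extension's own code). The `cf-ray` / `server: cloudflare` header check, the `hits` map and the keep-or-drop policy in step 2 are assumptions; the page does not state the extension's actual rules.

```javascript
// Added example: detection logic only; it can be exercised with constructed events.
// Assumption: a response counts as Cloudflare-served when it carries a `cf-ray`
// header or `server: cloudflare` (the page does not list the extension's rules).
const hits = new Map(); // requestId -> { url, fromCache, confirmed }

function servedByCloudflare(responseHeaders = []) {
  return responseHeaders.some(({ name, value = '' }) => {
    const n = name.toLowerCase();
    return n === 'cf-ray' || (n === 'server' && value.trim().toLowerCase() === 'cloudflare');
  });
}

// Step 1: per the issue, this listener also sees cached loads, so record a provisional hit.
function onResponseStarted(details) {
  if (!servedByCloudflare(details.responseHeaders)) return;
  hits.set(details.requestId, {
    url: details.url,
    fromCache: Boolean(details.fromCache),
    confirmed: false,
  });
}

// Step 2: completion confirms the hit. Assumed policy: an unconfirmed hit
// survives only for cached loads; for network loads the final verdict wins.
function onCompleted(details) {
  const hit = hits.get(details.requestId);
  if (servedByCloudflare(details.responseHeaders)) {
    hits.set(details.requestId, {
      url: details.url,
      fromCache: Boolean(details.fromCache),
      confirmed: true,
    });
  } else if (hit && !hit.fromCache) {
    hits.delete(details.requestId);
  }
}

// Detected URLs for the popup or badge, cached ones included.
function detectedUrls() {
  return [...hits.values()].map((h) => `${h.url}${h.confirmed ? '' : ' (provisional)'}`);
}

// Register only inside a WebExtension; elsewhere the functions are called directly.
if (typeof browser !== 'undefined' && browser.webRequest) {
  const filter = { urls: ['<all_urls>'] };
  browser.webRequest.onResponseStarted.addListener(onResponseStarted, filter, ['responseHeaders']);
  browser.webRequest.onCompleted.addListener(onCompleted, filter, ['responseHeaders']);
}
```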

nits

oh wow you've been pretty busy updating this, A LOT! :)

a couple things I noticed while glancing over the code:

  • browser.runtime.getBackgroundPage() in options/page.js doesn't work in private windows. Not terrible but not ideal either.
  • this.hasOwnProperty(i) ? val[i] = this[i] : val[i] = this.defaults[i]; in classes.js is prettier like this: val[i] = this.hasOwnProperty(i) ? this[i] : this.defaults[i];

I avoid browser.storage.sync like the pest in all my addons, just out of principle. Maybe use local as the default and add an option to use sync? something like

var storageArea = browser.storage.local;
if (settings.sync) storageArea = browser.storage.sync;

you get the idea. Or just get rid of sync because the extension comes with good default settings anyway and there's no real need to sync them IMHO.

Proton URL Bar Styling Update Distorts URL Bar Indicator

Thanks for the great extension.

It appears that Firefox's new Proton UI refresh has new address bar styling, including spacing changes.

This affects this extension's URL bar indicator, making it arguably look a little unintentional and distorted post-update, as can be seen in the below screenshot. Specifically, it appears the indicator spacing is now taller and thinner.

Screenshot

Note that this new UI refresh can be turned on by setting browser.proton.urlbar.enabled (this only controls the URL bar, other proton prefs enable other parts of the theme) to true in Nightly in about:config.

While this is not enabled by default yet, it appears that it will make its way to release reasonably soon.

[feature suggestion] option for enhanced visual awareness

When browsing I hardly look at the address/tool bar and rather focus on the content window, thus in such a workflow missing the DCF+ icons (colours). Else having to get used to tilting up my eyes from the content window to one of the bars in search for the DCF+ icons (colours).

I would rather be content to have a more intrusive but enhanced/instant visual awareness with a frame/border (top and each side in the style of red/white or yellow/black hazard tape) placed/injected in the content window.

Suppose that others may prefer the less intrusive icons, this could perhaps be an option.

requests for particular CDNs

Use this issue for requests regarding individual CDNs.


| Platform to investigate | Added in | Notes |
| --- | --- | --- |
| 75CDN | | |
| Advanced Hosting | | |
| Akamai | 98ec768 | |
| Alibaba Cloud | 47c01bd | |
| Amazon Cloudfront | 98ec768 | |
| Amazon Shield | 9e347b6 | |
| Azion | | Needs custom pragma in the request to get debug headers in the response |
| Azure | | Can't be detected reliably via headers. |
| Baidu | 6cc3ae8 | |
| BelugaCDN | 6cc3ae8 | |
| BootCDN | | |
| BootstrapCDN | 6cc3ae8 | |
| BunnyCDN | 6cc3ae8 | |
| CacheFly CDN | | Offers custom CDNs and multi-CDN setups, seizing other popular CDNs (like Cloudflare) |
| CDN.net | | |
| CDN77 | e3112f7 | |
| CDNetworks | a149a10 | Uses Zenedge internally |
| cdnlion | | |
| ChinaCache | 9e347b6 | |
| Cloudflare | 1fa92cc | |
| Cloudflare AMP | | Already detected by CF filters |
| Cloudflare IPFS gateway | | Same as above |
| Edgecast | e3112f7 | |
| Fastly | 33f24e4 | |
| fly.io | 9e347b6 | |
| Flywheel | 9e347b6 | |
| G-CDN | a149a10 | |
| GitHub | 6cc3ae8 | |
| GoCache | e3112f7 | |
| Google AMP | | |
| Google Cloud | 33f24e4 | |
| Google Project Shield | 6e8c38d | |
| Huawei Cloud | | |
| Highwinds | a149a10 | |
| IBM Cloud | | CDN powered by Akamai. |
| ICSS | | |
| Incapsula | 6e8c38d | |
| Instart Logic | 6fe4d17 | |
| IPFS | 6fe4d17 | Not a CDN, but a gateway. |
| jsDelivr | | Uses StackPath, Cloudflare, Fastly, and Quantil. |
| KeyCDN | 6e8c38d | |
| Kinsta | 98ec768 | Hosting powered by Google Cloud, CDN powered by KeyCDN. |
| Leaseweb | 6fe4d17 | |
| Limelight | | |
| Link11 | | |
| MaxCDN / StackPath | | |
| MyraCloud | 98ec768 | |
| NetDNA | 9e347b6 | |
| Netlify | 6fe4d17 | |
| NetScout | | |
| Netskope | | |
| OVH | | |
| QiHU | 6cc3ae8 | |
| Qiniu | | |
| Quantil | e3112f7 | |
| section.io | a149a10 | |
| SingularCDN | 6fe4d17 | |
| Sucuri | 6e8c38d | |
| staticfile | | Open source CDN for open source libraries. Can detect by URL. |
| Tor2web | ad6de0c | Not a CDN, but a gateway. |
| TransparentCDN | 1ad2d8d | |
| Variti | 6cc3ae8 | |
| Zenedge | 6fe4d17 | |

Notes

  • Researching these cloud services can take quite a lot of time, and results are not guaranteed. Please be patient.
  • I only add new items to the extension when I can detect them in a fairly reliable and efficient way.
  • Items marked with ❌ are items that I already investigated considerably, but still haven't figured out how to detect reliably and efficiently. I may eventually get back to investigating these, but they lose priority.

Since 0.13.1 the icon shows the domains only when address bar icon is enabled

Tested on Firefox 62.0 and Waterfox 56.2.2, Windows 7 64bit.
The toolbar icon of version 0.13.0 used to show the list of domains when clicked on, even when the address bar icon was disabled in the extension options. This has changed with 0.13.1, it's only showing "Cloudflare not detected." now when clicked on if the address bar icon is disabled in the options, but the badge with the number is still here showing correctly non-zero Cloudflare requests on the toolbar icon.

CDN's wet dream coming true

That is at least on the surface reading of https://www.bleepingcomputer.com/news/google/google-chrome-adding-support-for-signed-http-exchanges/ and without having dug into details.

Perhaps not surprising that is being pushed by G and CF. So far M is not caving but will see how long that might last.

N.B. Noticed that development of this WX has slowed and efforts are invested into the other WX https://github.com/claustromaniac/poop/releases

Considering this development of SXG it would probably render further development of this WX rather futile anyway?

badge text color w/yellow

mellowyellow

When the badge counter is yellow, the text would probably be better off being not-white, it's basically impossible to read that number - i.e. the little square yellow blob of info in the toolbar - NFI why I included the panel in the pic :)

Optional setting to block pages hosted by CDNs

For users with the strictest privacy preferences, this would help a great deal. If the heuristics detect a webpage with CDNs then users could be redirected to a page warning them the website was infected with CDNs, and show a list of what ones were used.

Potential later enhancements:

  • Separate settings for whole pages hosted by CDNs and ones with only assets hosted
  • Whitelist/blacklist
  • Sharing button on the warning page to publicly shame these offending websites on social media or by emailing the warning directly to the webmaster

Configurable icon

I really like the addon, but seeing the eye in my address bar, it feels out of place. Having the option of using a flat icon consistent with the visual style of the rest of Firefox would be great.
