claustromaniac / detect-cloudflare-plus
True Sight Firefox extension.
Home Page: https://addons.mozilla.org/firefox/addon/detect-cloudflare-plus/
License: GNU General Public License v3.0
Suppose there is a difference in CF (edge server) TLS traffic if the (shared) certificate is issued by CF (like the link you stated https://www.troyhunt.com/cloudflare-ssl-and-unhealthy-security-absolutism/) or issued by another CA, like mozilla.org being hosted on CF but using their own (even EV) certificate.
In the former case it is rather likely that the TLS traffic terminates at the CF edge server and thus insinuates a higher MitM risk, whilst in the latter case it is less likely that Mozilla is sharing its EV certificate key (and thus governing TLS traffic) at the CF edge server with CF, though there is no guarantee of it either.
What I am trying to point out is that it perhaps makes sense for the user awareness to differ depending on whether a site hosted on CF is utilising a CF certificate and thus presenting the lowest security level with regard to potential MitM.
N.B. If sites would deploy DNSSEC + TLSA (and clients supported the same natively) the TLS traffic with any cloud provider would be way more transparent, but that is for another day..
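An added example (not the extension's own code) of how the distinction raised above could be surfaced: Firefox's `browser.webRequest.getSecurityInfo()` (available from a blocking `onHeadersReceived` listener) exposes the served certificate chain, so the leaf issuer can be classified as a Cloudflare-issued shared certificate or the origin's own. The "issuer DN contains Cloudflare" heuristic and the `summariseSecurityInfo` shape are assumptions for illustration.

```javascript
// Added example, not part of the True Sight project. Classifies the leaf
// certificate issuer reported by webRequest.getSecurityInfo() so an indicator
// can separate "Cloudflare shared certificate" from "origin-owned certificate".
// The issuer-string heuristic is an assumption for illustration only.

// Classify an X.509 issuer DN string (SecurityInfo.certificates[i].issuer).
function classifyIssuer(issuerDn) {
  const dn = (issuerDn || '').toLowerCase();
  if (dn === '') return 'unknown';
  if (dn.includes('cloudflare')) return 'cloudflare-shared';
  return 'origin-owned';
}

// Summarise a Firefox SecurityInfo object: connection state, leaf issuer class, EV flag.
function summariseSecurityInfo(info) {
  if (!info || info.state !== 'secure' || !Array.isArray(info.certificates) || info.certificates.length === 0) {
    return { state: 'insecure', issuer: 'unknown', ev: false };
  }
  const leaf = info.certificates[0]; // index 0 is the server (leaf) certificate
  return {
    state: 'secure',
    issuer: classifyIssuer(leaf.issuer),
    ev: Boolean(info.isExtendedValidation),
  };
}

// Registration only runs inside an extension background page; guarded so the
// file also loads outside a browser.
if (typeof browser !== 'undefined' && browser.webRequest && browser.webRequest.getSecurityInfo) {
  browser.webRequest.onHeadersReceived.addListener(
    async details => {
      // getSecurityInfo must be called while the blocking listener is still pending.
      const info = await browser.webRequest.getSecurityInfo(details.requestId, { certificateChain: false });
      console.log(details.url, summariseSecurityInfo(info));
      return {}; // leave the response untouched
    },
    { urls: ['<all_urls>'], types: ['main_frame'] },
    ['blocking']
  );
}
```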
The OnCompleted event makes detection more accurate, but at the same time prevents the extension from detecting loaded cached resources as having been served by Cloudflare. Doing a two-step detection using a separate OnResponseStarted listener in addition to the current OnCompleted one should work.
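The two-step detection described above, as an added example that is not the project's own code: `onResponseStarted` also fires for responses served from cache, `onCompleted` marks the authoritative end of a request, and deduplicating by `requestId` stops a request being counted twice. The `cf-ray` / `server: cloudflare` header heuristic is an assumption standing in for the extension's real filters.

```javascript
// Added example, not code from the True Sight project. Two webRequest listeners
// feed one recordRequest(); a per-tab set of requestIds prevents double counting.
// The header heuristic below is an assumption for illustration only.

// True when a webRequest responseHeaders array ([{name, value}, ...]) looks like Cloudflare.
function servedByCloudflare(responseHeaders) {
  for (const h of responseHeaders || []) {
    const name = h.name.toLowerCase();
    const value = (h.value || '').toLowerCase();
    if (name === 'cf-ray') return true;
    if (name === 'server' && value === 'cloudflare') return true;
  }
  return false;
}

// Per-tab state: hostnames seen via Cloudflare and the requestIds already counted.
const tabState = new Map();

// Record one request; returns true only the first time a given requestId is counted.
function recordRequest(details) {
  if (!servedByCloudflare(details.responseHeaders)) return false;
  let state = tabState.get(details.tabId);
  if (!state) {
    state = { hosts: new Set(), counted: new Set() };
    tabState.set(details.tabId, state);
  }
  if (state.counted.has(details.requestId)) return false; // already seen by the other listener
  state.counted.add(details.requestId);
  state.hosts.add(new URL(details.url).hostname);
  return true;
}

// Sorted Cloudflare hostnames recorded for a tab (what a popup would list).
function cloudflareHosts(tabId) {
  const state = tabState.get(tabId);
  return state ? [...state.hosts].sort() : [];
}

// Listener registration, guarded so the file also loads outside an extension context.
if (typeof browser !== 'undefined' && browser.webRequest) {
  const filter = { urls: ['<all_urls>'] };
  const extra = ['responseHeaders'];
  browser.webRequest.onResponseStarted.addListener(recordRequest, filter, extra);
  browser.webRequest.onCompleted.addListener(recordRequest, filter, extra);
}
```

A real background script would additionally clear a tab's entry on `tabs.onRemoved` and on a new main_frame navigation so counts do not accumulate across pages.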
oh wow you've been pretty busy updating this, A LOT! :)
a couple of things I noticed while glancing over the code:
browser.runtime.getBackgroundPage() in options/page.js doesn't work in private windows. Not terrible but not ideal either.
this.hasOwnProperty(i) ? val[i] = this[i] : val[i] = this.defaults[i]; in classes.js is prettier like this: val[i] = this.hasOwnProperty(i) ? this[i] : this.defaults[i];
I avoid browser.storage.sync like the plague in all my addons, just out of principle. Maybe use local as the default and add an option to use sync? something like
var storageArea = browser.storage.local;
if (settings.sync) storageArea = browser.storage.sync;
you get the idea. Or just get rid of sync because the extension comes with good default settings anyway and there's no real need to sync them IMHO.
Introduced in 1.4.0, more specifically in ab5e9e6. It is a consequence of trying to make the total count more accurate in the first place.
Thanks for the great extension.
It appears that Firefox's new Proton UI refresh has new address bar styling, including spacing changes.
This affects this extension's URL bar indicator, making it arguably look a little unintentional and distorted post-update, as can be seen in the below screenshot. Specifically, it appears the indicator spacing is now taller and thinner.
Note that this new UI refresh can be turned on by setting browser.proton.urlbar.enabled (this only controls the URL bar, other proton prefs enable other parts of the theme) to true in Nightly in about:config.
While this is not enabled by default yet, it appears that it will make its way to release reasonably soon.
When browsing I hardly look at the address/tool bar and rather focus on the content window, thus in such a workflow I miss the DCF+ icons (colours). Otherwise I would have to get used to tilting my eyes up from the content window to one of the bars in search of the DCF+ icons (colours).
I would rather be content with a more intrusive but enhanced/instant visual awareness: a frame/border (top and each side, in the style of red/white or yellow/black hazard tape) placed/injected in the content window.
Supposing that others may prefer the less intrusive icons, this could perhaps be an option.
Platform to investigate | Added in | Notes |
---|---|---|
75CDN | | |
Advanced Hosting | | |
Akamai | 98ec768 | |
Alibaba Cloud | 47c01bd | |
Amazon Cloudfront | 98ec768 | |
Amazon Shield | 9e347b6 | |
Azion | ❌ | Needs custom pragma in the request to get debug headers in the response |
Azure | ❌ | Can't be detected reliably via headers. |
Baidu | 6cc3ae8 | |
BelugaCDN | 6cc3ae8 | |
BootCDN | | |
BootstrapCDN | 6cc3ae8 | |
BunnyCDN | 6cc3ae8 | |
CacheFly CDN | | Offers custom CDNs and multi-CDN setups, seizing other popular CDNs (like Cloudflare) |
CDN.net | | |
CDN77 | e3112f7 | |
CDNetworks | a149a10 | Uses Zenedge internally |
cdnlion | ❌ | |
ChinaCache | 9e347b6 | |
Cloudflare | 1fa92cc | |
Cloudflare AMP | | Already detected by CF filters |
Cloudflare IPFS gateway | | Same as above |
Edgecast | e3112f7 | |
Fastly | 33f24e4 | |
fly.io | 9e347b6 | |
Flywheel | 9e347b6 | |
G-CDN | a149a10 | |
GitHub | 6cc3ae8 | |
GoCache | e3112f7 | |
Google AMP | | |
Google Cloud | 33f24e4 | |
Google Project Shield | 6e8c38d | |
Huawei Cloud | ❌ | |
Highwinds | a149a10 | |
IBM Cloud | ❌ | CDN powered by Akamai. |
ICSS | ❌ | |
Incapsula | 6e8c38d | |
Instart Logic | 6fe4d17 | |
IPFS | 6fe4d17 | Not a CDN, but a gateway. |
jsDelivr | ❌ | Uses StackPath, Cloudflare, Fastly, and Quantil. |
KeyCDN | 6e8c38d | |
Kinsta | 98ec768 | Hosting powered by Google Cloud, CDN powered by KeyCDN. |
Leaseweb | 6fe4d17 | |
Limelight | | |
Link11 | ❌ | |
MaxCDN / StackPath | | |
MyraCloud | 98ec768 | |
NetDNA | 9e347b6 | |
Netlify | 6fe4d17 | |
NetScout | ❌ | |
Netskope | | |
OVH | | |
QiHU | 6cc3ae8 | |
Qiniu | | |
Quantil | e3112f7 | |
section.io | a149a10 | |
SingularCDN | 6fe4d17 | |
Sucuri | 6e8c38d | |
staticfile | | Open source CDN for open source libraries. Can detect by URL. |
Tor2web | ad6de0c | Not a CDN, but a gateway. |
TransparentCDN | 1ad2d8d | |
Variti | 6cc3ae8 | |
Zenedge | 6fe4d17 | |
Any chance of True Sight being ported to Chromium?
Tested on Firefox 62.0 and Waterfox 56.2.2, Windows 7 64-bit.
The toolbar icon of version 0.13.0 used to show the list of domains when clicked on, even when the address bar icon was disabled in the extension options. This has changed with 0.13.1, it's only showing "Cloudflare not detected." now when clicked on if the address bar icon is disabled in the options, but the badge with the number is still here showing correctly non-zero Cloudflare requests on the toolbar icon.
They're meant to help but I suspect they can be darn confusing and even misleading to some. WTF was I thinking? NEED MOAR SLEEP.
Well... at least I'm not messing up the code itself...
That is at least on the surface reading of https://www.bleepingcomputer.com/news/google/google-chrome-adding-support-for-signed-http-exchanges/ and without having dug into details.
Perhaps not surprising that is being pushed by G and CF. So far M is not caving but will see how long that might last.
N.B. Noticed that development of this WX has slowed and efforts are invested into the other WX https://github.com/claustromaniac/poop/releases
Considering this development of SXG, it would probably render further development of this WX rather futile anyway?
or do something about the popup to make it more intuitive. Or both.
and be sure to take your time to explain well what you mean by that.
For users with the strictest privacy preferences, this would help a great deal. If the heuristics detect a webpage with CDNs then users could be redirected to a page warning them the website was infected with CDNs, and show a list of what ones were used.
Potential later enhancements:
I really like the addon, but seeing the eye in my address bar, it feels out of place. Having the option of using a flat icon consistent with the visual style of the rest of Firefox would be great.