CF Dashboard - Feature or Bug?

I happened to look at the HTML source for the Cloudflare Dashboard and noticed quite a number of domains in a JSON array marked as SSO Domains. I have removed the personal information, but have pasted it below. Is this just a feature, or is it a bug??

OK, so it won’t let me post JSON either, as I get a 2 link max warning limit. But there’s no links!

So here’s the JSON on PasteBin - https://pastebin.com/pBuc1vgU

I assume it rather is a “feature”, though somewhat of a leaky one.

@cloonan

1 Like

OK, hopefully it’s fixed soon.

Fixed? Why are you concerned by that?

It’s doubtful I’m the only person getting such data, and potentially (though this is mere speculation on my part) could show domains under CF protection. And I certainly wouldn’t want any of my data attached to any domain under your protection that doesn’t reflect my views… One such domain your CEO kicked off the platform just a few days ago…

My CEO? My CEO didn’t kick off anyone.

Anyhow, whether a domain is on Cloudflare is something which is public information anyhow and your data is not attached to anything anyhow. That simply is a list of domains. If anybody, those owners might be concerned, but you definitely don’t need to be.

I stand corrected, I wrongly believed you worked for Cloudflare.

Though the matter is trivial, some people who are in environments (or countries) that have Deep Packet Inspection (DPI) turned on may be concerned that merely visiting the Dashboard could red flag them for containing domains that are not ‘suitable’ whether from a corporate view or a country-wide view.

I’m not too concerned for myself, though I do see the ramifications of this ‘potential’ misconfiguration for others…

Considering the dashboard is on TLS, DPI should not work (unless these countries break HTTPS as well).

Even though I have an assumption as to why these domains are there, I am not quite sure why Cloudflare implemented it that way, but generally there really is no reason to be concerned. The owners of these sites might be, but that’s a whole different issue and because of that I did tag cloonan earlier.

1 Like

Yes, it could be better engineered to where it checks for SSO with an event like onBlur, but it’s not that big of a data leak since the list of domains is almost exclusively enterprise-grade domains.

You shouldn’t be concerned with government censorship as these domains won’t appear in DPI since it never connects to them unless you try to sign in with one of those domain emails. Obviously they’ll be detected if the government has you install their own CA and they proxy all of your traffic, but at that point these domains appearing in the json response is the least of your problems.

Hi @gareth1, can you share that detail and a link to this thread with support? They can investigate details. When you do, please share the ticket number here and I will follow progress.

To contact Cloudflare Customer Support, log in & go to https://dash.cloudflare.com/?account=support and select get more help. Please give Support the complete details and link to your Community post. Here’s a bit of background on Cloudflare Support for reference:

https://support.cloudflare.com/hc/en-us/articles/200172476-How-do-I-report-a-bug-to-Cloudflare-

Thanks @cloonan, I have filled the form, and the ticket number is “1731879”.

2 Likes

Perfect, thank you. I see the ticket and the notes from the engineer. Thank you and sorry for the troubles.

I am afraid I am not sure what your point is. The OP did not refer to the security token but to the list of domains. This list is of no concern (except possibly for their owners) and DPI and TLS are of no relevance in this context either.

Bottom line, Cloudflare should address this bit simply for the sake of the domain owners, but it generally is no real issue, particularly not for any third parties like the OP, you, or me.

1 Like