I happened to look at the HTML source for the Cloudflare Dashboard and noticed quite a number of domains in a JSON array marked as SSO Domains. I have removed the personal information, but have pasted it below. Is this just a feature, or is it a bug??
OK, so it wonāt let me post JSON either, as I get a 2 link max warning limit. But thereās no links!
So hereās the JSON on PasteBin - https://pastebin.com/pBuc1vgU
I assume it rather is a āfeatureā, though somewhat of a leaky one.
1 Like
OK, hopefully itās fixed soon.
Fixed? Why are you concerned by that?
Itās doubtful Iām the only person getting such data, and potentially (though this is mere speculation on my part) could show domains under CF protection. And I certainly wouldnāt want any of my data attached to any domain under your protection that doesnāt reflect my viewsā¦ One such domain your CEO kicked off the platform just a few days agoā¦
My CEO? My CEO didnt kick off anyone.
Anyhow, whether a domain is on Cloudflare is something which is public information anyhow and your data is not attached to anything anyhow. That simply is a list of domains. If anybody, those owners might be concerned, but you definitely dont need to be.
I stand corrected, I wrongly believed you worked for Cloudflare.
Though the matter is trivial, some people who are in environments (or countries) that have Deep Packet Inspection (DPI) turned on may be concerned that merely visiting the Dashboard could red flag them for containing domains that are not āsuitableā whether from a corporate view or a country-wide view.
Iām not too concerned for myself, though I do see the ramifications of this āpotentialā misconfiguration for othersā¦
Considering the dashboard is on TLS, DPI should not work (unless these countries break HTTPS as well).
Even though I have an assumption as to why these domains are there, I am not quite sure why Cloudflare implemented it that way, but generally there really is no reason to be concerned. The owners of these sites might be, but thats a whole different issue and because of that I did tag cloonan earlier.
1 Like
Yes, it could be better engineered to where it checks for SSO with an event like onBlur but itās not that big of a data leak since the list of domains are almost exclusively enterprise-grade domains.
Your shouldnāt be concerned with government censorship as these domains wonāt appear in DPI since it never connects to them unless you try to sign in with one of those domain emails. Obviously theyāll be detected if the government has you install their own CA and they proxy all of your traffic, but at that point these domains appearing in the json response is the least of your problems.
Hi @gareth1, can you share that detail and a link to this thread with support, they can investigate details. When you do, please share the ticket number here and I will follow progress.
To contact Cloudflare Customer Support, login & go to https://dash.cloudflare.com/?account=support and select get more help. Please give Support the complete details and link to your Community post. Hereās a bit of background on Cloudflare Support for reference:
https://support.cloudflare.com/hc/en-us/articles/200172476-How-do-I-report-a-bug-to-Cloudflare-
Thanks @cloonan, I have filled the form, and the ticket number is ā1731879ā.
2 Likes
Perfect, thank you. I see the ticket and the notes from the engineer. Thank you and sorry for the troubles.
I am afraid I am not sure what your point is. The OP did not refer to the security token but to the list of domains. This list is of no concern (except possibly for their owners) and DPI and TLS are of relevance in this context either.
Bottom line, Cloudflare should address this bit simply for the sake of the domain owners, but it generally is no real issue, particularly not for any third parties like the OP, you, or me.
1 Like