
03-02-2018, 10:29 AM (This post was last modified: 03-02-2018 10:31 AM by RegaLives.)
Post: #1
[GET] SSL Cloudflare Crimeflare.net CloudFlare's half-baked SSL suspicious sockets layer ???

After reading this website's statements from 2013, updated to 2018 02 28 now.

WHAT IS the meaning of Men-In-The-Middle???

Has Cloudflare SSL improved and is it better because it is FREE AND NO MONEY is involved for WordPress for the domain validation period?? 2017 2018??

We get what we pay for?? Zero??

Should we charge 97.00 to offline businesses to do the work to install SSL ON CloudFlare's, and 97.00 for the Let's Encrypt SSL install work???

There is about 2 - 3 hours of work to install: back up the site, install both plugins and correct images, CSS, non-https, etc. to force https.
Better to get a real paid 10.00 SSL CSR REQUEST INSTALL to stop loopholes??

The same work must be done for a Let's Encrypt SSL install on WP.

Still use an SSL reseller account (50.00 min up to 5,000.00 deposit) to buy them wholesale and still install for 197.00 to 500.00 for high-end offline clients??

What has worked for you? We need to get a system down.
It varies by niche and brick-and-mortar biz.


"In other words, nothing can be done about the ISIS sites, carders, booters, gamblers, escorts, phishers, malware, and copyright infringers that CloudFlare protects."

CloudFlare's half-baked SSL suspicious sockets layer

October 2013 updated: February 26, 2018

We were inspired to collect the data on this page after reading this report: Phishers using CloudFlare for SSL.
https://news.netcraft.com/archives/2013/...r-ssl.html

Also see this technical analysis (PDF, 545 KB)
http://www.crimeflare.org/httpsincdn.pdf

on the use of SSL by CloudFlare and similar services. The CloudFlare certificates we found all had the common name in the same style as the "ssl2796.cloudflare.com" shown in that Netcraft report. The "ssl2796" in the name is a CloudFlare tracking ID in the 137,127 root domains we found that use "standard" (not "universal") CloudFlare certificates.

Every root domain also has a subdomain wildcard line (*.example.com), which we deleted to save space.

We compiled this list by attempting a handshake with the CloudFlare domains in our database. The "standard" certificates on this page (with "ssl" in front of the number instead of "sni") mean that the domain has a paid account at CloudFlare. Paid accounts make up about five percent of the domains that use CloudFlare, according to news reports.

It's all a marketing effort anyway, whether paid or free. There is no such thing as "secure" SSL when you have potential Men-In-The-Middle at scores of data centers around the world.

Local authorities could be sniffing the plaintext available at these data centers, and CloudFlare wouldn't have a clue.

(Their "data centers" are typically a rack or two of equipment that CloudFlare ships to a real data center, along with installation instructions.)
We asked CloudFlare to confirm that sniffing is possible at these so-called "data centers," but they didn't respond.

By now we're wondering if there's a plaintext Ethernet port at the back of their equipment rack that makes interception easy and convenient. If so, it would make no difference whether the origin server has its own certificate.

CloudFlare may claim that there is no way plaintext can be accessed from their equipment racks, despite the fact that some sort of decrypt and re-encrypt must occur there due to the nature of their role as a CDN. After all, CloudFlare has engineers who come up with clever techniques to enhance SSL. But imagine that you are a government regulator in a country where a big ISP hosts a CloudFlare "data center."

Your job is to consider the Internet in terms of public safety and current laws, and you go to that ISP with a list of CloudFlare-user domains you want blocked.

The ISP replies that everything is encrypted, and CloudFlare traffic cannot be intercepted. In other words, nothing can be done about the ISIS sites, carders, booters, gamblers, escorts, phishers, malware, and copyright infringers that CloudFlare protects.


How would you respond? It's fairly obvious — you ask this ISP to block the CloudFlare IP addresses used by the offending domains (this is already happening in Russia). If those IPs change, then block CloudFlare's entire IP space, and continue to monitor the situation.

If CloudFlare's traffic still gets through, you ask the ISP to pull the plug on CloudFlare's racks. This is why CloudFlare will add a plaintext port to their own hardware someday, if they haven't already.

The CloudFlare certificates below encrypt the traffic only between the browser and CloudFlare. The traffic between the original web server and CloudFlare remains unencrypted unless the web server owner has his own certificate installed on his machine.

Almost everyone who browses a https domain reached from CloudFlare is unaware that just half of the route is encrypted. When they see the padlock on their screen, they feel that everything is safe.

This is why phishers love CloudFlare's SSL. It's easy to use for a cybercriminal with numerous domains hidden behind the privacy services of various registrars. Moreover, the subdomain wildcard option on each domain is handy for obscuring a URL in a phishing email.

Suppose that grandpa, age 90, gets an official-looking email that advises him to immediately change his password. He clicks on the URL in the email and ends up at bankofamerica.q4.es.

This page is an excellent imitation of the Bank of America pages he remembers, and there is also that nice little SSL padlock in the corner of the address bar. Would he fill out the form?

Probably, because he doesn't realize that he's at a subdomain of q4.es and is entering his old and new password into a fake page for the benefit of a phisher.

As if the "standard" certificates aren't enough of a problem, there are also over four million "universal" certificates that present bigger problems.

All you need for a free CloudFlare account is a domain and an email address. Little countries and even some little islands all have their own top-level domain these days.

Rich people can buy a generic top-level domain. Many registrars around the world are pleased to sell these ccTLD and gTLD registrations. It's a cash cow for everyone, but especially for bad guys. The same situation exists for anyone who needs a throwaway email address that's nearly impossible to trace.

Now add CloudFlare's free fly-by-night "universal" SSL. When you email CloudFlare to open your new account, they ask for your domain.

Then they scrape your zone file from whatever dubious nameservers are listed at your dubious registrar. Without asking, they assign you a dubious "universal" SSL certificate.

All of these "universal" certificates include that magical wildcard subdomain that invites so much mischief.

Some critics are referring to these CloudFlare certificates as "fraudulent" because the domain ownership validation (a necessary component of the SSL standard) is achieved only from CloudFlare's initial access to the zone file.

With the paid accounts, there are payment records associated with a CloudFlare customer. But with free CloudFlare accounts, everything is too easy for bad guys, and the information about who's really behind a domain is frequently beyond the reach of law enforcement. The problem is that Silicon Valley is too self-serving.

After the embarrassing NSA leaks, Google declared that everyone should look for a little padlock on their screen when they visit a website. Even your cat pictures should sport a little padlock these days! Now CloudFlare comes along and hopes to pave their way toward an IPO by giving away more free padlocks than anyone else.

But by now the padlocks are almost meaningless. The NSA probably finds this amusing.

The domains shown in BLUE were not using CloudFlare nameservers when they were checked on 2018-02-26. Additional information is available for these domains and their certificates. Just paste the domain (without the certificate number) into the search box.


I am asking for help from the real brains in this global citizens' brother- and sisterhood.

Thank You, Peace and Love

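The certificate-name conventions the quoted Crimeflare page describes (a shared "ssl2796.cloudflare.com" style common name, "ssl" for paid versus "sni" for free accounts, and one *.example.com wildcard line per root domain) can be turned into a small audit of what the padlock on a hostname like bankofamerica.q4.es actually attests to. This is an added example, not code from the forum post or from Crimeflare; the CertInfo structure, the cloudflaressl.com suffix for the sni form, and the sample SAN list are assumptions constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Common-name style reported on the Crimeflare page: "ssl<N>.cloudflare.com" on
# paid ("standard") accounts and an "sni<N>" prefix on free ("universal") ones.
# Accepting "cloudflaressl.com" as the suffix for the sni form is an assumption.
SHARED_CN = re.compile(r"^(ssl|sni)(\d+)\.cloudflare(?:ssl)?\.com$")


@dataclass
class CertInfo:
    """Subject CN and SAN list as read off a served certificate (assumed shape)."""
    common_name: str
    sans: List[str]


def classify_shared_cert(cert: CertInfo) -> Optional[Dict[str, str]]:
    """Return account type and tracking ID if the CN is a shared CloudFlare-style name."""
    m = SHARED_CN.match(cert.common_name.lower())
    if not m:
        return None
    return {"account": "paid" if m.group(1) == "ssl" else "free", "tracking_id": m.group(2)}


def hostname_matches(hostname: str, name: str) -> bool:
    """Single-label wildcard match: *.q4.es covers x.q4.es but not x.y.q4.es or q4.es."""
    hostname, name = hostname.lower().rstrip("."), name.lower()
    if name.startswith("*."):
        return hostname.endswith(name[1:]) and hostname.count(".") == name.count(".")
    return hostname == name


def audit(hostname: str, cert: CertInfo) -> Dict[str, object]:
    """Explain what the padlock for `hostname` attests to when the cert is shared."""
    covers = [n for n in cert.sans if hostname_matches(hostname, n)]
    roots = sorted({n[2:] for n in cert.sans if n.startswith("*.")})  # one root per wildcard line
    return {
        "shared": classify_shared_cert(cert),
        "covered": bool(covers),
        # True when only a wildcard line covers the name: any subdomain would get the padlock
        "wildcard_only": bool(covers) and all(n.startswith("*.") for n in covers),
        "cohosted_roots": roots,  # unrelated root domains sharing the same certificate
    }


if __name__ == "__main__":
    # Constructed certificate data modelled on the page's "ssl2796.cloudflare.com" example.
    cert = CertInfo("ssl2796.cloudflare.com",
                    ["ssl2796.cloudflare.com", "*.q4.es", "q4.es", "*.example.com", "example.com"])
    print(audit("bankofamerica.q4.es", cert))
```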
03-02-2018, 02:44 PM
Post: #2
RE: [GET] SSL Cloudflare Crimeflare.net CloudFlare's half-baked SSL suspicious sockets layer ???
thanks for this insight
03-02-2018, 02:55 PM
Post: #3
RE: [GET] SSL Cloudflare Crimeflare.net CloudFlare's half-baked SSL suspicious sockets layer ???
Here is how I see it:
References to the 'internet' and 'secure' never belong in the same sentence or topic because it is ALL just smoke and mirrors.
I totally despise board spammers and spambots!!!