
Show HN: Does it use Cloudflare? - doesXcloudflare
http://www.doesitusecloudflare.com/
======
nikcub
This doesn't detect Cloudflare CNAME clients.

For ex. It says uber.com is not vulnerable - because the homepage isn't, while
the app is consistently one of the most impacted in the caches I've seen

I don't think anyone has really nailed the methodology here - and I think that
is important (as is erring towards false positives rather than false
negatives) for security mitigation advice

~~~
mauriciob
It's not that easy. Not all CNAME clients used the three services that had the
issue.

These lists are bad, because they list any Cloudflare clients that can be
found, not just the ones that might have had exposed data.

------
throwfast1
Why was this flagged? Can HN offer a mouse over description to answer these
types of questions? just curious

~~~
eli
Individual users have the ability to flag posts (after a certain karma, I
think) and there's no place to provide a reason.

~~~
grzm
To elaborate, flags are (nearly?) always the result of user action, not mods.

------
neic
Does this use live data? Would a site be positive even if it, after the
publication of Cloudbleed, migrated away from Cloudflare?

~~~
Piskvorrr
"Live" is somewhat misleading here: the leaks are out there, in crawler
caches. Do you consider such source "live", even though it is no longer
leaking data?

~~~
lucideer
I think that's exactly what the commenter was getting at. "Live" data would be
deficient in this instance, historical data would be better.

------
baptistem
otherwise :

    dig website.com +short | head -n1 | xargs -- whois | grep -q cloudflare

~~~
gkya
doesn't work with my setup, whois on cloudflare domains do not include the
string "cloudflare". This works tho:

    dig website.com +short | grep -q cloudflare
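
Added example, not part of the thread: the two one-liners above look only for the string "cloudflare", which shows up in `dig +short` output for CNAME setups but not for proxied records that return bare IPs, and checking one hostname says nothing about the others. This sketch classifies `dig +short` output per hostname by CNAME target and by IP range; the hostnames, sample output and function names are constructed, and the range list is an assumption to refresh from Cloudflare's published list.

```python
import ipaddress

# Cloudflare's published IPv4 ranges at the time of writing (assumption:
# refresh from https://www.cloudflare.com/ips-v4 before relying on them).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]

# Constructed `dig +short` output for three hostnames of one organisation.
SAMPLE = {
    "example.com": "192.0.2.10\n",                       # not behind Cloudflare
    "app.example.com": "app.example.com.cdn.cloudflare.net.\n104.16.1.1\n104.17.1.1\n",
    "www.example.com": "104.24.10.20\n",                 # proxied, no CNAME visible
}

def grep_would_match(dig_short):
    """What `grep -q cloudflare` from the thread sees in the same output."""
    return "cloudflare" in dig_short

def cloudflare_evidence(dig_short):
    """Return the reasons this output points at Cloudflare (empty list if none)."""
    reasons = []
    for record in dig_short.lower().split():
        if record.endswith("."):                         # CNAME target in the chain
            name = record.rstrip(".")
            if name == "cloudflare.net" or name.endswith(".cloudflare.net"):
                reasons.append("cname:" + record)
            continue
        try:
            addr = ipaddress.ip_address(record)
        except ValueError:
            continue                                     # not an address, skip it
        if addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4):
            reasons.append("ip:" + str(addr))
    return reasons

def survey(results):
    """Map each hostname that shows Cloudflare evidence to its reasons."""
    found = {}
    for host, output in results.items():
        reasons = cloudflare_evidence(output)
        if reasons:
            found[host] = reasons
    return found

if __name__ == "__main__":
    for host, output in SAMPLE.items():
        print(host, cloudflare_evidence(output) or "none", "| grep:", grep_would_match(output))
```

To use it on real data, feed it the output of `dig +short` for every hostname you operate, not just the apex; a positive result shows current Cloudflare use only, not whether the host was served through Cloudflare during the leak window.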

------
sli
Dang, this one's probably going to be more popular than mine.

[http://cloudbleed.surge.sh](http://cloudbleed.surge.sh)

Of course, mine isn't exactly performant, was the result of about 15 minutes
of work, and just uses that Github repo with the list of affected domains (so,
not exactly the most comprehensive). But hey, it was fun to build.

------
manojlds
My jekyll based static site hosted on Github Pages uses cloudflare for https.
Saying that my site is compromised by CloudBleed is a bit too much.

[http://www.doesitusecloudflare.com/?url=www.stacktoheap.com](http://www.doesitusecloudflare.com/?url=www.stacktoheap.com)

~~~
arianvanp
But it is compromised.... this is literally the only use case in which you can
get compromised. If you put your _http_ page behind cloudflare https

~~~
blibble
if it's public static content what exactly has been compromised?

~~~
mcbits
IP addresses of visitors? Depending on the site or visitor, that could be
theoretically a compromise.

But the parent comment is untrue. Cloudflare will have unencrypted data in
memory at some point, even if it's encrypted coming and going. This is how
they eliminate the scary browser message about self-signed certificates,
ironically.

~~~
bpicolo
They have a (more expensive) version that encrypts all the way to your own
edge.

------
gkya
This is at about 38 upvotes ATM, and I believe it may not be killed for
anybody's whims after that. It's tech-related, actual, and liked by the
community here (not that is of particular interest to me but still).

------
springogeek
I was literally just saying to someone that this sort of tool needed to be
made. Good job!

------
thenomad
Doesn't detect Reddit, which I understand to be affected?

~~~
hector031
According to one of the reddit engineers, they stopped using Cloudflare prior
to when this issue started.

[https://www.reddit.com/r/programming/comments/5vtv16/cloudfl...](https://www.reddit.com/r/programming/comments/5vtv16/cloudflare_have_been_leaking_customer_https/de5awy9/)

------
buildops
Time to move to Incapsula

------
ExpiredLink
news.ycombinator.com ... OMG!

