I’m reading this: Password reuse is rampant: nearly half of observed user logins are compromised, and the discussion on lobsters.
Here are some quotes:
Cloudflare once again reminds us that it’s operating the largest sustained MitM attack of all time.
The point’s been raised elsewhere on social media, but just to mention it here: Cloudflare appears to have got this data by spying on cleartext usernames and passwords passed through their infrastructure between web service users’ browsers and their clients’ servers, and then analysing the data they got from that spying.
The ethics here are … questionable. Cloudflare, you will recall, claims to be neutral internet infrastructure. Imagine the phone company putting out a press release one day announcing how many phone calls included someone entering a credit card number over touch-tone on unsecured lines. (Okay, that doesn’t happen very much any more. Imagine it had happened in the 1990s.)
Can’t wait for their next post drop: “And here are the most common un-compromised-yet username and passwords”
And, more related to web dev in general:
It’s always the same issue: people deploying websites without knowing how things work.
If your SSL/TLS termination point is not on the same infrastructure as your application server (different provider, different region of the same provider), anyone between that termination point and your application server can read your users’ passwords.
This calls for two technical decisions:
- Simplify your stack so that you can understand it fully
- Refuse suspiciously easy-but-not-simple solutions
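To make the second quote concrete, here is an added example (mine, not from the original post, the lobsters thread, or Cloudflare): an nginx edge host that terminates TLS for a site and forwards to an application server in another region or provider. The hostnames, certificate paths and CA file are assumptions for illustration. The weak form is the one the comment describes (TLS ends at the edge, the login POST crosses the network in cleartext); the corrected form re-encrypts the hop and verifies the origin’s certificate.

```nginx
# Added example, not the original post's configuration.
# Assumed names: example.com (public site), origin.internal.example.com
# (application server in another region), /etc/ssl/edge/* (cert files).

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/edge/fullchain.pem;
    ssl_certificate_key /etc/ssl/edge/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # WEAK (the situation the comment describes): TLS ends on this
        # edge box, and the login form's username and password then travel
        # to the origin as plain HTTP across every network in between:
        #
        #     proxy_pass http://origin.internal.example.com;
        #
        # CORRECTED: re-encrypt the edge-to-origin hop and verify the
        # origin's certificate against a CA we control, so a host on the
        # path can neither read the credentials nor impersonate the origin.
        proxy_pass https://origin.internal.example.com;

        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/edge/origin-ca.pem;
        proxy_ssl_server_name         on;   # send SNI so the origin serves the right cert
        proxy_ssl_name                origin.internal.example.com;

        # Optional: present a client certificate so the origin can refuse
        # anything that is not this edge (files assumed to exist).
        proxy_ssl_certificate         /etc/ssl/edge/edge-client.pem;
        proxy_ssl_certificate_key     /etc/ssl/edge/edge-client.key;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two caveats a practitioner would want. First, the origin must actually refuse plain HTTP and, if you use the client certificate, require it; re-encrypting at the edge does nothing if the application server still answers on port 80 to anyone. Second, this only closes the gap between the terminator and the origin. Whoever operates the terminator still sees the cleartext, which is exactly the first quote’s complaint about Cloudflare; the only remedy for that is to terminate TLS on infrastructure you control yourself.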