Remove site using only CF DNS

[cryptk]

This site only uses CF for DNS services, and additionally all traffic to the site (with the exception of a couple of test static sites) is encrypted using a wildcard SSL certificate that was not provided, nor served by CloudFlare.

[tycoonlover1359]

Please prove the site is not affected by CloudBleed. For more information, please contact @pirate

[cryptk]

@tycoonlover1359 How exactly do you expect me to do that? Short of showing you my CloudFlare account to demonstrate that the site does not go through the CF proxy service, here is what I can give you... a simple dig on the domain would show that the DNS entry for it does NOT point to CloudFlare, and instead points directly to the server.

@pirate what do you need for me to "prove" that my site is not affected? Evidently seeing that the DNS does not point to any CF servers is not enough... would you like a copy of the NGINX config showing that the entire site is served only via HTTPS, directly from the server, and no packets for it ever traverse the CF network (other than DNS)?

[caleuanhopkins]

@tycoonlover1359 appreciate you're helping to ensure legitimacy for these requests, but I think it's best we wait for @pirate to decide how he wants to receive removal proof before hundreds of us start spamming his inbox with emails. Should we open an issue ticket to act as a central point for advice on this sort of this?

[tycoonlover1359]

I am copying and pasting this from the "issue_template.md" found within the .guthub folder.

Please, do not create duplicate issues

DISCLAIMER:

This list contains all domains that use cloudflare DNS, not just the cloudflare SSL proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised. This list will be narrowed down to the affected domains as I get more information.

HOW TO REMOVE YOUR SITE

verify the site is static and contains no user data (I will remove it immediately once I confirm)
OR
Verify ownership, send me an email from @yourdomain.com, post a random nonce on the domain, or provide keybase proof
Verify you are not using the Cloudflare proxy service
I will not remove sites that contain user data and are returning server:cloudflare-nginx in response headers, since they may have been affected.

[cryptk]

Also, @tycoonlover1359 if you want me to place a file on the server (which is mentioned in the issue template) that does not prove that the site is not affected... all it does is prove control of the server. Here is a pretty simple way to "prove" that it isn't affected... all without proving ownership because knowing that I own the domain and control the server does not tell you anything about whether or not the site is affected. Notice that I am able to do all of these checks from my local system, which means that it is possible for any member of the public to perform these same tasks.

The DNS entry does not point to any CF related systems

cryptk@cryptk-beast-L ~ $ whois `dig cryptkcoding.com +short` | grep -E '(Cust|Org)Name'
CustName:       Rackspace Cloud Servers
OrgName:        Rackspace Hosting

The SSL certificate is not issued by, nor does it have anything to do with CloudFlare. As an added bonus, it's SHA256 because SHA1 is horrible.

cryptk@cryptk-beast-L ~ $ openssl s_client -showcerts -connect cryptkcoding.com:443 2> /dev/null | grep -E '(s:|i:|subject|issuer|Cipher)'
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.cryptkcoding.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.cryptkcoding.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256

And more proof that is easily externally verifiable that the site is not being served by CloudFlare's Proxy.

cryptk@cryptk-beast-L ~ $ curl -I -s cryptkcoding.com | grep Server
Server: nginx

[caleuanhopkins]

@tycoonlover1359 ok have opened an issue for clearer removal verification as there's a few moving parts to this: #96. Let's move this sort of discussion to there

[cryptk]

@tycoonlover1359 here is a nonce that I have placed on the domain which should satisfy the verification of ownership (point 2), https://cryptkcoding.com/nonce.txt

And for point 3, since there is no way of actually verifying that, I guess you will just have to take my word for it? Other than, of course, all of the evidence that I already posted.

[tycoonlover1359]

@cryptk Again, I'm not exactly sure of how to verify you own the site. I only help @pirate with answering issues and PRs that involve removing sites seemingly randomly or answering questions. I almost always respond at the end saying, "Contact @pirate with any further information you need."

[cryptk]

@tycoonlover1359 I just updated https://cryptkcoding.com/nonce.txt with a line just for you to show that I do indeed own the domain and control the server... If you want, I can even add a DNS TXT record with your username in it ;)

[cryptk]

@pirate if the information that I have provided is not sufficient, then please let me know what would be.

[pirate]

@tycoonlover1359 thanks for the help, for now we only need verification from non-static sites, I'm responding individually when it's needed. @cryptk I'm well aware that domain verification is not sufficient proof of not being affected, the verification is for proof that an employee is taking accountability for having their site removed, so that we have a paper trail if people dispute that a site was vulnerable. It's an interim solution so that we don't damage the reputation of sites that weren't affected. I'm individually verifying that sites are static or didn't use the cloudflare proxy, although I'm going to stop doing that shortly as people may have turned off proxying over the last day.

[pirate]

@cryptk I've confirmed your site is fairly static, this is a (rough) confirmation, and like the whole list, it's not definitive proof that you didn't leak anyone's data.

[pirate]

@cryptk I've added a clarification section explaining why verification is needed: 7080a3d (typo fixes: 4f0f433)