mirkoschubert / gdpr-cli

A command line tool for checking your website for GDPR compliance.
MIT License

CDN detection, especially Cloudflare. #3

Open ghost opened 6 years ago

ghost commented 6 years ago

Is your feature request related to a problem? Please describe.

Your tool should be able to detect CDN connections. Cloudflare is used by many non-professional users for free SSL and caching. However, Cloudflare itself is a very dangerous, government-funded MITM point. Therefore your tool should notify the user: "Don't forget to write 'We also share your IP and posted data with Cloudflare'!"

Describe the solution you'd like

Detect any CDN connection.

Describe alternatives you've considered

Suggest non-CDN solution. Let's Encrypt for certificate, for example.

Additional context

https://trac.torproject.org/projects/tor/ticket/24351 https://trac.torproject.org/projects/tor/ticket/18361

ghost commented 6 years ago

"Cloudflare?" https://github.com/privacytoolsIO/privacytools.io/issues/374

ghost commented 6 years ago

For your coding idea: the addon from https://github.com/privacytoolsIO/privacytools.io/issues/442#issuecomment-392675444 can detect those.

mirkoschubert commented 6 years ago

@ohmynameisrico Thank you for your suggestion! Detecting CDNs such as Cloudflare is already on my roadmap. ;)

DanielRuf commented 6 years ago

Cloudflare is used by many non-professional users for free SSL and cache.

I would not say this. npm and yarn use Cloudflare ;-)

mirkoschubert commented 6 years ago

@ohmynameisrico CDNs aren't the bad guys per se ;) In fact, many of the bigger companies and services, such as DigitalOcean, Siteground, Mapbox, Zendesk... use Cloudflare as well. I use Cloudflare as my main DNS resolver (1.1.1.1), which is very privacy oriented.

Cloudflare is certified under the Privacy Shield and has updated their privacy policy as well to make their services GDPR compliant.

How much personal data will be stored, depends mainly on those who book their services. E.g. OKCupid (which uses Cloudflare as well) is known to do a lot of profiling - they usually release a book full of their studies based on their collected data every year. 😆

But back to my tool... It shows SSL information since my software is publicly available, so you can already see whether the website is using a Cloudflare SSL certificate or not. CDN detection is already in place right now (at the dev branch) and will be available in the next version. But don't expect any miracles. 😏 Since my tool is mainly looking at the HTML, CSS and JS files which are provided by the website you check, it isn't always possible to detect CDNs right away. E.g. OKCupid uses their own domain for their CDN from Cloudflare (okccdn.com) and even a whois query doesn't show any relation to Cloudflare. So my tool can basically detect CDNs by known URIs such as cdnjs.cloudflare.com, bootstrapcdn.com or use.fontawesome.com.
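The detection approach the maintainer describes above (matching resource URLs in the page's HTML and CSS against a list of known CDN hostnames) can be sketched in a few dozen lines. The following is an added example written for this thread, not code from gdpr-cli; the `KNOWN_CDN_SUFFIXES` table, the sample HTML and the function names are constructed for illustration. It also reports external hosts it cannot classify, which is exactly where a custom CDN domain such as okccdn.com would end up, and adds a response-header check (Cloudflare's `cf-ray` and `server: cloudflare` headers) as a second signal the thread's HTML-only approach does not have.

```python
"""Flag third-party CDN resources referenced by a page, for a GDPR/privacy report."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host suffixes named in the issue thread, mapped to a provider label.
# Illustrative assumption: this is not gdpr-cli's real detection list.
KNOWN_CDN_SUFFIXES = {
    "cdnjs.cloudflare.com": "Cloudflare (cdnjs)",
    "bootstrapcdn.com": "BootstrapCDN",
    "use.fontawesome.com": "Font Awesome CDN",
}

# Matches url("...") / url('...') / url(...) in CSS.
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""")


class _ResourceCollector(HTMLParser):
    """Collects src/href attributes of resource tags and the text of <style> blocks."""

    ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []
        self.inline_css = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if wanted:
            self.urls.extend(v for k, v in attrs if k == wanted and v)
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.inline_css.append(data)


def extract_resource_urls(html, external_css=""):
    """Return every resource URL referenced by the HTML, its <style> blocks and extra CSS."""
    collector = _ResourceCollector()
    collector.feed(html)
    css = "\n".join(collector.inline_css) + "\n" + external_css
    return collector.urls + CSS_URL_RE.findall(css)


def classify_host(host):
    """Map a hostname to a known CDN provider, or None if it is not in the list."""
    host = host.lower()
    for suffix, provider in KNOWN_CDN_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return None


def detect_cdns(html, external_css=""):
    """Return (matches, unmatched): known-CDN (url, provider) pairs and other external hosts.

    Unmatched hosts are the blind spot the thread describes: a CDN served from the
    site's own domain (okccdn.com in the OKCupid example) is not recognised here.
    """
    matches, unmatched = [], set()
    for url in extract_resource_urls(html, external_css):
        host = urlparse(url).hostname  # also handles protocol-relative //host/path
        if not host:
            continue  # relative URL: served by the site itself
        provider = classify_host(host)
        if provider:
            matches.append((url, provider))
        else:
            unmatched.add(host)
    return matches, sorted(unmatched)


def cdn_from_headers(headers):
    """Return 'Cloudflare' if HTTP response headers carry Cloudflare's markers, else None."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    if "cf-ray" in lowered or lowered.get("server", "").startswith("cloudflare"):
        return "Cloudflare"
    return None


# Constructed sample page mixing known CDN hosts, a local asset and a custom CDN domain.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="/static/app.js"></script>
<style>@font-face { src: url("https://use.fontawesome.com/releases/v5.8.1/webfonts/fa-solid-900.woff2"); }</style>
</head><body><img src="https://static.okccdn.com/logo.png"></body></html>"""

if __name__ == "__main__":
    found, unknown = detect_cdns(SAMPLE_HTML)
    for url, provider in found:
        print(f"CDN: {provider:20} {url}")
    for host in unknown:
        print(f"External host not in CDN list (check manually): {host}")
```

In the sample, the three known hosts are reported with their provider, `/static/app.js` is ignored as a same-site resource, and `static.okccdn.com` lands in the unmatched list for manual review; running the same page's response headers through `cdn_from_headers` would catch a Cloudflare front even when every resource URL is on the site's own domain.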