Remove: jkhub.org (DNS only)

[DarthFutuza]

jkhub.org was not affected, I've worked with the owner of the site and they confirmed they didn't use cloudflare's proxy service. They will probably email you to have it removed. However, I've also confirmed they aren't returning server:cloudflare-nginx in the header.

[pirate]

Perfect, once I get an email from @jkhub.org to confirm I'll remove it. (it's just for a paper trail in case your users dispute it)

[Zenexer]

It's worth noting that darkempireofthesith.com appears to CF proxy to de.jkhub.org, and both appear in Google. There may be other groups/subdomains on jkhub.org that primarily use the CF proxy, as well.

[DarthFutuza]

@Zenexer I didn't mention it specifically here, but there are other domains yes, none of them actually used cloudflare's proxy service.

[Zenexer]

@DarthFutuza The issue is that darkempireofsith.com does use Cloudflare's proxy service:

% dig darkempireofthesith.com a

; <<>> DiG 9.8.3-P1 <<>> darkempireofthesith.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62107
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;darkempireofthesith.com.   IN  A

;; ANSWER SECTION:
darkempireofthesith.com. 299    IN  A   104.18.49.7
darkempireofthesith.com. 299    IN  A   104.18.48.7

;; Query time: 661 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Fri Feb 24 20:08:51 2017
;; MSG SIZE  rcvd: 73

% curl -svvv darkempireofthesith.com > /dev/null
* Rebuilt URL to: darkempireofthesith.com/
*   Trying 104.18.49.7...
* TCP_NODELAY set
* Connected to darkempireofthesith.com (104.18.49.7) port 80 (#0)
> GET / HTTP/1.1
> Host: darkempireofthesith.com
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 25 Feb 2017 01:09:06 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d6bec1386464d47eb4fd69eec82eb2db91487984945; expires=Sun, 25-Feb-18 01:09:05 GMT; path=/; domain=.darkempireofthesith.com; HttpOnly
< Server: cloudflare-nginx
< CF-RAY: 33674517460946f2-EWR
<
{ [1102 bytes data]
* Curl_http_done: called premature == 0
* Connection #0 to host darkempireofthesith.com left intact

This is the same as de.jkhub.org, and appears to be the same website/server. If credentials or any other information is shared between the two, then this carries over to jkhub.org (as well as all the other sites sharing those credentials), and it shouldn't be removed from the list.

[tonyztan]

@Zenexer How are you verifying that emails are not being spoofed? Are you checking the sender IP?

[pirate]

@tonyztan we've been checking for DKIM signing by the origin domain, which should be sufficient to confirm ownership if their email is set up properly. (correct me if I'm wrong)

[coderobe]

Correct, DKIM verifies that the mail did indeed come from the origin domain.

[Zenexer]

@tonyztan I haven't had the need to verify anyone's identity via email yet, but I'd be using DKIM, as previously mentioned. If I can easily confirm a domain wasn't using the Cloudflare proxy during the relevant period, then I go ahead and remove the domain, as it shouldn't be on the list regardless of who requests the removal. I don't really know what our policy is for cases like this one, though, so I'm going to let @pirate handle it.

[DarthFutuza]

@Zenexer the de.jkhub.org/ darkempireofthesith.com don't share any credential information with the main site - so the main site wouldn't be affected. I actually didn't know about the darkempireofthesith one, so I'll forward the information over to the owner to do with it as he will.

EDIT: He replied back, de.jkhub.org is just a redirect, the owner of jkhub.org doesn't pay for/have control over darkempireofthesith.com which does use Cloudflare as far as we can tell.

[pirate]

I'm closing this issue and others like it. The list is now archived an I'm not accepting any change requests. I know this comes as a surprise and may seem unfair but please consider the following:

• you can link concerned users directly to our README, which explicitly states the list contains many unaffected sites
• you can link users to several articles discussing how minor the leak's impact is
• our README clearly states the list is not for end-users, and is for technical analysis (the title is also changed from "affected sites" to "Cloudflare DNS users")
• I will be intentionally breaking search tools shortly by moving the txt file to a new location (no more browser extensions for searching the list)

If you have a specific objection or unrelated issue you want resolved, you can contact me via twitter DM. Thanks for your understanding.