This repository has been archived by the owner on Jan 18, 2018. It is now read-only.

I need maintainers to help, this is too much work #132

Closed
pirate opened this issue Feb 24, 2017 · 21 comments

@pirate
Owner

pirate commented Feb 24, 2017

If you or a company you work for are willing to help officially maintain this list, please comment here.

It's getting to be too much work for me to personally confirm every site by hand, and I don't want to rush the job.

  • if you run a password manager, you can help curate a list of sites your users need to reset passwords on
  • if you run a security consultancy, you can alert your users that they may have services affected
  • if you're a personal security researcher, you can help by writing a script that automates removing static sites or DNS-only sites

@ddymko
Contributor

ddymko commented Feb 24, 2017

I am willing to help out the best I can....

@pirate
Owner Author

pirate commented Feb 24, 2017

Paging: @Zenexer @abalabahaha @coderobe @wolever @franciscop @pathmissing @thislooksfun @Xaekai @youngj @ymschaap @ddymko
I'm willing to make you guys contributors if you're interested, we can agree on some basic criteria needed for removing domains from the list, and close out a lot of these PRs. I'm also looking to get security companies involved in owning this list, since it's too much work for a single maintainer at this point.

I propose this plan of action:

  1. merge all static site PRs
  2. write a simple removal script to remove domains and re-sort/uniquify the list
  3. remove any PRs that have provided ownership verification papertrail, and claim they have never used Cloudflare's proxy during the affected period
  4. allow any sites that have posts explaining why they think they were unaffected to link to them from the readme
  5. close PRs for sites using the proxy that have user data with a standard rejection message

Please comment to confirm you want maintainer status, with a link to your keybase proof. Mine is https://keybase.io/nikisweeting

@coderobe
Contributor

Sure, count me in if you want.

@ddymko
Contributor

ddymko commented Feb 24, 2017

count me in as well!

@abalabahaha
Contributor

abalabahaha commented Feb 24, 2017

@pirate sure, count me in!

Do you have a preferred platform we can communicate on?

@pirate
Owner Author

pirate commented Feb 24, 2017

@abalabahaha irc.freenode.net #sites-using-cloudflare

@Xaekai

Xaekai commented Feb 24, 2017

I have already run the script I wrote for domains starting with 0 and 8.

@ddymko
Contributor

ddymko commented Feb 24, 2017

@pirate also is there a specific email address where they can send verification?

@youngj
Contributor

youngj commented Feb 24, 2017

count me in too

@pirate
Owner Author

pirate commented Feb 24, 2017

@ddymko [email protected]

@Zenexer
Contributor

Zenexer commented Feb 24, 2017

https://keybase.io/zenexer

I'll be on IRC when I get home. Among other things, I may be able to provide some resources, such as hosting and zone files.

@pirate
Owner Author

pirate commented Feb 24, 2017

FYI the policy is now to allow sites that used the proxy with user data to add blog posts regarding cloudflare to the README:

We don't want to remove them from the list because they did use the proxy, but we're letting them indicate that they have addressed the issue in an official announcement.

@pathmissing
Contributor

pathmissing commented Feb 24, 2017

@pirate You can count me in

@tonyztan
Contributor

@pirate Glad to help. Count me in. https://keybase.io/tonytan

@Phineas
Contributor

Phineas commented Feb 24, 2017

I'll help out @pirate

https://keybase.io/phineas

@Zenexer
Contributor

Zenexer commented Feb 24, 2017

@tonyztan FYI, your DNS and HTTPS Keybase proofs for tonytan98.com are failing.

@tkachenko

tkachenko commented Feb 24, 2017

Small PHP script to leave just the domains that use the CloudFlare proxy (without DNS-only or removed domains)

But it's not an optimal way.. =(

Run it like: php checkprx.php > clearlist.txt

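<?php

$file = 'sorted_unique_cf.txt';
$f = fopen($file, 'r');
if ($f === false) {
    // stdout is redirected to the cleaned list, so report errors on stderr
    fwrite(STDERR, "cannot open $file\n");
    exit(1);
}

$ipcache = []; // IP => 1 if whois shows Cloudflare, 0 otherwise

while (false !== ($line = fgets($f))) {
    $host = trim($line);
    if ($host === '') {
        continue; // skip blank lines
    }

    // gethostbyname() returns the hostname unchanged when resolution fails
    $ip = gethostbyname($host);

    if ($ip !== $host) {
        if (!isset($ipcache[$ip])) {
            // escapeshellarg() stops the value being interpreted by the shell
            $w = exec('whois ' . escapeshellarg($ip) . ' | grep [email protected]');
            if ($w) {
                $ipcache[$ip] = 1; // it's the Cloudflare proxy
            } else {
                $ipcache[$ip] = 0; // this site doesn't use the proxy
            }
        }
        if ($ipcache[$ip]) {
            echo $line;
        }
    }
}

fclose($f);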

edit: formatting
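
An added example, not part of the thread or the project's code: a Python sketch of the list clean-up discussed above (drop approved removals, DNS-only and non-resolving domains, then sort and de-duplicate), matching resolved addresses against Cloudflare's published ranges instead of running whois per IP. The function names, the sample domains and addresses, and the choice of ranges (a subset of the published list) are assumptions made for illustration.

```python
import ipaddress
import socket

# Assumption: a subset of Cloudflare's published IPv4 ranges. Load the full,
# current list from https://www.cloudflare.com/ips-v4 for real use.
CLOUDFLARE_NETS = [ipaddress.ip_network(c) for c in (
    "104.16.0.0/13", "162.158.0.0/15", "172.64.0.0/13",
    "173.245.48.0/20", "198.41.128.0/17",
)]

def normalise(line):
    """Lower-case a list entry; strip whitespace and a trailing dot."""
    return line.strip().lower().rstrip(".")

def resolve_a(domain):
    """Default resolver: IPv4 addresses for domain, [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(domain)[2]
    except (OSError, UnicodeError):
        return []

def is_proxied(addresses):
    """True if any resolved address lies inside a Cloudflare range."""
    return any(ipaddress.ip_address(a) in net
               for a in addresses for net in CLOUDFLARE_NETS)

def filter_list(lines, removals=(), resolver=resolve_a):
    """Sorted, de-duplicated domains that are not removed and still proxied."""
    drop = {normalise(r) for r in removals} | {""}
    domains = {normalise(l) for l in lines} - drop
    return sorted(d for d in domains if is_proxied(resolver(d)))

# Constructed sample data; the fake resolver lets the example run offline.
SAMPLE_LIST = ["Proxied.example\n", "dns-only.example\n", "proxied.example.\n",
               "verified-clean.example\n", "gone.example\n", "\n"]
SAMPLE_DNS = {
    "proxied.example": ["104.16.1.10"],
    "dns-only.example": ["192.0.2.44"],        # origin address, DNS-only
    "verified-clean.example": ["172.64.3.9"],  # proxied, removal approved
}

def sample_resolver(domain):
    """Stand-in for DNS: names missing from SAMPLE_DNS do not resolve."""
    return SAMPLE_DNS.get(domain, [])

if __name__ == "__main__":
    print("\n".join(filter_list(SAMPLE_LIST, ["verified-clean.example"],
                                sample_resolver)))
```

A current DNS answer says nothing about whether a domain was behind the proxy during the affected period, so a domain this filter drops is a candidate for manual review rather than a confirmed removal.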

@calnation

@pirate and others participating, the list is now also linked to under External links on the Cloudbleed Wikipedia page. Keep up the good work. 👍

@pirate
Owner Author

pirate commented Feb 24, 2017

@calnation I'm assuming you're calexit on Wikipedia? If so, thanks for helping write the wiki!

@tycoonlover1359
Contributor

I'm not mentioned here, but if needed, I can still be assisting you guys in helping to get people to provide necessary information to confirm their sites aren't affected, thus can be removed. Would you like this or would you like me to stop and sorta get out of the way? I don't mind either option, whatever you guys decide is fine by me.

@pirate
Owner Author

pirate commented Feb 25, 2017

@tycoonlover1359 thanks for the help so far! I think we have enough committers at the moment, I'll ping you if that changes.

@pirate closed this as completed Feb 25, 2017