sites-using-cloudflare's Introduction

List of Sites on Cloudflare DNS (archived)

This is an (archived) list of sites on Cloudflare DNS at the time of the CloudBleed HTTPS traffic leak announcement. Original vuln thread by Google Project Zero.

Cloudflare has posted a very detailed response, explaining exactly what the implications of this leak are. It thoroughly explains their language in earlier statements, and I highly recommend reading it before looking through this list for domains: https://blog.cloudflare.com/quantifying-the-impact-of-cloudbleed/

DISCLAIMER:

This list is archived and no longer under active maintenance. It may contain stale or inaccurate data that will not be corrected. Do not link to it from press releases, it is not intended for end-users. If people want to find it, they can Google it.

This list contains all domains that use Cloudflare DNS, not just the Cloudflare proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list.

Cloudflare has not provided an official list of affected domains, and likely will not due to privacy concerns. I've compiled an unofficial list here so you know where to start searching for sessions to reset and passwords to change.

See issue #127 and issue #87 for additional info about which sites are likely to be affected.

Impact

Between 2016-09-22 and 2017-02-18, session tokens, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. The leaked data was cached by search engines, and may have been collected by arbitrary adversaries over the past few months.

Requests to sites with the HTML rewrite features enabled triggered a pointer math bug. Once the bug was triggered, the response would include data from ANY other Cloudflare proxy customer that happened to be in memory at the time, meaning a request for a page with one of those features enabled could include data from Uber or one of the many other customers that didn't use those features. So the potential impact covers every single one of the sites using Cloudflare's proxy services (both the HTTP and the HTTPS proxy).

"The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests), potential of 100k-200k pages with private data leaked every day" -- source

You can see some of the leaked data yourself in search engine caches: https://duckduckgo.com/?q=+%7B%22scheme%22%3A%22http%22%7D+CF-Host-Origin-IP&t=h_&ia=web Update (2/25/2017): DuckDuckGo has removed this data.

Confirmed affected domains found in the wild: http://doma.io/2017/02/24/list-of-affected-cloudbleed-domains.html

What should I do?

The most important thing you can do is ask your vendors and sites to reset all their session tokens, as more response data was leaked than request data, and responses generally contain session tokens rather than passwords. If websites you use have a button to "log out all active sessions", use it. Since sites may be compromised this week due to data discovered in caches, it's best to also do this again in a week or two after everything settles down. If websites you use don't have an option to log out all active sessions, contact them and pressure them to rotate all their session tokens.

To be extra safe, you may want to check your password managers and change crucial passwords, especially those on the affected sites. Rotate API keys & secrets, and confirm you have 2FA set up for important accounts. This might sound like fear-mongering, but the scope of this leak is truly massive, and because all Cloudflare proxy customers were vulnerable to having data leaked, many of the extra cautious people out there would rather be safe than sorry.

Theoretically sites not in this list can also be affected (because an affected site could have made an API request to a non-affected one).

Methodology

This list was compiled from 3 large dumps of all Cloudflare customers provided by crimeflare.com/cfs.html, and several manually copy-pasted lists from stackshare.io and wappalyzer.com. Crimeflare collected their lists by doing DNS NS lookups on a large number of domains and checking SSL certificate ownership.

I scraped the Alexa top 10,000 by using a simple loop over the list:

# fish shell; assumes alexa_10000.csv holds one bare domain per line
for domain in (cat ~/Desktop/alexa_10000.csv)
    # a nameserver name containing "cloudflare" marks the domain as on Cloudflare DNS
    if dig $domain NS | grep -qi cloudflare
        echo $domain >> affected.txt
    end
end

The Alexa scrape and the Crimeflare dumps were then combined into a single text file and passed through sort | uniq. I've since accepted several PRs and issues to remove unaffected sites from the list.

Data sources:

I'd rather be safe than sorry, so I've included any domain here that remotely touches Cloudflare. Please don't point end-users to this list; it has too many false positives to be useful for non-analytical purposes. I'm no longer accepting PRs to remove sites from the list, as our previous removal process was error-prone and labor-intensive. The list is now in archive mode; consider it defunct. If you think for some reason this will greatly impact you or your users, DM me on twitter.

Full List

Download the full list.zip (22mb)

4,287,625 possibly affected domains. Download this file, unzip it, then run grep -x domaintocheck.com sorted_unique_cf.txt to see if a domain is present.

Also, a list of some iOS apps that may have been affected.

Search Tools

There are several tools out there to search the list; I won't endorse any here because their accuracy varies greatly. Please do not make user-facing tools to search the list or cross-reference it with browser history, as this list has too many false positives to be used for that purpose. You will make users lose trust in many sites, despite there being less than a 1 in a million chance of their data having been leaked.

Notable Sites

Alexa Top 10,000 on Cloudflare DNS:

Contributors

abalabahaha, asasine, basisbit, ben-atherton, coderobe, ddymko, digitalsparky, donlampert, dzogrim, enbyv, ledwards, moon-musick, nullpixel, pathmissing, phineas, pirate, rcoelho, ripper234, robert-f, robn, securitysimon, simon-weber, sjasct, tonyztan, woodrow, xenthys, yogeshpadharia, youngj, zenexer, zostay


sites-using-cloudflare's Issues

duplicate entries

% cat sorted_unique_cf.txt | tr '[A-Z]' '[a-z]' | sort | uniq -d | wc -l
    1213
%

this should return zero.

zip file

zip file has /Users/squash/Desktop/sorted_unique_cf.txt instead of just sorted_unique_cf.txt at the root, probably as a result of macos zip fuckery

Pastee

Paste.ee was affected

CloudFlare Site Owner Emails

Our site simplecast.com/fm is on the list of affected sites, but I'm wondering about the legitimacy of the email that CloudFlare sent to customers saying that their site wasn't affected? We received the email from them saying we were not affected, but it would appear from everything that I've read that this isn't true? Can anyone clarify this for me?

Emphasize that Cookies are not safe

If I understand the issue correctly, whole HTTP requests got leaked, including all headers. Those headers will also include Cookie.

I've seen people assume since they logged in into reddit for example via cookie for the past few months, they are safe. It's advisable to log out and log back in into websites using long-living cookies (just locally deleting cookies does not help obviously), and I suggest adding such a notice to the "Impact" and "What should I do" sections.

What specific features were affected?

If I use FULL ssl encryption from end to end is it possible that my websites 'were' affected? I have read in many places that it is only the Flexible SSL that was affected, is this true?

Business and enterprise customers can use branded nameservers

Business and enterprise can use branded nameservers. The branded nameserver IP addresses will match those of the standard nameservers, so they're easy enough to find. Zone files typically include glue records for nameservers. Here are the first 10 in the com zone file:

NS1.STORMBLAZE A 173.245.58.51
NS1.GLOBO-CHEM A 173.245.58.51
NS1.BLACKSTONEHOSTING A 173.245.58.51
NS1.DBSDATA A 173.245.58.51
NS1.INALIAS A 173.245.58.51
NS1.IDEARTTE A 173.245.58.51
NS1.PHASE-7 A 173.245.59.142
NS1.HIPPERS A 173.245.58.51
NS1.FLASHSTOCKS A 173.245.58.51
NS1.TERA-KSA A 173.245.58.110

As such, using dig + grep is inadequate; many of Cloudflare's largest customers will go undetected.
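The README's dig-and-grep loop and this issue's point about branded nameservers reduce to the same check, so here is one added example (not code from the sites-using-cloudflare repository or from any of its contributors) that classifies a nameserver by its hostname first and, failing that, by its glue-record IP. The range 173.245.48.0/20 is an assumption taken from Cloudflare's published IP list; re-check it against the current list and add the other ranges before relying on it. The sample glue lines are constructed from two records quoted above plus one non-Cloudflare record.

```shell
#!/bin/sh
# Added example, not from the sites-using-cloudflare repository.
# Detect Cloudflare-hosted nameservers by name (*.ns.cloudflare.com) or, for
# branded nameservers, by the nameserver's A/glue record IP.
# ASSUMPTION: 173.245.48.0/20 is a Cloudflare range (from their published list);
# re-check against the current list and add the other ranges before relying on it.
set -eu

# 0 if the nameserver hostname is one of Cloudflare's own (case-insensitive).
ns_name_is_cloudflare() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.ns.cloudflare.com|*.ns.cloudflare.com.) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the dotted-quad IPv4 address lies in 173.245.48.0/20 (third octet 48..63).
ip_in_cloudflare_range() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    case "$3" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" = 173 ] && [ "$2" = 245 ] && [ "$3" -ge 48 ] && [ "$3" -le 63 ]; then
        return 0
    fi
    return 1
}

# Read "NAME A IP" glue lines (the zone-file format quoted in the issue) on stdin
# and print "NAME IP" for the ones whose IP is in a Cloudflare range.
cloudflare_glue_from_zone() {
    while read -r name type ip; do
        [ "$type" = "A" ] || continue
        if ip_in_cloudflare_range "$ip"; then
            printf '%s %s\n' "$name" "$ip"
        fi
    done
}

# Live check (needs network): 0 if any nameserver of the domain is Cloudflare's,
# matched by hostname first and by resolved IP second, so branded NS are caught.
domain_uses_cloudflare_dns() {
    for ns in $(dig +short NS "$1"); do
        ns_name_is_cloudflare "$ns" && return 0
        for ip in $(dig +short A "$ns"); do
            ip_in_cloudflare_range "$ip" && return 0
        done
    done
    return 1
}

# Constructed sample: two records quoted in the issue plus one non-Cloudflare glue.
SAMPLE_GLUE='NS1.STORMBLAZE A 173.245.58.51
NS1.NOTCLOUDFLARE A 192.0.2.10
NS1.PHASE-7 A 173.245.59.142'

# Number of Cloudflare-hosted nameservers found in the sample.
count_cloudflare_glue() {
    printf '%s\n' "$SAMPLE_GLUE" | cloudflare_glue_from_zone | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_GLUE" | cloudflare_glue_from_zone
# Usage against a real domain once on the network:
#   domain_uses_cloudflare_dns example.com && echo "cloudflare DNS"
```

Note that this still only answers "is the domain on Cloudflare DNS"; whether traffic actually went through the proxy is a separate question that the response headers, not the nameservers, answer.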

Please remove Vigilante.pw

Please remove Vigilante.pw from the list. We do not store any user data and we don't store the breached databases that we report on, either. The website consists of a static page with a list of data breaches.

The same goes for DBDirectory.info and Disappear.today which are just mirrors of the site.

Please remove robxu9.com - static site.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please remove robxu9.com since it's a static website using Github Pages - https://github.com/robxu9/robxu9.github.com
This is me: keybase.io/robxu9

I do use the TLS proxy but since it's a static site, no user data should be compromised.

Thanks!
-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v2.0.64
Comment: https://keybase.io/crypto

wl4EABEKAAYFAliv2P4ACgkQAWAAgagK5W/uEAEApz/RmnZuIXQYmx05ZR9mA9lR
gYonmk+RlbBuIBiW5LUBAK8rtVNraTpOEiIwK9e6S7RsaQf7yo52/6fFF1tH/DPH
=YnEQ
-----END PGP SIGNATURE-----

Add LICENSE.md

Please add LICENSE.md specifying what people can do with the data from here.

Add: *.leagueoflegends.com

Looks like account.leagueoflegends.com is also using CloudFlare.

Can't fully confirm, that they use it for everything else, but I just received a message checking for my browser (DDoS prevention system).

Remove my site

The site '*********' is owned and operated by me and is so small and unused that the chance of it being affected is 1 in literally 10 trillion so please remove it from your zip file.

Add *.sageone.com

to add to list:

accounts-extra.sageone.com
app.sageone.com
eu-signon[1-6].sso.services.sage.com
signon[1-6].sso.services.sage.com

please remove sites

Please remove xxxxx.co.uk (wordpress blog, only one user, me) and xxxx.uk (static site hosted on github).

stackoverflow not affected

Per CloudFlare's report, earliest that a site could have been affected was 2016-09-22. I moved StackOverflow and related sites off of CloudFlare in June and July of 2016. As such, not possibly affected by this issue.

Expose more domains using their (shared) certificates

Their certificates are used for multiple domains (alternative names). We can look up all their certificates and expose the domains that are under them. E.g.:

https://www.ssllabs.com/ssltest/:

ssl381767.cloudflaressl.com 
Fingerprint SHA1: 6a151a7e38b1bffa5dabb8123e1d837c7fdcd714
Pin SHA256: I+iFnnQivyNnDgG0MKwVZmOogDRbZlwSmJitxplhX4w=

Common names	ssl381767.cloudflaressl.com
Alternative names	
ssl381767.cloudflaressl.com *.biomagnetichealingonline.com *.brutonsgrill.com *.bsccn.net *.bsvcn.net *.conwyguttercleaning.com *.falcon-paq.com *.francotaxes.com *.hermespopcorn.com *.ibsvirtual.net *.midtownfdl.com *.musictheorytutoringlab.com *.nankin238.org *.optimizehit.net *.paintoncanvas.info *.parkersoaps.com *.preparedpatriotreport.com *.presenterlab.com *.pureorganicsalonbyjon.com *.reagan.com *.rhianhansonharpist.com *.taxexpertswaco.com *.thegiantkillers.co.uk *.thesweeper.com *.trimyourbellyfat.com *.visionprotocol.com *.witwcanadianrally.com *.woolardhvacr.com biomagnetichealingonline.com brutonsgrill.com bsccn.net bsvcn.net conwyguttercleaning.com falcon-paq.com francotaxes.com hermespopcorn.com ibsvirtual.net midtownfdl.com musictheorytutoringlab.com nankin238.org optimizehit.net paintoncanvas.info parkersoaps.com preparedpatriotreport.com presenterlab.com pureorganicsalonbyjon.com reagan.com rhianhansonharpist.com taxexpertswaco.com thegiantkillers.c

Reddit not present

Doesn't reddit use Cloudflare? Or have they confirmed that they are not affected? I do not see reddit here; if not added, kindly add https://reddit.com to the list as well.

Some sites may be using the CloudFlare SSL proxy without using CloudFlare DNS

"Also there are some sites that are using the CloudFlare SSL proxy without using CloudFlare DNS -- for example betterment.com is using Amazon Route 53 and is not in sorted_unique_cf.txt . Basically I think you just have to make HTTPS requests and look for the CF-Ray or Server: cloudflare-nginx header. It probably would be useful for someone to write a script to make requests to the domains in sorted_unique_cf.txt and update it to remove the ones that aren't using the SSL proxy." @youngj

Cloudflare DNS != Cloudflare Proxy

"It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised."

You already know this, so what exactly is the purpose of this overly broad list?

Cloudflare's DNS service is basically free. It's massively popular. Centralization of DNS may be worth debating, but it's an aside. Here you're just lumping all of these customers, many of them totally unaffected, into a pile vaguely labeled "potentially affected". It's very likely only a small subset of these customers are using the SSL proxy service.

Please just stop posting this inaccurate list. Bring it back when you have a list of domains that are actually impacted. Checking the response headers seems like a much better approach.
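The header test proposed by @youngj in the previous issue and endorsed here, as an added example (not code from the repository or from either commenter): a script that classifies captured HTTP response headers as proxied or direct and, optionally, filters a domain list with live requests. The two header captures below are constructed, not real responses; the curl fallback logic and the acceptance of a plain "Server: cloudflare" value (Cloudflare's Server header has changed since 2017) are my assumptions.

```shell
#!/bin/sh
# Added example, not from the sites-using-cloudflare repository.
# Decide whether a response came through Cloudflare's proxy by looking for the
# CF-RAY header or a Server header naming Cloudflare, as the issue proposes.
set -eu

# Read raw response headers on stdin; 0 if a Cloudflare proxy marker is present.
# Matching is case-insensitive and tolerates CRLF line endings from curl.
# ASSUMPTION: "server: cloudflare" (without -nginx) is also accepted, since the
# Server value Cloudflare sends has changed over time.
headers_show_cloudflare_proxy() {
    tr -d '\r' | tr 'A-Z' 'a-z' | grep -Eq '^(cf-ray:|server:[[:space:]]*cloudflare)'
}

# Print "proxied" or "direct" for a header block passed as one argument.
classify_headers() {
    if printf '%s\n' "$1" | headers_show_cloudflare_proxy; then
        echo proxied
    else
        echo direct
    fi
}

# Live check for one domain (network required): prints "domain proxied|direct".
# HEAD first; fall back to GET with headers dumped, since some origins reject HEAD.
proxy_status_live() {
    hdrs=$(curl -sSI --max-time 10 "https://$1/" 2>/dev/null \
        || curl -sS -o /dev/null -D - --max-time 10 "https://$1/" 2>/dev/null \
        || true)
    printf '%s %s\n' "$1" "$(classify_headers "$hdrs")"
}

# Filter a domain list (one per line on stdin, e.g. sorted_unique_cf.txt) down
# to the domains that currently answer through the proxy. Network required.
filter_proxied() {
    while read -r domain; do
        [ -n "$domain" ] && proxy_status_live "$domain"
    done | awk '$2 == "proxied" { print $1 }'
}

# Constructed captures (not real responses) carrying the headers the issue names.
PROXIED_SAMPLE='HTTP/1.1 200 OK
Date: Fri, 24 Feb 2017 12:00:00 GMT
Server: cloudflare-nginx
CF-RAY: 0123456789abcdef-SJC'

DIRECT_SAMPLE='HTTP/1.1 200 OK
Server: nginx/1.10.3
Content-Type: text/html'

classify_headers "$PROXIED_SAMPLE"   # proxied
classify_headers "$DIRECT_SAMPLE"    # direct
# Live usage:  filter_proxied < sorted_unique_cf.txt > proxied_now.txt
```

Two caveats a practitioner should keep in mind: a live header check only tells you what is proxied today, not what was proxied during the 2016-09-22 to 2017-02-18 window, and a site can answer through the proxy while using a different DNS provider, which is exactly why it can be missing from a DNS-derived list.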

Facebook App possible attack vector.

So not sure if this were a coincidence or otherwise, but the forbes app added itself to my facebook and tried posting things to my page, which resulted in Facebook locking my account down. My actual login for Facebook was not compromised though and Facebook just flagged the Forbes app as a malicious app, so I removed it. Forbes itself isn't on the list but Forbes.ru is. Thought I'd mention that in case you guys, who probably know more about this than I do, know of any way app permission for Facebook or Twitter could be compromised in a similar fashion. Thanks regardless for generating this list!

Please, do not create duplicate issues

DISCLAIMER:

This list contains all domains that use cloudflare DNS, not just the cloudflare SSL proxy (the affected service that leaked data).
It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised.
This list will be narrowed down to the affected domains as I get more information.

HOW TO REMOVE YOUR SITE

  1. verify the site is static and contains no user data (I will remove it immediately once I confirm)
    OR
  2. Verify ownership, send me an email from @yourdomain.com, post a random nonce on the domain, or provide keybase proof
  3. Verify you are not using the Cloudflare proxy service

I will not remove sites that contain user data and are returning server:cloudflare-nginx in response headers, since they may have been affected.

many of the listed domains not affected

It looks like many of the listed domains don't or didn't use any of the affected cloudflare "features" (for example the reverse proxying) which had to be enabled for a website to possibly be affected. Please bear in mind this repository is referenced and mentioned all over the news now. Please make sure you correctly make assumptions, mark what is an assumption and then filter the list.

More sites

warbyparker.com
ramnode.com
clientarea.ramnode.com
ipsw.me
puush.me
freenode.net
trakt.tv

Alphabetical order?

You could make the list more human friendly if you alphabetize it. I would suggest just copying the list into a decent text editor and telling it to sort the lines. It's a quick and easy fix, but I feel like it would help a lot of people.

Removing domains

HOW TO REMOVE YOUR SITE

  1. verify the site is static and contains no user data (I will remove it immediately once I confirm)
    OR
  2. Verify ownership, send me an email from @yourdomain.com, post a random nonce on the domain, or provide keybase proof
  3. Verify you are not using the Cloudflare proxy service

I will not remove sites that contain user data and are returning server:cloudflare-nginx in response headers, since they may have been affected.

So how do we have domains removed which have been confirmed by Cloudflare that they have not been affected by the Cloudbleed bug? I understand the need for some verification but I have been told by Cloudflare that my sites were unaffected and they do return server:cloudflare-nginx. Either we need a better confirmation process for removal or if the domains are not safe, should Cloudflare be informing customers that their sites were unaffected?

Make disclaimer clearer and add methodology section

As one of the admins of a site listed in your zip file, I'd like to know how exactly you derived this information, since our site absolutely does not use Cloudflare's reverse proxy.

It does use Cloudflares DNS, but that's not the same thing and didn't expose any users to data leakage.

Remove sites not affected by this vuln

Several (currently listed) sites, including coderobe.net and rob1nn.pw which I'm the provable owner of were not affected by this vulnerability. This should:

  • Be stated in readme.md
    OR:
  • Removed from the zip entirely

Now that this repository is making the news, this could potentially hurt the reputation of many sites.

Procedure for getting your domains removed

Note: I am not an official contributor of this repository nor am I affiliated with the owner of it in any way. I am simply just a person attempting to help the owner of the repository

I am speaking based on what I have seen others comment on the issues of this list, and I will provide answers I've tried gathering based on what @pirate has stated in other issues and the main page. I will update this list as time goes on as I do my best to assist the owner of the repository to the best of my ability. If you feel a question or issue should be added, comment below and I will consider it based on other comments people have added on other issues and what @pirate has stated before.

  1. The list is incorrect. It involves sites that don't use / weren't / aren't affected by this.
    A: These sites, as the disclaimer on the front page states, have possibly been affected by this. Until these sites are confirmed as unaffected, the site will remain on the list as a precaution.

  2. My site is not affected. Please remove it from the list.
    A: Please provide proof that your site in question has not been affected by #cloudbleed. If you need further instruction on how to do this, ask Pirate, the owner of this repository, for assistance.

DNS-only customers are included in the list

Many of my domains, including critcola.com, are included in this list. We use Cloudflare only for DNS, which was never affected by Cloudbleed. All of our traffic is through CloudFront.

I will send a pull request with my domains removed, but this list should really be filtered to remove domains that do not use Cloudflare as a CDN or for front-end caching.

Remove: jkhub.org (DNS only)

jkhub.org was not affected, I've worked with the owner of the site and they confirmed they didn't use cloudflare's proxy service. They will probably email you to have it removed. However, I've also confirmed they aren't returning server:cloudflare-nginx in the header.

Tools for easily searching the list

It might be nice to have a searchable HTML site for the non-programmers that don't know how to use Github/grep. I am willing to throw one together early tomorrow afternoon (~13hrs from now), but if anyone wants to do it sooner, I wouldn't complain.

EDIT: Here's the list so far:
http://www.doesitusecloudflare.com/ (doesn't search the historical list, it's just current sites)
https://chrome.google.com/webstore/detail/cloudbleed-bookmark-check/egoobjhmbpflgogbgbihhdeibdfnedii - chrome plugin
http://cloudflarelistcheck.abal.moe/
https://talepicker.com/cloudbleed/
https://cloudbleed.ak5s.com/
https://thislooksfun.github.io/cloudbleed-search/ (mine - fully browser based)
http://pickarsch.xyz/
https://cloudbleedcheck.com/
https://github.com/Eonasdan/LeakyCloudChecker/ - windows app
https://bleed.cloud/index.html
https://chrome.google.com/webstore/detail/cloudbleed/gmbmbodfgolnnfhfanhjeodfambaoklj - chrome plugin
https://addons.mozilla.org/en-US/firefox/addon/cloudbleed/ - Firefox plugin
https://github.com/mikemrm/CloudFlare-HistoryChecker - Chrome / Firefox history checker

Remove PvPCraft.ca, ryke.xyz

Domains: pvpcraft.ca, ryke.xyz, both owned by me.

https://keybase.io/macdja38

ryke.xyz while not static does not store user data, it's a little experiment.
pvpcraft.ca uses cloudflare for DNS and while it does store user sessions the site is not proxied through cloudflare as services need to connect directly to the domain. The subdomain bot.pvpcraft.ca also stores sessions but uses oauth with another provider and all sessions from the vulnerable period have been cleared.

Duplicates

Lots of duplicates!

$ cat sorted_unique_cf.txt | wc -l
 7385121

$ cat sorted_unique_cf.txt | uniq |wc -l
 4287625

This is very unhelpful. This list is causing a great deal of confusion and stress. Cloudflare has notified all affected customers and they are dealing with it. Private SSL keys and passwords were not leaked.

README.md instruction to grep is too loose, needs to do an exact match

Following the README.md instructions yields deceptive results.

e.g.

$ grep reddit.com sorted_unique_cf.txt
cometreddit.com
destinyreddit.com
notifierforreddit.com
reddit.com.ve
sexyreddit.com
telereddit.com
toreddit.com

When in fact reddit.com isn't even in the list to begin with.
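The "duplicate entries" issue (case-variant duplicates surviving sort | uniq) and this one (substring grep returning unrelated domains) share a fix, so here is one added example, not the repository's own tooling, that normalizes a list and then looks a domain up by exact, case-insensitive match. The six-line list is constructed to contain exactly the failure modes both issues describe; it is not an excerpt of sorted_unique_cf.txt.

```shell
#!/bin/sh
# Added example, not from the sites-using-cloudflare repository.
# Normalize a domain list (lower-case, deduplicate) and look domains up by exact
# match, so "reddit.com" does not hit "cometreddit.com" or "reddit.com.ve".
set -eu

# Constructed sample list reproducing both reported problems: case-variant
# duplicates and several names that merely contain "reddit.com".
SAMPLE_LIST='cometreddit.com
CometReddit.com
reddit.com.ve
Reddit.com.ve
sexyreddit.com
toreddit.com'

# Lower-case and deduplicate a list on stdin (a case-sensitive sort | uniq alone
# keeps CometReddit.com and cometreddit.com as two entries).
normalize_list() {
    tr 'A-Z' 'a-z' | sort -u
}

# Count duplicate lines on stdin after case folding; 0 means the list is clean.
count_case_duplicates() {
    tr 'A-Z' 'a-z' | sort | uniq -d | wc -l | tr -d ' '
}

# Exact, case-insensitive, literal match of one domain against a list on stdin:
# -F no regex (so "." is a dot), -x whole line, -i ignore case, -q quiet.
domain_in_list() {
    grep -Fxiq -e "$1"
}

# Substring matching as the README's original instruction does; kept only to
# count how many hits it produces on the sample for comparison.
loose_match_count() {
    grep -c -e "$1" || true
}

sample_duplicates()  { printf '%s\n' "$SAMPLE_LIST" | count_case_duplicates; }
sample_clean_count() { printf '%s\n' "$SAMPLE_LIST" | normalize_list | wc -l | tr -d ' '; }
sample_clean_dups()  { printf '%s\n' "$SAMPLE_LIST" | normalize_list | count_case_duplicates; }
sample_loose_hits()  { printf '%s\n' "$SAMPLE_LIST" | loose_match_count "$1"; }

# "present" or "absent" for a domain against the normalized sample.
sample_lookup() {
    if printf '%s\n' "$SAMPLE_LIST" | normalize_list | domain_in_list "$1"; then
        echo present
    else
        echo absent
    fi
}

echo "case duplicates before normalizing: $(sample_duplicates)"   # 2
echo "entries after normalizing: $(sample_clean_count)"            # 4
echo "substring hits for reddit.com: $(sample_loose_hits reddit.com)"   # 4
echo "reddit.com exact lookup: $(sample_lookup reddit.com)"         # absent
# Real-world use: normalize once, then query the file.
#   normalize_list < sorted_unique_cf.txt > cf_clean.txt
#   domain_in_list reddit.com < cf_clean.txt && echo present || echo absent
```

The `-x` flag alone already fixes the README instruction; `-F` matters because an unescaped `.` in `grep reddit.com` matches any character, and `-i` is what makes the lookup agree with the lower-cased list.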
