Description
Existing documentation URL(s)
https://developers.cloudflare.com/waf/detections/
https://developers.cloudflare.com/waf/detections/leaked-credentials/
What changes are you suggesting?
An opsec person on Mastodon posted this article, concerned about the ramifications of CloudFlare being able to access credentials.
https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/
The article breezes past the fact that the Leaked Credentials Detection can view your credentials as well as the fact that this is enabled by default on free accounts. To anyone who's security-conscious or privacy-conscious that comes across as pretty scary, like CloudFlare is exploiting some insecure gaps or something to that effect.
Further, the docs the article links to don't go into any more detail about HOW Leaked Credentials Detection works or how to check if you have it enabled. There are no reassurances made about any of it.
In situations where sensitive information is involved, documentation will usually say "it is encrypted at rest, is compliant with XYZ, etc". Those same kinds of reassurances need to be made regarding credentials.
Additionally, these instructions seem to be out of date or simply do not work with a free plan. I don't see a "Security" link in the sidebar.
Last, it should be made abundantly clear that this is enabled by default on free accounts and why that's a good thing, not a bad thing.
I brought all this up in the CloudFlare Discord, but was met with a fair bit of skepticism: "anyone who knows about this stuff will understand it isn't stealing credentials". But that's the problem, not everyone knows about this stuff, so the headline and the feature look pretty scary.
It's an issue of optics.
Additional information
No response
