Daily reminder that sites “protected” by cloudflare are effectively MITM attacks. HTTPS is now even more worthless. Cloudflare can see everything. This is a known fact and not a theory.

And if you think Cloudflare aren’t being tapped by the NSA, you’re sadly sadly naive.

All the “privacy respecting” sites use it too. So remember, as soon as you see that cloudflare portal page, you can assume that everything you plug into the site is property of NSA Inc. Trust no one, and do not trust code being served to you over the web if it comes through CF, there is no way to know what they’ve modified.

Edit: good info link below https://serverfault.com/questions/662946/does-cloudflare-know-the-decrypted-content-when-using-a-https-connection
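The serverfault answer linked above makes the mechanical point behind the post: when a site is proxied by Cloudflare, the browser's TLS session ends at Cloudflare's edge, which decrypts the request and opens its own connection to the origin, so the padlock only vouches for the hop to the edge. The following is an added example (not from the post, and not Cloudflare's code) showing the signals a client can use to tell that its session was terminated at the edge: the `Server` and `CF-*` response headers Cloudflare's proxy adds, and the shared `cloudflaressl.com` name that Cloudflare's Universal SSL certificates commonly carry (treated here as a hint, an assumption rather than a guarantee). The two sample observations are constructed.

```python
"""Tell whether an HTTPS response was terminated at Cloudflare's edge.

Added example for this thread, not from the post or from Cloudflare.
The header names (Server, CF-RAY, CF-Cache-Status) are real Cloudflare
response headers; the sample observations below are constructed.
"""
from dataclasses import dataclass, field

# Headers Cloudflare's reverse proxy adds to responses it serves.
CLOUDFLARE_EDGE_HEADERS = {"cf-ray", "cf-cache-status"}

# Shared-certificate name Cloudflare's Universal SSL certificates commonly carry
# (assumption: treated here as a strong hint, not a guarantee).
SHARED_CERT_SUFFIX = ".cloudflaressl.com"


@dataclass
class TlsObservation:
    """What the client actually sees: response headers and the leaf cert names."""
    headers: dict[str, str]
    cert_subject_cn: str
    cert_sans: list[str] = field(default_factory=list)


def edge_termination_indicators(obs: TlsObservation) -> list[str]:
    """Return the indicators that the TLS session ended at Cloudflare, not at the origin.

    An empty list means none of the known signals were present; it does not
    prove that the origin terminated TLS itself.
    """
    reasons: list[str] = []
    lowered = {k.lower(): v for k, v in obs.headers.items()}

    if lowered.get("server", "").strip().lower() == "cloudflare":
        reasons.append("Server header is 'cloudflare'")

    # Sorted so the report order is stable regardless of header order.
    for name in sorted(CLOUDFLARE_EDGE_HEADERS.intersection(lowered)):
        reasons.append(f"edge header present: {name}")

    names = [obs.cert_subject_cn, *obs.cert_sans]
    if any(n.lower().endswith(SHARED_CERT_SUFFIX) for n in names):
        reasons.append("leaf certificate carries a shared cloudflaressl.com name")

    return reasons


# Constructed sample: a site proxied by Cloudflare. The CF-RAY value is a
# made-up placeholder in the real format (16 hex digits, a dash, a colo code).
SAMPLE_VIA_CLOUDFLARE = TlsObservation(
    headers={
        "Server": "cloudflare",
        "CF-RAY": "0123456789abcdef-XYZ",
        "CF-Cache-Status": "DYNAMIC",
        "Content-Type": "text/html; charset=utf-8",
    },
    cert_subject_cn="example.org",
    cert_sans=["example.org", "*.example.org", "sni.cloudflaressl.com"],
)

# Constructed sample: the origin terminates TLS itself and presents its own cert.
SAMPLE_DIRECT_ORIGIN = TlsObservation(
    headers={"Server": "nginx", "Content-Type": "text/html; charset=utf-8"},
    cert_subject_cn="example.org",
    cert_sans=["example.org", "www.example.org"],
)


def classify(obs: TlsObservation) -> str:
    """Short verdict for a report line."""
    found = edge_termination_indicators(obs)
    if not found:
        return "no Cloudflare edge indicators"
    return "terminated at Cloudflare edge: " + "; ".join(found)


if __name__ == "__main__":
    for label, obs in (("proxied", SAMPLE_VIA_CLOUDFLARE),
                       ("direct", SAMPLE_DIRECT_ORIGIN)):
        print(f"{label}: {classify(obs)}")
```

To build a `TlsObservation` from a live site, take the headers from any HTTP client and the certificate names from `ssl.SSLSocket.getpeercert()` (which returns `subject` and `subjectAltName`) or from `openssl s_client -connect host:443 -servername host` piped into `openssl x509 -noout -subject -ext subjectAltName`. The checks are heuristics: a Cloudflare customer can upload its own certificate, and a site can strip or spoof the `Server` header, so an empty result is not proof that the origin terminated TLS.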

  • Tinkerer@lemmy.ca · 7 months ago

    So what domain provider does everyone recommend instead of cloudflare for hosting my domain?

      • Tinkerer@lemmy.ca · 7 months ago

        I mean no but the added security kind of trumps everything else. It helps to not expose my public IP and the added bonus of firewall rules too.

        • orcrist@lemm.ee · 7 months ago

          That all depends on your setup. If your website is on a VPS, why are you adding the extra security? Are you adding extra security? I think one of the points is that you’re taking away security.

          And if you need firewall rules, maybe you should put the firewall rules on your firewall. Why would you rely on someone else’s firewall?

    • InFerNo@lemmy.ml · 7 months ago

      Does your site actually need protection from cloudflare? Have you been attacked?

  • TimLovesTech (AuDHD)(he/him)@badatbeing.social · 7 months ago

    So does everyone here that fears Cloudflare as secretly out to get them not believe that the NSA doesn’t have their hooks in all the major datacenters? The same datacenters used by all the major web hosts people are using to “self host” for privacy.

    Personally I think you have to have faith at some point that everything from your node to the destination is on the up-and-up unless you have a concrete reason to assume otherwise. Otherwise you should be suspicious of your ISP’s network and every switch/router/firewall/node your data traverses on the internet. And being that paranoid basically means anything you didn’t review the code of and compile yourself should be out of bounds.

    • Citizen@lemmy.ml · 7 months ago

      Not if you have everything “on premises” under your control and doing the hard work of keeping that infrastructure up and running. Yeah, that is a lot of effort, but still doable!

      Someone asked me: Is it worth it? I’ll let you answer that question yourself 🙂

      • TimLovesTech (AuDHD)(he/him)@badatbeing.social · 7 months ago

        Agreed, it can work for those wanting to be an admin (and know enough to be “dangerous”). I think the bigger issue comes when you want to open services to the internet, because unless you are an admin you probably don’t want to do that without a proxy (and possibly firewall) of some kind in front of your home network. Which is kinda what I was thinking with this anti-Cloudflare post. If you are interacting with the Internet you have to trust a network and hardware outside of your own. And I think it’s naive to fear the 3-letter orgs being inside Cloudflare, and then thinking that putting your data in a datacenter you don’t control is any “safer”.

        I think ultimately if the 3 letter groups want your data that bad because you’re on some list, I think the internet as a whole is something you should probably be avoiding anyways. And for randoms, if they are sweeping up data like that you can be sure they would do it at more than just Cloudflare.

  • starman@programming.dev · 7 months ago (edited)

    BTW, can someone recommend a nice alternative for fast and free static website hosting?

    I tried GitHub Pages, but I couldn’t get it working with subdomains.

  • youmaynotknow@lemmy.ml · 7 months ago

    I’m basically running all my self-hosted services over CF tunnels. Does anyone have a suggestion for an alternative to this? I’d like to remove CF from my life, but not at the expense of poking port holes in my FW.

        • Harrison@infosec.pub · 7 months ago (edited)

          Remember not to compromise security in favor of privacy. To me they’re both important, but security wins every time.

          Remember that services directly accessible over tunnels, whether from cloudflare or frp or ngrok or whatever, are directly accessible over the internet. So if any of those various self-hosted services have a remote vulnerability, and EVERYTHING does sooner or later, you will be exposed. This is why I personally WG VPN to my home LAN rather than exposing most of my stuff via any sort of tunnel. Tailscale is another option I often recommend.

          I do use CF tunnels for specific purposes; Home Assistant Google Home integration for example, but I secure that via their “zero trust” authentication by validating incoming IP ranges, so only Google can reach the tunnel in the first place, everybody else is stopped by Cloudflare. For other services with human users, I have them authenticate via github or google oauth first. I also run all services accessible by the internet by any means on a restricted VLAN firewalled off from the rest of my LAN.
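The comment above describes gating a tunnel so that only one integration partner's published address ranges can reach it at all, before any application-level login is involved. The block below is an added example of that kind of source-address allowlist gate; it is not the commenter's setup and not Cloudflare's implementation. The allowed networks use RFC 5737 / RFC 3849 documentation ranges as stand-ins for a partner's real ranges, and the access-log lines are constructed. It parses both IPv4 and IPv6, fails closed on an unparseable address, and reports which requests the gate should have stopped.

```python
"""Source-IP allowlist gate for a tunnelled service.

Added example, not the commenter's configuration and not Cloudflare's code.
The allowed networks and the log lines are constructed (documentation ranges).
"""
import ipaddress

# Constructed allowlist standing in for the published ranges of the one
# integration partner that is supposed to reach this tunnel.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:abcd::/48"),
]

# Constructed access-log lines: "<client ip> <method> <path> <status>"
SAMPLE_LOG = """\
203.0.113.44 POST /api/webhook 200
198.51.100.7 GET /api/webhook 200
2001:db8:abcd::1 POST /api/webhook 200
192.0.2.99 GET /admin 200
not-an-ip GET / 200
"""


def is_allowed(client_ip: str, networks=ALLOWED_NETWORKS) -> bool:
    """True only when the address parses and falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable source address: fail closed
    return any(addr in net for net in networks)


def audit(log_text: str, networks=ALLOWED_NETWORKS) -> list[tuple[str, str]]:
    """Return (client_ip, path) for every request the allowlist should have stopped."""
    denied: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; not a request we can judge
        ip, _method, path, _status = parts
        if not is_allowed(ip, networks):
            denied.append((ip, path))
    return denied


if __name__ == "__main__":
    for ip, path in audit(SAMPLE_LOG):
        print(f"would be rejected: {ip} -> {path}")
```

Because the gate keys on the connecting address alone, it only holds when that address is what the proxy actually saw; a value copied from a client-supplied header such as `X-Forwarded-For` can be set by anyone, so the check belongs at the edge that terminates the connection, in front of whatever per-user authentication sits behind it.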

  • IphtashuFitz@lemmy.world · 7 months ago

    I hope you realize that virtually every CDN provider does the exact same thing in similar ways. Sites that use Akamai, AWS, Google cloud, Fastly, etc. all give those companies access to unencrypted content. It’s just how CDNs work…

    • Scolding0513@sh.itjust.works (OP) · 7 months ago

      ofc. they are all catch-alls for the NSA. people think the NSA is monitoring traffic as in looking over our shoulders. like direct interception. nope, they just let a few megacorps convince the entire internet to pass everything through their servers, then buy off all the data.

      Once again, the earthly principle of all things being ultimately voluntary is still true.

      • Reddfugee42@lemmy.world · 7 months ago

        Yeah, the NSA isn’t already completely integrated into telco itself. It needs these other companies to execute its tasks. You get it.

          • tarmarbar@startrek.website · 7 months ago

            I think he’s saying they don’t have to if they can read it off of your pc or the server before it’s even encrypted. OS backdoors, in-app backdoors, hardware backdoors inside the CPU like Intel ME…

            • Scolding0513@sh.itjust.works (OP) · 7 months ago (edited)

              there is a difference between targeted attacks like that and straight allowing them to dragnet you and millions of others

  • bokherif@lemmy.world · 7 months ago

    My man thinks he has privacy lol. Any CDN that provides WAF capabilities will inject themselves in the middle to inspect the traffic. This does not mean they don’t respect your privacy. If you think the three letter bureaus let you have your privacy with anything, you’re wrong. Privacy is a long dead thing of the past. You can’t even hide your data from companies that want to make a profit off your data, let alone the three letter government agencies. The government monitors and has access to every digital device known to regular consumers, be it in the US, CN or any other country.

    • orcrist@lemm.ee · 7 months ago

      I think you were doing all right until you got to the end, where you went into hardcore conspiracy theory mode. But even at the beginning, you were oversimplifying, which made your analysis weak. In reality, there are many different attackers willing to spend different amounts of time and money. When we take steps to improve security, we discourage some of those attackers even if we don’t stop them all.

      • bc93@lemmy.world · 7 months ago

        I’m not sure what you mean by this - while their comment was a bit wild, it’s factually correct - you will never, ever be able to protect your privacy from state actors. Cloudflare and similar CDNs are one part of that but are by no means necessary. To be truly private from state actors would require such an onerous process that it’s essentially impossible for the average working class person.

        I think having HTTPS provided through Cloudflare is better than no HTTPS at all in almost every case.

  • intro@programming.dev · 7 months ago (edited)

    Is this also true about the cloudflare DNS over HTTPS option that Firefox provides in the privacy settings? If yes, then would it help if I changed the setting from ‘Cloudflare’ to ‘NextDNS’?

    • ssm@lemmy.sdf.org · 7 months ago (edited)

      I use quad9 with DNS over TLS systemwide with OpenBSD unwind.

      unwind.conf config

      forwarder { 9.9.9.9 port 853 DoT 149.112.112.112 port 853 DoT }
      preference { DoT }
      

      Firefox’s use of Cloudflare for DoH is irresponsible, and possibly worse than just sending your DNS queries to your ISP’s default servers. It would be in line with Mozilla’s other practices though.

    • voxel@sopuli.xyz · 7 months ago (edited)

      that’s just dns tho
      but yeah, obviously your dns provider can see the dns requests (aka domain names) you’re making, that’s the whole point of a dns server

  • edric@lemm.ee · 7 months ago

    Isn’t it a money thing? I kinda remember reading somewhere that big corporate clients basically can have their traffic pass through without decryption because they pay enough for the service. So as usual, it’s the small individual user who gets shafted.

  • iarigby@lemmy.world · 7 months ago

    It is very weird that tools that support “onion” ssl - some way that would allow one layer of encryption for your “allowed” mitm which would keep almost all the request encrypted with key for the server.

  • Apollo2323@lemmy.dbzer0.com · 7 months ago

    I mean most pirate sites have Cloudflare in front, and even with legal requests Cloudflare has denied giving the IP so many times.

    • wildbus8979@sh.itjust.works · 7 months ago

      It’s far more useful for them to maintain that image while essentially acting as a giant Room 101 for the entire internet. The three letter agencies, the fusion centers, and the Five Eyes of this world can easily just parallel construction their way into whatever legal shenanigans they need.

  • TCB13@lemmy.world · 7 months ago

    And then there’s people using Cloudflare tunnels, Tailscale and others for self-hosting stuff… that also may have your keys or inject clients at some point…

    But we’re about to get downvoted to hell for pointing this out, because our community of self-hosters who pride themselves on sovereignty can’t deal with the cognitive dissonance of having their favorite corporate solutions unmasked for what they are - spyware on steroids.

    • somethingsomethingidk@lemmy.world · 7 months ago

      Tailscale keeps the private keys locally. It just facilitates setting up wireguard. They could steal your private keys, as could any program you install with root access. But it would completely destroy their business, and it’s open source. I really don’t think they have anything to gain by tricking everyone.

      • MigratingtoLemmy@lemmy.world · 7 months ago

        Use headscale. I have no idea how people are OK with tailscale when they keep your keys and essentially have access to your network.

      • TCB13@lemmy.world · 7 months ago

        They could steal your private keys, as could any program you install with root access

        There you go.

        and it’s open source.

        Are you sure that what you download from https://tailscale.com/download is 100% open-source and the same thing that is published on their repos?

        But it would completely destroy their business (…) I really don’t think they have anything to gain by tricking everyone

        Same goes for Cloudflare. Maybe Tailscale is secure and good people, or maybe they copy all keys to somewhere and covertly share them with govt agencies.

  • cursed_technology@lemmy.world · 7 months ago

    CloudFlare is a huge danger to a free and open internet, in my opinion. I cringe every time I hear privacy-conscious people recommend it.

    • Possibly linux@lemmy.zip · 7 months ago

      True, but from what I can tell there isn’t much in the way of alternatives, as Cloudflare is huge.

      I wish Lemmy instances would find alternatives.

    • Scolding0513@sh.itjust.works (OP) · 7 months ago

      absolute fax

      I cannot begin to tell how pissed this makes me.

      Please for the love of all that is holy, do NOT call your site or yourself “privacy-respecting” or “privacy-oriented”, and then meet me with a Cloudflare MITM to knowingly and willingly give over everything I input in your site to NSA Inc.

      I’m sick to my stomach of all these orgs and companies and people talking about privacy, and then they constantly do all these kinds of things that prove that they don’t actually care about privacy or anonymity or anything in between. They are Vipers and Snakes trying to make a quick dollar on a buzzword. It’s become sadly trite.

      We must return to the dark ages of p2p. The age of self-hosting, blockchain (the truly good parts like monero), ipfs, bittorrent, tor onions, i2p, any other p2p or decentralized network - these kinds of things are all that stands between us and internet controlled by a handful of NSA-worshipping megacorps.

      • Citizen@lemmy.ml · 7 months ago

        This is why I like this community so much!

        I always learn from people like you!

        We discuss, sometimes we agree sometimes we don’t, but we speak our minds freely and come up with some neat solutions!

        Thank you!

        It’s time to use the technology for the benefit of humans, not against them!

        Let’s look into better solutions together!

    • voxel@sopuli.xyz · 7 months ago

      there’s no alternative tho, and by definition alternatives will have the same level of access…

  • Citizen@lemmy.ml · 7 months ago

    Well put!

    I’ve been saying this since they made their services available…Nobody listened to me.

    Usually when I said something like you mentioned, people looked at me like they look today:

    Ohhh…You are a conspiracy theorist…

    No mate, I have a better understanding of the fucking computers and technology because I do this for a few decades…

    Hoping they will listen to you!