
The Cloudflare Poison

Daily reminder that sites "protected" by cloudflare are effectively MITM attacks. HTTPS is now even more worthless. Cloudflare can see everything. this is a known fact and not a theory.

And if you think Cloudflare aren't being tapped by the NSA, you're sadly sadly naive.

All the "privacy respecting" sites use it too. So remember, as soon as you see that cloudflare portal page, you can assume that everything you plug into the site is property of NSA Inc. Trust no one, and do not trust code being served to you over the web if it comes through CF, there is no way to know what they've modified.

Edit: good info link below
https://serverfault.com/questions/662946/does-cloudflare-know-the-decrypted-content-when-using-a-https-connection

IphtashuFitz ,

I hope you realize that virtually every CDN provider does the exact same thing in similar ways. Sites that use Akamai, AWS, Google cloud, Fastly, etc. all give those companies access to unencrypted content. It’s just how CDNs work…

Scolding0513 OP ,

ofc. they are all catch-alls for the NSA. people think the NSA is monitoring traffic as in looking over our shoulders. like direct interception. nope, they just let a few megacorps convince the entire internet to pass everything through their servers, then buy off all the data.

Once again, the earthly principle of all things being ultimately voluntarily, is still true.

Reddfugee42 ,

Yeah, the NSA isn't already completely integrated into telco itself. It needs these other companies to execute its tasks. You get it.

Scolding0513 OP ,

if they want to bypass all TLS, then yes, mr smarty pants

tarmarbar ,

I think he's saying they don't have to if they can read it off of your pc or the server before it's even encrypted. OS backdoors, in-app backdoors, hardware backdoors inside the CPU like Intel ME...

Scolding0513 OP ,

there is a difference between targeted attacks like that and straight allowing them to dragnet you and millions of others

tarmarbar ,

I'm not arguing for cloud flare hahahh it's horrible. I'm just saying, it's just one of many ways your data is taken. I don't see why the backdoors I listed should be used for targeted "attacks" only. They call it telemetry and it's "used to improve the product you use" hehehh

Reddfugee42 ,

If you don't think the NSA can read standard web encryption, well, that's just adorable

xilona ,

Well put!

I've been saying this since they made their services available...Nobody listened to me.

Usually when I said sth. like you mentioned, people look at me like they look today:

Ohhh...You are a conspiracy theorist...

No mate, I have a better understanding of the fucking computers and technology because I do this for a few decades...

Hoping they will listen to you!

Scolding0513 OP ,

factual statements

people won't listen because they know it's true but don't wanna admit. willful ignorance

SquiffSquiff ,

It's not that you're wrong. It's more that I don't understand what you're proposing as an alternative. To add to the comments here pointing out that that's how CDNs work: for many designs of website, the CDN essentially is the website, being served from a cache by the provider. Even when this isn't the case, you would normally have a load balancer in front of whatever was serving your website so that if you need to swap out the server for maintenance upgrade, etc. you don't need to tell who your visitors to go to a different address. In that case, your certificate would be attached to load balancer rather than the server behind it.

If this was a 1990s and I were trying to run my own server on my own hardware in my bedroom, you might have a point, but please explain how you would implement an alternative in any meaningful way today.

myliltoehurts ,

Honestly, even if you don't terminate SSL right until your very own app server, it's still based on the assumption that whoever holds the root cert for your certificate is trustworthy.

The thing that has actually scared me with CF is the way their rules work. I am not even sure what's the verification step to get to this, but if there is a configured page rule in a different CF account for your domain that points at Cloudflare (i.e. the orange cloud), you essentially can't control your domain as long as it's pointing at CF (I think this sentence is a bit confusing so an alternative explanation: your domain is pointing DNS at your own CF account, in your CF account you have enabled proxying for your domain, some other CF account has a page rule for your domain, that rule is now in control). The rule in some other account will control it.

It has happened to us at work and I had to escalate with their support to get them to remove the rule from the other cloudflare account so we can get back control of our domain while using CF. Their standard response is for you to find and ask the other CF account to remove the rule for your domain.

This is a pretty common issue with gitbook, even the gitbook CEO was surprised CF does this.

SquiffSquiff ,

Thanks. This is pushing the limits of my current understanding, but unless I'm mistaken, this reads like 'anyone who chooses may hijack part of your domain at any time if you both use cloudflare'. Sounds crazy.

TheAnonymouseJoker ,

I explicitly block Cloudflare and Google domains fully, until and unless it is a website with no privacy repercussions or throwaway account possibilities. If it is something I legally purchase and requires their captcha, I can tolerate it unless I can avoid.

People are too used to submitting or cucking themselves. I am not such a person.

Deebster ,

If you're blocking everything that's proxied via Cloudflare or hosted on Google, the internet must be a very small place for you. I think even a third of Lemmy is behind Cloudflare.

TheAnonymouseJoker ,

I do not directly use Lemmy world or those instances. Their contents federate with Lemmy.ml instance.

Moreover, only 22% of internet is behind Cloudflare. You missed the part where I said I refuse to use a Cloudflare service where there is no throwaway account possibilities or no privacy/anonymity repercussions. That is most of Cloudflare sites. I have encountered probably 20ish CF sites in my life according to my criteria where I had to avoid using them.

Deebster ,

I know how federation works, but look at the network inspector and you'll see you're pulling a lot of images from Cloudflare-proxied sites (or you're missing a lot, if you've blacklisted them).

Anyway, I only meant that even Lemmy, with its anti-corporate culture, is still heavily using Cloudflare. "Only" 22% is still a lot in my book.

I'm interested as to your motives - are you doing this as a boycott, and/or to protect your privacy (or similar)? Also, are you blocking domains one-by-one, or are doing something like using firewall rules?
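Deebster's question about blocking "one-by-one" versus "firewall rules" comes down to being able to tell which hosts actually hand your TLS session to a third-party edge. The script below is an added example and not code from anyone in this thread; it classifies a host as proxied either by the address it resolves to (membership in a set of edge address ranges) or by response headers such as `cf-ray` and `server: cloudflare`. The IP ranges and sample responses are constructed placeholders; Cloudflare publishes its real proxy ranges at https://www.cloudflare.com/ips/, and you would load that list in place of the documentation ranges used here.

```python
import ipaddress
from typing import Iterable, Mapping

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space).
# Replace with the list Cloudflare publishes at https://www.cloudflare.com/ips/.
PLACEHOLDER_PROXY_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]

# Response headers only present when the reply was generated by the Cloudflare edge,
# which means the TLS session was terminated there, not at the origin.
_HEADER_SIGNALS = ("cf-ray", "cf-cache-status")


def ip_in_ranges(ip: str, ranges: Iterable[ipaddress._BaseNetwork]) -> bool:
    """True if the resolved address falls inside any of the given edge ranges."""
    addr = ipaddress.ip_address(ip)
    # ipaddress returns False for a v4 address tested against a v6 network, so
    # mixed-family lists are safe.
    return any(addr in net for net in ranges)


def headers_look_proxied(headers: Mapping[str, str]) -> bool:
    """True if the response carries headers that the edge adds."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    if any(h in lowered for h in _HEADER_SIGNALS):
        return True
    return lowered.get("server", "") == "cloudflare"


def classify(host: str, resolved_ip: str, headers: Mapping[str, str],
             ranges: Iterable[ipaddress._BaseNetwork] = PLACEHOLDER_PROXY_RANGES) -> dict:
    """Combine both signals; either one alone is enough to call the host proxied."""
    by_ip = ip_in_ranges(resolved_ip, ranges)
    by_hdr = headers_look_proxied(headers)
    return {"host": host, "ip_match": by_ip, "header_match": by_hdr,
            "proxied": by_ip or by_hdr}


def blocklist(results: Iterable[dict]) -> list[str]:
    """Hosts-file style lines for every host judged proxied (the 'firewall rule' answer)."""
    return [f"0.0.0.0 {r['host']}" for r in results if r["proxied"]]


# Constructed observations: (hostname, address it resolved to, headers seen).
SAMPLE_OBSERVATIONS = [
    ("proxied.example", "198.51.100.7", {"Server": "cloudflare", "CF-RAY": "placeholder"}),
    ("direct.example", "203.0.113.5", {"Server": "nginx"}),
    ("v6-edge.example", "2001:db8:cf::10", {"Server": "cloudflare"}),
]


def run_samples() -> list[dict]:
    return [classify(h, ip, hdrs) for h, ip, hdrs in SAMPLE_OBSERVATIONS]


if __name__ == "__main__":
    for r in run_samples():
        print(r)
    print("\n".join(blocklist(run_samples())))
```

A header match tells you more than an address match: the headers are set by the edge itself, so their presence shows that the connection you opened was decrypted there, which is the point the original post makes. The address check catches hosts whose responses you have not seen yet (for instance from passive DNS logs).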

Scolding0513 OP ,

fully agreed. if I have to use a CF site I make absolutely sure I'm using a dedicated IP with useless disposable info/creds

sometimes I just close the site and never go back, I'm so sick of seeing it.

iarigby ,

It is very weird that tools that support “onion” ssl - some way that would allow one layer of encryption for your “allowed” mitm which would keep almost all the request encrypted with key for the server.

Scolding0513 OP ,

exactly my thoughts, I've been wanting to look into this. seems like they are trying to MITM even onion traffic

elias_griffin ,

The name sounds akin to "mass gaslighting"?
