What was one revelation of the Snowden leaks? NSA/five eyes really hate encryption and lamented about the fact more and more web traffic is encrypted. It would be very convenient for them to have a honeypot MITM that strips encryption and can see all traffic, while also preventing Tor users from effectively browsing the clearnet.
Cloudflare sees all traffic between you and the website you want to visit in clear text. Cloudflare is located in San Francisco, CA, USA. 20% of clearnet internet traffic goes through Cloudflare. Every US company can be forced by secret federal court order to allow the NSA to tap into their communications and no one at such a company who knows about it may talk about it to anyone unless they want to spend the next 10-20 years behind bars. It doesn’t matter if Cloudflare was an NSA-thing from the start or turned into one later, it very surely is given its size and market share.
DDoS protection is nothing special. Hosters like Hetzner have first-rate DDoS-protection and it’s included free of charge with their VPS packages. With some very few exceptions, I think it’s nonsense that companies think they have to use Cloudflare for DDoS protection.
Please think twice before using services like Cloudflare, especially when they’re “free”. Who is the product?
While I agree with that, it’s often not even the choice of most tech people, unless it’s their own company. Similar things are true for cloud usage at large. There’s very little incentive to care about privacy and that kind of security in most companies. It doesn’t cost companies anything, but it brings them certain benefits. It’s just not how your typical company operates.
Of course this also explains why companies, large and small, are being “hacked” all the time. But the response is using some mandatory security courses for employees and hoping it doesn’t happen next time. Security is barely a worthwhile endeavor for most companies, outside of marketing and similar things. It sounds good both in ads and in internal presentations, projects, etc. But it’s rarely meant sincerely in commercial contexts.
It’s more like companies showing you a “Your privacy is important to us”, when the only reason that they are required to have that banner up is precisely because they couldn’t care less about it.
Companies still will eagerly provide your data to CDNs, analytics tools, and all sorts of other third parties, embed Facebook, not read the docs enough to opt out for non-Facebook sending their data to FB and so on. It’s simply not an objective for a company that exists to increase profit. It’s not just about privacy. It’s a general theme. It’s all about incentives.
Please explain this claim.
If a website uses Cloudflare, the traffic between you and the website is 100% readable by Cloudflare. If you don’t believe me, read this:
“CF does see all of the passwords, OAuth tokens, secrets, and PII that go through its systems, however, Cloudflare operates in accordance with the GDPR and isn’t an advertising or data collection company giving them little to no incentive to steal any PII or steal the passwords of customers/website operators.”
trust us™
It’s not a question of belief. It was simply a technical question. As @edk mentions, the CDN functionality relies on being able to terminate the TLS connection on a Cloudflare server.
It certainly is a security puzzle worth thinking about. For example, there are protocols (designed before TLS was widespread) that use nonces and do not pass plain text passwords or even login identities (see “userhash”), even within TLS protected streams, e.g. https://datatracker.ietf.org/doc/html/rfc7616
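The RFC 7616 scheme the comment above points to, worked through as an added example (this is not code from the thread, from Cloudflare, or from the RFC itself). It uses the RFC’s SHA-256 algorithm and its userhash parameter: the client sends H(username:realm) in place of the username and a response derived from H(username:realm:password), so neither the password nor the login identity appears in the request. The realm, user names, passwords and paths are constructed sample values; the server stores only H(A1) and treats each nonce as single-use, so a captured header cannot be replayed. What it does not change, as the thread goes on to say, is that a proxy terminating TLS still reads and could alter the request and response bodies around that header.

```python
import hashlib
import secrets

REALM = "api@example.org"   # constructed sample realm


def h(data: str) -> str:
    """H() from RFC 7616 with algorithm=SHA-256, lower-case hex output."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def ha1(username: str, password: str, realm: str = REALM) -> str:
    """H(A1) = H(username:realm:password). This is all the server needs to store."""
    return h(f"{username}:{realm}:{password}")


def userhash(username: str, realm: str = REALM) -> str:
    """RFC 7616 username hashing: the client sends H(username:realm) as the username."""
    return h(f"{username}:{realm}")


def digest_response(ha1_value, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = H(H(A1):nonce:nc:cnonce:qop:H(A2)) with A2 = method:uri (qop=auth)."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, password, method, uri, nonce, nc="00000001", cnonce=None):
    """Client side: the Authorization header value. The password only ever feeds the hash."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(ha1(username, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{userhash(username)}", realm="{REALM}", uri="{uri}", '
            f'algorithm=SHA-256, nonce="{nonce}", nc={nc}, cnonce="{cnonce}", '
            f'qop=auth, response="{resp}", userhash=true')


def parse_digest(header: str) -> dict:
    """Split the comma-separated key=value fields (quoted or bare) of a Digest header."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    fields = {}
    for part in header[len("Digest "):].split(", "):
        key, value = part.split("=", 1)
        fields[key] = value.strip('"')
    return fields


class DigestServer:
    """Server side: stores H(A1) keyed by userhash, issues nonces, verifies responses."""

    def __init__(self):
        self.users = {}          # userhash -> H(A1); plain passwords are never kept
        self.live_nonces = set()  # nonces issued but not yet consumed

    def add_user(self, username: str, password: str) -> None:
        self.users[userhash(username)] = ha1(username, password)

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, method: str, uri: str, header: str) -> bool:
        f = parse_digest(header)
        if f.get("nonce") not in self.live_nonces or f.get("uri") != uri:
            return False
        stored = self.users.get(f.get("username"))
        if stored is None:
            return False
        expected = digest_response(stored, method, uri, f["nonce"], f["nc"], f["cnonce"], f["qop"])
        ok = secrets.compare_digest(expected, f["response"])
        if ok:
            self.live_nonces.discard(f["nonce"])  # single use: replaying the header now fails
        return ok


def demo() -> dict:
    """One challenge/response round with constructed credentials, then a replay of the same header."""
    server = DigestServer()
    server.add_user("alice", "correct horse battery staple")
    nonce = server.challenge()
    header = build_authorization("alice", "correct horse battery staple", "GET", "/account", nonce)
    return {
        "header": header,
        "accepted": server.verify("GET", "/account", header),
        "replay_accepted": server.verify("GET", "/account", header),
    }


if __name__ == "__main__":
    result = demo()
    print(result["header"])
    print("accepted:", result["accepted"], "replay accepted:", result["replay_accepted"])
```

Inspecting the printed header shows what an intermediary on the path would get from this scheme: hex digests and nonces, but no password and no user name. The response is also bound to the method and URI, so the same header cannot be redirected to a different resource.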
It doesn’t seem like a security puzzle to me.
A lot of CloudFlare’s (and other CDN) features depend on MITMing, reading data, but also things like modifying headers, sometimes compressing or re-encoding images, etc. And of course they cache the data. Tunneling through cloudflare wouldn’t be a big problem, but also wouldn’t gain you anything.
You could of course do that just for passwords, but the thing you protect against by having an account and a password could still be done by Cloudflare (reading content, and even modifying requests and responses).
Cloudflare is a CDN at heart. Like any CDN it needs to think in plaintext so it can cache things. So Cloudflare’s reverse proxy terminates TLS and (optionally!!) re-establishes TLS in order to talk to whatever is behind it. Setting aside any internal policy/security measures, which I hope exist but have no way of knowing for sure, someone with access to Cloudflare’s infrastructure could snoop on traffic while it’s between TLS connections, so to speak.
I should note that unlike parent I am not totally convinced Cloudflare is the NSA, although I would imagine they’ve seen more FISA orders than most companies their size.
They don’t really need to “be” NSA. If they operate in the US, as they do, any employee can be compelled to do their bidding through a National Security Letter, and it might even be a punishable offense for that employee to tell his boss.
That’s the happy case. There are many Governments far more malign than the US Government; I’d bet that some of them (e.g. the Chinese and Russian Governments) have at least attempted to compromise individual employees of Cloudflare.
The “happy case” depends entirely on who exactly has their privacy infringed by a Cloudflare compromise, and it will likely not be the same answer for everyone involved.
This was a published issue long before Snowden. Clipper chip arguments from 1994 or so, and back earlier with James Bamford’s Puzzle Palace: all these supposed revelations were in the clear. https://a.co/d/8KBvKPL
Yeah, but Snowden demonstrated that the surveillance was an order of magnitude or two larger than what people realistically expected.
I think (pretty much aligned with your point) that “people” in your sentence really means “people who didn’t read Bamford’s The Puzzle Palace from 1983, or read any freedom of information act documents since then about NSA, or ever visit NSA” because most of the people I knew were like “no duh…should be obvious”.
And, again to your point, the number of such people was adequately large to create a sustained reaction to Snowden’s leaks.
I do think the co-opting of NSA equipment to watch domestic cellphone network traffic was the only previously unemphasized thing (because it’s outside NSA’s charter, unless one side of the conversation crosses the US border).
This happened to me for a few days (then inexplicably stopped), and I couldn’t use give-or-take half of the websites I wanted to. Bot/scraping “protection” does nothing to block evil scrapers, they have botnets, proxies, whatever necessary - just look at Twitter. All this “protection” does is intercept and interfere with the human action of regular people.
I wonder if this penny will ever drop for companies, or this arms race will continue and make the web “experience” worse for everyone as collateral (and before you know it, we’ll have a web that works as well as if we’re browsing it from behind the Great Firewall of China).
Developers could & should take a stand against implementing & using these systems as well.
I agree with you in theory.
The waves of labor-assaulting layoffs (which, while they seem to have cooled off this year, are still an impending threat) making it extremely likely that anyone who dares stick their neck too far out will be without a paycheck with which to buy food and pay rent, make me disagree in practice that there can be significant pushback on any real scale against this, at least right now.
I agree that it’s pretty bad to have a bouncer at the front doors of the internet, judging whether your user agent is deemed “human” enough, like it was some sort of exclusive club. That just sucks.
But sadly, I am afraid it’s a bit more nuanced than that. While things like cloudflare will never be perfect, they do block a lot of bad stuff. At least with a paid account you do get a capable WAF that still isn’t complete bullshit, especially for i.e. less-technically inclined people who want to host a somewhat controversial blog on a cheap VPS.
Sounds like the barrier to entry should be lowered (possibly AGPL’d) for self-hosting anti-spam options. This sounds like a less dystopian option than proposing it’s best to let a publicly-traded, US corporation hold the keys to the internet.
The problem isn’t anti-spam, it’s volume of traffic. If you rent a VPS you probably have in the order of 100-1000 Mbps bandwidth - easily saturated by a modest botnet but you’re nowhere near the level of service where you can get someone on the phone to help you classify and block traffic. Many sites are playing the “don’t be a target” card right now and it’s working, but for how long?
Surely there is a community/collective-run or non-profit option here. I’m not convinced it’s in our best interest that a corporation is given the power.
Ultimately it’s a technical flaw, or at least a trade-off in the design of the internet. IMO we’d do well to look at protocols that help us share content and create multiuser applications without letting a single node get overwhelmed - something quite different from IP+HTTP.
As for a community-run Cloudflare… well I can only imagine how the discussions would go about which Mastodon instances deserve protection and which don’t. Under the circumstances, I’ll take the corporation.
I can be mad at & still understand siding with the corporation in the short-term, but long-term we need a real solution out there to a corporate gatekeeper.
Any recommendations for a trustworthy community-run or non-profit alternative to cloudflare?
I am with you in the ideological argument, but also involved in projects where resources are low, ddos happens and cloudflare seems hard to beat. Would love to learn about more alternatives, especially European ones.
Their free WAF rules do offer very easy blocking of certain ASNs, countries* or clients, while creating 0 overhead for your webserver. I only use them for one service, but their WAF rules + caching can diminish the traffic you see to 1% (for example with media files), while costing you nothing.
As much as I dislike the size (literally network effect) and amount of MITM through CF, their value for hosting simple stuff can’t be understated. I know people who said “DDoS for the application API of our company? dunno, we let CF handle it”.
But - and that is the problem - a CF wide block is literally the starting point of what we fear the so called browser integrity will bring us. CF will probably also just add browser integrity checks on top.
* Based on your service, it may be that you actually don’t expect traffic from outside your country, or you just invoke a DDoS JS captcha in front and let that handle the problems.
This is scaring me. The web was a haven where apps were not. Just today my bank app finally figured out either I had root (with Zygisk) or had a custom ROM (which I use for a firewall, ad block, Aurora Services, & microG which improves my privacy), but I could fall back to the non-mobile-optimized, right-click-disabling, log-you-out-without-prompt, Netscape-Navigator-4-detecting website. If we get the Web Integrity BS, the web won’t be safe either. Luckily I’m in a cash-first country, but I have a feeling it’s all about to get worse, & we’ll need to carry a separate device just to do basic tasks—a device all the advertisers & trackers can milk every bit out of you.
Yep, even a verification app my health insurance wanted me to use did detect this. Apparently they’d rather have me fake it, or leave the OEM Android that’s 4 years outdated.
“install our spyware or you don’t get healthcare” sounds terrifying
What does “WAF” mean?
Web Application Firewall
You set up rules by which to present captchas, block pages, rate limit, etc. in a very simple “and”/“or” chain based on IPs, networks, ASNs, countries, URLs, cookies, etc.
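The rule chain described in the two WAF comments above (free rules matching ASNs, countries or networks; “and”/“or” conditions; captcha, block or rate-limit actions), as an added example that is not Cloudflare’s rule language or any code from the thread. The prefix-to-ASN and ASN-to-country tables, the IP ranges, ASNs and the rules themselves are constructed; a real edge would consult GeoIP/ASN data and its own rule syntax. Rules are evaluated top to bottom and the first one that fires decides, which is the property to keep in mind when ordering an “allow” rule above “block” rules.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed stand-ins for the ASN/GeoIP lookup an edge WAF performs before rules run.
PREFIX_TO_ASN = {"198.51.100.0/24": 64500, "203.0.113.0/24": 64501, "192.0.2.0/24": 64502}
ASN_TO_COUNTRY = {64500: "DE", 64501: "XX", 64502: "US"}


@dataclass
class Request:
    ip: str
    path: str


def enrich(req: Request) -> dict:
    """Build the field set that conditions are evaluated against (ip, asn, country, path)."""
    addr = ipaddress.ip_address(req.ip)
    asn = next((a for p, a in PREFIX_TO_ASN.items() if addr in ipaddress.ip_network(p)), None)
    return {"ip": addr, "asn": asn, "country": ASN_TO_COUNTRY.get(asn), "path": req.path}


def matches(cond: tuple, ctx: dict) -> bool:
    """One condition is a (field, operator, value) triple."""
    fld, op, value = cond
    actual = ctx[fld]
    if op == "in":
        return actual in value
    if op == "not_in":
        return actual not in value
    if op == "starts_with":
        return actual.startswith(value)
    if op == "in_cidr":
        return actual in ipaddress.ip_network(value)
    raise ValueError(f"unknown operator {op}")


@dataclass
class Rule:
    name: str
    action: str                                  # allow | block | challenge | rate_limit
    all_of: list = field(default_factory=list)   # the "and" part of the chain
    any_of: list = field(default_factory=list)   # the "or" part of the chain (empty = no constraint)

    def fires(self, ctx: dict) -> bool:
        return (all(matches(c, ctx) for c in self.all_of)
                and (not self.any_of or any(matches(c, ctx) for c in self.any_of)))


class RateLimiter:
    """Sliding-window hit counter per client IP; `now` is passed in so the logic is deterministic."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window = limit, window_s
        self.hits = defaultdict(deque)

    def exceeded(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.limit


# Constructed rule set, evaluated top to bottom; the first rule that fires decides.
RULES = [
    Rule("own monitoring range", "allow", all_of=[("ip", "in_cidr", "192.0.2.0/24")]),
    Rule("hostile networks", "block", any_of=[("asn", "in", {64501}), ("country", "in", {"XX"})]),
    Rule("login from unexpected region", "challenge",
         all_of=[("path", "starts_with", "/login"), ("country", "not_in", {"DE"})]),
    Rule("api burst", "rate_limit", all_of=[("path", "starts_with", "/api/")]),
]
API_LIMITER = RateLimiter(limit=3, window_s=60)


def evaluate(req: Request, now: float = 0.0) -> str:
    """Return the action the edge would take for this request: allow, block, challenge or rate_limit."""
    ctx = enrich(req)
    for rule in RULES:
        if not rule.fires(ctx):
            continue
        if rule.action == "rate_limit":
            if API_LIMITER.exceeded(str(ctx["ip"]), now):
                return "rate_limit"
            continue  # under the limit: later rules or the default decide
        return rule.action
    return "allow"


if __name__ == "__main__":
    for r in (Request("203.0.113.5", "/"), Request("10.0.0.1", "/login"), Request("192.0.2.10", "/login")):
        print(r.ip, r.path, "->", evaluate(r))
```

The rate-limit rule is the only one that does not short-circuit: a request under the limit falls through to the remaining rules, so a burst from an already-blocked network is still blocked by the earlier rule rather than merely counted. A request from an address absent from the lookup tables has no ASN or country, and the “not_in” condition deliberately treats that unknown as a reason to challenge rather than to wave it through.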
There’s another issue, which is that some sites using Cloudflare simply don’t work on non-mainstream browsers. E.g. GitLab; I’ve had an open issue with them for ages about this, and in fact it’s one of the reasons I moved to Sourcehut:
https://gitlab.com/gitlab-org/gitlab/-/issues/341736
… which is also related to another CF issue here:
https://gitlab.com/gitlab-org/gitlab/-/issues/358802
Per one of the comments on the second issue, CF doesn’t seem to have any way for end-users of their systems to report issues.