Genuine question here…

Aside from the centralisation issue, why do people dislike so much?

No hyperbole please, I’d prefer the discussion to be based on facts.

@kev I hate it because of the captcha implementation it does. That one is sooo annoying that even I am annoyed by how frequent it is

@kev imho google has better captcha system in terms of user satisfaction and less user frustration

I highly disagree, recaptch i am never able to get too work and sometimes it even refuses me to do the csptcha, o have faild one hcsptcha and its much quicker to do.

@Twelve @kev Hmmmmm, Are you a tor user? Then I can understand your sentiment. But even then there must be a better way to implement this rather than having to click of pictures which 65% to 55% of the time you will make mistakes as it is getting harder

With recaptcha i have been having the issues a lot, but hcaptcha been reaøøy nice and just happens to work. I will agree the pictures are harder to see, but it still usualy works

@Twelve @XxAlexXx @kev I hate both captchas. None of them work without JavaScript. If a site isn't absolutely necessary for me, there's no way I will ever enable JavaScript.

@Twelve @XxAlexXx @kev I had to stop using a website through tor because I couldn't solve hcaptca

@kev it seems that some people an offence in the way it operates by terminating TLS connections. This obviously breaks the trust of TLS as now the connection is between you and Cloudflare and no longer you and the site owner. (At the same time people might don't mind hosting providers like which also terminate TLS sessions on someone's behalf.)

Another critique point is of course the never ending CAPTCHA thingy.

@sheogorath great point. I know I’d personally prefer it if my TLS chain wasn’t MiTM, especially when services like Let’s Encrypt exist.

I suppose what’s important here is to understand what they’re doing with that data when the carry out TLS inspection.

@kev Privacy reasons. I am forced to trust that they are not collecting, selling, or processing my data and especially meta data.

@floppy that’s hyperbolic IMO. That’s the same for any service, with any provider. It’s not unique to Cloudflare.

@kev @floppy The problem is that CloudFlare is so ubiquitous that it is hard to avoid. Try using Tor Browser for a day.

@kev Any service can collect data, yes, but CDN has access to different data. I respectfully object that this is hyperbolic.

Separate web services can collect data separately for their own use. A CDN backing those services can associate and correlate separate requests to several services. It possesses an overview of what collection of services are used by an individual, which is information that cannot be acquired trivially by individual services.


@kev Depending how the CDN is integrated, it can collect more or less meta data, e.g. when were requests made (and when not). Meta data can be used for creepy correlations to work out e.g. when somebody is on holidays, who your friends are, or what you like. Due to the various sources for the CDN, the available meta data is more potent.


@kev Yes, here I may get a bit hyperbolic regarding what intentions I assume. Problem is: The technical possibilities exist. I don't see any technical limitations that make abuse impossible. So I am required to trust, which I don't think is a good model in this case.


@kev Here is a addon for multiple browsers, related to the discussion of CDN, tracking, and privacy.

Decentraleyes | Local CDN Emulation

@be @MindOfJoe @kristof

@floppy @kev @be @MindOfJoe Decentraleyes is a bit different, because it replaces CDN for third-party resources. Thankfully, browsers nowadays use first-party isolation, so third-party resources leak very little information to the CDN (the CDN can’t just set a cookie when you browse one site and retrieve it when you browse another). Probably the largest vulnerability would be the CDN injecting malicious code, but that can be avoided by the developers with subresource integrity. That is not to say that local CDN emulation is not useful (that’s one fewer HTTP request to analyze and correlate, the very least), but it can’t do much against willful MITM use for first-party resources, where the request may carry much more relevant information (like usernames, first-party cookies and session IDs).

@kristof @floppy @be @kev Identify-activity fingerprinting begins simply with my IP address as a source seeking a resource at the destination IP address. If all of the resources you visit are hosted by me, then I know quite a bit about you. I don't need everything in the payload for metadata analysis.

@MindOfJoe @be @floppy @kev Yeah, probably only the names of resources requested close to each other (or in the same TLS connection) would be most of the time enough to identify the site a given IP address is visiting. Although with aggressive enough browser caching, that fingerprinting vector can be plugged up, but then you’d have just created another one.

@kristof @be @floppy @kev Interesting discussion, but I think we've drifted from Kev's intent. I just wanted to throw support for floppy against Kev's off-hand dismissal: One reason to dislike CDNs is that they have a very broad view of individual activity. Same applies to ISPs, VPS Providers, etc. If Tor were *centralized* (meaning they had complete information about every node's activity), we wouldn't trust it either. #justsayin'
@floppy @kev Concur with floppy entirely. CDNs are potential cross-domain identity aggregation points.

Re: cloudflare, privacy 

@kev @floppy Their quantity has a quality of its own. Due to the sheer number of sites they MITM, they have a nearly exceptional ability to correlate and analyze user behavior across sites. Granted, a site may still chose to share data with trackers and data aggregators, which gives aggregators the same correlation ability, but at least that’s overt, while sites opting to use a CDN with MITM inadvertently give away connection data for free (or even pay for the ‘privilege’).

@kev 13 minutes and already we found factual reasons to hate them. Says much about hoe prople hate it dontcha think?

@kev they act as a MITM, Cloudflare decrypts all your traffic. All the usernames, passwords, have passed in plain text through cloudflare’s server.

Here you have more information about Cloudflare

@werwolf @kev I have noticed I now always get flagged for that 5 second browser check treatment when I would access , among other places.

@werwolf yeah, I know that Cloudflare basically MiTM your traffic, but that's the same as any corporation who uses systems like Alteon to do SSL inspection.

It's what they do with that data that counts - which the link you posts doesn't offer any credible sources.

I agree that we should assume worst case and hope for best case and that's where the layered InfoSec comes in - unique passwords, multi-factor etc.

@kev @werwolf who is on the cloudflare board? Who are their investors? That will tell you a LOT. If it include people like Richard Clarke or Gilman Louie, or investors something like blackstone or in-q-tel, be afraid, be VERY afraid.

@kev since we don't know what's running at cloudflare's servers we should assume that Cloudflare is malware. That's why I have it blocked on my browser and I distrust Cloudflare's certs.

@werwolf if that's the case, you should probably block traffic to the vast majority of large enterprises too, as many of them do content inspection too.

@kev yeah, I try to do it. I have my Pihole blocking a ton of dangerous domains and hosts. Then on my browser I have uBlock Origin blocking third parties by default and with custom filter lists.

Sometimes when I really need to use a site that's broken I may make an exception. But only if it's completely necessary.

@kev Urgh...thank you for asking that. I've asked this question for myself, too.

People often say, it was "the biggest privacy abuser", while linking to some dubious websites and Github comments/README's (!)
I mean...WTF!?

@kev I’m personally a bit torn. Cloudflare have done many good things, such as making it easy for website operators to use HTTPS, help haveibeenpwned with caching (for free!), and recently help keep icanhazip online.

At the same time their spam filtering is way to aggressive. It was rare, but I sometimes couldn’t open websites while I lived in the Philippines because of Cloudflare’s filtering. That’s my primary reason for disliking them.

@reykjalin @kev what's the point of helping to use HTTPS when Cloudflare completely decrypts your traffic?


Because it’s an exponential improvement over plain HTTP.

Because it’s infinitely easier to set up than managing certs on your servers.

Because Cloudflare doesn’t have a business incentive to read the traffic going through their servers.

Because it’s only Cloudflare and your server communicating through HTTP, all other connections are encrypted.




Just because Cloudflare must decrypt the connection *because they act as a reverse proxy* doesn’t devalue the prospect of easy encryption that’s *exponentially more secure* than leaving your site with plain HTTP.



@kev Not sure, I use Cloudflare as my primary dns and am rather happy with it.
So no dislike from me

@kev people in this sphere can be self-important, and paranoid. But this is anecdotal based on what I see.

As in: major trust issues. I often see that they view Cloudflare’s infrastructure as a MitM. Especially using their edge network for CDN or for proxy.

Also as in: believing ideology comes at the expense of infrastructure. “Cloudflare is for profit, trust is implicit, they are not FOSS, and therefore should be abandoned.” When that’s not how the rest of the world thinks, acts or does work.

@kev one potential reason is how cloudflare describes it's e2e tls sessions when they aren't really end to end encrypted (i.e. tls negotiation happens directly with the origin server). The way cloudflare does e2e tls is that clients negotiate tls with the edge then the edge negotiates another tls session with the origin. So some people suggest that cloudflare is a mitm proxy that could potentially spy on their users

@rny does Cloudflare market it's SSL/TLS offering as E2E? That's a new one on me if it does.

@rny so in full mode I assume you have to give your private key to Cloudflare?

@kev there's also a more advanced approach where CF users dont have to give CF their private key, using but I think this is a paid feature.
@kev It kinda is end-to-end, but not the kind of end-to-end that we understand as the Signal protocol.

@kev It's quite interesting how the thread escalated. And a lot of it, is a bit like anti-vaxxer discussions.

"The vaccines are evil because the pharma industry is evil."

I mean, … In this discussion I feel like I have to defend Cloudflare many times, just because a lot of people completely overshoot the target. Cloudflare are sure not angels, but they also don't sit in their little office, thinking about how to bring terror into the world.

What a bee nest…

@sheogorath @kev that’s FOSS in general sir. Especially in this instance.

There’s plenty of tinfoil hatters or people who spiral down the literal dementia that is “everyone wants to watch you, they’re stealing your information, you have no control, the govt and corps are out to get us.”

And suddenly we have libre vegan hippie kind of idealogies that are more of a pain to accommodate or involve than they are to sideline in the name of normal users, profit and greater adoption.

@sheogorath @kev I just wanna say to these people..

Corps and govts aren’t saints.

“No. You’re not being watched by the govt because you like free software.

You’re not being watched for knowing how a computer works and believing you should control it.

You’re being watched by the government if for ANYTHING, it’s for being a crazy (expletive) that goes online and advocates instability through “fighting for information freedom” and aggressively pushing extreme opinions on the government.“

@kev my previous, personal experience with cloudflare (and the only time I tried to use it) back when they provided mitm https for everyone before letsencrypt was available:

@kev for me it was because if Cloudflare has any issues then my site could be down and it's completely out of my control.


Well, isn't the centralisation issue enough ?

Sign in to participate in the conversation

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.